Everything perfect for days, now some images don't show

What might have changed on your site? ie did you install a new plugin? Did you change any plugin settings? Is your root .htaccess file locked? Does your Host allow you to lock your root .htaccess file?

See the BulletProof Security Forum link below for the 3 most common issues/problems:
1. the broken cPanel HotLink Protection tool
2. flush_rewrite_rules problem
3. hosts that do not allow the root .htaccess file to be locked
https://forum.ait-pro.com/forums/topic/read-me-first-free/

Thanks for your quick reply!

Someone must’ve gotten into my root .htaccess file, but I don’t know why whatever was changed affected only some images and not all of them, nor any other content.

After just now replacing the root .htaccess with a copy of the one in the BPS backup folder, everything is back to normal. And, at the time I discovered the issue, I had not yet changed permissions on the files and folders as you recommend (including the root .htaccess), but I just did now, and everything looks fine.

Is changing permissions the same as locking a file?

Thanks again.

If you have another plugin that is writing to the root .htaccess file then maybe it changed something in your root .htaccess file. I believe Better WP Security does that.

Yes, “locking” means change file permissions to 404 Read-Only file permissions. The most secure/restrictive file permission that you can set for .htaccess files is 404 file permissions.

You can Lock and Unlock your root .htaccess file by clicking the Lock and Unlock htaccess File buttons on the Edit/Upload/Download page.

As a small business owner, I’m trying to administer my own site as best I can. As the site’s been hacked a couple of times (thankfully not severely… yet), I’m trying out various security plugins.

I had Better WP Security in place when another hacking took place. I wasn’t able to use all of its features a conflict developed between it and my theme, so I then added BulletProof Security. The two plugins haven’t caused a problem yet, but if Better WP Security wants to be writing to my root.htaccess, and I’ve just changed permissions, there will undoubtedly be a problem.

Do you think I can safely stop using Better WP Security and stick with your BulletProof Security?

Well if you had asked me that question prior to adding Login Security in BPS then I would have said that you should continue to use Better WP Security for the Login protection feature. ?? If you do decide to continue to use Better WP Security then any options in that plugin that have to do with .htaccess code can just be turned off since BPS .htaccess code is already doing this in a more comprehensive and sophisticated way. Another option is to add Better WP Security .htaccess code to BPS Custom Code so that when you create new Master .htaccess files with BPS AutoMagic buttons then the Better WP Security .htaccess code will be included in your new Master .htaccess files.

Also I would imagine the Better WP Security will unlock your root .htaccess file and write to it based on a check to see if its code is in the root .htaccess file if you have turned on htaccess options in Better WP Security. I am not sure about that, but it would be logical to do something like that.

Yes, something changed the permissions on root.htaccess and wp-config.php back to their original states, and there were two login attempts made within the last hour or two. When I checked the site, it was again offline, generating a 500 internal server error.

So I again copied the root.htaccess from BPS_backup and that brought the site back, after which I took your advice and removed all .htaccess options from Better WP Security, and changed the permissions for root.htaccess and wp-config.php back to your recommended states.

About your suggestion to “add Better WP Security .htaccess code to BPS Custom Code:” why would I have a need to create new Master .htaccess files with the BPS AutoMagic buttons? What would require me to do that?

Thanks.

Let’s say for example you wanted to use the hide login page feature in Better WP Security. The last time I checked (6+ months ago) this was done with .htaccess code.

So in this case you would copy that hiding .htaccess code to BPS Custom Code, save this custom code, click the secure.htaccess File AutoMagic button to create a new Master .htaccess file that contained the Better WP Security hiding .htaccess code in your BPS root Master .htaccess file. You would then activate Root BulletProof Mode, which copies your Master .htaccess file to your website root folder – makes it an active/currently in use root .htaccess file.

I really appreciate your taking the time to walk me through this.

When I first enabled it, I chose to have Better WP Security hide only the login slug. The login page still appears, but its URL is different. And I just now also had it hide the Admin slug, too. However I removed the option of having Better WP Security write to .htaccess, wp-config.php and other files.

Because I’m new to this, I’m trying to be very careful so that I don’t create a conflict between these plugins. But I’ll see if I can find the code that Better WP Security uses to hide the login page.

Thanks!

Did you get this figured out? If so, post the steps or any other useful info for other folks who may want this info. Thanks.

I never was able to figure out what caused some of the images to stop showing, but I was able to correct the situation only by restoring the database and the root.htaccess file from backups.

I now have another problem, regarding the login screen, but I believe it’s due to something with Better WP Security.

So, if you want to close out this thread, that’s fine.

Again, I appreciate your taking the time to help!