• On 6th August, one of the hourly executions of itsec_cron (flush-files) cleared .htaccess to zero bytes.
    The next day, it cleared both .htaccess and wp-config.php.
    I disabled the plugin until you fix it, showing evidence of the bug and the correction.
    I don’t know under what particular condition this is happening (I’m quite sure there are relations with other plugins, server components or scripts, otherwise many users would have reported it), but for everyone’s safety, my suggestion:

    DISABLE THE PLUGIN TO PREVENT SITE BREAKAGE

Viewing 14 replies - 1 through 14 (of 14 total)
  • Had .htaccess not finish saving because of this, and it broke a site. Had to restore the .htaccess from a backup.

    Disabling Settings > Configure > Global Settings seems to have stopped it from being re-saved every hour.

    It should only be updating these files on config save!
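The truncated .htaccess described above is what you get when a file is opened for writing and the process dies or times out before the content lands. The following is an added example (not iThemes code) of the write pattern that avoids it: write the full content to a temporary file in the same directory, copy the existing mode across, refuse to install an empty result, and then rename over the target. The function name, the temp-file prefix and the exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not iThemes code): replace a config file atomically so that a
# crash or timeout mid-write never leaves a zero-byte .htaccess behind.
# Assumed usage: atomic_replace /path/to/.htaccess < new_content

mode_of() {
    # Print the octal permission bits of a file (GNU stat first, then BSD stat).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit codes: 0 installed, 1 I/O error, 2 refused because the new content is empty.
atomic_replace() {
    target=$1
    dir=$(dirname "$target")
    # Temp file in the same directory, so the final rename stays on one filesystem
    # and rename(2) can be atomic.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    # Write the whole new content to the temp file; the live file is untouched.
    cat > "$tmp" || { rm -f "$tmp"; return 1; }
    # Refuse to install an empty file: this is exactly the failure the thread describes.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    # Carry over the existing mode (e.g. 0444) instead of leaving mktemp's 0600.
    if [ -e "$target" ]; then
        chmod "$(mode_of "$target")" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    # rename(2) is atomic: readers see either the old file or the complete new one,
    # never a half-written or empty one.
    mv -f "$tmp" "$target"
}
```

The rename needs write permission on the directory, not on the target file, so this also works when .htaccess itself has been set read-only; that is the reason the mode is copied explicitly rather than relied upon to survive.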

    Thread Starter jasmines

    (@jasmines)

    Plugin disabled and removed.
    Bye bye.

    It was also saving them with 644 permissions. I had to go through and manually update the permissions on 50+ sites.
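Checking 50+ sites by hand is where mistakes creep in. The following is an added example (not iThemes code) of an audit that walks one directory per site and reports, for every wp-config.php and .htaccess, the octal mode and one of three verdicts: EMPTY (the zero-byte symptom from this thread), WRITABLE (some write bit is set, which is what 0644 means and what the plugin's Remove File Writing Permissions setting used to strip), or OK (0444, 0400 and similar). The one-site-per-subdirectory layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not iThemes code): audit every wp-config.php and .htaccess below a
# directory and flag the two symptoms from this thread: zero-byte files and
# files that still carry a write bit.
# Assumed layout: one site per subdirectory of $1 (e.g. /var/www/site1, /var/www/site2).

mode_of() {
    # Octal permission bits (GNU stat first, then BSD stat).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify one file. Prints: <path> <mode> <status>
classify_file() {
    f=$1
    m=$(mode_of "$f")
    if [ ! -s "$f" ]; then
        # A config file with no content is never legitimate.
        status=EMPTY
    else
        # Look only at the three permission digits (drops a setuid/sticky digit if present).
        # An octal digit with the write bit set is 2, 3, 6 or 7; if any of the three
        # digits is one of those, somebody (owner, group or other) can write the file.
        case "$(printf '%s' "$m" | tail -c 3)" in
            *[2367]*) status=WRITABLE ;;
            *)        status=OK ;;
        esac
    fi
    printf '%s %s %s\n' "$f" "$m" "$status"
}

# Usage: audit_wp_files /var/www
# One line per file, sorted by path, so output can be diffed between runs.
audit_wp_files() {
    root=$1
    find "$root" -maxdepth 2 -type f \( -name wp-config.php -o -name .htaccess \) | sort |
    while IFS= read -r f; do
        classify_file "$f"
    done
}

# Usage: audit_wp_files /var/www | problems_only
problems_only() {
    grep -v ' OK$' || true
}
```

Run it from cron and diff the output against the previous run; the plugin's hourly flush-files job touching a file shows up as a mode change or an EMPTY verdict long before a visitor reports the site as down.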

    Lowering the (default=100) value for the Security > Settings > Features > Lockouts > Ban Users “Limit Banned IPs in Server Configuration Files” setting might help.

    Limiting the number of IPs blocked by the Server Configuration Files (.htaccess and nginx.conf) will help reduce the risk of a server timeout when updating the configuration file. If the number of IPs in the banned list exceeds the Server Configuration File limit, the additional IPs will be blocked using PHP. Blocking IPs at the server level is more efficient than blocking IPs at the application level using PHP.

    +++++ To prevent any confusion, I’m not iThemes +++++

    • This reply was modified 3 years, 7 months ago by nlpro.
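The split that the setting above describes (the first N banned hosts go into the server configuration file, the rest are handled by PHP) can be shown with a small generator. This is an added example and not the plugin's own code; the exact block the plugin writes is not shown in this thread, so the Apache 2.4 `<RequireAll>` form, the marker comments and the function names are this example's assumptions. The input format assumed is one IPv4/IPv6 address or CIDR per line.

```shell
#!/bin/sh
# Added example (not iThemes code): split a banned-host list the way the
# "Limit Banned IPs in Server Configuration Files" setting describes.
# The first LIMIT entries become an Apache 2.4 deny block for .htaccess and are
# rejected before PHP starts; the remainder go to a separate list that the
# application layer is expected to check on every request.
# Assumed input: one IPv4/IPv6 address or CIDR per line on stdin.

# Usage: render_ban_block LIMIT < banned.txt > htaccess_fragment
render_ban_block() {
    limit=$1
    printf '# BEGIN banned hosts (server level, max %s)\n' "$limit"
    printf '<RequireAll>\n    Require all granted\n'
    # Inside <RequireAll> every Require must pass, so one "Require not ip"
    # that matches the client denies the request.
    head -n "$limit" | sed 's/^/    Require not ip /'
    printf '</RequireAll>\n# END banned hosts\n'
}

# Usage: overflow_bans LIMIT < banned.txt > php_banlist.txt
# Everything beyond LIMIT is left for the slower PHP-level check.
overflow_bans() {
    tail -n +"$(( $1 + 1 ))"
}

# Usage: count_lines < file   (portable: strips the padding BSD wc emits)
count_lines() { wc -l | tr -d ' '; }
```

Keeping the limit small is the safety argument in the post above: a 100-line block is rewritten in well under a second, while an unbounded one makes each hourly rewrite slower and widens the window in which a timeout can leave the file incomplete.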

    If banned IPs are set to write to the database, that option shouldn’t affect anything. The files were never getting overwritten hourly before version 8.

    Hi @tbob21

    I’m afraid that’s not how it works.

    Also, according to the 7.8.0 release Changelog:

    Enhancement: Remove quick bans. Persist banned hosts to .htaccess or nginx.conf on an hourly schedule.

    So it looks like the hourly itsec_cron (flush-files) job was introduced before the 8.0.x branch.

    OK, maybe it was then. I never had this issue previously, and it did seem to keep the previous permissions if it was overwriting the files.

    Either way, I’m no longer using that function as there seems to be too much risk of it breaking something.

    Ok, there is an explanation for everything.

    In addition, the 8.0 release did remove some settings like in System Tweaks (amongst others):

    Remove File Writing Permissions – This feature didn’t offer much protection, since the server’s web user would have the ability to change the permissions back. Instead, it would often create conflicts with other plugins and web hosts that expect to be able to write to the wp-config.php or .htaccess files.

    I highly recommend reading the iThemes Security 8.0 Brings New Design, Features blog post on the iThemes blog.
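The changelog text quoted above makes a claim worth seeing rather than taking on faith: a mode of 0444 set by the plugin does not stop the web user, because chmod(2) is gated on file ownership, not on the current mode bits. The following is an added example (not iThemes code, not the plugin's behaviour) that plays through what a compromised plugin running as the owning account can do. It assumes the file is owned by the same account the script runs as, which is the usual shared-hosting layout, and the function name and the scratch path are this example's own.

```shell
#!/bin/sh
# Added example (not iThemes code): why "Remove File Writing Permissions" was a
# weak control. When wp-config.php is owned by the account PHP runs as, that
# account can simply chmod the file back and write to it.
# Assumed: $1 is a scratch path owned by the current user.

mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Simulate the sequence:
#   1. the file is locked to 0444 (what the old setting did),
#   2. the owner restores the write bit,
#   3. the write goes through.
# Prints "<mode before> -> <mode after>"; returns 0 if the lock was bypassed.
demonstrate_bypass() {
    f=$1
    printf 'define("DB_PASSWORD", "original");\n' > "$f"
    chmod 444 "$f"
    before=$(mode_of "$f")
    # As an unprivileged owner a plain write here would fail with EACCES
    # (root would get through even without the chmod). The control is only
    # as strong as the owner's willingness not to undo it:
    chmod u+w "$f" || return 1
    after=$(mode_of "$f")
    printf 'define("DB_PASSWORD", "attacker");\n' >> "$f" || return 1
    printf '%s -> %s\n' "$before" "$after"
    grep -q '"attacker"' "$f"
}
```

The control that does hold is ownership by a different account than the PHP worker (for example root-owned wp-config.php with mode 0640 and group ownership granting the worker read-only access); a non-owner cannot chmod the file, and that is something a plugin running as the worker cannot set up for itself.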

    I disagree on the wp-config.php permissions.

    See the following documentation:

    Changing File Permissions

    NOTE: If you installed WordPress yourself, you likely DO need to modify file permissions. Some files and directories should be “hardened” with stricter permissions, specifically, the wp-config.php file. This file is initially created with 644 permissions, and it’s a hazard to leave it like that. See Security and Hardening.

    @tbob21

    You may be interested in reading (if not already) this topic.

    I did see that; as mentioned in that very post, setting more restricted permissions is more secure.

    Required? Maybe not, but the WP documentation does say it’s a “hazard” to leave it at 644.

    I was more concerned with the plugin overriding the permissions I had set previously, which should not be happening; it sounds like the plugin needed more testing before this major release.

    • This reply was modified 3 years, 7 months ago by tbob21.

    I can confirm that as part of the update process to the iTSec 8.0.x release the permissions of both files are reset to 0644, but only if the Remove File Writing Permissions setting was enabled.

    It looks like after updating, while using the plugin, the permissions for both files are left untouched.

    Previously deactivating/uninstalling the plugin reset the permissions of both files to 0644. This is no longer the case in the 8.0.x branch (which makes sense).

    Yes, I believe it was enabled on my sites. Just looking at my backups from before the 8.0 update, the permissions were still 0400.

    I believe there should have been a warning after update to warn that files may have been reset to “hazardous” permissions, if it wasn’t for the sites going down I may have not noticed.

    Just to be clear, I realize that this isn’t as much of an issue on dedicated hosting, but on shared hosting it is more likely to be an issue.

    • This reply was modified 3 years, 7 months ago by tbob21.

    If the permissions were set to 0400, it was not the iTSec plugin that did that. The iTSec plugin’s Remove File Writing Permissions setting, when enabled, would set the permissions to 0444.

    I believe there should have been a warning after update to warn that files may have been reset to “hazardous” permissions, if it wasn’t for the sites going down I may have not noticed.

    Definitely agree on that. The Remove File Writing Permissions section in the iThemes blog post should have included such a warning (if enabled, after update to 8.0.x permissions go from 0444 to 0644).

    Just to be clear, I realize that this isn’t as much of an issue on dedicated hosting, but on shared hosting it is more likely to be an issue.

    Correct.

  • The topic ‘.htaccess and wp-config.php CLEARED!’ is closed to new replies.