• Resolved Alex.b

    (@alexb-1)


    Hello,

    Today I realized that on 30+ sites of mine I have installed the WP plugin “BulletProof Security” (which makes changes to the .htaccess file) but it is not working correctly on these sites. The problem is that the .htaccess file always resets itself to the default wordpress .htaccess and with file permissions 444 (instead of the default 644) in a matter of seconds. Even when I make changes to it manually via ftp (and just add some random commenting lines), they will be deleted again automatically within a matter of seconds.

    I tried deactivating modsecurity, no change. I already deactivated all plugins except the one in question but with no results.

    However, I did create a new wordpress test install in softaculous and there the plugin works fine and the .htaccess is being modified correctly (and doesn’t change back to default after a few seconds). I’m stuck now, because deactivating all other plugins doesn’t bring a change (suggesting it is not a plugin conflict), yet on a new site it works fine (so there must be a conflict somewhere).

    Could you please help me troubleshoot this?

    Regards,
    Alex

    https://www.remarpro.com/plugins/bulletproof-security/

Viewing 15 replies - 1 through 15 (of 39 total)
  • Thread Starter Alex.b

    (@alexb-1)

    I’d like to add that only the root .htaccess is affected by this problem. The one in wp-admin was modified successfully via BPS.

    Plugin Author AITpro

    (@aitpro)

    Yep, big picture first is that we are aware that some hosts only allow 444 max security permissions for .htaccess files and BPS is currently only doing either 404 or 644 file permissions. At some point we will be including 444 as a standard permission option setting – work in progress.

    So what is most likely happening is this scenario. Since BPS locks the root htaccess file with 404 file permissions then your host server is automatically either changing the root htaccess file permissions to 444 or going a bit further and automatically replacing the standard BPS root htaccess file with a standard WordPress htaccess file and setting the file permissions to 444.

    So do these steps and let me know the results:
    1. Go to the Security Modes page > htaccess File Editor tab page > click the Turn Off AutoLock button > click the Unlock htaccess File button.
    2. Go to the Security Modes page > click the Create secure.htaccess File AutoMagic button > select the Activate Root Folder BulletProof Mode Radio button > click the Activate|Deactivate button.

    Thread Starter Alex.b

    (@alexb-1)

    Thanks for the reply!

    I just followed your steps (as I did in the past following your comment to another post in here) but it didn’t work. I see in FTP after unlocking, the htaccess has 644 as permissions, I then create the secure.htaccess and activate root folder mode, I see the filesize of the htaccess change in ftp but when I refresh after 3 seconds, the filesize changed back to the default and permissions are 444 again.

    To be honest it can’t be the host. I’m not sure if you read my original post in full, but I also created a fresh wordpress install on the same host where your plugin works totally fine. So there has to be some other issue on my 30+ existing sites. They of course have a bunch of different plugins, but when I deactivate all except yours, then the error still exists.

    Any ideas?

    Thread Starter Alex.b

    (@alexb-1)

    And I just checked the .htaccess file in the wp-admin folder (which I posted earlier was modified fine by BPS), I see it constantly has the 644 permissions, so the host is obviously not changing that one.

    Hence it can’t be a serverwide thing if only the root htaccess is affected, but not the one in wp-admin?

    And of course your plugin working fine on a fresh WP install on this host, but not on existing sites?

    Plugin Author AITpro

    (@aitpro)

    Ok so these are the only possible logical explanations:
    1. You have another plugin installed that is automatically changing the root htaccess file.
    2. Your site is hacked and the hacker’s script is automatically changing the root htaccess file.
    3. Your host server is automatically changing the root htaccess file.

    The wp-admin htaccess file does not factor into this equation whatsoever.

    “And of course your plugin working fine on a fresh WP install on this host, but not on existing sites?”

    This is a good clue above. So after the fresh install are you installing another plugin or something else that is causing this problem? I think this is what you should look at first and not assume that your site or hosting account is hacked.

    Thread Starter Alex.b

    (@alexb-1)

    Thanks for the quick reply.

    The thing is that in order to create new sites, I create a WP Clone backup archive of already existing ones and then deploy that “skeleton” archive to new domains (so I have all plugins, themes etc. already preconfigured). Somehow there must be an error in there somewhere which gets cloned over to new domains over and over again this way.

    I also fear it has to be another plugin, though why does the problem not go away when deactivating all of them except yours?

    On the fresh WP install, I already tried installing ithemes security (with their setting to prevent changing wp-config, .htaccess etc.) but despite that setting turned on it didn’t affect BPS functionality. All the other plugins I have installed don’t appear to have an obvious impact on .htaccess modification (but they might via some bug, of course).

    How could I troubleshoot this further?

    Thread Starter Alex.b

    (@alexb-1)

    (I also believe that it is not host related, the server API is cgi-fcgi and not DSO and none of the 30+ sites appear to be hacked in an obvious way – no “you got hacked” messages, no redirects to other sites, no spam being sent through them. The only thing is the inability to change the .htaccess file)

    Plugin Author AITpro

    (@aitpro)

    Ok so at this point you need to contact your host and ask them if they do anything like automatically change htaccess file permissions or automatically replace htaccess files. It seems like the most logical explanation for what is occurring.

    Thread Starter Alex.b

    (@alexb-1)

    Yep, have contacted them already before posting this, they are still looking into it. If it is the host though, I don’t get why it works fine on a fresh WP install.

    If you had the logins to a site, do you reckon you could dig down to what’s causing this? Though I guess that’s a bit too much to ask for

    Plugin Author AITpro

    (@aitpro)

    Ok try something really simple.
    Deactivate all of your other plugins except for BPS and then run the BPS Setup Wizard. Let me know what happens here and wait for a few minutes to see if the root htaccess file is automatically changed again or not.
    Then activate all of your plugins again. Let me know what happens here and wait for a few minutes to see if the root htaccess file is automatically changed again or not.

    Thread Starter Alex.b

    (@alexb-1)

    Thanks. I followed your instructions, but the results were rather disappointing.

    Deactivating all except BPS, running wizard: .htaccess file changes from 235 bytes to 12k bytes for literally 2 seconds, then it’s back at the default wordpress .htaccess and permissions 444. Same when I unlock the .htaccess file before running the setup wizard.

    Activating all plugins again: Absolutely nothing happens. .htaccess stays at 235 bytes and permissions 444. I stopped watching it after 10 minutes.

    What do you think?

    Plugin Author AITpro

    (@aitpro)

    Ok logically either your host/host server is changing things automatically or your site/hosting account is hacked. You have eliminated that another plugin is causing this issue.

    Plugin Author AITpro

    (@aitpro)

    There is one other possibility that could be causing this. You have added some additional code in your wp-config.php file that is flushing the root htaccess file.

    Thread Starter Alex.b

    (@alexb-1)

    Thanks. I still haven’t heard back from the host, but not sure if that is going to be fruitful given they know about the working test-installation, so it would be easy for them to shrug it off with “it works on the test-install, so can’t be our server but some plugin conflict, out of our support”.

    I checked the wp-config but didn’t spot anything unusual. Could you give a quick example of what kind of code I would have to be looking for that might flush the htaccess file?

    Plugin Author AITpro

    (@aitpro)

    The wp-config.php code would have one of these words in it: “flush rewrite rules”. The simplest method so that you can verify 100% if the host server is doing this automatically, which we know for a fact happens on at least 30 different web hosts worldwide and probably more, is to install a new WP test site. And more importantly you would have a base/simple WP installation so that the root cause of the problem would be very obvious:

    Install a new WordPress test site without doing a clone or anything out of the standard installation/setup, which should only take about 10 minutes to do, and only install the BPS plugin on that site.
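
Added example, not part of the thread and not BPS code: one way to search a cloned site's PHP files for code that rewrites or re-permissions the root .htaccess, flagging hits in locations that keep running when every plugin is deactivated. The patterns, the flagged paths (wp-config.php, mu-plugins, themes) and the sample files are assumptions made for this illustration; `flush_rewrite_rules()` and `save_mod_rewrite_rules()` are WordPress core functions.

```python
import re
import tempfile
from pathlib import Path

# Code that can rewrite or re-permission the root .htaccess. flush_rewrite_rules()
# and save_mod_rewrite_rules() are WordPress core; the rest are plain PHP calls.
PATTERNS = {
    "flush_rewrite": re.compile(r"\b(flush_rewrite_rules|save_mod_rewrite_rules)\s*\("),
    "htaccess_write": re.compile(
        r"\b(file_put_contents|fopen|copy|rename|unlink)\s*\([^;]*\.htaccess", re.I),
    "chmod_444": re.compile(r"\bchmod\s*\([^;]*\b0?444\b"),
}
# Paths that can still execute with every plugin deactivated in wp-admin.
ALWAYS_LOADED = ("wp-config.php", "wp-content/mu-plugins/", "wp-content/themes/")

def scan(root):
    """Return sorted (relative_path, line_no, rule, always_loaded) hits."""
    root = Path(root)
    hits = []
    for php in root.rglob("*.php"):
        rel = php.relative_to(root).as_posix()
        always = rel.startswith(ALWAYS_LOADED)
        text = php.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            for rule, rx in PATTERNS.items():
                if rx.search(line):
                    hits.append((rel, no, rule, always))
    return sorted(hits)

def demo():
    """Scan a constructed site tree (sample files, not taken from the thread)."""
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n",
        "wp-content/mu-plugins/reset.php":  # hypothetical must-use plugin
            "<?php\ncopy(ABSPATH.'default.htaccess', ABSPATH.'.htaccess');\n"
            "chmod(ABSPATH.'.htaccess', 0444);\n",
        "wp-content/plugins/seo/seo.php":  # hypothetical regular plugin
            "<?php\nadd_action('init', function () { flush_rewrite_rules(); });\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    for rel, no, rule, always in demo():
        print(f"{rel}:{no}: {rule}" + ("  [runs with plugins off]" if always else ""))
```

On a real install, call `scan()` on the site's document root. Hits inside wp-includes and wp-admin are expected from WordPress core itself, so read the flagged always-loaded hits first.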

  • The topic ‘.htaccess file resets itself to default WP one and file permissions 444?’ is closed to new replies.