Internal Server Error with multiple WordPress sites
I’m trying to put together two WordPress sites, one for a childhood cancer charity (https://www.badgerchildhoodcancer.org) and one for their major annual fundraiser (https://www.badgersuperhero.com). Both sites reside in different directories for the same host provider, (i.e. public_html/wp and public_html/superhero) and each has its own domain name. The main site has been up and running for about a year, and I need to get the fundraising site up ASAP.
I use iThemes Security on both sites. I was about to give up on WordPress because of persistent hacking until I discovered this wonderful tool. I’ve got things locked down pretty tight.
I got the fundraising site working perfectly as a sub-site of the main site (i.e. https://www.badgerchildhoodcancer.org/superhero) while the badgersuperhero.com URL pointed to an old version of the site elsewhere. Then I moved the domain name to point to the new site and things fell apart.
The HOME page for badgersuperhero.com works correctly. However, when I have WordPress properly configured, with the Site Address setting set to badgersuperhero.com, all sub-pages give an “Internal Server Error” message. I can only get the site to function if I set the Site Address to https://www.badgerchildhoodcancer.org/superhero, and when I do that, my URLs are incorrect and my SSL doesn’t work right because I’m no longer in the badgersuperhero.com domain.
I’m here in the iThemes Security forum because my current theory is that the .htaccess files for my two sites are conflicting, and the .htaccess files are full mostly of code from iThemes Security.
I’ve been working on this problem for about two weeks. I’ve exhausted my ISP’s support channels (in that they want money to pursue this further, and I am a volunteer with no budget.) The DNS is set correctly, and I have tried every suggestion I’ve found on the web for Internal Server Error with no luck. I am at a loss for why the fundraising site won’t work under its own domain name.
My three .htaccess files are below. I removed the HackRepair.com Blacklist items to save space.
Any suggestions or ideas? I really appreciate any help you can offer.
David Woods
Badger Childhood Cancer Network
Volunteer Webmaster
.htaccess in public_html:
# BEGIN Better WP Security
Options -Indexes
# Begin HackRepair.com Blacklist
RewriteEngine on
# Abuse Agent Blocking
< list of RewriteCond statements from HackRepair.com removed >
RewriteRule ^.* - [F,L]
# Abuse bot blocking rule end
# End HackRepair.com Blacklist
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files readme.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|?a|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^https://maps\.googleapis\.com(.*)$
RewriteRule ^(.*)$ - [F,L]
RewriteRule ^signin/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^manage/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&redirect_to=/wp/wp-admin/ [R,L]
RewriteRule ^manage/?$ /wp/wp-admin/?hhxlicg22ebbojgu6pz3f [R,L]
RewriteRule ^signup/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&action=register [R,L]
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-admin
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-login\.php
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signin
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/manage
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signup
RewriteCond %{QUERY_STRING} !^hhxlicg22ebbojgu6pz3f
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{QUERY_STRING} !^action=register
RewriteCond %{QUERY_STRING} !^action=postpass
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^.*wp-admin/?|^.*wp-login\.php /wp/not_found [R,L]
RewriteCond %{QUERY_STRING} ^loggedout=true
RewriteRule ^.*$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]
</IfModule>
# END Better WP Security
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wp/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wp/index.php [L]
</IfModule>
# END WordPress
.htaccess file from public_html/wp:
# BEGIN iThemes Security
# BEGIN Ban Users
# Begin HackRepair.com Blacklist
RewriteEngine on
< list of RewriteCond statements from HackRepair.com removed >
RewriteRule ^.* - [F]
# END Ban Users
# BEGIN Hide Backend
# Rules to hide the dashboard
RewriteRule ^/manage/?$ /wp-login.php [QSA,L]
# END Hide Backend
# BEGIN Tweaks
# Rules to block access to WordPress specific files
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files readme.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
# Rules to disable XML-RPC
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>
# Rules to disable directory browsing
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Rules to protect wp-includes
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
# Rules to prevent php execution in uploads
RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
# Rules to block unneeded HTTP methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F]
# Rules to block suspicious URIs
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|?a|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^https://maps\.googleapis\.com(.*)$
RewriteRule ^(.*)$ - [F]
# Rules to block foreign characters in URLs
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
RewriteRule ^(.*)$ - [F]
# Rules to help reduce spam
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F]
</IfModule>
# END Tweaks
# END iThemes Security
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /wp/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /wp/index.php [L]
</IfModule>
# END WordPress
.htaccess file from public_html/superhero:
# BEGIN iThemes Security
# BEGIN Ban Users
# Begin HackRepair.com Blacklist
RewriteEngine on
< list of RewriteCond statements from HackRepair.com removed >
RewriteRule ^.* - [F]
# END Ban Users
# BEGIN Hide Backend
# Rules to hide the dashboard
RewriteRule ^/superhero/manage/?$ /wp-login.php [QSA,L]
# END Hide Backend
# BEGIN Tweaks
# Rules to block access to WordPress specific files
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files readme.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
# Rules to disable XML-RPC
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>
# Rules to disable directory browsing
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Rules to protect wp-includes
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
# Rules to prevent php execution in uploads
RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
# Rules to block unneeded HTTP methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F]
# Rules to block suspicious URIs
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|?a|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteCond %{HTTP_REFERER} !^https://maps\.googleapis\.com(.*)$
RewriteRule ^(.*)$ - [F]
# Rules to block foreign characters in URLs
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
RewriteRule ^(.*)$ - [F]
# Rules to help reduce spam
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F]
</IfModule>
# END Tweaks
# END iThemes Security
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /superhero/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /superhero/index.php [L]
</IfModule>
# END WordPress
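Added example, not part of the original post and not iThemes Security or WordPress code: RewriteBase and the index.php target in the WordPress block are URL paths, and the comment-spam rule allow-lists a Referer host, so all three need to agree with the Site Address. The sketch below checks a constructed excerpt of the public_html/superhero rules against a given Site Address; `check_htaccess`, `HOST_RE` and the finding labels are hypothetical names.

```python
import re
from urllib.parse import urlparse

# Constructed sample: spam rule and WordPress block as posted for public_html/superhero.
SUPERHERO_HTACCESS = r"""
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F]
# BEGIN WordPress
RewriteEngine On
RewriteBase /superhero/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /superhero/index.php [L]
# END WordPress
"""

HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)  # hostname-like tokens

def check_htaccess(text, site_address):
    """Return (line_no, kind, value) for rules that disagree with the Site Address."""
    url = urlparse(site_address)
    base = url.path.rstrip("/") + "/"            # "" -> "/", "/superhero" -> "/superhero/"
    host = re.sub(r"^www\.", "", url.hostname or "")
    findings, conds = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteBase"):
            got = (line.split() + [""])[1]
            if got.rstrip("/") + "/" != base:
                findings.append((n, "base", got))
        elif line.startswith("RewriteCond"):
            conds.append(line)                   # conditions belong to the next RewriteRule
        elif line.startswith("RewriteRule"):
            target = (line.split() + ["", ""])[2]
            if target.endswith("index.php") and target != base + "index.php":
                findings.append((n, "front-controller", target))
            if any("wp-comments-post" in c for c in conds):
                refs = [h for c in conds if "HTTP_REFERER" in c
                        for h in HOST_RE.findall(c.replace("\\", ""))]
                if refs and host not in refs:    # own host missing from the allow-list
                    findings.append((n, "referer", refs[0]))
            conds = []
    return findings
```

With the Site Address set to https://www.badgersuperhero.com the excerpt yields three findings (Referer allow-list, RewriteBase, index.php target); with https://www.badgerchildhoodcancer.org/superhero it yields none.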