.htaccess自行更改-导致500内部服务器错误

Question

I'm having issues with .htaccess changing itself and causing 500 - Internal Server Errors on my website. This change occurs every second day or so.

My original .htaccess file looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

And after it changes itself, it looks like this:

# BEGIN WordPress<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Essentially, this line is moved up to the end of the above line:

<IfModule mod_rewrite.c>

Our website was hacked a few weeks ago and used for phishing. Our host shut it down, and we made changes which they felt were good enough to re-open our website. We changed...

• Updated to the latest version of Wordpress (we're normally up to date, but were a few days late on this).

• Installed two security plug-ins (Better WP Security and Bulletproof Security).

• As well as removing a forums plug-in which we believe COULD have been the cause of vulnerability.

• Both security plug-ins have now been removed.

• I have now changed the permissions on the htaccess file

We can't really afford to have our site go down (500 server error) again. Is there anything I have missed that could be causing .htaccess to get changed? Note: When I replace the changed htaccess file with the original, it fixes the 500 server error.

Answer 1

Taking a quick look at your two security plug-ins, the Bulletproof Security does a lot of touching of your .htaccess file. Personally, I would never let a plug-in touch .htaccess, because if there are any bugs in the plug-in, it can knock your site offline with a 500 server error.

I would take a look at what the plug-in is trying to do in .htaccess and manually add that to the file, after disabling Bulletproof Security.

Alternatively, you could try adding an extra linespace between the initial comment and the following line, like this:

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

And lastly, you could do away with the "IfModule" altogether, since you know it's installed on your server:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Answer 2

The problem is probably caused by the interaction between the two security plugins. Maybe disabling one of them will fix the problem.

Another way to secure your htaccess is assigning it to the root user (if you are allowed to) and/or make it read only. Of course it does not solve the underlying problem, but at least the effects are contained.

Answer 3

我遇到了同样的问题，但最终我发现.htaccess文件编码应保留在默认的ANSI ，并且错误仅是因为我将其编码更改为UTF8 。