I first asked this question on the main WP troubleshooting forum, but I suspect I'm better off asking here.
My question on the WP troubleshooting forum was:
I just added a new addon site under my main domain name. I then installed WordPress 3.4.2 and added some plugins and some working content, along with the Graphene theme. As part of doing that, I installed Bullet Proof WP Security and Better WP Security, as well as Yoast SEO and several other plugins. I know that those three (at least) make major changes to the default htaccess file.
This morning I was looking at my site stats via my Cpanel and while I was in Cpanel I decided to remove some old subdomains that I don't use anymore. And what I found surprised me. On my list of subdomains was the new addon site, as would be expected. But along with that new subdomain was another new subdomain that I hadn't created, and that subdomain had the user name that I had assigned to the new subdomain that I *had* created.
Something like this:
--new subdomain (also new addon) = newaddonsite.mainsite.com
--When I created "newaddonsite" I had to add a user name for ftp, etc-- let's say "newsiteusername"
--But now there's also a new subdomain in the list called "newsiteusername.mainsite.com", which I didn't create.
--Moreover, both subdomains are shown to redirect to /\..*$ and I never set any redirects for either of those subdomains or any others.
When I checked the Cpanel list of addon sites "newaddonsite.com" showed up in the list, as it should. But it also shows as being redirected to /\..*$, the same as the two new subdomains. And there should be no redirect.
So, I have a strange new subdomain that I didn't create and a new subdomain/addon site that I did create, both of which redirect to somewhere or other that I can't figure out, and that I didn't create.
I asked my site host tech support what was going on, and they said that this was happening because there was something wrong or hacked in the htaccess file for the new site.
So that brings me back to Bullet Proof Security and Better WP Security, and perhaps other plugins that modify htaccess files: is the redirect and the extra subdomain something that are part of the security settings, or do I have larger problems?
After further research, I found a line in the site's htaccess as follows:
# DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot RedirectMatch 403 /\..*$
Which tells me that the redirect is part of Bulletproof's security. But the questions remain, why is there an unwanted subdomain and is the addon redirect what should be happening? Is what I'm seeing normal and OK? At this point I'm asking not only for my own sake, but to pass the info onto my web host because they were clueless.
I'm basically a Joomla developer, and my site host is primarily dedicated to Joomla hosting, so I'm in unfamiliar territory here, and it would appear that my host is also.
Thanks for any feedback...