iThemes Security (formerly Better WP Security)
Internal Server Error with multiple WordPress sites (1 post)

  1. DavidWoods
    Member
    Posted 2 months ago #

    I'm trying to put together two WordPress sites, one for a childhood cancer charity (http://www.badgerchildhoodcancer.org) and one for their major annual fundraiser (http://www.badgersuperhero.com). Both sites reside in different directories for the same host provider, (i.e. public_html/wp and public_html/superhero) and each has its own domain name. The main site has been up and running for about a year, and I need to get the fundraising site up ASAP.

    I use iThemes Security on both sites. I was about to give up on WordPress because of persistent hacking until I discovered this wonderful tool. I've got things locked down pretty tight.

    I got the fundraising site working perfectly as a sub-site of the main site (i.e. http://www.badgerchildhoodcancer.org/superhero) while the badgersuperhero.com URL pointed to an old version of the site elsewhere. Then I moved the domain name to point to the new site and things fell apart.

    The HOME page for badgersuperhero.com works correctly. However, when I have WordPress properly configured, with the Site Address setting set to badgersuperhero.com, all sub-pages give an "Internal Server Error" message. I can only get the site to function if I set the Site Address to http://www.badgerchildhoodcancer.org/superhero, and when I do that, my URLs are incorrect and my SSL doesn't work right because I'm no longer in the badgersuperhero.com domain.

    I'm here in the iThemes Security forum because my current theory is that the .htaccess files for my two sites are conflicting, and the .htaccess files are full mostly of code from iThemes Security.

    I've been working on this problem for about two weeks. I've exhausted my ISP's support channels (in that they want money to pursue this further, and I am a volunteer with no budget.) The DNS is set correctly, and I have tried every suggestion I've found on the web for Internal Server Error with no luck. I am at a loss for why the fundraising site won't work under its own domain name.

    My three .htaccess files are below. I removed the HackRepair.com Blacklist items to save space.

    Any suggestions or ideas? I really appreciate any help you can offer.

    David Woods
    Badger Childhood Cancer Network
    Volunteer Webmaster

    .htaccess in public_html:

    # BEGIN Better WP Security
    Options -Indexes

    # Begin HackRepair.com Blacklist
    RewriteEngine on
    # Abuse Agent Blocking
    < list of RewriteCond statements from HackRepair.com removed >
    RewriteRule ^.* - [F,L]
    # Abuse bot blocking rule end
    # End HackRepair.com Blacklist
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>

    <files readme.html>
    Order allow,deny
    Deny from all
    </files>

    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>

    <files install.php>
    Order allow,deny
    Deny from all
    </files>

    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>

    <IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]

    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
    RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ - [F,L]

    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
    RewriteRule ^(.*)$ - [F,L]

    RewriteRule ^signin/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]

    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^manage/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&redirect_to=/wp/wp-admin/ [R,L]

    RewriteRule ^manage/?$ /wp/wp-admin/?hhxlicg22ebbojgu6pz3f [R,L]

    RewriteRule ^signup/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&action=register [R,L]

    RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-admin
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-login\.php
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signin
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/manage
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signup
    RewriteCond %{QUERY_STRING} !^hhxlicg22ebbojgu6pz3f
    RewriteCond %{QUERY_STRING} !^action=logout
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{QUERY_STRING} !^action=register
    RewriteCond %{QUERY_STRING} !^action=postpass
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^.*wp-admin/?|^.*wp-login\.php /wp/not_found [R,L]

    RewriteCond %{QUERY_STRING} ^loggedout=true
    RewriteRule ^.*$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]
    </IfModule>
    # END Better WP Security

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /wp/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /wp/index.php [L]
    </IfModule>

    # END WordPress

    .htaccess file from public_html/wp:

    # BEGIN iThemes Security
    # BEGIN Ban Users
    # Begin HackRepair.com Blacklist
    RewriteEngine on
    < list of RewriteCond statements from HackRepair.com removed >
    RewriteRule ^.* - [F]
    # END Ban Users
    # BEGIN Hide Backend
    # Rules to hide the dashboard
    RewriteRule ^/manage/?$ /wp-login.php [QSA,L]
    # END Hide Backend
    # BEGIN Tweaks
    # Rules to block access to WordPress specific files
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>

    # Rules to disable XML-RPC
    <files xmlrpc.php>
    Order allow,deny
    Deny from all
    </files>

    # Rules to disable directory browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Rules to protect wp-includes
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]

    # Rules to prevent php execution in uploads
    RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

    # Rules to block unneeded HTTP methods
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F]

    # Rules to block suspicious URIs
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
    RewriteRule ^(.*)$ - [F]

    # Rules to block foreign characters in URLs
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
    RewriteRule ^(.*)$ - [F]

    # Rules to help reduce spam
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
    RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ - [F]
    </IfModule>
    # END Tweaks
    # END iThemes Security

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /wp/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /wp/index.php [L]
    </IfModule>
    # END WordPress

    .htaccess file from public_html/superhero:

    # BEGIN iThemes Security
    # BEGIN Ban Users
    # Begin HackRepair.com Blacklist
    RewriteEngine on
    < list of RewriteCond statements from HackRepair.com removed >
    RewriteRule ^.* - [F]

    # END Ban Users
    # BEGIN Hide Backend
    # Rules to hide the dashboard
    RewriteRule ^/superhero/manage/?$ /wp-login.php [QSA,L]

    # END Hide Backend
    # BEGIN Tweaks
    # Rules to block access to WordPress specific files
    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>

    # Rules to disable XML-RPC
    <files xmlrpc.php>
    Order allow,deny
    Deny from all
    </files>

    # Rules to disable directory browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
    RewriteEngine On

    # Rules to protect wp-includes
    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]

    # Rules to prevent php execution in uploads
    RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

    # Rules to block unneeded HTTP methods
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F]

    # Rules to block suspicious URIs
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
    RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
    RewriteCond %{QUERY_STRING} !^loggedout=true
    RewriteCond %{QUERY_STRING} !^action=rp
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
    RewriteRule ^(.*)$ - [F]

    # Rules to block foreign characters in URLs
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
    RewriteRule ^(.*)$ - [F]

    # Rules to help reduce spam
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
    RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ - [F]
    </IfModule>
    # END Tweaks
    # END iThemes Security

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /superhero/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /superhero/index.php [L]
    </IfModule>
    # END WordPress

    https://wordpress.org/plugins/better-wp-security/
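
One way to check the theory in the post above, as an added example that is not part of the original post or of iThemes Security: the script scans rewrite lines for URL prefixes that no longer fit once a directory is served from a different path, and for patterns that cannot match in per-directory context. It assumes badgersuperhero.com uses public_html/superhero as its document root, which the post does not state; `audit` and `audit_superhero_on_own_domain` are hypothetical names.

```python
import re

# Rewrite lines copied from the public_html/superhero file in the post.
SUPERHERO = r"""RewriteRule ^/superhero/manage/?$ /wp-login.php [QSA,L]
RewriteRule ^wp-admin/includes/ - [F]
RewriteBase /superhero/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /superhero/index.php [L]
"""

BASE = re.compile(r"^\s*RewriteBase\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def audit(htaccess, served_at, old_prefix=None):
    """List (line_no, issue) for a .htaccess whose directory is served at
    URL path `served_at`; `old_prefix` is a prefix it was served at before."""
    findings = []
    for no, line in enumerate(htaccess.splitlines(), 1):
        base, rule = BASE.match(line), RULE.match(line)
        if base and base.group(1) != served_at:
            findings.append((no, f"RewriteBase {base.group(1)} is not {served_at}"))
        if not rule:
            continue
        pattern, target = rule.groups()
        # In .htaccess the pattern is matched with the directory prefix and
        # its leading slash removed, so a pattern anchored at "^/" never matches.
        if pattern.lstrip("!").startswith("^/"):
            findings.append((no, f"pattern {pattern} can never match"))
        # A target starting with "/" is taken as a URL path from the document root.
        stale = old_prefix and old_prefix != served_at and target.startswith(old_prefix)
        if target.startswith("/") and (stale or not target.startswith(served_at)):
            findings.append((no, f"target {target} assumes a prefix other than {served_at}"))
    return findings


def audit_superhero_on_own_domain():
    # ASSUMPTION: badgersuperhero.com uses public_html/superhero as its root.
    return audit(SUPERHERO, served_at="/", old_prefix="/superhero/")


if __name__ == "__main__":
    for no, issue in audit_superhero_on_own_domain():
        print(f"line {no}: {issue}")
```

Running the same audit with `served_at="/superhero/"` shows how the file looks when the site is reached as a sub-directory of the main domain.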
