Corrupt entries added automagically to .htaccess? What? (5 posts)

  1. GuardianAngel
    Posted 1 year ago #


    My WordPress install was inaccessible this morning because this got added to my main .htaccess (the one directly in the WordPress install directory)

    nphp_value suhosin.post.max_value_length 100000000nphp_value suhosin.request.max_value_length 100000000

    The forum rendering might not show it as well as I would like but what I have is one single line that starts with "nphp_value" and in the middle of the line I have "100000000nphp_value"...

    Now this looks like an improperly escaped "newline" as what was probably supposed to be inserted there was "\n", not "n" so this would have been inserted like this in the file:

    php_value suhosin.post.max_value_length 100000000
    php_value suhosin.request.max_value_length 100000000

    I tried a few Twitter plugins yesterday (and I still had one installed today which I removed manually; I checked through the code and I saw nothing like this in it though).

    I removed that line once and it didn't work as it got appended again. I removed it a second time and now everything works as it didn't get appended again.

    Now I seem to understand this is used to armor a WordPress installation or something so I don't think I have been hacked but then, what happened?

    Any ideas?

    Thank you!


    PS: It is somewhat funny that I have a problem with suhosin considering what suhosin means (ie "guardian angel")... (-;

  2. esmi
    Forum Moderator
    Posted 1 year ago #

    Are you running this server yourself? Only there's nothing in WordPress that I know of that would add such a line to your .htaccess file.

  3. GuardianAngel
    Posted 1 year ago #

    Yes, this is a VPS...

    The "provider" implication is minimal and if anything their default setup (when they install the "image") was less secure than it should have been....

    I have a feeling a plugin added that but I am no longer sure which plugin I tried (is this logged somewhere?) and the only plugin that was still installed this morning (of the ones I tried yesterday) is very simple and had no code to do that.

    The weirdest thing is that when I saw the problem I tried writing those lines as I thought they were supposed to be written but the corrupted line got appended one last time to my .htaccess when I tried to reaccess my install and then it stopped doing that...

    I did a grep of everything under the directory where WordPress is installed and I see nothing that matches nphp_value, suhosin, etc...

    I am perplexed...

    Thank you!


  4. esmi
    Forum Moderator
    Posted 1 year ago #

    I've not come across any plugin that would add such a suhosin specific line. It's the specificity of it that seems bizarre. Have you tried:

    - deactivating all plugins to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s).

    - switching to the default theme to rule out any theme-specific problems.

    - resetting the plugins folder by FTP or PhpMyAdmin. Sometimes, an apparently inactive plugin can still cause problems.

  5. GuardianAngel
    Posted 1 year ago #

    Hi esmi!

    Sorry for the delayed reply...

    It does work now, I can actually access my server by SSH (and even using some sort of VNC)

    What I did the day before was try out many Twitter plugins, only one of them was still installed the next day (when I noticed the problem) and this plugin is very simple (it only adds a widget) and has no code for this....

    What was weird is that once I fixed it, it got added one more time (as if what had added it had run one more time) and then never again...

    I doubt this was an attempt to hack as this seems to be more meant to armor a server than to make it hackable if I understood what it does correctly so I can only assume a plugin added it (a plugin I removed I guess as I scanned all the plugins and could not find a "suhosin" line in any of them...).

    Just in case I asked my VPS provider and this was their reply

    "We do not have any access to your VPS. We are not actually able to change anything involving your configuration"

    This was essentially the answer I expected to receive from them but I wanted to make sure just in case...

    This is verrrry weird...

    Thank you and have a nice day!
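
A check for the corruption described in this thread, added here as an example and not code from any poster or from WordPress: it scans .htaccess text for a `php_value` or `php_flag` directive preceded by a stray `n` (or a literal backslash-n) and returns the directives the line was meant to hold. The function names and the surrounding sample file content are constructed for illustration; the corrupted line is the one quoted in the first post.

```python
import re

# Directives mod_php accepts in .htaccess; the thread's lines use php_value.
DIRECTIVES = ("php_value", "php_flag")

# A directive name directly preceded by "n" or by a literal backslash-n marks
# the spot where a real newline should have been written.
_SEPARATOR = re.compile(r"(?:\\n|n)(?=(?:%s)\s)" % "|".join(DIRECTIVES))


def repair_line(line):
    """Split one fused line into the separate directives it was meant to hold."""
    return [part.strip() for part in _SEPARATOR.split(line) if part.strip()]


def scan_htaccess(text):
    """Return [(line_number, original, repaired_lines)] for each corrupted line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments cannot break Apache parsing
        repaired = repair_line(stripped)
        if repaired != [stripped]:
            findings.append((number, stripped, repaired))
    return findings


# Constructed sample: a minimal WordPress block plus the corrupted line
# quoted in the first post of the thread.
SAMPLE = "\n".join([
    "# BEGIN WordPress",
    "RewriteEngine On",
    "RewriteBase /",
    "# END WordPress",
    "nphp_value suhosin.post.max_value_length 100000000"
    "nphp_value suhosin.request.max_value_length 100000000",
])

if __name__ == "__main__":
    for number, original, repaired in scan_htaccess(SAMPLE):
        print("line %d is corrupted: %s" % (number, original))
        for directive in repaired:
            print("  intended: %s" % directive)
```

Running the scan from cron against the live file, and recording the file's modification time when it fires, narrows down which request or plugin action rewrote .htaccess.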

