• I’m not sure if this is related to updating the plugin, to updating its settings or to both, but on many sites, I see the following comment lines being added into .htaccess, sometimes more than 20 times:

    # BEGIN iThemes Security – Do not modify or remove this line
    # iThemes Security Config Details: 2
    # Quick ban IP. Will be updated on next formal rules save.
    # END iThemes Security – Do not modify or remove this line

    They serve no purpose and are eventually followed by the actual block of directives that should be there, so it’s more of a nuisance than a problem, but it makes .htaccess files unnecessarily large.

    https://wordpress.org/plugins/better-wp-security/

Viewing 4 replies - 1 through 4 (of 4 total)
  • @gal Baras

    I noticed similar behavior in this topic.
    It could be something specific on those envs which is causing it.
    On the other hand it could also be a bug.

    Would it be possible to test the plugin in one of those envs with only the iTSec plugin installed/activated and Twenty Sixteen theme active?

    Additional note:

    The issue does seem to be specific to banning.
    So tests should be performed where invalid logins and/or too many 404s ultimately lead to IP bans.

    dwinden

    Thread Starter Gal Baras

    (@galbaras)

    @dwinden

    I don’t think these are the same issues, because I’m just getting comments. I’ve had cases after an update that blocked sites, but these were quickly fixed.

    The only thing that could be special about my environment is LiteSpeed. I use Genesis+child on some of them and that’s a pretty standard theme setup.

    Are you thinking this happens when something is banned (added to the ban list)? In my case, the bans are listed way below where the comments are added.

    I’ve just tested simply saving the plugin settings and all the comments at the top disappeared. When comparing the date and time on .htaccess with the first invalid login attempt of the last banned IP, they seem to match, so maybe you’re right.

    Maybe something remains in some buffer or the directives are appended to a string, instead of being assigned to that string?

    Cheers,
    Gal

    @gal Baras

    Yes they are. And no it is not just comments. It looks like it is just comments. But it’s actually an identical quick ban with a LiteSpeed bug that prevents the actual ban lines from being included as well …

    The get_prepared_modification() function from the class-itsec-lib-config-file.php file wraps any iTSec plugin .htaccess modification in BEGIN/END comments.
    The start comment is:

    # BEGIN iThemes Security – Do not modify or remove this line
    # iThemes Security Config Details: 2

    The end comment is:

    # END iThemes Security – Do not modify or remove this line

    So that means this comment line must be part of the modification:

    # Quick ban IP. Will be updated on next formal rules save.

    However the Quick ban modification is incomplete due to a bug in the quick_ban() function located in the class-itsec-files.php file.
    The code is only checking for ITSEC_Lib::get_server() to return nginx or apache thus skipping litespeed!

    But this is just a side effect that is distracting us from the real issue.

    To be continued … (other things to do) 😉

    dwinden
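
Added example, not part of the original thread and not iThemes Security code: a Python audit for the symptom described above. It counts the BEGIN/END wrappers in an .htaccess file that hold only comments (each one, per the reply above, a quick ban whose directives were never written) and can strip them while keeping blocks that carry directives. The sample file and its `Deny from 203.0.113.7` line are constructed, and the markers are matched by prefix on the assumption that the file on disk may use a plain hyphen rather than the dash shown in the thread.

```python
import re

# Prefix match, so either dash style after "Security" is accepted.
BEGIN = re.compile(r"^\s*# BEGIN iThemes Security\b")
END = re.compile(r"^\s*# END iThemes Security\b")

def split_blocks(text):
    """Yield (is_block, lines) segments; is_block marks a BEGIN..END wrapper."""
    segment, inside = [], False
    for line in text.splitlines():
        if not inside and BEGIN.match(line):
            if segment:
                yield False, segment
            segment, inside = [line], True
        elif inside and END.match(line):
            yield True, segment + [line]
            segment, inside = [], False
        else:
            segment.append(line)
    if segment:
        yield False, segment  # trailing text, or an unterminated block left as-is

def is_comment_only(block):
    """True when nothing between the two markers is an actual directive."""
    return all(not l.strip() or l.lstrip().startswith("#") for l in block[1:-1])

def audit(text):
    """Return (comment_only_blocks, blocks_with_directives)."""
    flags = [is_comment_only(b) for is_block, b in split_blocks(text) if is_block]
    return sum(flags), len(flags) - sum(flags)

def strip_comment_only(text):
    """Return text without comment-only wrappers; everything else is kept."""
    kept = []
    for is_block, lines in split_blocks(text):
        if not (is_block and is_comment_only(lines)):
            kept.extend(lines)
    return "\n".join(kept) + "\n"

# Constructed sample: two directive-less quick-ban wrappers, then one real block.
def wrap(body):
    return ("# BEGIN iThemes Security - Do not modify or remove this line\n"
            "# iThemes Security Config Details: 2\n"
            f"{body}\n# END iThemes Security - Do not modify or remove this line\n")

SAMPLE = (wrap("# Quick ban IP. Will be updated on next formal rules save.") * 2
          + wrap("Deny from 203.0.113.7"))

print(audit(SAMPLE))
```

A non-zero first value on a LiteSpeed host means those quick bans are not being enforced through .htaccess; run `strip_comment_only` on a copy of the file, not the live one.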

    Thread Starter Gal Baras

    (@galbaras)

    Looks like you’ve hit the nail on the head. Check for LiteSpeed, do the right thing, and voila. No?

  • The topic ‘Extra comment lines added to .htaccess’ is closed to new replies.