• Resolved G

    (@gnetworkau)


    Hello, the plugin works fine. There is one niggling problem that I would like to get rid of. The plugin adds the following entry to my .htaccess file:

    # BEGIN MainWP
    # The directives (lines) between <code>BEGIN MainWP</code> and <code>END MainWP</code> are
    # dynamically generated, and should only be modified via WordPress filters.
    # Any changes to the directives between these markers will be overwritten.
    
    # END MainWP

    I usually have my .htaccess permissions set to read only, but sometimes I make edits and leave it writable – thats when MainWP likes to insert that code.

    I don’t want ANY plugins writing to my .htaccess as I view it as a security vulnerability.

    Please can you post the code that I could add to functions, so that my .htaccess is not touched? Thankyou.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @gnetworkau, I am not sure if something like this can be done via functions. I made a quick research and found how other users handle this, please see here.

    Thread Starter G

    (@gnetworkau)

    On the page link you gave, I already use those suggestions.

    As stated above, the problem occurs when my .htaccess is left “unprotected”.
    MainWP is the only plugin I have that keeps doing this.

    If you have no suggested function, can you at least point me to the code that generates the htaccess entries, I will dig in and do it myself.

    Thread Starter G

    (@gnetworkau)

    Ok, don’t worry about it. I have further locked things down.

    MainWP has too many references to htaccess in the code.

    I think that any plugin that creates/modifies .htaccess should come with a warning. The .htaccess file is part of the Apache server configuration, NOT the web application, even though it can be used by it.

    The problem comes when the 0-day exploit overpowers the plugin, and the controller (hacker) realizes he has write access to .htaccess too. Now he opens more “doors” and eventually OWNS the server.

    • This reply was modified 1 year, 6 months ago by G.
Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘How to stop .htaccess modification?’ is closed to new replies.