The Situation: Shared hosting environment
File structure (my first time on share hosting so I don't know if it is the same everywhere) is such that:
1) As usual .htaccess is in folder named /home/usrname/public_html
2) The WordPress installation for the FIRST registered domain goes there too.
3) Subsequent addon domains go in /home/usrname/public_html/www/site url without www (ex. sitename.xxx) - Note, this is a sub-directory of public_html.
The Issue / Offending Line of Code:
1) .htaccess files are recursive.
2) The htaccess modifications included in a standard AIOWPS_FIVE_G_BLACKLIST installation includes, under 5G:[REQUEST STRINGS], the following line:
RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
This line, I'm not a programmer so if I'm wrong don't yell at me, seems to be protecting the site from injections by redirecting requests to executables to a 403 - Page Not Found error.
Because of the shared hosting environment and the recursive nature of .htaccess files, this line of code prevents calls to executables in the sub-directories housing the content of other sites.
The Proposed Solutions by my Hosting Provider:
"...line 202. If you are ok with disabling this line, then your addon domains will start functioning properly.
If you don't not wish to remove this line, the only option would be to change the document root for the addon to be outside of public_html. (For example, /home/usrname/sitename.xxx/ instead of /home/usrname/public_html/sitename.xxx).
The Potential Issues with the Proposed Solutions
1) Disabling the offending line of code would leave the site (I think, am not sure) potentially open to executable injections.
2) Moving the document root for the addon domain outside of public_html would make it no longer subject to the .htaccess rules of the folder (a good thing),
I would need to adjust any code that looks at
/home/usrname/public_html/sitename.xxx directly if you chose this option.
The Bottom Line Question
Each of my addon domains is a WordPress installation.
I am not a WordPress "guru."
Would moving these files outside of public_html totally destroy the functionality of a WordPress installation?
Which is the better alternative; and if it's option 2, moving the document root for the addon domains, what would be required in order to bring the sites into line with the WordPress Codex?
That's the whole story. I thought it would be good to ask / post here in case anyone else is attempting to use the 5G Blacklist option of AIO in a shared hosting environment.
All feedback welcome.