.htaccess becomes corrupt
-
Hi,
I have a problem that for some reason the .htaccess file becomes corrupt and this causes the site to stop working. All of the Solid Security bans are not written there, plus once it had also removed the basic .htaccess settings that WordPress adds. This has now happened twice. The site has very high usage, so I wonder if there is some kind of limit on how much info can be written in the file?
I have now disabled the “write to files” but I guess it would be better to have it on, so any solutions to that original problem?
-
Hi @verkkovaraani, we’re here to help!
If Solid Security writing to the .htaccess file keeps getting corrupted, we recommend leaving the “Write to Files” OFF to prevent crashes. I’m unsure if there’s a limit, as we have not replicated this issue on our test environments yet. It’s a bit of a mystery why this sometimes happens in some environments.
Instead, manually add the rules to your config files (which you can grab from the Security > Tools page). Don’t worry, the block and ban lists will still be enforced by the plugin even if this setting is turned OFF.
You can find in this article what features are enforced by .htaccess.
Hope this helps!
I am facing the same issue! the .htaccess file becomes corrupt it removes the basic wordpress settings in the .htaccess file also removes the litespeed caching settings! this is a serious issue you guys must fix this.
@verkkovaraani i also have the Jetpack plugin on my website, do you use it too?
UPDATE: i can’t disable the Write to Files option, when i unckeck the Write to Files option then SAVE, the option is still active can’t disable it!
- This reply was modified 8 months ago by brad1st.
We havent experienced this before December 2023, so I am suspecting that this is related to new version of WordPress and/or Solid security. We do not use jetpack on that site
Hi @verkkovaraani and @brad1st!
We’re definitely keen to fix anything we can from our side.
@brad1st it sounds like your issue is deeper than just this issue, and I don’t want to annoy the thread-starter here (it’ll email them every time we reply) so please start a new thread with your issue. In that thread, I’d love the answer to these questions:
- Is that the only setting that doesn’t save correctly?
- Can you open the developer’s console and see if there are any errors there?
- I would turn on WP_DEBUG and WP_DEBUG_LOG (and turn off WP_DEBUG DISPLAY) and then try to save, and check that error log for clues. See the lines to add to your wp-config.php file at the end of this message.
Back to the original issue: In order to get any traction here, we’ll need to be able to replicate a problem.
First though, let me assure you that turning off Write To Files setting doesn’t make your site less secure, it just makes the process of changing that file more manual. Disabling (by unchecking) the Write To File functionality doesn’t change what’s already written to the file.
We’ve had three reports of this happening over the past few months (and a handful even before the rebrand to SolidWP, so I am not convinced this is a new issue yet) 3 reports for a plugin of 900,000+ installs is so insignifcant in terms of percentage that it’s got me thinking it’s going to be extremely difficult to isolate.
My hunch at this point is something (either something caused by Solid Security, or some other process on the site, some other site on the shared server, or something!) is causing the plugin to stop right in the middle of writing to that file, which is causing it to be malformed, which is in turn causing it to erase itself, or something.
Like I said initially: the first step is reproducing it. Today I spent time on 4 different test sites with various servers (NGINX, Apache, PHP versions 7.2 all the way to 8.2) and I can’t get it to fail in the ways that are being described in the thread.
Until I can see it happening, I’m stuck.
Here’s those DEBUG lines to add to wp-config.php:
// Turn debugging on define('WP_DEBUG', true); // Tell WordPress to log everything to /wp-content/debug.log define('WP_DEBUG_LOG', true); // Turn off the display of error messages on your site define('WP_DEBUG_DISPLAY', false); // Hide general PHP errors @ini_set('display_errors', 0);
One thing I’ve never understood is why the Solid Security plugin flush-files cron job writes to the server configuration file every hour, even when there are no changes. (So when there are no changes, the server configuration file still gets completely rewritten every hour).
In my perception, the less times there is being written to the server configuration file the lower the risk of breaking stuff. If it works and there are no changes, don’t touch it. Just let it be.Can we optimize the flush-files cron job to check hourly whether there are any changes and if so only then write to the server configuration file?
I’m not saying this will 100% solve the issue as reported in this topic. But again, less unnecessary writing means less risk of breaking the server configuration file.
Hi @nlpro, I’ve heard back from our lead developer regarding your suggestion on optimizing the flush-files cron job, and the short version is that the team is considering exploring this path in the future and has moved the request into the backlog.
The longer version is that the flush-files cron job writing hourly to the config file wasn’t how the plugin was initially architected. According to the state of Solid Security’s settings and configuration, the system knows what the config file should look like at any given time. Scheduled updates mean the file will be “healed” if it falls into an improper state.
I hope this answers your question!
We have now also had this in the last couple of weeks across 3 x sites, so will look to change the Write to Files setting for now, but of course would be great for this to be addressed generally as we’ve never had this before. Many thanks!
Thank you for your feedback.
Please navigate to Security > Dashboard and count the number of IPs in the Banned IPs card. By default the SolSec plugin writes max 100 banned IPs to the server configuration file. Perhaps it may help to lower that number. It probably depends on your current IP count in the Banned IPs card. If the count turns out to be low (< 30) you can simply forget/ignore this post 😉
- This reply was modified 7 months, 2 weeks ago by nlpro.
I would like to give you some insight into this .HTACCESS corrupting issue (which causes the 404 issue on other pages besides the home page), so forgive me for necroing this post.
This has been a recurring problem since the days of iThemes Security and WP 6.0. It appears to occur just after WordPress performs a minor security update.
While Solid Security completes writing it’s HTACCESS code, nothing else has a chance to write it’s own code to the file. For example, WordPress itself, along with plugins such as WPML, WordFence, and caching plugins. Basically anything that will write to the file.
It’s possible that the server times out, just stops processing the update script, or has crashed before the WP permalink structure can be rewritten to the file.
I can typically gauge when this issues happens, because every one of my client’s websites usually takes a dive, one after the other. When this issue starts, it’s always after a minor security update from WordPress, and it’s always the same issue; only iThemes code in the HTACCESS, as it has the highest priority when writing to this file.
I hope this helps.
@solcryss What you described just now is exactly the problem I am facing aswell with one of my websites, I run about 20 websites but only one has this problem, even though they all have Solid Security plugin. Only my homepage stays functioning but every other page or product gives a 404 error, I can temporarily fix it by double-saving permalink settings however I can’t stabily run ads for this website as I never know when it’s working properly or when it’s not. I will try the above reccomendations however I’m affraid it won’t make much of a difference, I already tried to change the permissions for the httacces and change certain code in there but once again all the “solutions” were only temporary.
We have has this issue for years. But it’s very intermittent. For example, one today, the iThemes code doens’t finish after SetEnvIF below.
... SetEnvIF REMOTE_ADDR "^222\.73\.22\.8$" DenyAccess SetEnvIF X-FORWARDED-FOR "^222\.73\.22\.8$" DenyAccess SetEnvIF X-CLUSTER-CLIENT-IP "^222\.73\.22 # BEGIN WordPress # The directives (lines) between "BEGIN WordPress" and "END WordPress" are # dynamically generated, and should only be modified via WordPress filters. ...
- This reply was modified 4 months ago by THRIVE - Web Design Gold Coast.
- You must be logged in to reply to this topic.