I’m having the same problem – it’s happening about once a day and is driving us nuts.
Have wordfence enabled without caching, super cache enabled with caching, and WP REST API and WordPress OAuth Server are all the only ones i think that touch htaccess.I’m having the same problem – it’s happening about once a day and is driving us nuts.
Have wordfence enabled without caching, super cache enabled with caching, and WP REST API and WordPress OAuth Server are all the only ones i think that touch htaccess.
meijin2k:
Sorry to hear this — are you getting the “500” server errors repeatedly, or only the first time when the .htaccess file got to be extremely long?
If you are still trying to track down when it happens, you might be able to match the timestamp on the .htaccess file with a visit (or a few visits) around the same time in your site’s access log file. If you know where to find the log, that may help narrow it down, if there is anything odd.
Or, if you just want the problem to stop, you can temporarily switch to “Basic Caching” on the Performance Setup page, at least while we investigate. If Falcon is causing it, I want to solve the problem of course, but not by testing it on your live site, if possible!
Also, are you using any of the plugins mentioned in thelanj’s post, above? I’m only asking in case they don’t write anything to .htaccess with your particular settings, but they may still read and rewrite the file.
thelanj: Thanks for the input — I know of one open issue where .htaccess is written when Wordfence’s Falcon cache is not enabled, but that is only triggered once when a new URL is added to the “Immediately block IP’s that access these URLs” option, and I don’t think it duplicates the standard WordPress .htaccess code. (If you’re not editing that field daily, and don’t have Falcon enabled, this may be a different issue.)
Just wanted to add that after having the htaccess file changed 3 times now, it has not reoccurred over the last 24 hours or so. The last time it happened, I just deleted the offending and repeated “code” and resaved the file. I have changed nothing else on the site. So far, nothing has repeated. So, kind of scratching my head over this one…
Ok, thanks — if it does happen again, if you can note the timestamp that .htaccess changed, and find the visits for the same time period in your site’s access log, that could help track down the cause.
Let me know also if you have a chance to check your plugins against the list from the user thelanj, above, to see if there is any similarity. Thanks!
Matt, while I do have alot of plugins active, none are in the list that thelanj has posted above.
Thanks again — I will try some testing here with what I know so far, but if you (or thelanj) can save the site’s access log and note the date/time of the .htaccess file the next time it happens, that would be a big help.
You can email me the access log, or a portion of it (and note the timestamp that was on .htaccess) if you don’t mind sharing it, just so it is not available publicly here with IP addresses and information about your site. My email address is: mattr [at] wordfence.com
Please include a link to this post if you email me, too.
Otherwise, if you can post the lines that were a few minutes before and after the time, that may be good enough, but you might want to remove any identifying information. (If it’s long, use a site like pastebin, and just post the link here.)
-Matt R
Well, I spoke way too soon I guess. After about 48 hours of nothing happening, I thought the issue was resolved. Then, this morning, it hit again with a fury. I caught it before it generated a 500 Internal Server Error. Deleted the repeated code and re-saved. Then, while in chat with my host to see if they could help me set up something to see when the htaccess file was being modified (and hopefully where the modification was coming from), it happened again. I have to say, I have reached my level of incompetence. I have grabbed everything that I could and will email it to you Matt.
At this point, I have turned off all caching via Wordfence/Falcon. I was a little concerned that the htaccess file did not have any of the Wordfence/Falcon “code” removed from it. So, I just replaced it with a standard WordPress htaccess file.
The only thing that I saw was odd was that I saw an absolute TON of hits in the log file from Pingdom. Quite some time ago, I set up a free “uptime monitor” with them. On the off chance something strange was going on, I deleted that monitor with them. There was also something in the error log from Auttomatic that referenced blocked access to htaccess. Not sure why that would be happening. I do use their VaultPress service, so I am going to email them and see if they can tell me what is going on. So Matt…and email coming soon.
ps – I should add that I did a full Wordfence scan and found nothing out of the ordinary there.
Thanks.
Ok — I’ll look for your email soon. I don’t see anything yet, so if you have already sent it, there may be an issue with attachments. (If so, send me a plain email, and we can work out another way to transfer the files.)
It’s strange too that the Falcon code wouldn’t be removed when disabling caching, so there may be something more to it, but I’ll see what I can find from your log files.
This might help, since it might be a “fail” of code attempting to do what was happening to my sites.
My htaccess file was getting written back to default on several websites on the same host. WordPress reported modified nav-menu files, which I corrected and did extra scans for infections. After I thought everything was clear, it continued to happen. More scans, including scanning files outside wordpress and scanning picture files as executable found more. Two of the files were infected image files. Using the date of infection, I found additional modified files. (I still don’t know how the original infection occurred.)
The code resetting the htaccess was mostly in the nav-menu and chmods the index.php and htaccess files to 644 and then back to 444. I’m not entirely proficient in php, but it also appears to read the directories and send files to a remote server.
Hey Matt…sorry about the delay in getting the email to you. I am going to do that in just a bit. Juggling several projects at the moment, so I am spread a little thin at the moment.
In addition to you looking at that info I am going to send (and I thank you for that), I am considering just deleting Wordfence and then using a plugin called Plugins Garbage Collector which does a good job of cleaning up left over remnants of plugins and then reinstalling from scratch and see how that goes. I was wondering what your thoughts were on this?
Thanks and that email will be headed your way soon.
Michael
Thanks again for the details.
We got some input from another person on this too, and it looks like Falcon will need some changes. It seems that very fast login attempts are causing .htaccess to be written too many times very close together, which is causing the problem on certain servers.
For anyone that is having the same problem, you should temporarily disable Falcon caching. Basic caching should not be affected, since it does not use .htaccess for this.
Thank you everyone, for all of the details you have sent. This will be fixed in a future version of Wordfence.
-Matt R
FB912
