iThemes Security (formerly Better WP Security)
I just narrowed it down to the rewrite rules of my htaccess file (2 posts)

  1. xondra
    Member
    Posted 1 year ago #

    So, my site crashed after upgrading this plugin. My site was down for a whole night since no support was ever made available. I had a copy of htaccess on my computer so, since I've no tech skills to speak of, I thought of simply replacing the new one with the old just for the shit and laughs.

    It worked.

    Now I can access my dashboard and everything, but it's still kind of wonky. Wonky in that I get my login page and a 404 in the same window (the 404 is sort of a footer in this case).

    I thus managed in a very empirical way to narrow the issue down to the rewrite rules which now look as follows:

    # BEGIN Tweaks
    # Rules to block access to WordPress specific files
    <files .htaccess>
        Order allow,deny
        Deny from all
    </files>
    <files readme.html>
        Order allow,deny
        Deny from all
    </files>
    <files readme.txt>
        Order allow,deny
        Deny from all
    </files>
    <files install.php>
        Order allow,deny
        Deny from all
    </files>
    <files wp-config.php>
        Order allow,deny
        Deny from all
    </files>

    # Rules to disable directory browsing
    Options -Indexes

    <IfModule mod_rewrite.c>
        RewriteEngine On

        # Rules to protect wp-includes
        RewriteRule ^wp-admin/includes/ - [F]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
        RewriteRule ^wp-includes/[^/]+\.php$ - [F]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
        RewriteRule ^wp-includes/theme-compat/ - [F]
    </IfModule>
    # END Tweaks

    I leave this here for developers in the hope they might fix this issue, since renaming my wp_content folder doesn't allow me to just delete the plugin and go on with my life. Btw, that option (change wp_content name) is missing from the dashboard.

    Greetings,

    Xondra

    https://wordpress.org/plugins/better-wp-security/
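
How the Tweaks block posted above decides which requests get a 403, modelled in Python as an added example (not part of the original post and not the plugin's code). The function name `evaluate` and the `docroot` value are assumptions made for the illustration; the sample paths are constructed.

```python
import posixpath
import re

# <Files> sections in the posted block; Apache matches these on the file's basename.
DENIED_FILES = {".htaccess", "readme.html", "readme.txt", "install.php", "wp-config.php"}

# RewriteRules in posted order: (negated, pattern, negated RewriteCond or None, flag).
RULES = [
    (False, r"^wp-admin/includes/", None, "F"),
    (True, r"^wp-includes/", None, "S=3"),
    (False, r"^wp-includes/[^/]+\.php$", r"^(.*)wp-includes/ms-files.php", "F"),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", None, "F"),
    (False, r"^wp-includes/theme-compat/", None, "F"),
]


def evaluate(path, docroot="/var/www/html/"):
    """Return 403 if the posted rules forbid `path`, else None (request passes on).

    docroot is an assumed filesystem prefix used to build SCRIPT_FILENAME.
    """
    path = path.lstrip("/")  # per-directory rules see the path without a leading slash
    if posixpath.basename(path) in DENIED_FILES:
        return 403
    skip = 0
    for negated, pattern, not_cond, flag in RULES:
        if skip:  # a preceding [S=n] told mod_rewrite to jump over this rule
            skip -= 1
            continue
        matched = bool(re.search(pattern, path)) != negated
        # A RewriteCond guards only the rule that follows it; here it is negated (!).
        if matched and not_cond and re.search(not_cond, docroot + path):
            matched = False
        if not matched:
            continue
        if flag == "F":
            return 403
        skip = int(flag.split("=")[1])
    return None


if __name__ == "__main__":
    for p in ["/wp-login.php", "/wp-includes/version.php", "/wp-includes/ms-files.php",
              "/wp-admin/includes/file.php", "/wp-includes/js/jquery/jquery.js",
              "/wp-admin/install.php", "/wp-includes/theme-compat/header.php"]:
        print(f"{p:40} {evaluate(p) or 'pass'}")
```

The model covers only the directives shown in the post; rules elsewhere in the same .htaccess file (WordPress's own permalink block, other plugin sections) are outside it.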

  2. xondra
    Member
    Posted 1 year ago #

    Hiding the backend def has something to do with the issue. Disabling the URL protect option (wherein an attacker cannot execute scripts via URL) also seems to help or to be involved in this.

Topic Closed

This topic has been closed to new replies.
