Support » Fixing WordPress » Litespeed vs Nginx vs Apache (htaccess malware?)

  • petevskal

    (@petevskal)


    hello I am reading on Reddit that .htaccess Apache files can be dangerous for WordPress hosting because they can be hacked from malware……

    And, that Nginx does not have the hacking risk because no .htaccess files.

    means it is the same with Litespeed servers, can be hacked from the same malware attacks that Apache servers got?

    if that is true so Nginx is safer for all WP hosting? and why don’t every hosting company use Nginx if that can avoid attacks…

    • This topic was modified 1 year ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Rep

    >> I am reading on Reddit that <<

    If it’s on the internet, must it be true. What you’re asking about is not the case.

    There are many vectors for hacks. Yes, some malware may add stuff to .htaccess, but malware may also mess with WP’s own files or add files to your site. Nginx is somewhat more efficient that Apache and that’s why many hosts use it.

    Moderator Yui

    (@fierevere)

    ゆい

    LiteSpeed DOES support user-side configuration using apache-syntax .htaccess

    So if you meant malware redirects using .htaccess – that workk work on LiteSpeed too (not Open LiteSpeed, which has limited functionality).

    Also regarding Nginx, many hosters are using Nginx as reverse proxy to Apache,
    so all features of Apache are supported by Apache which runs behind Nginx.

    Pure Nginx lacks user-side configuration and therefore many hosters dont use it,
    only if they can offer specialized plans, where they can predict user htaccess configuration rules.

    corrinarusso

    (@corrinarusso)

    Never heard of this.
    Can you provde the Reddit link? Seems very fishy.

    You don’t have to use the directives in the .htaccess file at the root.
    You can configure the server to use it somewhere else.
    But, it would be a pain and out of process imo.

    Thread Starter petevskal

    (@petevskal)

    LiteSpeed DOES support user-side configuration using apache-syntax .htaccess

    So if you meant malware redirects using .htaccess – that workk work on LiteSpeed too (not Open LiteSpeed, which has limited functionality).

    Okay so Litespeed and Apache got the same vulnerability about .htaccess hacking?

    because I had some cPanel sites before got totally 301 redirected from that type of malware hack and SEO was destroyed for a while

    everyone on Facebook said Litespeed was better but seems the same risk like if my customer installed some bad quality WP plugins it can happen again because Litespeed allowed WordPress plugin to edit .htaccess rules, same as Apache seems…..

    Moderator Yui

    (@fierevere)

    ゆい

    It is not to be called vulnerability, it is a software feature, to allow user supplied configuration. In both, apache and litespeed, it can be disabled using system administrator supplied config (while nginx is using ONLY sysadmin supplied config), but it is intentionally enabled by webhosting provider to allow flexible configuration.

    In other words – it is not a vulnerability at all, in fact many features can be abused by malware.
    I.e. executing user supplied scripts (ex. PHP),
    imagine – webserver will execute user supplied code! (Thats even bigger “vulnerability”) but you will not run WordPress or any other CMS without that possibility.

    So please, take things as they should be and as they are. It is not a vulnerability and it is not a problem, try securing your site properly
    you can start with this article

    Hardening WordPress

    My client’s Litespeed server also had this malware problem in .htaccess (redirecting his site to Adult spam) and I had to clean it many times.

    I really don’t know what is causing the repeat malware infection, it seems to affect only .htaccess and not plugins or themes.

    And he is using managed Litespeed hosting who does a lot of advertising online, not self-hosting (so I assume their hosting should be strong security).

    https://wordpress.org/support/topic/litespeed-htaccess-getting-malware-constantly/

    Advice always appreciated.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Litespeed vs Nginx vs Apache (htaccess malware?)’ is closed to new replies.