Tim S requested this question: wp overwriting .htaaccess file

Asked by:
HubFans / n/a Points
Time:
2015-10-07 9:17 pm EST
Category:
Wordpress
Hits:
64
urls for blogs no longer work: weightlosswestchesterny.com/weightlossblog/ and scarsdaleaikido.com/aikidoblog/ ..htaaccess file is overwritten to allow only default urls and not postname. chaging urls is very bad for seo for obvious reasons.

I spoke with a developer and this is a common problem. your company tried all the basic approaches including testing plugins, checking errant code in wp-config file, looking into themes (twentyfourteen & iconic one). Nothing resolved the issue. There are internal server side problems that should be investigated as the source. Assuming you have other customers with this issue and they are as frustrated in resolving it, you may not hear about it so much in your department because they just leave your company as I would expect to do as well.

The developer explained the standard fixes: set permissions to read only for .htaaccess file which will break whatever is overwriting - then look at your company's logs to see what broke. That is the source of the problem. Your company said no to this fix. The second fix is to set permissions to the .htaaccess file as read only and leave it there so whatever is trying to over-write is blocked. Your company set it to 444 and the file was still over-written and the blogs broke. Currently I have deleted the local .htaaccess file and coded the ones in the folder above to handle the requests. From time to time this thing actually creates a new .htaaccess file locally which then breaks all the urls in my blogs. So the fix your company offered was to sit around and wait for the blogs to break and go in to fix them by hand every time. That doesn't work for obvious reasons.

To ask this user for more information, please first login.

To submit an answer, please login.

ANSWERS

0

arnelc
Staff
17,314 Points
2015-10-07 9:46 pm EST
Hello,

Apologies for the continued problems with your website. When we reviewed your site, it is apparent that your site has been hacked with the same code injection from 3 weeks before. I just went back into your site and found the same hack.

Just to be clear, we did not set your .htaccess file to be read-only. We noticed BEFORE we made any changes that your files were all being set to 444 permissions. We noticed this because whenever we would try to make any changes, they wouldn't save. When I researched to see if anyone had every reported this type of issue before, I found this post that discussed the same thing happening. They described the issue as a hack and that malware should be removed.

Due to the public nature of our forum, we can't discuss specifics of your account. However, you'll need to have a developer clean the hack, make sure your WordPress installation core, plugins and themes are up-to-date. Also, make sure to change your account passwords (cPanel, FTP, WordPress Admin, etc.) as this is standard protocol when you've been hacked.

Apologies again for the continued problems, if you have any further questions or comments, please let us know.

Regards,
Arnel C.

To submit a comment on this answer, please first login.

you are very confused. your company told me when I asked to have the file as read only YOU set it to 444. You also tested for malware and it was negative. if you read the question above you would know that what did happen is the .htaaccess file was generated improperly and/or overwritten sporadically. all aspects of my side of the problem were tested. then when you asked me to contact a developer, you refused to run the tests to find the real problem. I tested it another way. I started a hosting plan at bluehost. I uploaded the databases and wp-content folders. this tests the entirety of my side of the problem. the blogs work perfectly on their platform. lastly, if there was malware on my site, why would I hire a developer to clean YOUR servers. you won't give me access to them. you just clean out everything and I re-upload after I've checked my pc for problems. but in this case, you tested negative for malware and so did I. your only reason to believe there is malware is because you have not properly tracked that your firm put in the 444 permissions.
if you would like to keep your customers going forward, I suggest you handle yourselves differently. as soon as I finish testing a couple more sites on bluehost, I will be shifting my hosting to them. staying with you would put me out of business.
skanney
9 Points

2015-10-17 8:43 pm EST
Hello skanney,

Sorry to hear you are thinking of moving. The hack file that we removed, has been rehacked apparently. That specific file is wp-includes/nav-menu.php Look around line 526 and you will see a block of encrypted code (base64) You can firmly see that line 530 sets file permissions via the chmod command to 0444. Everything in the file from line 503 down is not part of the WordPress file. Any coder can see that the code is different than the standard code in WordPress. If you have a developer or coder on hand, have them take a look.

I did see you are on the current version, but you will need to restore all the core files for WordPress or it will happen again. This can still happen if you decide to move your site somewhere else.

It keeps getting overwritten because there is a back door in the files somewhere. This is not server related, but code related. There are posts about setting the permissions to 444 on the web as well as instructions on how to remove the backdoor that is being used to hack your site. This replaces the core files, which is where the issue lies.

As to account security, we are responsible for the security of the server, the account owner is responsible for the security of the account. Entry into an account via code is not something that is within our scope. Nor is that within the scope of any host. Be sure and ask them up front.

I do apologize you feel this was our issue, but if you take your files as-is to another host you will have the same issue. Please follow the instructions linked above to secure your site, whether you stay here or not. I would hate for you to go through the hassle of moving your sites just to have it happen there and start the cycle over again.

Kindest Regards,
Scott M
ScottM
16,266 Points
Staff
2015-10-19 11:49 pm EST
Want to share this Question?

Related Articles

It looks like there are no related articles.
Would you like to ask a question about this page? If so, click the button below!
Need More Help?

Help Center Search

Current Customers

Email: support@WebHostingHub.com Ticket: Submit a Support Ticket
Call: 877-595-4HUB (4482)
757-416-6627 (Intl.)
Chat: Click To Chat Now

Ask the Community

Get help with your questions from our community of like-minded hosting users and Web Hosting Hub Staff.

Not a Customer?

Get web hosting from a company that is here to help.
}