I'm having issues with .htaccess changing itself and causing 500 - Internal Server Errors on my website. This change occurs every second day or so.
My original .htaccess file looks like this:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
And after it changes itself, it looks like this:
# BEGIN WordPress<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Essentially, this line is moved up to the end of the above line:
<IfModule mod_rewrite.c>
Our website was hacked a few weeks ago and used for phishing. Our host shut it down, and we made changes which they felt were good enough to re-open our website. We changed...
Updated to the latest version of Wordpress (we're normally up to date, but were a few days late on this).
Installed two security plug-ins (Better WP Security and Bulletproof Security).
As well as removing a forums plug-in which we believe COULD have been the cause of vulnerability.
Both security plug-ins have now been removed.
I have now changed the permissions on the htaccess file
We can't really afford to have our site go down (500 server error) again. Is there anything I have missed that could be causing .htaccess to get changed? Note: When I replace the changed htaccess file with the original, it fixes the 500 server error.
The problem is probably caused by the interaction between the two security plugins. Maybe disabling one of them will fix the problem.
Another way to secure your htaccess is assigning it to the root user (if you are allowed to) and/or make it read only. Of course it does not solve the underlying problem, but at least the effects are contained.