.htaccess file mysteriously emptied of code

  • Resolved barnez

    (@pidengmor)


    9 years, 9 months ago

    I was alerted to an issue today when a site returned 404 errors for all pages except the homepage. Troubleshooting led to the .htaccess file in the root, which was completely empty of code, and with a timestamp of last being edited at 05:30 today. The only plugin which writes to the file is Wordfence, and I added other security rules including the 5G Firewall some time back. I’ve checked the access logs and nothing is showing around that time, nor have any other site files been edited (Ninja Firewall has a file check feature). A scan with Securi site check and Wordfence comes up clean, and after restoring the .htaccess file from a backup everything is functioning as normal. However, this is a weird issue. Has anyone experienced this before, or have any suggestions on what could have caused it?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    Without matching data from the logs, it could be anything: a plugin, the server itself, something malicious, etc.

    At the moment, I wouldn’t worry unless it happens again, but you may want to implement some (if not all) of the recommended security measures just in case.

    Thread Starter barnez

    (@pidengmor)

    Hi James,

    Many thanks for getting back on this. The site is pretty secure as I’ve implemented all of the Hardening WordPress recommendations from the codex, plus using the 5G Firewall I mentioned, the Ninja Firewall and Wordfence for scans. I try and take site security pretty seriously :).

    The advice about checking the server logs was excellent by the way, as there is a string of activity at the 05:30 timestamp essentially from 2 x IPs which have both been included on IP blacklists for suspicious activity and are making multiple GET POST request for the fckeditor in the following directories:

    /admin/
    /common/
    /scripts/
    /js/
    /system/
    /systemadmin/
    /common/

    The fckeditor is not installed as a plugin, and I am looking into the logs in detail with the firewall plugin editor, but wanted to say thanks again for your response and pointing me in a valuable direction!

    Moderator James Huff

    (@macmanx)

    You’re welcome!

    None of those accesses would have resulted in the .htaccess file changing, but they’re definitely snooping around in places they shouldn’t be. ??

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘.htaccess file mysteriously emptied of code’ is closed to new replies.

Tags