Can’t make changes to .htaccess

  • Resolved bekokstover

    (@bekokstover)


    2 years, 5 months ago

    I’m trying to set up Wordfence, but keep getting the message that Wordfence can’t make changes to my .htaccess file. Looked into the permissions in my provider’s File Manager, but I am not getting anywhere. Can I manually change the .htaccess file to continue with the install? I’m afraid my website is already compromised in some way.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @bekokstover, thanks for getting in touch.

    On some servers running CGI/FastCGI, and possibly other configurations, you could use FTP or a file manager to access your .htaccess file in the root directory and make sure this code is input:

    # Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF

    Then also, in the same directory, edit your .user.ini file with this code:

    ; Wordfence WAF
auto_prepend_file = '/your/path/to/wordfence-waf.php'
; END Wordfence WAF

    Make sure to change the path above with the one where wordfence-waf.php actually resides.

    Once you have this code in place, your firewall should be optimized. If you visit your Wordfence > Firewall page, you should see 84% (which is the max a free customer can reach).

    There is some more information around adding this code and how to manually optimize the firewall here: https://www.wordfence.com/help/firewall/optimizing-the-firewall/#firewall-optimization-setup

    Let me know if you have any further questions!

    Peter.

    Thread Starter bekokstover

    (@bekokstover)

    Thank you, Peter.

    I see now that I overlooked the option to set things up manually. My site doesn’t have a user.ini, but I found my way via php.ini.

    Wordfence is already reporting many errors and possibly infected files though, and it even look like changes to .htaccess are being reverted. I’m afraid to simply delete the infected files – what would be my next line of action?

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bekokstover,

    You could send us an example of some of the results you’re seeing. Before attempting to clean any files it’s always a good idea to take a site backup in case something breaks.

    If you do have evidence of a breach, I can provide site cleaning instructions for you here, although without seeing the results I’m not sure if they’re necessary, but don’t want to delay getting that information to you.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Peter.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Can’t make changes to .htaccess’ is closed to new replies.