• Some features of the iThemes Security plugin cause my site to be unavailable, making it give an Internal Server Error.

    If I delete this section of htaccess my site becomes available again:

    # Rules to disable directory browsing
    		Options -Indexes
    
    		<IfModule mod_rewrite.c>
    			RewriteEngine On
    
    			# Rules to protect wp-includes
    			RewriteRule ^wp-admin/includes/ - [F]
    			RewriteRule !^wp-includes/ - [S=3]
    			RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    			RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    			RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    			RewriteRule ^wp-includes/theme-compat/ - [F]
    
    			# Rules to help reduce spam
    			RewriteCond %{REQUEST_METHOD} POST
    			RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    			RewriteCond %{HTTP_REFERER} !^(.*)cappellaniauniromatre.org.*
    			RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
    			RewriteCond %{HTTP_USER_AGENT} ^$
    			RewriteRule ^(.*)$ - [F]
    
    			# Rules to prevent php execution in uploads
    			RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
    
    			# Rules to block unneeded HTTP methods
    			RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    			RewriteRule ^(.*)$ - [F]
    
    		</IfModule>

    I tried deleting just one section or another inside of this, but the site remains unavailable either with a 500 error code or with a 430 error code (you are not authorized to access). Deleting the whole section causes the site to become available again.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 1 replies (of 1 total)
  • Hey Lwangaman,

    Your post is a little long in the tooth but thought I’d reply anyway.

    Copy / pasting into the .htaccess file straight from the plugin dashboard doesn’t work. You need to clean it up a bit.

    I copy/paste into Notepad++ (or similar) first and eyeball it for missing spaces or other weird characters. Remove the double spacing too as that’s painful.

    In the end there’s usually a line or two that butt up against each other which become a bit more obvious in a colour coded text editor.

    The block I have in my htaccess (using latest version of iThemes Security) looks like this:

    # Rules to disable directory browsing
            Options -Indexes
    
            <IfModule mod_rewrite.c>
                RewriteEngine On
    
                # Rules to protect wp-includes
                RewriteRule ^wp-admin/includes/ - [F]
                RewriteRule !^wp-includes/ - [S=3]
                RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
                RewriteRule ^wp-includes/[^/]+\.php$ - [F]
                RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
                RewriteRule ^wp-includes/theme-compat/ - [F]
    
                # Rules to prevent php execution in uploads
                RewriteRule ^(.*)/uploads/(.*).php(.?) - [F] 
    
                # Rules to block unneeded HTTP methods
                RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
                RewriteRule ^(.*)$ - [F]
    
                # Rules to help reduce spam
                RewriteCond %{REQUEST_METHOD} POST
                RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
                RewriteCond %{HTTP_REFERER} !^(.*).*
                RewriteCond %{HTTP_REFERER} !^https://jetpack\.wordpress\.com/jetpack-comment/ [OR]
                RewriteCond %{HTTP_USER_AGENT} ^$
                RewriteRule ^(.*)$ - [F]
    
            </IfModule>

    Slightly different, but it works for me.
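
The clean-up described in the reply (checking a pasted block for odd characters, missing spaces and lines that butt up against each other) can be automated. This is an added example, not part of either post or of the plugin; the function name `lint_htaccess` and the sample block with its four defects are constructed for illustration.

```python
import re
import unicodedata

# Directive keywords used in the block above; each must start its own line.
DIRECTIVE = re.compile(r"</?IfModule|Rewrite(?:Rule|Cond|Engine)|Options")

# Constructed sample: BOM on line 1, no-break space on line 6,
# two directives fused on line 7, missing space before "-" on line 8.
SAMPLE = (
    "\ufeff# Rules to disable directory browsing\n"
    "Options -Indexes\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteRule ^wp-admin/includes/ - [F]\n"
    "RewriteRule\u00a0^wp-includes/theme-compat/ - [F]\n"
    "RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]\n"
    "RewriteRule ^(.*)$- [F]\n"
    "</IfModule>\n"
)


def lint_htaccess(text):
    """Return (line_number, message) findings for a pasted .htaccess block."""
    findings = []
    for num, raw in enumerate(text.splitlines(), start=1):
        # Anything outside printable ASCII and tab: BOM, NBSP, smart quotes.
        for ch in sorted(set(raw)):
            if ch != "\t" and not (" " <= ch <= "~"):
                name = unicodedata.name(ch, "control character")
                findings.append((num, f"odd character U+{ord(ch):04X} ({name})"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A directive keyword after column 0 means two lines ran together.
        for m in DIRECTIVE.finditer(line):
            if m.start() > 0:
                findings.append((num, f"'{m.group()}' is fused onto the previous directive"))
        tokens = line.split()
        if tokens[0] in ("RewriteRule", "RewriteCond") and len(tokens) < 3:
            findings.append((num, f"{tokens[0]} has fewer than two arguments"))
        elif tokens[0] == "RewriteRule" and tokens[2].startswith("["):
            findings.append((num, "flags where the substitution should be (missing space?)"))
    return findings


if __name__ == "__main__":
    for num, msg in lint_htaccess(SAMPLE):
        print(f"line {num}: {msg}")
```

Running `apachectl configtest` does not parse .htaccess files, so a check like this (or the site's Apache error log after the 500) is what catches a bad paste.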

  • The topic ‘htaccess causing Internal Server Error 500’ is closed to new replies.