• Resolved ctenos

    (@ctenos)


    [ Moderator note: moved to Fixing WordPress. ]

    After reading these forums and a bunch of external pages, I’m uncertain – and very afraid of making a mistake that will open the site to hackers.

    Background 1: I recently consolidated several independent sites (call them domain1.com, domain2.com etc.) as add-ons to one new shared-hosting domain (call it maindomain.com).

    Background 2: Spambots and other nasties hit my site constantly. Recently, began having 508 error site closures due to too many entry processes, physical memory overuse and such. Host has killed “zombie processes” each time to restore service, but I have no idea what the faulty processes or attacks might be. NewStatPress and the cPanel Visitors log all show only about one-per-minute hits (some from bad bots), and not the thousands the host claims to see. So I don’t even know how to tell if I’m being attacked, or by what/whom.

    Background 3: I routinely monitor NewStatPress for suspicious activity, and add bad IP addresses to All In One WP Security’s blacklist manager. When several close addresses show up, I used wildcards to blacklist whole ranges. Also use IQ Block to block the countries from which the worst offenders seem to come. Nonetheless, NSP and cPanel logs show steady hits from banned addresses. I’m *hoping* that that means they hit but were blocked.

    There are currently several .htaccess files in various places in maindomain.com. Most of them are under 300 bytes. The big one (60 kB) with all the blacklist information is in a directory I’ll call public_html/domain2.com/blogname – in other words, the main WP install folder. Articles seem to indicate that a hit anywhere in the site will reach an .htaccess file wherever it may be.

    So, the big questions:

    – If there are smaller .htaccess files in home/maindomaincom, home/maindomaincom/public_html and several deeper places, will these just add their own directions/protections, or will they interfere with the one containing the blacklist?

    – Should I delete all but the main one? If so, should I move it somewhere higher in the file structure so it covers all the sites? I have one other WP install in another add-on domain, call it domain3.com. If I put the big .htaccess file above where the domains are separate – say, in public_html or even the root home/maindomaincom – will it apply the same blacklists to all my sites? That would make life a lot easier!

    Thanks so much for reading all this (if anyone does) and for whatever guidance you can offer.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    Should I delete all but the main one?

    Yes, I’d say just to make things less confusing, keep everything in one .htaccess file in the domain’s root. This will apply to all lower directories on the same domain.

    Additionally, 60kb is quite large for a .htaccess file, that’s a lot for the server to process before the incoming visitor is allowed to access the site. You can probably cut down on a lot of those blocked IPs by just blocking the bad behavior in general.

    Plugins like https://www.ads-software.com/plugins/block-bad-queries/ and https://www.ads-software.com/plugins/better-wp-security/ will help with that.

    • This reply was modified 7 years, 9 months ago by James Huff.
    Thread Starter ctenos

    (@ctenos)

    Much obliged for this help, James. I have renamed all of the .htaccess files in the line from site root (/home/maindomaincom/) down through public_html/domain2.com/blogname, leaving only the one in public_html/domain2.com (asterisks below). Is that what you meant by the domain’s root? Just for clarity, the File Manager tree looks like this:

    – /home/maindomaincom
    -.- /home/maindomaincom/public_html
    -.-.- /home/maindomaincom/public_html
    -.-.-.- /home/maindomaincom/public_html/domain1.com [a simple static site]
    -.-.-.- /home/maindomaincom/public_html/domain3.com [another WP install]
    -.-.-.- /home/maindomaincom/public_html/domain2.com [index page for site]**
    -.-.-.-.- /home/maindomaincom/public_html/domain2.com/blogname [WP install with issues]

    And if it is correct, will that .htaccess also protect domain3.com, in a parallel branch of the file structure?

    I have been using iThemes security (=BWPS) for a couple of years, but apparently it can’t handle whatever’s going on, or I have it configured wrong. Will add BBQ when I next regain access to my blog’s backend.

    Most of the 57 kB .htaccess file is lists of banned IPs. However, there seem to be two redundant lists, of the form “Deny from aa.bb.cc.dd” and “Require not ip aa.bb.cc.dd” – and both seem to come from All In One WP Security. Can I safely delete one list?

    Apologies for mis-statements made in ignorance – this all seems pretty mysterious, even with forums and web tutorials!

    • This reply was modified 7 years, 9 months ago by ctenos.
    Moderator James Huff

    (@macmanx)

    In most server configurations, .htaccess files are specific to the domain, so where you have it now under /home/maindomaincom/public_html/domain2.com will only protect domain2.com, it will not protect the others. Each domain will need its own .htaccess file.

    On the All In One WP Security question, I recommend asking at https://www.ads-software.com/support/plugin/all-in-one-wp-security-and-firewall so the plugin’s developers and support community can help you with this.

    Thread Starter ctenos

    (@ctenos)

    Thanks for all that, and wilco.
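
An added example, not part of the original thread or of any plugin's code: a Python sketch that audits a blacklist-style .htaccess like the one discussed above, reporting which addresses appear in both the `Deny from` form and the `Require not ip` form, and collapsing the combined set into CIDR ranges to show how far the list could shrink. The sample file contents and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample using the two directive forms quoted in the thread
# (addresses are from the reserved documentation ranges).
SAMPLE = """\
Deny from 203.0.113.4
Deny from 203.0.113.5
Deny from 198.51.100
<RequireAll>
Require all granted
Require not ip 203.0.113.4
Require not ip 203.0.113.5
Require not ip 192.0.2.77
</RequireAll>
"""

DIRECTIVE = re.compile(r"^\s*(Deny\s+from|Require\s+not\s+ip)\s+(.+?)\s*$", re.I)

def to_network(token):
    """Parse '1.2.3.4', '1.2.3.0/24' or a partial address such as '1.2.3' (IPv4 only)."""
    if ":" in token:
        raise ValueError("IPv6 is not handled in this sketch")
    if "/" not in token:
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(token, strict=False)

def audit(text):
    """Return entries present in both lists, in one list only, and the merged set as CIDRs."""
    deny, require = set(), set()
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        bucket = deny if m.group(1).lower().startswith("deny") else require
        for token in m.group(2).split():
            try:
                bucket.add(to_network(token))
            except ValueError:
                pass  # 'all', hostnames, env= and IPv6 entries are skipped
    return {
        "both": sorted(deny & require),
        "deny_only": sorted(deny - require),
        "require_only": sorted(require - deny),
        "collapsed": list(ipaddress.collapse_addresses(deny | require)),
    }
```

Entries under `deny_only` or `require_only` are the ones that would stop being blocked if the other list were deleted, so they are worth checking before removing either list.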

  • The topic ‘Multiple .htaccess files: which to keep, where to put?’ is closed to new replies.