Enable permalink breaks .htaccess parse

WilliamKF
(@williamkf)

11 years, 12 months ago
I had permalinks not working properly due to Apache server configuration issues. Upon resolving those, the .htaccess created by iThemes Security was not valid and choked on the Tweaks section with entries like:
```
<files .htaccess>
			Order allow,deny
			Deny from all
		</files>
		<files readme.html>
			Order allow,deny
			Deny from all
		</files>
		<files readme.txt>
			Order allow,deny
			Deny from all
		</files>
		<files install.php>
			Order allow,deny
			Deny from all
		</files>
		<files wp-config.php>
			Order allow,deny
			Deny from all
		</files>

		Options -Indexes

		<files xmlrpc.php>
			Order allow,deny
			Deny from all
		</files>
```
I deleted the offending lines, but that seems to have confused the iThemes Security when it goes to edit the file as it still showed these items on and turning them off, I now see this error when I save settings:

The file path entered does not appear to be valid. Please ensure it exists and that WordPress can write to it.

How can I reset the iThemes Security so it works again and how do I keep it from generating .htaccess that Apache says is invalid?

https://ww.wp.xz.cn/plugins/better-wp-security/

Viewing 3 replies - 1 through 3 (of 3 total)

Thread Starter

(@williamkf)

I deleted the plugin and reinstalled it, all worked fine until I did the tweaks section and the .htaccess was edited to add:

# BEGIN Tweaks
		# Rules to block access to WordPress specific files
		<files .htaccess>
			Order allow,deny
			Deny from all
		</files>
		<files readme.html>
			Order allow,deny
			Deny from all
		</files>
		<files readme.txt>
			Order allow,deny
			Deny from all
		</files>
		<files install.php>
			Order allow,deny
			Deny from all
		</files>
		<files wp-config.php>
			Order allow,deny
			Deny from all
		</files>

		# Rules to disable directory browsing
		Options -Indexes

		<IfModule mod_rewrite.c>
			RewriteEngine On

			# Rules to protect wp-includes
			RewriteRule ^wp-admin/includes/ - [F]
			RewriteRule !^wp-includes/ - [S=3]
			RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
			RewriteRule ^wp-includes/[^/]+\.php$ - [F]
			RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
			RewriteRule ^wp-includes/theme-compat/ - [F]

			# Rules to prevent php execution in uploads
			RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

			# Rules to block unneeded HTTP methods
			RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
			RewriteRule ^(.*)$ - [F]

			# Rules to block suspicious URIs
			RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
			RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
			RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
			RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
			RewriteCond %{QUERY_STRING} http\:  [NC,OR]
			RewriteCond %{QUERY_STRING} https\:  [NC,OR]
			RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
			RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
			RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|Ãª|"|;|\?|\*|=$).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
			RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
			RewriteCond %{QUERY_STRING} !^loggedout=true
			RewriteCond %{QUERY_STRING} !^action=jetpack-sso
			RewriteCond %{QUERY_STRING} !^action=rp
			RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
			RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
			RewriteRule ^(.*)$ - [F]

			# Rules to block foreign characters in URLs
			RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
			RewriteRule ^(.*)$ - [F]
		</IfModule>
	# END Tweaks

Which gets errors:

.htaccess: Invalid command ‘Order’, perhaps misspelled or defined by a module not included in the server configuration