Title: Internal Server Error with multiple WordPress sites
Last modified: August 21, 2016

---

# Internal Server Error with multiple WordPress sites

 *  [DavidWoods](https://wordpress.org/support/users/davidwoods/)
 * (@davidwoods)
 * [12 years ago](https://wordpress.org/support/topic/internal-server-error-with-multiple-wordpress-sites/)
 * I’m trying to put together two WordPress sites, one for a childhood cancer charity
   ([http://www.badgerchildhoodcancer.org](http://www.badgerchildhoodcancer.org))
   and one for their major annual fundraiser ([http://www.badgersuperhero.com](http://www.badgersuperhero.com)).
   Both sites reside in different directories for the same host provider, (i.e. 
   public_html/wp and public_html/superhero) and each has its own domain name. The
   main site has been up and running for about a year, and I need to get the fundraising
   site up ASAP.
 * I use iThemes Security on both sites. I was about to give up on WordPress because
   of persistent hacking until I discovered this wonderful tool. I’ve got things
   locked down pretty tight.
 * I got the fundraising site working perfectly as a sub-site of the main site (
   i.e. [http://www.badgerchildhoodcancer.org/superhero](http://www.badgerchildhoodcancer.org/superhero))
   while the badgersuperhero.com URL pointed to an old version of the site elsewhere.
   Then I moved the domain name to point to the new site and things fell apart.
 * The HOME page for badgersuperhero.com works correctly. However, when I have WordPress
   properly configured, with the Site Address setting set to badgersuperhero.com,
   all sub-pages give an “Internal Server Error” message. I can only get the site
   to function if I set the Site Address to [http://www.badgerchildhoodcancer.org/superhero](http://www.badgerchildhoodcancer.org/superhero),
   and when I do that, my URLs are incorrect and my SSL doesn’t work right because
   I’m no longer in the badgersuperhero.com domain.
 * I’m here in the iThemes Security forum because my current theory is that the
   .htaccess files for my two sites are conflicting, and the .htaccess files are
   full mostly of code from iThemes Security.
 * I’ve been working on this problem for about two weeks. I’ve exhausted my ISP’s
   support channels (in that they want money to pursue this further, and I am a 
   volunteer with no budget.) The DNS is set correctly, and I have tried every suggestion
   I’ve found on the web for Internal Server Error with no luck. I am at a loss 
   for why the fundraising site won’t work under its own domain name.
 * My three .htaccess files are below. I removed the HackRepair.com Blacklist items
   to save space.
 * Any suggestions or ideas? I really appreciate any help you can offer.
 * David Woods
    Badger Childhood Cancer Network Volunteer Webmaster
 * .htaccess in public_html:

   ```apache
   # BEGIN Better WP Security
   Options -Indexes

   # Begin HackRepair.com Blacklist
   RewriteEngine on
   # Abuse Agent Blocking
   # < list of RewriteCond statements from HackRepair.com removed >
   RewriteRule ^.* - [F,L]
   # Abuse bot blocking rule end
   # End HackRepair.com Blacklist

   <files .htaccess>
   Order allow,deny
   Deny from all
   </files>

   <files readme.html>
   Order allow,deny
   Deny from all
   </files>

   <files readme.txt>
   Order allow,deny
   Deny from all
   </files>

   <files install.php>
   Order allow,deny
   Deny from all
   </files>

   <files wp-config.php>
   Order allow,deny
   Deny from all
   </files>

   <IfModule mod_rewrite.c>
   RewriteEngine On

   RewriteRule ^wp-admin/includes/ - [F,L]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]

   RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
   RewriteRule ^(.*)$ - [F,L]

   RewriteCond %{REQUEST_METHOD} POST
   RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
   RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
   RewriteCond %{HTTP_USER_AGENT} ^$
   RewriteRule ^(.*)$ - [F,L]

   RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
   RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
   RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
   RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
   RewriteCond %{QUERY_STRING} http\: [NC,OR]
   RewriteCond %{QUERY_STRING} https\: [NC,OR]
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
   RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
   RewriteCond %{QUERY_STRING} !^loggedout=true
   RewriteCond %{QUERY_STRING} !^action=rp
   RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
   RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
   RewriteRule ^(.*)$ - [F,L]

   RewriteRule ^signin/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]

   RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
   RewriteRule ^manage/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&redirect_to=/wp/wp-admin/ [R,L]

   RewriteRule ^manage/?$ /wp/wp-admin/?hhxlicg22ebbojgu6pz3f [R,L]

   RewriteRule ^signup/?$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f&action=register [R,L]

   RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-admin
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/wp-login\.php
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signin
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/manage
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org/wp/signup
   RewriteCond %{QUERY_STRING} !^hhxlicg22ebbojgu6pz3f
   RewriteCond %{QUERY_STRING} !^action=logout
   RewriteCond %{QUERY_STRING} !^action=rp
   RewriteCond %{QUERY_STRING} !^action=register
   RewriteCond %{QUERY_STRING} !^action=postpass
   RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
   RewriteRule ^.*wp-admin/?|^.*wp-login\.php /wp/not_found [R,L]

   RewriteCond %{QUERY_STRING} ^loggedout=true
   RewriteRule ^.*$ /wp/wp-login.php?hhxlicg22ebbojgu6pz3f [R,L]
   </IfModule>
   # END Better WP Security

   # BEGIN WordPress
   <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /wp/
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /wp/index.php [L]
   </IfModule>
   # END WordPress
   ```
 * .htaccess file from public_html/wp:

   ```apache
   # BEGIN iThemes Security
   # BEGIN Ban Users
   # Begin HackRepair.com Blacklist
   RewriteEngine on
   # < list of RewriteCond statements from HackRepair.com removed >
   RewriteRule ^.* - [F]
   # END Ban Users

   # BEGIN Hide Backend
   # Rules to hide the dashboard
   RewriteRule ^/manage/?$ /wp-login.php [QSA,L]
   # END Hide Backend

   # BEGIN Tweaks
   # Rules to block access to WordPress specific files
   <files .htaccess>
   Order allow,deny
   Deny from all
   </files>
   <files readme.html>
   Order allow,deny
   Deny from all
   </files>
   <files readme.txt>
   Order allow,deny
   Deny from all
   </files>
   <files install.php>
   Order allow,deny
   Deny from all
   </files>
   <files wp-config.php>
   Order allow,deny
   Deny from all
   </files>

   # Rules to disable XML-RPC
   <files xmlrpc.php>
   Order allow,deny
   Deny from all
   </files>

   # Rules to disable directory browsing
   Options -Indexes

   <IfModule mod_rewrite.c>
   RewriteEngine On

   # Rules to protect wp-includes
   RewriteRule ^wp-admin/includes/ - [F]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
   RewriteRule ^wp-includes/[^/]+\.php$ - [F]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
   RewriteRule ^wp-includes/theme-compat/ - [F]

   # Rules to prevent php execution in uploads
   RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

   # Rules to block unneeded HTTP methods
   RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
   RewriteRule ^(.*)$ - [F]

   # Rules to block suspicious URIs
   RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
   RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
   RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
   RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
   RewriteCond %{QUERY_STRING} http\: [NC,OR]
   RewriteCond %{QUERY_STRING} https\: [NC,OR]
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
   RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
   RewriteCond %{QUERY_STRING} !^loggedout=true
   RewriteCond %{QUERY_STRING} !^action=rp
   RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
   RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
   RewriteRule ^(.*)$ - [F]

   # Rules to block foreign characters in URLs
   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
   RewriteRule ^(.*)$ - [F]

   # Rules to help reduce spam
   RewriteCond %{REQUEST_METHOD} POST
   RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
   RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
   RewriteCond %{HTTP_USER_AGENT} ^$
   RewriteRule ^(.*)$ - [F]
   </IfModule>
   # END Tweaks
   # END iThemes Security

   # BEGIN WordPress
   <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /wp/
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /wp/index.php [L]
   </IfModule>
   # END WordPress
   ```
 * .htaccess file from public_html/superhero:

   ```apache
   # BEGIN iThemes Security
   # BEGIN Ban Users
   # Begin HackRepair.com Blacklist
   RewriteEngine on
   # < list of RewriteCond statements from HackRepair.com removed >
   RewriteRule ^.* - [F]
   # END Ban Users

   # BEGIN Hide Backend
   # Rules to hide the dashboard
   RewriteRule ^/superhero/manage/?$ /wp-login.php [QSA,L]
   # END Hide Backend

   # BEGIN Tweaks
   # Rules to block access to WordPress specific files
   <files .htaccess>
   Order allow,deny
   Deny from all
   </files>
   <files readme.html>
   Order allow,deny
   Deny from all
   </files>
   <files readme.txt>
   Order allow,deny
   Deny from all
   </files>
   <files install.php>
   Order allow,deny
   Deny from all
   </files>
   <files wp-config.php>
   Order allow,deny
   Deny from all
   </files>

   # Rules to disable XML-RPC
   <files xmlrpc.php>
   Order allow,deny
   Deny from all
   </files>

   # Rules to disable directory browsing
   Options -Indexes

   <IfModule mod_rewrite.c>
   RewriteEngine On

   # Rules to protect wp-includes
   RewriteRule ^wp-admin/includes/ - [F]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
   RewriteRule ^wp-includes/[^/]+\.php$ - [F]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
   RewriteRule ^wp-includes/theme-compat/ - [F]

   # Rules to prevent php execution in uploads
   RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]

   # Rules to block unneeded HTTP methods
   RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
   RewriteRule ^(.*)$ - [F]

   # Rules to block suspicious URIs
   RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
   RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
   RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
   RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
   RewriteCond %{QUERY_STRING} http\: [NC,OR]
   RewriteCond %{QUERY_STRING} https\: [NC,OR]
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
   RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(127\.0).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(request|concat|insert|union|declare).* [NC]
   RewriteCond %{QUERY_STRING} !^loggedout=true
   RewriteCond %{QUERY_STRING} !^action=rp
   RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
   RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com(.*)$
   RewriteRule ^(.*)$ - [F]

   # Rules to block foreign characters in URLs
   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F).* [NC]
   RewriteRule ^(.*)$ - [F]

   # Rules to help reduce spam
   RewriteCond %{REQUEST_METHOD} POST
   RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
   RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
   RewriteCond %{HTTP_REFERER} !^http://jetpack\.wordpress\.com/jetpack-comment/ [OR]
   RewriteCond %{HTTP_USER_AGENT} ^$
   RewriteRule ^(.*)$ - [F]
   </IfModule>
   # END Tweaks
   # END iThemes Security

   # BEGIN WordPress
   <IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /superhero/
   RewriteRule ^index\.php$ - [L]
   RewriteCond %{REQUEST_FILENAME} !-f
   RewriteCond %{REQUEST_FILENAME} !-d
   RewriteRule . /superhero/index.php [L]
   </IfModule>
   # END WordPress
   ```
 * [https://wordpress.org/plugins/better-wp-security/](https://wordpress.org/plugins/better-wp-security/)

The topic ‘Internal Server Error with multiple WordPress sites’ is closed to new
replies.
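
A check for the conflict theory in the post above, added here as an example and not part of the original thread: it compares the URL paths and Referer hosts hard-coded in a per-directory .htaccess with the WordPress Site Address. `audit_htaccess`, `HOST_RE` and `SUPERHERO_HTACCESS` are hypothetical names, the sample lines are excerpted from the public_html/superhero file in the post, and the check assumes the path part of the Site Address is the URL prefix under which that directory is served.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines excerpted from the public_html/superhero/.htaccess above.
SUPERHERO_HTACCESS = r"""
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !^(.*)badgerchildhoodcancer.org.*
RewriteRule ^(.*)$ - [F]
# BEGIN WordPress
RewriteBase /superhero/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /superhero/index.php [L]
# END WordPress
"""

# Host-like token inside a rewrite pattern, with or without escaped dots.
HOST_RE = re.compile(r"[a-z0-9-]+(?:\\?\.[a-z0-9-]+)*\\?\.[a-z]{2,}", re.I)

def audit_htaccess(text, site_address):
    """Return (line_no, message) for values that disagree with site_address.

    Assumption: the path part of site_address is the URL prefix under which
    the directory holding this .htaccess is served.
    """
    url = urlparse(site_address)
    base = url.path.rstrip("/") + "/"
    host = (url.hostname or "").lower()
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteBase" and parts[1] != base:
            findings.append((no, f"RewriteBase {parts[1]}, site path is {base}"))
        elif parts[0] == "RewriteRule" and len(parts) > 2:
            target = parts[2]  # substitution; the front controller should sit under base
            if target.endswith("/index.php") and target != base + "index.php":
                findings.append((no, f"rewrites to {target}, expected {base}index.php"))
        elif parts[0] == "RewriteCond" and len(parts) > 2 and parts[1] == "%{HTTP_REFERER}":
            m = HOST_RE.search(parts[2])
            named = m.group(0).replace("\\", "").lower() if m else ""
            if named and not host.endswith(named):
                findings.append((no, f"Referer rule names {named}, site host is {host}"))
    return findings

if __name__ == "__main__":
    for site in ("http://badgersuperhero.com", "http://www.badgerchildhoodcancer.org/superhero"):
        print(site, audit_htaccess(SUPERHERO_HTACCESS, site))
```

With the Site Address on the charity domain the excerpt is consistent; with it on badgersuperhero.com the spam-rule Referer host, `RewriteBase` and the `index.php` target are all reported as mismatches to review.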


 * 0 replies
 * 1 participant
 * Last reply from: [DavidWoods](https://wordpress.org/support/users/davidwoods/)
 * Last activity: [12 years ago](https://wordpress.org/support/topic/internal-server-error-with-multiple-wordpress-sites/)
 * Status: not resolved