• Resolved poppydev

    (@poppydev)


    Hi team,

    Looking at your recent change log, you have removed access to .htaccess for fear of abuse. This doesn’t make sense for roles under Admin.

    Why not put an Admin role behind a password wall? Or allow adding a password to specific file types or folders in any role that is managed under Admin?

    It seems backwards to remove this and ask people to log in through FTP to access .htaccess. Doesn’t that make your plugin redundant? Anyone can access wp-config.php in your plugin and completely take down the site that way, which can cause more damage compared to the misuse of .htaccess alone.

    Please revisit this and add another level of security, i.e. password protection, rather than taking features away.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter poppydev

    (@poppydev)

    Why not follow the route below to secure this without removing access to .htaccess etc:

    1. Role-Based Access Control
      Only allow access to sensitive files like .htaccess, wp-config.php, .env, etc., for users with the administrator role or a custom capability (e.g., filester_manage_sensitive_files).
    2. Optional Password Prompt (Re-authentication)
      Prompt users to enter their WordPress password before accessing/editing protected files. This is a common pattern in WordPress (e.g., exporting personal data or changing site settings).
    3. Developer Override (for advanced users)
      Add a constant or filter to allow a controlled override, for example:
      define('FILESTER_ALLOW_HTACCESS_EDIT', true);
      or
      add_filter('filester_allow_htaccess_edit', '__return_true');

    This approach keeps things locked down by default for most users but still provides developers and advanced admins with the flexibility they need — especially since files like wp-config.php are still editable in the current version.

    • This reply was modified 11 months ago by poppydev.
    • This reply was modified 11 months ago by Jan Dembowski.
    Plugin Support alina98

    (@alina98)

    Hi @poppydev ,

    Thanks for your contributions.

    Please note that recently, due to security concerns for websites, we needed to block the .htaccess file to avoid security breaches, so from now on you need to use an FTP account to edit it instead.

    We also prevent users with roles other than Administrator from uploading code-related files such as .php, .html, .js, and .css, to ensure that no one can compromise the site.

    I will also share your idea with the dev team for consideration if possible.

    Regards.
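The gate the thread starter proposes (capability check, password re-authentication, constant/filter override) and the per-role upload restriction the support reply describes, written out as an added example. This is not Filester's own code. The `filester_example_` prefix, the capability name `filester_manage_sensitive_files`, the constant `FILESTER_ALLOW_HTACCESS_EDIT`, the filter `filester_allow_htaccess_edit` and the 10-minute re-authentication window are assumptions taken from the proposal above, not from the plugin; the WordPress core functions used (`get_role`, `current_user_can`, `apply_filters`, `wp_get_current_user`, `wp_check_password`, `set_transient`, `get_transient`, `wp_basename`) exist as called.

```php
<?php
/**
 * Added example, not Filester's own code. Gates editing of sensitive files
 * behind (1) a capability, (2) a recent password re-authentication and
 * (3) an explicit site-owner override, and restricts code-bearing uploads
 * to administrators. Names prefixed filester_example_ are hypothetical.
 */

// Files whose editing is gated. wp-config.php is on the list on purpose:
// whoever can write it can simply define the override constant below.
function filester_example_sensitive_files() {
    return array( '.htaccess', 'wp-config.php', '.env' );
}

// Step 1: grant the custom capability to administrators only (on activation).
function filester_example_grant_capability() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'filester_manage_sensitive_files' );
    }
}
register_activation_hook( __FILE__, 'filester_example_grant_capability' );

// Step 2: verify the user's WordPress password server-side and remember the
// success for a short window in a transient keyed by user ID.
function filester_example_reauthenticate( $password ) {
    $user = wp_get_current_user();
    if ( ! $user->exists() ) {
        return false;
    }
    if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
        return false;
    }
    set_transient( 'filester_example_reauth_' . $user->ID, time(), 10 * MINUTE_IN_SECONDS );
    return true;
}

function filester_example_recently_reauthenticated() {
    $user_id = get_current_user_id();
    return $user_id && false !== get_transient( 'filester_example_reauth_' . $user_id );
}

// Step 3: editing sensitive files is off by default. A site owner enables it
// in wp-config.php (constant) or from code (filter); the filter wins.
function filester_example_override_enabled( $path ) {
    $enabled = defined( 'FILESTER_ALLOW_HTACCESS_EDIT' ) && FILESTER_ALLOW_HTACCESS_EDIT;
    return (bool) apply_filters( 'filester_allow_htaccess_edit', $enabled, $path );
}

/**
 * Returns true when the current user may edit $path, otherwise a string
 * naming the refusal so the UI can react (e.g. show the password prompt).
 */
function filester_example_can_edit( $path ) {
    if ( ! in_array( wp_basename( $path ), filester_example_sensitive_files(), true ) ) {
        return true; // ordinary file: the plugin's normal permission checks apply
    }
    if ( ! filester_example_override_enabled( $path ) ) {
        return 'sensitive_file_editing_disabled';
    }
    if ( ! current_user_can( 'filester_manage_sensitive_files' ) ) {
        return 'missing_capability';
    }
    if ( ! filester_example_recently_reauthenticated() ) {
        return 'reauthentication_required';
    }
    return true;
}

// Upload restriction from the support reply: only administrators may upload
// code-bearing types. Every dotted segment after the first is checked, so a
// double extension such as shell.php.txt is also refused.
function filester_example_can_upload( $filename ) {
    $blocked  = array( 'php', 'html', 'js', 'css' );
    $segments = array_slice( explode( '.', strtolower( wp_basename( $filename ) ) ), 1 );
    if ( ! array_intersect( $segments, $blocked ) ) {
        return true;
    }
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true );
}
```

Two points a practitioner would check before shipping something like this: the re-authentication form that calls `filester_example_reauthenticate()` must be a nonce-protected POST handled server-side (the transient, not anything the browser sends, is what `filester_example_can_edit()` trusts), and the constant override only means something if wp-config.php itself is not writable from the file manager, which is the gap the thread starter points out and why that file sits on the sensitive list.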

    Thread Starter poppydev

    (@poppydev)

    Thank you for the prompt reply.

    Please do consider the password option. I get the security around this and the abuse that could happen, but that rule applies to any file in the hosting platform, not just .htaccess.

    It has to be down to the user to secure their processes when relying on your plugin. Adding the password option lets you add another level without compromising accessibility.

    Plugin Support mialewp

    (@mialewp)

    Hello @poppydev,

    Good day!

    Thanks for your suggestion; we will investigate and consider improving it in a new update if there is a chance. Please do not hesitate to contact us if you have any further questions.

    Best regards,

    Mia


The topic ‘Removed access to .htaccess for admin role’ is closed to new replies.