I dont really know if you consider this a bug, but its a really bad issue that happens occasionally on all my sites I have password protected, and has done for a long time.
but often I would password protect directories, then notice sometime later its not protected anymore. the .htaccess file doesnt have the code anymore to protect it.
I just set one up again, and I notice the code goes in between # BEGIN WordPress and # END WordPress.
So if this is the issue, then that may explain it because anything between these could be managed by Wordpress.
We also use other plugins like WP Rocket, Wordfence, ithemes security, that would edit the htaccess file. But all of them add # comments to signify the start and end of their modifications. I would guess NOT adding protection code inside any of these comments would mean it survives other modifications.
Maybe wrap virtualmin added code in # tags too.
Comments
Submitted by JamieCameron on Sun, 09/30/2018 - 19:37 Comment #1
Do you mean that there are commented sections in the
.htaccess
file that are used by Wordpress, and that something is deleting the comments?Submitted by amityweb on Sun, 10/07/2018 - 12:16 Comment #2
No. I mean when virtualmin adds in the password protection code it adds it between wordpresses comments so often gets overwritten as Wordpress manages htaccess inside its comments.
Submitted by JamieCameron on Sun, 10/07/2018 - 17:28 Comment #3
Ah, I see. Can you attach the whole
.htaccess
file to this bug report so I can see the format Wordpress uses?Submitted by amityweb on Fri, 11/02/2018 - 10:25 Comment #4
Sorry for late response, was waiting until I have another site I need to protect.
This is the htaccess file after I choose to protect directories.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
AuthUserFile "/home/mysite/public_html/htusers"
AuthType Basic
AuthName "Login"
require valid-user
<Files htusers>
deny from all
</Files>
# END WordPress
You can see the code is entered in between # BEGIN WordPress and # END WordPress. Well Wordpress will manage content inside here, and so often I get compaints from customers that their development site is indexed in Google, so when I go check it out the password protection is gone and Google has indexed it. Its very very bad for customers to have their new development sites show up in Google. I find password protection the best way to protect a development project. But I cant rely on it.
So what I do is make .htaccess 444 so it cant be written to. but then actually there are times we do want Wordpress to write to it, and it cant. When we install caching plugins, or Wordpress firewall, they need to write to it but cant.
So it would be best that Virtualmin respect these areas of .htaccess and not write to inside the comments. Its not just Wordpress comments, but the caching plugins and firewall plugins all add their own comments to show where their code starts and ends, and nothing should be written inside these.
Thanks!
Submitted by amityweb on Fri, 11/02/2018 - 10:25 Comment #5
For info, this is what Wordpress default htaccess should look like
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Submitted by amityweb on Fri, 11/02/2018 - 10:27 Comment #6
You can see online like on this site it states you must not add anything in between these comments or expect it to be overwritten: https://premium.wpmudev.org/blog/htaccess/
Submitted by JamieCameron on Sat, 11/03/2018 - 18:13 Comment #7
Ok, the next Webmin release will handle this case properly.
Submitted by IssueBot on Thu, 02/28/2019 - 09:07 Comment #8
Automatically closed - issue fixed for 2 weeks with no activity.