Help with .htaccess file being overwritten

Lee

(@junior)

I am hosting WordPress on my home server and while it works great, I have enabled the apache status page so It can be accessed by the Apache HTTP Server Metrics Telegraf plugin and visualize it with Grafana.

The issue is whenever something changes my .htaccess file, my apache status page stops working. I believe it’s due to the location of the code which is inserted between the BEGIN WordPress and END WordPress which it’s clearly labeled that it will be overwritten. I have tried adding the code elsewhere in the file but then the apache status page becomes inaccessible.

Here’s the .htaccess file in question (the line that controls apache status page is RewriteCond %{REQUEST_URI} !=/server-status:

### Custom - Hardening WordPress ###
<files wp-config.php>
order allow,deny
deny from all
</files>

### Custom - Hardening WordPress ###
# Disable directory listing.

### Custom - Hardening WordPress ###
#Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

### Custom - Hardening WordPress ###
# Disable hotlink protection while allowing the sites below
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mywebsite.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?facebook.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?twitter.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/server-status
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Any ideas how to make this work?

Viewing 4 replies - 1 through 4 (of 4 total)

threadi
(@threadi)

1 week, 3 days ago

I would recommend not enabling the status page via htaccess but via a vhost file. Have a look at this article: https://www.serverlab.ca/tutorials/linux/web-servers-linux/how-to-access-apache-server-status-with-wordpress-sites/

Thread Starter Lee
(@junior)

1 week, 2 days ago

@threadi, did you link to the right article? My configuration is exactly what is described on the article. My issue is that the line RewriteCond %{REQUEST_URI} !-/server-status gets overwritten sometimes due to the being inside the WordPress Begin and End block.
threadi
(@threadi)

1 week, 2 days ago
So you also have such an entry in the Vhost? Then an entry in the .htaccess would not be necessary because requests to server-status should not even get through there.

Irrespective of this, server-status should ideally only be accessible via the server IP. This means that a request to your website with a domain would not reach it at all. There are also security reasons for this. You can certainly discuss this in more detail in a community that supports your server system.

Of course, WordPress overwrites such customisations in the part of the .htaccess file generated by WordPress. The aim should therefore be not to customise it in the first place. This would be possible in the way described above. If this does not work for you – for whatever reason – try the following alternative: create a subdirectory server-status in the directory of your WordPress installation (where the .htaccess file is located). The two rules provided by WordPress will then take effect:
```
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
```
Thread Starter Lee
(@junior)

1 week, 2 days ago
Your solution of creating the empty folder server-status worked perfectly. I completely removed the line RewriteCond %{REQUEST_URI} !-/server-status from my .htaccess file now.

I am having a hard time understanding why the need for this at all though because what you said earlier makes sense: those requests are internal only so no need to have anything on the .htaccess file. I am running Apache for WordPress on a Ubuntu VM that sits behind a NGINX reverse proxy VM also on Ubuntu.

Even though your workaround is perfect, I would love to actually do without it as well as a matter of keeping things as tight as possible since after all, I am self hosting it at home.

Thanks for your help.
- This reply was modified 1 week, 2 days ago by Lee.

Viewing 4 replies - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Views