WP Toolkit "Block access to .htaccess" measure breaks WP permalinks (404) under AllowOverride None

G J Piper

TITLE

WP Toolkit "Block access to .htaccess" measure breaks WP permalinks (404) under AllowOverride None

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.78.3; WP Toolkit 6.11.0 (build 10571); AlmaLinux 8.10 x86_64

PROBLEM DESCRIPTION

Server setup: Apache 2.4.37 with nginx as reverse proxy, PHP 8.4 FastCGI served by Apache.
The WordPress docroot <Directory .../httpdocs> uses AllowOverride None (customer .htaccess files are intentionally not honored; the WordPress permalink rewrite is supplied via inline directives in the vhost configuration instead).

With the WP Toolkit security measure "Block access to .htaccess and .htpasswd" applied to a WordPress instance whose docroot uses AllowOverride None, all WordPress permalink URLs return HTTP 404 except the home page.

Reverting only that single security measure restores permalinks. Re-applying it reproduces the 404s. This is reproducible on demand.

The measure adds the following block to the generated Apache configuration for the docroot:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} /\.ht[^/]*$ [NC]
RewriteRule .* - [F,L]
</IfModule>

When the docroot's AllowOverride is set to FileInfo instead (so the WordPress .htaccess permalink rules are honored), the problem does not occur. It occurs only with AllowOverride None.

STEPS TO REPRODUCE

1. WordPress instance on an Apache-served Plesk vhost, with the docroot <Directory> set to AllowOverride None.
2. WordPress permalinks set to a non-Plain structure (e.g. Post name, etc).
3. In WP Toolkit > instance > Security, apply "Block access to .htaccess and .htpasswd."
4. Request any non-home permalink URL directly from Apache, with page caching bypassed.

ACTUAL RESULT

HTTP 404 on all URLs except the home page.

EXPECTED RESULT

Permalink URLs resolve normally, as they do when the specific WP Toolkit security measure is reverted.

ANY ADDITIONAL INFORMATION

Workaround: revert "Block access to .htaccess and .htpasswd" on affected instances, OR set the docroot to AllowOverride FileInfo (which allows .htaccess files to be served).

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Hi, @G J Piper. Thank you for the report. I don't think this has anything to do with WP Toolkit's "Block access to .htaccess and .htpasswd" setting. Even if the setting is disabled and you set "AllowOverride None" for the domain document root the permalinks do not work, which is somehow expected behavior. This disables processing of .htaccess files for the directory and WordPress relies on .htaccess for rewrite rules. What you can try is adjusting the rule to:

Code:
<Directory /var/www/vhosts/example.com/httpdocs>
    AllowOverride None
    Include /var/www/vhosts/example.com/httpdocs/.htaccess
</Directory>
 
Attached are my settings for my server which hosts dozens of WordPress installations set up exactly in the way you say does not work — but they do work and all have Permalinks settings set to:
Code:
/%category%/%year%-%monthnum%-%day%/%postname%/

Essentially I have used your suggested code but instead of "Include" I just add the code from the .htaccess file to the settings directly. (see my attached text file)

It does work, and I have locked out all .htaccess files from functionality server-wide for security. Been running it like this for almost 12 years.
When I turn ON "Block access to .htaccess and .htpasswd." in WP Toolbox Security Settings, my server permalinks no longer function.
When I turn OFF "Block access to .htaccess and .htpasswd." in WP Toolbox Security Settings, my server permalinks function again perfectly.

I'm not trying to be combative, but the fact remains that WP Toolbox Security breaks my better security when this setting is turned on, and it is infinitely repeatable. I always add the WordPress .htaccess codes to my hard-coded server settings specifically so I can nullify any .htaccess file security problems that ever come along. I only add .htaccess code to my server manually by request from customers and manage all plugins for my clients too.
Ask me any questions about my setup you wish and I'll tell you.

I've got my workaround which is to turn off Block access to .htaccess and .htpasswd but I thought you might want to try to fix it, so out of courtesy I'm helping the process. :)

Seriously I really appreciate all that you guys produce with Plesk and WP Toolkit — it makes my life easier, mostly.
 

Attachments

  • PleskApacheAndNginxSettings.txt.zip
Thank you. I will give it a try with your settings. What I tried is adding the following code to "Additional directives for HTTPS" on a domain level:

Code:
<Directory /var/www/vhosts/example.com/httpdocs>
    AllowOverride None
</Directory>

and the permalinks stop working regardless of whether "Block access to .htaccess and .htpasswd" is on or off.

Just to confirm, are you adding the additional directives on a domain level, on service plan level, or directly into /etc/httpd/conf.d/zz011_custom_directives.conf?
 
No... the code you enter must be:
Code:
<Directory /var/www/vhosts/example.com/httpdocs>
    AllowOverride None
    Options SymLinksIfOwnerMatch
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
</Directory>

To use AllowOverride None and safely block all .htaccess files from being used server-wide, the contents of those needed files must be added to the server directives.

I attached the code I added in the Plesk GUI in a previous post above. The code goes here:

Subscriptions -> example.com -> click example.com -> Hosting & DNS Tab -> Apache & Nginx -> Additional Apache directives -> Additional directives for HTTPS

Then, toggling "Block access to .htaccess and .htpasswd" breaks it and fixes it.
(important note: http server must be restarted each toggle as it doesn't seem to go into effect unless that happens - this caused me a lot of confusion initially)
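
An added example, not part of any post in this thread and not Plesk's code: a small Python audit that lists, for each docroot, the AllowOverride value and which <Directory> sections carry the WordPress permalink rule and the .ht* deny rule, so the generated Apache configuration can be compared before and after toggling the measure. The sample configuration is constructed, and placing the measure's block in its own <Directory> section is an assumption.

```python
import re

# Constructed sample; the layout (the measure's block in its own <Directory>
# section for the same docroot as the inline WordPress rules) is an assumption.
SAMPLE_CONF = r"""
<Directory /var/www/vhosts/example.com/httpdocs>
    AllowOverride None
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
    </IfModule>
</Directory>
<Directory /var/www/vhosts/example.com/httpdocs>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} /\.ht[^/]*$ [NC]
        RewriteRule .* - [F,L]
    </IfModule>
</Directory>
"""

SECTION = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.M | re.I)
OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)

def audit_docroots(conf_text):
    """Summarise, per <Directory> path, AllowOverride and each section's rewrite rules."""
    report = {}
    for path, body in SECTION.findall(conf_text):
        entry = report.setdefault(path.strip(), {"allow_override": None, "sections": []})
        override = OVERRIDE.search(body)
        if override:
            entry["allow_override"] = override.group(1)
        rules = RULE.findall(body)
        entry["sections"].append({
            # permalink: front-controller rule to index.php; ht_block: [F] rule on \.ht
            "permalink": any(target.endswith("index.php") for target, _ in rules),
            "ht_block": r"\.ht" in body and any("F" in flags.split(",") for _, flags in rules),
        })
    return report

def matches_reported_case(entry):
    """AllowOverride None, inline permalink rules, and the .ht* deny rule all present."""
    return (entry["allow_override"] == "None"
            and any(s["permalink"] for s in entry["sections"])
            and any(s["ht_block"] for s in entry["sections"]))
```

Run audit_docroots() on the vhost's generated configuration after each toggle (and the server restart mentioned above) to see which sections changed.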
 