.htaccess file disappears

Started by jeyavinoth, Sep 21, 2022, 09:48 AM

Previous topic - Next topic

jeyavinothTopic starter

Has anybody ever encountered such a problem when the .htaccess file disappears on web hosting? It is diagnosed simply - it is impossible to follow the internal link on the website. It is also treated simply - by pouring a new file to the hosting. That's not the question. Is it possible to delete a critical file from the outside, and how to resist this?
I've already had this happen twice.

Thanks in advance.


The reasons for hаcking are different:
The first reason for hаcking is the theft or selection of passwords to your FTP account or to the administrative part of your web site.
This can happen because of a virus on your PC, OS, or because of an outdated, vulnerable version of the browser from which the saved password was downloaded, or the password set was too simple (for instance, it consisted only of numbers) and it was easily picked up. As for the selection of passwords, on the hosting, a firewall is installed on all servers that blocks the IP address if more than 5 attempts to enter incorrect data are made from it for 5 minutes.

Therefore, always set a strong password that consists of numbers, large and small letters, and also contains other keyboard characters.
You can use the appropriate online resources to generate passwords. Do not store passwords in unverified applications on unprotected (without antiviruses) PCs.

The second reason for hаcking is an outdated, vulnerable version of the CMS system (its components, plugins) on which your web site runs.
The most "favorite" CMS for hаckers are Joomla and WordPress. After checking hundreds of websites running on CMS Joomla that are located on our servers, we got the following: 77% of them do not use the latest releases of the corresponding branches.

As for WordPress, the situation looks similar - 73% have not been updated to the latest Stable version. And the risk of hаcking sites on outdated CMS versions is very high, and it does not depend on us as a hosting provider in any way. And most of the CMS hаcks occur through "leaky" plugins and components that the client installs for himself. And through these "holes" they upload all sorts of exploit, iframe, php shell to the server.

We have noticed the following vulnerable components and scripts, which are often hаcked by requests, for CMS Joomla these are:
- file substitution LICENCE.php ;
- loading php shell into templates/beez/html/mod_login/ and replacing templates/beez/index.php

for WordPress :
- replacement wp-login.php ;
- downloading php shell and php eMailer via:
wp-content/plugins/wp-my-admin-bar ;
wp-includes/js/tinymce/ ;
wp-content/themes/infinity .
- vulnerability of the theme timthumb.php which we wrote about here.

In turn, we would like to inform you that on the hosting side, a number of settings have been implemented to improve the security of the client's sites. Namely on each server:

- Firewall is installed;
- mod_security and suhosin are enabled;
- PHP has disabled functions such as: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen ;
- safe_mode and register_globals are disabled .

Summarizing the above, we will write briefly

Your actions in case of site hаcking:
Check the site files for the latest changes by downloading them to a local PC or checking through the built-in file manager in the Cpanel panel.

Restore the site from an archived copy.

Check for updates to the CMS of website, for Joomla or for WordPress, as well as installed modules, plugins and CMS components.

Change the hosting access password (FTP accounts) and the administrative password for accessing web site.

Clear the cache/ and tmp/ directories of the site.

If you follow the updates of the CMS web site, install components only from trusted sources, work with web site only from secure PCs and have strong passwords - the probability of hаcking your site will be minimal.


On Linux, files whose names start with "." are considered systemic. Many programs, knowing this, do not display them. Any file whose name starts with a dot will "disappear" like this.
For the Linux console program/command ls, you can pass the -a or --all option so that it shows all files and does not ignore files starting with "."


Clean up the entire site. But it's not easy to clean up - it's necessary to find backdoors if there are - otherwise it won't help.

After that, just change the latest version of JCE.
I now have a queue of such sites for treatment - and on all JCE versions 1.6.3 and below.
Update components on time - you can't be so frivolous about security. And not only JCE is vulnerable, and not only on Joomla.
There will most likely be no injections into the database - unless you have a super comprehensive approach there.