The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

cPanel alters htaccess files

Discussion in 'Security' started by 2Pro4u, Jan 17, 2017.

Tags:
  1. 2Pro4u

    2Pro4u Registered

    Joined:
    Jan 17, 2017
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    Cpanel what do you think you're doing changing my htaccess files? I do not care if you consider it a "security fix", you need to process your security OUTSIDE of my website files.

    I've never given cpanel permission to alter files on my server.

    Please instruct me on how I get cpanel to stop altering MY files that control my site as per this thread: SOLVED - Comodo entries added to htaccess

    Without confirmation you have absolutely ZERO right to be messing with my files for YOUR security.

    I would like to know how to how to prevent cpanel from doing this in the future, and how to get it to AUTO remove what it has added to my htaccess files on my 15 sites, but I sure as hell don't plan on doing it manually.

    Completely overstepping your bounds in where you can insert code for security. My .htaccess files do not belong to you, nor did you put them there. Hence they are files that do not belong to you, nor do you have permission to be changing their contents without notifying me.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    37,064
    Likes Received:
    1,287
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @2Pro4u,

    This behavior started in cPanel version 60 and is part of the AutoSSL feature:

    cPanel & WHM’s AutoSSL | cPanel Blog

    The rules aren't for security, but rather are added to exclude DCV checks from HTTP redirections so that the DCV checks for the AutoSSL feature complete successfully. Could you let us know if these rules are causing any specific issues with your websites?

    You'd need to disable the AutoSSL feature per the instructions on the following document if you'd like to disable this behavior:

    Manage AutoSSL - Documentation - cPanel Documentation

    You can find additional discussion on the topic of preventing the AutoSSL feature from writing to the .htaccess files on the following feature request:

    Ability to prevent autossl editing .htaccess fles

    I encourage you to vote for this request, and add a comment to voice your concern.

    Thank you.
     
    quizknows and linux4me2 like this.
  3. linux4me2

    linux4me2 Well-Known Member

    Joined:
    Aug 21, 2015
    Messages:
    149
    Likes Received:
    34
    Trophy Points:
    28
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    The MultiPHP Manager also adds entries to the .htaccess for different versions of PHP and enabling PHP-FPM. I haven't had any issues with either the AutoSSL or MultiPHP Manager's modifications to .htaccess even on sites with complicated redirects for caching plugins and the like.

    I kind of figured there wasn't a better option, and I certainly wouldn't want to give up AutoSSL or MulitPHP/PHP-FPM on an account-specific basis.

    @2Pro4u, is there a better alternative to .htaccess for giving us account-specific functions like AutoSSL and MultiPHP?
     
    quizknows likes this.
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    982
    Likes Received:
    75
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Related to the above post, I do feel that MultiPHP settings would be better placed in includes files rather than .htaccess files.
     
  5. gwc_wd

    gwc_wd Member

    Joined:
    Oct 24, 2010
    Messages:
    15
    Likes Received:
    1
    Trophy Points:
    53
    I would vote for it but cPanel assets seem to want completely separate registrations and I've already got one for support and one for these forums. I am uninterested in creating yet a third to access the features subdomain.

    The fact is that these htaccess edits are wholly indiscriminate. They are being added to strict secureity segments that have nothing to do with cPanel, autossl or anything else they should be touching. I object most strenuously that a vendor thinks they have carte blanche to compromise security measures simply because they deem themselves to be wholly trustworthy. They don't even spell out actual domains that get the free pass, but use wild cards to permit any domain originating with the the appeneded URL. This is just dangerous and irresponsible. Shame on cPanel.

    Look at this:

    ^/[0-9]+\..+\.cpaneldcv$
    So, by their rule, evildoers.com\anything\cpaneldcv is allowed through.

    That is unnecessary exposure.

    Stay the H out of my htaccess files.
     
    John Napoletano likes this.
  6. John Napoletano

    Joined:
    Mar 17, 2016
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Delaware
    cPanel Access Level:
    Root Administrator
    Same here. I was reviewing one of 20+ cpanel accounts, and at first I thought all those unwanted htaccess lines where just some sort of mistake, error on ftp update of the files. now I'm depressed thanks to cpanel. just ruined my week. my htaccess files are now unreadable. and like others I have security blocks in there that just don't look secure any longer. if i block a directory via htaccess it means should be blocked no? waste of our time.
     
Loading...

Share This Page