cPanel alters htaccess files

2Pro4u

Member
Jan 17, 2017
18
0
1
Earth
cPanel Access Level
Root Administrator
Cpanel what do you think you're doing changing my htaccess files? I do not care if you consider it a "security fix", you need to process your security OUTSIDE of my website files.

I've never given cpanel permission to alter files on my server.

Please instruct me on how I get cpanel to stop altering MY files that control my site as per this thread: SOLVED - Comodo entries added to htaccess

Without confirmation you have absolutely ZERO right to be messing with my files for YOUR security.

I would like to know how to how to prevent cpanel from doing this in the future, and how to get it to AUTO remove what it has added to my htaccess files on my 15 sites, but I sure as hell don't plan on doing it manually.

Completely overstepping your bounds in where you can insert code for security. My .htaccess files do not belong to you, nor did you put them there. Hence they are files that do not belong to you, nor do you have permission to be changing their contents without notifying me.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,225
463
Hello @2Pro4u,

This behavior started in cPanel version 60 and is part of the AutoSSL feature:

cPanel & WHM’s AutoSSL | cPanel Blog

The rules aren't for security, but rather are added to exclude DCV checks from HTTP redirections so that the DCV checks for the AutoSSL feature complete successfully. Could you let us know if these rules are causing any specific issues with your websites?

You'd need to disable the AutoSSL feature per the instructions on the following document if you'd like to disable this behavior:

Manage AutoSSL - Documentation - cPanel Documentation

You can find additional discussion on the topic of preventing the AutoSSL feature from writing to the .htaccess files on the following feature request:

Ability to prevent autossl editing .htaccess fles

I encourage you to vote for this request, and add a comment to voice your concern.

Thank you.
 

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
The MultiPHP Manager also adds entries to the .htaccess for different versions of PHP and enabling PHP-FPM. I haven't had any issues with either the AutoSSL or MultiPHP Manager's modifications to .htaccess even on sites with complicated redirects for caching plugins and the like.

I kind of figured there wasn't a better option, and I certainly wouldn't want to give up AutoSSL or MulitPHP/PHP-FPM on an account-specific basis.

@2Pro4u, is there a better alternative to .htaccess for giving us account-specific functions like AutoSSL and MultiPHP?
 
  • Like
Reactions: quizknows

gwc_wd

Member
Oct 24, 2010
16
1
53
Hello @2Pro4u,

Ability to prevent autossl editing .htaccess fles

I encourage you to vote for this request, and add a comment to voice your concern.

Thank you.
I would vote for it but cPanel assets seem to want completely separate registrations and I've already got one for support and one for these forums. I am uninterested in creating yet a third to access the features subdomain.

The fact is that these htaccess edits are wholly indiscriminate. They are being added to strict secureity segments that have nothing to do with cPanel, autossl or anything else they should be touching. I object most strenuously that a vendor thinks they have carte blanche to compromise security measures simply because they deem themselves to be wholly trustworthy. They don't even spell out actual domains that get the free pass, but use wild cards to permit any domain originating with the the appeneded URL. This is just dangerous and irresponsible. Shame on cPanel.

Look at this:

^/[0-9]+\..+\.cpaneldcv$
So, by their rule, evildoers.com\anything\cpaneldcv is allowed through.

That is unnecessary exposure.

Stay the H out of my htaccess files.
 
  • Like
Reactions: John Napoletano
Mar 17, 2016
18
1
3
cPanel Access Level
Root Administrator
Same here. I was reviewing one of 20+ cpanel accounts, and at first I thought all those unwanted htaccess lines where just some sort of mistake, error on ftp update of the files. now I'm depressed thanks to cpanel. just ruined my week. my htaccess files are now unreadable. and like others I have security blocks in there that just don't look secure any longer. if i block a directory via htaccess it means should be blocked no? waste of our time.