AutoSSL is a great service, to the whole internet. But I do not understand why it must be implemented to find every single htaccess rule and prepend exceptions. Why can it not simply check the path(s) it needs rather than creating such a bleeding mess?
It rewrites htaccess to give itself unrestricted access to *everything* including the vast majority of cases it has no business ever touching.
Back when it was being introduced there were commitments this would be looked at, but the solution delivered is an all-or-nothing one: either enable AutoSSL and live with the absurdity of weakened security to accommodate a security service, or disable it and forgo the benefits.
I restrict access to plugins and custom code directories, admin directories, penalize access to file types that do not exist and therefore would never be accessed by a legitimate visit, block a variety of fake referrers and bad bots, and many other custom ht rules that have prevented a lot of attacks -- attacks that have compromised many thousands of sites. Every single ht rule has three lines prepended by cPanel just in case the rewrite somehow prevents it from getting to its needed directory.
It not only is unneeded and makes working with the file far more complicated due to all the goo, but it also opens new vectors of potential attack. Why? Why the universal, everything, everywhere, all the time, exceptions? It is just counterintuitive that people trying to improve security would make such a sweeping choice.
I've had to disable it on more than twenty sites, leaving it active on one because I don't really care what happens to that one. I do know my sites are all more secure without it than they are with it.