WordPress Toolkit security measure breaks WordPress REST API


Jul 21, 2021
cPanel Access Level
Root Administrator
I've become aware recently that one or some of the security measures which can be run through WordPress Toolkit may potentially interfere with the REST API. Here are the steps to reproduce it - we've now seen 3 new customers recently with random REST API errors, like posts not saving, certain plugins not working etc. (which can be a real pain in the ass to diagnose):

Prerequisite: Either WordPress must be installed with a plugin/theme set which includes a plugin or theme which creates a .htaccess file, or a plugin or theme which creates a .htaccess file in the WordPress root must be installed before proceeding to step 2 below.

A prime example of such a plugin is a caching plugin like LiteSpeed Cache which will create, and add directives to, a .htaccess file

1) Install WordPress via WordPress Toolkit.
2) Apply all available security measures
3) One of these (possibly "Block access to .htaccess and .htpasswd") will change the permissions of .htaccess to 0600
4) WordPress will show REST API error under Tools > Site Health.
5) Attempting to change or set permalinks will fail (Settings > Permalinks) - any post created or accessed will 404 if you're using pretty permalinks

While not directly a bug, it seems a bit bad to effectively be able to break a WordPress install before the user has even logged in - the average user would not have the skills necessary to diagnose such an error.


Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! I reached out to the WPT team directly about this issue, and here is their response:

"Security sets permissions 0644/755 for all files/directories, and 0600 for wp-config.php. It also adds a web server rule to prevent fetching these files via http through the "block access to .htaccess and .htpasswd" function.

If you remove the permissions to read .htaccess for the group user, the web server cannot read it and cannot apply rewrite rules for permalinks."

What they didn't find was any code that sets .htaccess to 0600, so they don't believe that specific change is caused by WPT.

If you're able to reproduce this issue consistently, can you submit a ticket to our team and then we can take a look and escalate to the WPT team if necessary?
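For anyone trying to confirm the state described in the first post, or to check a site against the permission policy the WPT team describes in the reply (files 0644, directories 0755, wp-config.php 0600), here is a small POSIX shell audit. It is an added example, not code from this thread, cPanel or WordPress Toolkit. It assumes GNU or BSD `stat` is available; the function names (`check_htaccess`, `check_wp_config`, `audit_docroot`, `fix_htaccess`) are this example's own, and the docroot it audits in `demo` is a constructed temporary directory, not a real site.

```shell
#!/bin/sh
# Added example (not from the forum thread, cPanel, or WordPress Toolkit):
# audit a WordPress docroot for the permission state described above.
# Policy, as the WPT team stated it: files 0644, directories 0755,
# wp-config.php 0600. The file that matters here is .htaccess: Apache runs
# as a different user than the site owner, so .htaccess must keep a group or
# other read bit; otherwise the rewrite rules silently stop applying and
# pretty permalinks and REST API requests 404, as reported in the thread.
# Assumption: GNU `stat -c` or BSD `stat -f` is available.

# file_mode PATH -> prints the permission bits in octal, e.g. 644
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_htaccess DOCROOT -> 0 if .htaccess is absent or readable by the
# web server (group or other read bit set), 1 if it is owner-only (the
# 0600 state from the report).
check_htaccess() {
    f="$1/.htaccess"
    [ -e "$f" ] || return 0
    case "$(file_mode "$f")" in
        *[4567]?|*[4567]) return 0 ;;   # group read or other read present
        *) return 1 ;;
    esac
}

# check_wp_config DOCROOT -> 0 if wp-config.php is absent or owner-only
# (0600/0400; it holds the DB credentials), 1 if group or other can access it.
check_wp_config() {
    f="$1/wp-config.php"
    [ -e "$f" ] || return 0
    case "$(file_mode "$f")" in
        *00) return 0 ;;    # last two octal digits 00: no group/other access
        *) return 1 ;;
    esac
}

# audit_docroot DOCROOT -> prints one line per finding; exit status 0 when
# both checks pass, 1 otherwise.
audit_docroot() {
    rc=0
    if ! check_htaccess "$1"; then
        echo "FAIL $1/.htaccess mode $(file_mode "$1/.htaccess"): web server cannot read it, permalinks/REST API will break"
        rc=1
    fi
    if ! check_wp_config "$1"; then
        echo "FAIL $1/wp-config.php mode $(file_mode "$1/wp-config.php"): should be 0600"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: .htaccess readable by web server, wp-config.php owner-only"
    return "$rc"
}

# fix_htaccess DOCROOT -> restore the regular-file mode the policy intends
# (0644) so Apache can read the rewrite rules again.
fix_htaccess() {
    chmod 0644 "$1/.htaccess"
}

# Demo on a constructed docroot (temporary directory, not a real site):
# reproduce the reported state, audit, repair, audit again.
demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample\nRewriteEngine On\n' > "$tmp/.htaccess"
    printf "<?php define('DB_PASSWORD', 'placeholder');\n" > "$tmp/wp-config.php"
    chmod 0600 "$tmp/.htaccess" "$tmp/wp-config.php"   # the state from the report
    audit_docroot "$tmp" || echo "--- repairing .htaccess"
    fix_htaccess "$tmp"
    audit_docroot "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it as the site owner against a real docroot with `audit_docroot /home/USER/public_html` once the demo call is removed; a FAIL on .htaccess together with the Site Health REST API error is the combination the first post describes, and `fix_htaccess` undoes only that one mode change while leaving wp-config.php owner-only.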