How to rever htaccess changes applied by themes security pro

Hi. I found this article: [How to remove the iThemes Security Plugin Created Database Tables] and basically it says to deactivate the plugin and then remove the tables that this plugin applied in the database, but my question is: how to rever the changes in the htaccess file?

In my experience, enter to your htaccess file after ithemes security pro touched it is a real headache, especially when there are thousand of lines there that I don’t understand (url rewriting, banned IP, etc.). Also, I’m always afraid of delete something I should not or that maybe another plugin changed.

I’d really really really wonder to know what to do in this case.

Maybe by replacing the htaccess file for a clean one with a base configuration (if this is the case what htaccess file should be), or maybe just deleting the file, or activating a plugin that fixes the htaccess (which I’d like to know what plugin it is), or any other idea?

thank you in advanced.

I’m not using iThemes, but I’ve cleaned sites that had used it. Most plugins mark their code with comment lines like:

## START iThemes Security
here are some lines with code
## END iThemes Security

so you can remove these whole block(s).

If you rename or remove the .htaccess and go to Settings - Permalinks in your dashboard, just pressing Save (no changes) will recreate the default clean .htaccess.

But you can also copy the contents of your .htaccess file to https://pastebin.com/ so we can check it and remove all the iThemes related code for you.

Jos, thank you very much your quick and kind response. I really appreciate it.

Well, at this moment I don’t have any monster htaccess like the one I told you, but here (at the end) is an example of a little one.

Personally, it happened to me more than once that the issue fails and when I open the htaccess it’s a real mess, like three hundred lines for example and a spagetti code.

I have backed up the file and reviewed it line by line through trial-and-error for hours, eliminating several (or even all) lines, replacing the file with a new one similar to the one you already mentioned to me, or by completely eliminating the file, deleting tables, combining with the option "define ( ‘ITSEC_DISABLE_MODULES’, true); ", etc… but I have never had a good result. Basically I’ve always done it when a theme crashes or maybe a kind of bug comes up making me losing access to wp-admin, which definitely hasn’t ever helped.

at this moment I don’t have this problem, but when I found mainwp I discovered a new world of management (you know what I mean), and something I noticed was the wordfence integration. then, by reviewing the word fence plugin and the amount of installations it has (4 millions vs 1 million of ithemes) I realize that it will be much better to use wordfence. Now I am worried about leaving ithemes garbage somewhere that complicate wordfence installation.

however I am going to encourage myself to do a testing version this weekend to install and uninstall ithemes in order to install wordfence after that. If I see something doubtful, I will ask you again.

In a few words, and why other people wonder which of those 2 plugins is better (and based on my experience of course), the problem of ithemes security pro is that it applies too many large and complex rules sometimes, so when the administrator wants to change some configuration the plugin crashes and the system access is blocked, as if applying many rules caused conflicts whit other rules of the same plugin, resulting in an unwanted security system that turns against the administrator.

Thanks in advance.

BEGIN iThemes Security - Do not modify or remove this line

iThemes Security Config Details: 2

# Pass through Authorization header.
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTP:Authorization} ^(.*)
	RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
</IfModule>

# Ban Hosts - Security > Settings > Banned Users
SetEnvIF REMOTE_ADDR "^5\.188\.62\.140$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^5\.188\.62\.140$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^5\.188\.62\.140$" DenyAccess

SetEnvIF REMOTE_ADDR "^185\.244\.214\.42$" DenyAccess
SetEnvIF X-FORWARDED-FOR "^185\.244\.214\.42$" DenyAccess
SetEnvIF X-CLUSTER-CLIENT-IP "^185\.244\.214\.42$" DenyAccess

<IfModule mod_authz_core.c>
	<RequireAll>
		Require all granted
		Require not env DenyAccess
		Require not ip 5.188.62.140
		Require not ip 185.244.214.42
	</RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
	Order allow,deny
	Allow from all
	Deny from env=DenyAccess
	Deny from 5.188.62.140
	Deny from 185.244.214.42
</IfModule>

END iThemes Security - Do not modify or remove this line

BEGIN WordPress

Las directivas (líneas) entre «BEGIN WordPress» y «END WordPress» son

generadas dinámicamente y solo deberían ser modificadas mediante filtros de WordPress.

Cualquier cambio en las directivas que hay entre esos marcadores serán sobrescritas.

RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]

END WordPress

Hi Jos,

Well, it looks that there’s not any problem by deactivating the ithemes security pro theme, removing tables and discard code in htaccess file.

For the moment it looks everything to work fine. So I think I’ll use word fence from now on since I had very bad experiences with theme’s plugin more than once and I don’t want to like this headache again.

At the end, my htaccess is like this…

BEGIN WordPress

Las directivas (líneas) entre “BEGIN WordPress” y “END WordPress” son

generadas dinámicamente y solo deberían ser modificadas mediante filtros de WordPress.

Cualquier cambio en las directivas que hay entre esos marcadores serán sobrescritas.

RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]

END WordPress

Thank you very much for your time.

Regards,
DM

1 Like

These lines look like the default lines, so that’s clean. Please (for the next time) format the lines as “preformatted text” or use PasteBin.
I totally agree with you that Wordfence is working much better than iThemes, but like every security plugin it’s important to have a good configuration, keep your sites updated, use strong passwords etc.