htaccess Files for Multiple Website Domains – hierarchy, structure, relationship

[AITpro Admin]

.htaccess files are hierarchical/recursive, which means that the .htaccess file in the hosting account root folder will apply its security rules to all subfolders below this folder, unless the subfolder or subfolders have their own .htaccess files. If they have their own .htaccess files then those subfolders will follow the security rules in their own .htaccess files and not the .htaccess rules in the hosting account root folder (see Note below).  The best Site Security Architecture/Design technique is to compartmentalize your security by installing each of your website’s in their own separate folder (on some hosts that is not possible and you have to have a root website installation) so that 1 website’s .htaccess file does not affect another site’s .htaccess file.  This allows you to create separate and unique security rules per site.

Note:  Some .htaccess directives/code will still be applied to subfolder/subdirectory/Addon/child sites (child folders below the hosting account root folder) if an .htaccess file exists in a hosting account root folder (parent folder).  Example:  If you turn off Security Logging in a subfolder or subdomain site, but have a root website in the hosting account root folder and have Security Logging turned on in the root website then the htaccess ErrorDocument directive from the hosting account root htaccess file will be applied to the subfolder / subdomain site and Security Logging will still occur on a subfolder/subdomain website.  If each site was compartmentalized in its own folder then that would not occur since a parent/child folder relationship would not exist.  If Security Logging is turned on on both the root site and the subfolder/subdomain site then the subfolder/subdomain site is actually using/following the rules/code in its own .htaccess file and not the root website’s htaccess file.

Example:
Let’s say that you are using this Brute Force Login attack protection code in your root website’s htaccess file that is located in your hosting account root folder and you do not have any wp-login.php htaccess code/rules in a subfolder site’s htaccess file.  This root .htaccess file code/rules will be applied to that subfolder site’s Login page since the subfolder site is a child folder of the parent site folder in this particular type of folder/hierarchical relationship.  Both the root site and the subfolder site would use/follow this code/rule.

# Protect wp-login.php from Brute Force Login Attacks based on IP Address
<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
# Add your website domain name
Allow from example.com
# Add your website/Server IP Address
Allow from 69.200.95.1
# Add your Public IP Address using 2 or 3 octets so that if/when
# your IP address changes it will still be in your subnet range. If you
# have a static IP address then use all 4 octets.
# Examples: 2 octets: 65.100. 3 octets: 65.100.50. 4 octets: 65.100.50.1
Allow from 65.100.50.
</FilesMatch>

So let’s now say that you want Brute Force Login protection on the root website, but do not want Brute Force Login protection on the subfolder site. This is how you would achieve that. In your subfolder site’s .htaccess file you would add this .htaccess code below that says allow everyone access your subfolder site’s wp-login.php Login page. The subfolder/child site will follow its own wp-login.php htaccess rule instead of following the root/parent site’s wp-login.php htaccess rule.

<FilesMatch "^(wp-login\.php)">
Order Allow,Deny
Allow from all
</FilesMatch>

Visual Structural Example:
This example shows the hierarchy of several websites installed in folders under a hosting account. Each folder contains a website / is the folder where a website is installed. This example shows the relationship of parent/child folders/websites and how htaccess files/rules will be applied from parent to child folders/websites. The htaccess ErrorDocument directive is an htaccess redirect directive used to redirect errors based on their HTTP Status Response code (the ErrorDocument directive effect/impact on all sites is explained in the Summary).

Note:  Child folder .htaccess files at the same folder structure level do not affect each other.  Example:  The /affiliates/ and /aitpro-blog/ folders/websites are at the same folder structure level.  Their relationship to each other is NOT parent >>> child.

Folders (not URL’s):
/.htaccess – root .htaccess file (ie /public_html/.htaccess) is a parent htaccess file in the Document root folder of the hosting account.
/api/
/affiliates/
/aitpro-blog/
/exampleA.com/
/exampleB.com/
/forum/private/
/wordpress-testing-website/

Root .htaccess file in the Document Root folder of the hosting account:
Note: See this Forum Topic link for where and how to add RewriteRule custom code to BPS Custom Code:  http://forum.ait-pro.com/forums/topic/custom-applications-outside-of-wordpress-3rd-party-apps/#post-13664

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^api/ - [L]
RewriteRule ^affiliates/ - [L]
RewriteRule ^aitpro-blog/ - [L]
RewriteRule ^exampleA.com/ - [L]
RewriteRule ^exampleB.com/ - [L]
RewriteRule ^forum/ - [L]
RewriteRule ^wordpress-testing-website/ - [L]

The root website’s htaccess file will not apply the ErrorDocument directive htaccess code/rules to any of these folders/websites since the RewriteRules will rewrite directly to these URI’s instead of continuing to be processed by this root htaccess file/code/rules. In other words, this is a form of a skip/bypass rule for folders/websites of sorts.

The /forum/ folder/website has a subfolder website that is in a subfolder of the /forum/ folder – /forum/private/. The root .htaccess file in the root of this hosting account / the Document Root folder is not applying its rules to the /forum/ folder. The /forum/ website will use a RewriteRule for the /private/ folder so that rules from the /forum/.htaccess file are not applied to the /private/ folder/website.

# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]

# Do not apply rules to other child websites &
# do not log errors for these child sites
RewriteRule ^private/ - [L]

Summary: The root website in the hosting account root folder will not apply the ErrorDocument rules to the /forum/ site and the /forum/ site will not apply the ErrorDocument rules to the /private/ site. What this means is that each site is now independently controlling the ErrorDocument directive/rule for that site, which means each site is controlling its own Security Logging. If you did not create RewriteRules like this then the hierarchical nature of htaccess files would apply the root website’s ErrorDocument rule to all child sites meaning even if Security Logging was turned off on a child site then Security Logging would still occur since the parent htaccess file in the root website would be applying the ErrorDocument directive rule to all child websites.

[dtyler1]

[Topic has been merged into this relevant Topic]
Another post mentions that if BPS Pro is installed on a domain in the root then all other domains below the root must have their own .htaccess file.  My host requires primary domains be installed (automatically) in the root, so I cannot assign the domain to its own folder and will have to install .htaccess file for all the other non-root domains.

Would you describe in detail how this is done, and how do I install BPS Pro in non-primary domains?

[AITpro Admin]

Note: email response was replied to already regarding this question.

[Zsolt Edelényi]

[Topic has been merged into this relevant Topic]
I have subdomains, and the folder of a subdomain is located in the main domain’s folder. Like this:
root/main-domain/subdomain/
1. Is it possible to have only one BPS PRO on the main domain, which controls the subdomains?
OR
2. Install BPS Pro on each subdomain, and exlude somehow subdomains?
Is this understandable? Is there any other solution?

[AITpro Admin]

@ Zsolt Edelenyi – Please read the beginning of this forum topic to get a general idea about htaccess code/files for multiple websites under a hosting account.  A subdomain site is not the same as a subfolder site.  This forum site is a subdomain site. The WordPress installation for the forum site is in a folder named:  /forum/ in the root hosting account folder and a DNS CNAME record (or A record can be used for subdomain sites) has been created that points to this site:  forum.ait-pro.com.  The AITpro Blog site is a subfolder site.  The WordPress installation folder for the AITpro Blog site is in a folder named:  /aitpro-blog/ in the root hosting account folder. The URL is:  ait-pro.com/aitpro-blog/.

1. Yes, that is possible, but that is a bad site structure/design to use.  Each website should have its own htaccess files in order to better control security specifically for each site individually.

2. See the help information at the beginning of this forum topic.

[AlexG]

BPS free seems to work fine on the base site (myURL.com/), but on each of my subsites (myURL.com/site-1) I get the following error message:

HUD Check: PHP/php.ini handler htaccess code check
PHP/php.ini handler htaccess code was found in your root .htaccess file, but was NOT found in BPS Custom Code.
To automatically fix this click here: Setup Wizard Pre-Installation Checks …

When I click that setup wizard link I get “Sorry you are not allowed to access this page” triggered by the WordPress core, stack:

1. wp_die()
   wp-admin/includes/menu.php:364

The setup wizard runs fine in the base site, though, and doesn’t show any errors there.

I’m assuming there is some separate version of htaccess for each sub-site, but looking at my file structure I have no idea where that would be (there is no folder for “site-1/htaccess”, etc).

Is this a serious thing?

[AITpro Admin]

@ AlexG – The subsites on a WordPress Multisite website are virtual. So they do not have a separate .htaccess file.  There is only 1 root htaccess file for a WordPress Multisite website.  Are you seeing the HUD check on the primary site or only on subsites?  This error check should not be displayed on subsites. So I will need to fix that.  To check if the error check is valid, check your root htaccess file on the htaccess File Editor page and check BPS Root Custom Code text box #1 for php.ini handler .htaccess code.

[AITpro Admin]

@ AlexG – I have tested BPS with network plugin activation and with single site plugin activation and BPS is working correctly.  The HUD check is only displayed on the primary site and not on the subsites.  In any case, fix the problem on the Primary site and the error message will go away.

[AlexG]

Sorry, a bit slow to get back.

There is no error message on the primary site, it only shows on the sub-sites.

The .htaccess file in the folder “public_html” has a first textbox that reads:

# CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
# PHP/php.ini handler htaccess code
AddHandler application/x-httpd-ea-php80___lsphp .php .php8 .phtml

Is that what you were asking for?

[AITpro Admin]

@ AlexG – Send a WordPress Administrator login to your site to: info@ait-pro.com

[Kevin]

When managing multiple website domains on a single web server, the .htaccess file plays a crucial role in configuring and controlling various aspects of each domain. The .htaccess file is a configuration file used by the Apache web server, and it allows you to define rules and settings for specific directories or domains.

The hierarchy, structure, and relationship of .htaccess files for multiple website domains depend on how your web server is set up and how you want to manage the domains. Here are some common scenarios:

1. Single .htaccess file for all domains: In this scenario, you have a single .htaccess file located in the root directory of your web server (e.g., /var/www/html). This file will contain rules and configurations that apply to all domains hosted on that server. For example, you might have settings like URL rewriting, error handling, or access control rules that are the same for all domains.
2. Separate .htaccess file for each domain: In this setup, each domain has its own root directory, and there is an individual .htaccess file in each domain’s root directory. This allows you to have different rules and settings specific to each domain. For instance, you might have different rewrite rules or authentication configurations for each domain.
3. Main .htaccess file and additional domain-specific .htaccess files: In this configuration, you can have a main .htaccess file in the web server’s root directory with rules that apply to all domains, and then each domain’s root directory may have an additional .htaccess file with domain-specific rules. This allows you to have a combination of global rules and rules specific to individual domains.
4. Hierarchical .htaccess files: You can create a hierarchical structure where you have a primary .htaccess file in the web server’s root directory that sets general rules for all domains. Then, within each domain’s directory, you can have another .htaccess file that overrides or adds to the rules defined in the main .htaccess. This enables you to have a centralized configuration with domain-specific customizations.

It’s essential to consider the performance implications of using .htaccess files as well. If you have many domains and complex rules, having multiple .htaccess files may result in a slight performance overhead. In such cases, it might be more efficient to define configurations in the main server configuration (e.g., httpd.conf or virtual host configuration files) instead of relying heavily on .htaccess files.

[AlexG]

Done. Sent you an email last week I think with the details

[AITpro Admin]

@ AlexG – I did not receive an email from you. I have sent you a direct email. Please reply to that email.

[Author]

Posts