Last couple of days we’ve had a website that is actively under DDoS attack. At some point I’ve noticed that the attack have stopped (or at least my notifications for it from the security plugin we use – Better WP Security)
Opening the website I’ve noticed that it returned Error 500 so I started looking in the ploblem. Happily enough it was an easy thing to spot by the steps I used:
1. To check if it was an account-specific error or a general server error I opened other websites that were hosted on the same server. The other sites were working so it was a problem specificly for this hosting account.
2. To check if it was PHP/WP error or Apache error I tried to open a static html file. Opening the file failed so it was some Apache error.. (most probably .htaccess).
Looking through the .htaccess file the end of the file was wrong and had some part of the rewrite rules partially included after the End Of WordPress comment.
... #Normal .htaccess rules
# END WordPress
iteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
For some reason the last part, starting from ‘iteEngine on’ was added second time. It is highly possible that this was caused by Better WP Security when adding another IP to the blacklisted domains.
If you have any idea what exactly might cause this problem let me know in the comments 😉
P. S.: You can follow me on twitter – @ninarski