[ANSWERED] Move .htaccess files in tmp folder

I’m not sure whether to post this here or to the bug tracker, but here goes:

On my installation there are two .htaccess files in my Piwik ‘tmp’ folder which are owned by the apache user:

My site runs on a shared hosting service and I’ve recently had some trouble with a security vulnerability which allowed someone to modify the contents of all .htaccess files on the server to which the apache user had write access, including those mentioned above.

If I understand correctly, combining these files into a single .htaccess which resides in …/piwik/tmp would allow me to own the .htaccess file instead of the apache user, and so reduce the chance of this happening again.

Piwik creates the .htaccess files once during installation. After that you can do whatever you want with them. (They aren’t regenerated or replaced by a software update.)

If you want a more robust solution, use a bootstrap.php file to move your config and tmp folders outside of your web document root (subject to any open_basedir restrictions you might have).
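The ownership concern raised in this thread can be checked with a short audit script. This is an added example, not part of the original posts and not Piwik code; the function name `audit_htaccess`, the directory argument and the expected owner are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example: flag .htaccess files that an account other than the
# intended owner could rewrite or replace.

# audit_htaccess DIR OWNER
#   DIR   - tree to scan, e.g. the Piwik tmp folder (caller-supplied)
#   OWNER - user name or numeric uid that should own every .htaccess
# Prints "<reason> <path>" per finding; returns 0 if clean, 1 if not.
audit_htaccess() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    report=$(
        # File owned by someone else (for instance the web server account).
        find "$dir" -type f -name .htaccess ! -user "$owner" \
            -exec printf 'owner-mismatch %s\n' {} \;
        # File writable through its group or by everyone.
        find "$dir" -type f -name .htaccess -perm -020 \
            -exec printf 'group-writable %s\n' {} \;
        find "$dir" -type f -name .htaccess -perm -002 \
            -exec printf 'world-writable %s\n' {} \;
        # A writable parent directory lets the file be deleted and
        # recreated even when the file itself is read-only.
        find "$dir" -type d \( -perm -020 -o -perm -002 \) -exec sh -c \
            'test -f "$1/.htaccess" && printf "dir-writable %s/.htaccess\n" "$1"' \
            sh {} \;
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: ./audit.sh /path/to/piwik/tmp youruser
if [ "$#" -ge 2 ]; then
    audit_htaccess "$1" "$2"
fi
```

A non-zero exit status makes the script usable from cron or a deployment check, so a change in ownership or mode is noticed before the files are tampered with again.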