How to Get The Benefits of .htaccess Without the Downside


If you're hosting your site in a shared hosting environment, check with your webhost to see if they support this. Those of us running our sites on Virtual Private Servers (VPS) or our own server are in luck.

Why We Use .htaccess Files

The .htaccess file puts a lot of power in a webmaster's hands. In fact, it's usually the only way a webmaster has to make changes to their own configuration in a shared hosting environment. Joomla comes bundled with an htaccess.txt file. Renaming that file to .htaccess allows you to use Joomla's best native SEF URL functionality. There are also some security benefits to using it. Many use .htaccess files for canonicalization - mapping non-www to www URLs. Webmasters can block access to the administrator directory with .htaccess too. There are many benefits and reasons for using the .htaccess file. That's why most Joomla webmasters use it, even those using their own server or virtual private server.

What's Wrong With .htaccess Files?

Performance and security. On the performance side, the server checks the .htaccess file on every request a visitor makes of the site. I'm not talking about just a page; I'm referring to the HTML page, every image, and every file that the visitor's browser needs on every page. What's worse is that the server checks each directory above the requested file to see if there are any processing rules there as well. Many processing rules in the .htaccess file, applied to every request, can have a pretty big impact on performance.

With regard to security, I've recently had several calls about Google blocking websites for malware and the owners weren't sure why. As it turns out hackers had added a few rules to the .htaccess file - if a visitor came through a search on Google, Bing, Yahoo and several others then redirect them immediately to another website - which distributed malware. The owners didn't know what was going on because they accessed their site directly, not through search. The hackers were smart and used a vulnerability they'd found to update the .htaccess file every 60 seconds. So it took quite a bit more than just fixing and adjusting security on the .htaccess files.
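One way to check a leftover .htaccess file for the kind of rule described above, as an added example that is not code from the original article. It flags a RewriteRule with an absolute-URL target when a preceding RewriteCond tests the referrer against a search engine name, and leaves an ordinary non-www to www rule alone. The function name, the sample rules and the example.invalid host are constructed for illustration.

```python
import re

# Referrer patterns naming the search engines the article lists.
SEARCH_ENGINES = re.compile(r"google|bing|yahoo", re.I)
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ABSOLUTE = re.compile(r"^https?://([^/:\s]+)", re.I)

def find_referrer_redirects(htaccess_text):
    """Return (line_no, target_host) for each RewriteRule that sends visitors
    arriving from a search engine to an absolute URL."""
    findings = []
    referrer_cond = False          # a search-referrer RewriteCond is pending
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue               # commented-out lines are not directives
        cond = COND.match(line)
        if cond:
            test_string, pattern = cond.groups()
            if "HTTP_REFERER" in test_string.upper() and SEARCH_ENGINES.search(pattern):
                referrer_cond = True
            continue
        rule = RULE.match(line)
        if rule:
            target = ABSOLUTE.match(rule.group(1))
            if referrer_cond and target:
                findings.append((line_no, target.group(1).lower()))
            referrer_cond = False  # RewriteCond lines bind only to the next RewriteRule
    return findings

# Constructed sample: a legitimate non-www to www rule, then an injected rule.
SAMPLE = r"""
RewriteEngine On
# canonicalization: non-www to www
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).* [NC]
RewriteRule .* http://injected.example.invalid/ [R=302,L]
"""

if __name__ == "__main__":
    for line_no, host in find_referrer_redirects(SAMPLE):
        print(f"line {line_no}: search-referrer redirect to {host}")
```

Any hit should be compared against the redirects you added yourself; a target host you don't recognize is the thing to investigate.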

What's The Alternative?

But if I don't use .htaccess, how can I use Joomla's SEF, improved security, canonicalization and other features? If you're on a shared hosting environment, there may not be much you can do. Check with your webhost to see. If you're using your own server or VPS you're in luck. You can add the Joomla htaccess.txt file in your Apache configuration file (apache2.conf or httpd.conf). If you're hosting several sites, and don't want the rules to apply to each, add the rules in your virtual hosting file. Then disable .htaccess files on your site. Remember, though, to keep mod_rewrite enabled.

How To Do It

Here's how to do it on a Debian-based server:

Add the rules in your VirtualHost file - cd into your sites-available directory and get a list of the sites:

cd /etc/apache2/sites-available

Then, using vi or nano, edit each VirtualHost file you want to change, adding the Joomla SEF rules in the <Directory> section:

sudo nano mysite.conf

Find the <Directory /path/to/joomla/base/directory/> section and read Joomla's htaccess.txt file in there. While in that file, find AllowOverride and set it to None to disable .htaccess files. Then save the file and reload Apache:

sudo service apache2 reload

Voila, you've disabled htaccess files and kept your rules.
