Apache Performance: Disable .htaccess

About 3 years ago I wrote a short blog entry about the very basic Apache configuration mistakes and oversights which developers and server admins of the then $500 million dollar Healthcare.gov website made. Most shocking, were elemental oversights, as if devs were not aware of common best practices. Which brings us to another Apache performance related entry.

A while back, I was searching the web for a performance article to forward to a VPS hosted client. One which discussed how WordPress Cache plugins which use Apache Mod_rewrite with .htaccess are almost always slower than plugins such as Hyper Cache which don’t use mod_rewrite at all. (Also see: Top 5 Recommended WordPress Cache Plugins) Surprisingly, that search took almost 30 mins, until finally I came across this detailed article. Their vs tests resulted in Hyper Cache as the winner over the immensely popular Wp Super Cache. Martin, also from Foliovision.com, raised a great point in the comments section of that post, when he said: “I wonder if WP Super Cache in the PHP mode is just as efficient”? That scenario brings us to the very point of this blog post…

Why you SHOULD disable .htaccess when possible

Disable htaccess

Well for two reasons really, performance and security. For the scope of this article we will focus on the unnecessary performance overhead of using .htaccess. Now this is not something new or some hidden tweak but it’s officially documented as the recommended best practice.

Here’s an excerpt from Apache docs:

In general, you should only use .htaccess files when you don’t have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things. Likewise, mod_rewrite directives work better, in many respects, in the main server configuration.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.

However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccessfiles causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that httpd must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, httpd must look for the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if.htaccess files were enabled for /, which is not usually the case.)

In the case of RewriteRule directives, in .htaccess context these regular expressions must be re-compiled with every request to the directory, whereas in main server configuration context they are compiled once and cached. Additionally, the rules themselves are more complicated, as one must work around the restrictions that come with per-directory context and mod_rewrite.

The takeaway from Apache Docs

Well its clear to see that the .htaccess feature is just another example of just how flexible Apache server is. Unfortunately its being used when it should be avoided in preference of using Apache’s main server config. You should only use .htaccess if you are on a shared hosting plan, don’t have root access to the web server or if you lack experience with modifying Apache’s config files. Using .htaccess files causes a performance hit, no matter the contents of your .htaccess file. In fact, it slows down Apache even if your .htaccess is empty and is reloaded on every request! Thus, the contents of .htaccess should be imported into your Apache server config file where it is compiled once. After which, you should disable use of .htaccess completely.

Disabling .htaccess and using mod_rewrite within Apache config

The use of .htaccess files can be disabled completely by setting the AllowOverride directive to none:

AllowOverride None

Here’s an example of Apache config:

<VirtualHost *:80> 
ServerName haydenjames.io
ServerAlias haydenjames.io www.haydenjames.io
DocumentRoot /var/www/root/

Options -Indexes FollowSymLinks

#disable htaccess starting at web root 
<Directory /> 
AllowOverride none 
</Directory>

#Import contents of wordpress .htaccess
<Directory /var/www/root/> 
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
</Directory> 
</VirtualHost>

If you are using WP Super Cache with mod_rewrite or even W3 Total Cache (compare top WP cache plugins here) you can also cut and paste the entire .htaccess contents into Apache’s config just like the above example for performance gains. As mentioned above, remember to disable .htaccess completely or Apache will still search for it on every request. Interested in increasing Apache’s performance further? Read on… Strip Down Apache to Improve Performance & Memory Efficiency.

Tags: , , ,

Apache Performance: Disable .htaccess

20 Responses

  1. Thanks allot man. I am using your code as we speak. Just tested it and it works like a charm!!!

    Anthony December 23, 2014 at 11:22 pm #
  2. Hey James man, thanks for taking the time to write up your tips.
    I manage my own dedicated server and I’ve always used .htaccess files for security measures (to prevent useless bots from crawling my site) and I have a separate .htaccess file in the public_html folder of each wordpress site. But after reading your article I don’t suppose that’s the best way to go about it.

    So I’d like to ask, where is the “global” htaccess file, and what do I need to stick in there to have all my wordpress sites run correctly?

    Here is my “template” htaccess file, so to speak. Can you share your recommended htaccess file for wordpress users? Thanks man, I appreciate your time.

    Vlad February 10, 2015 at 3:29 am #
    • Hi Vlad,

      You need to move all .htaccess rule into httpd.conf (Centos/Red Hat) or apache2.conf (Debian/Ubuntu)
      There’s usually not much reason to use .htaccess if you have a dedicated server. (as per Apache’s documentation linked to above)

      So for example for basic WordPress you would move all .htaccess config into the “directory” section of your httpd.conf or apache.conf file:

      Then as per above article att “AllowOverride none” which disables search for .htaccess, improves performance and also this is how Apache was intended to work. .htaccess is just a convenience at the cost of performance.

      Make sure to disable .htacess in Apache config as well. Excerpt from article:
      ” In fact, it slows you down even if it [.htaccess] is empty and it’s reloaded on every request. Thus, the contents of .htaccess should be imported into your Apache server config file where it is compiled “once” and cached. Lastly, you should disable .htaccess completely.”

      Hayden James February 10, 2015 at 3:43 am #
    • Respect, I will apply this.
      Just to make sure, can I just copy-paste the code in my htaccess template directly into directory section of httpd.conf? I have centos.
      Thanks!

      Vlad February 11, 2015 at 3:30 am #
    • Correct. Ironically its the same httpd.conf that is still pulling in .htaccess via AllowOverride. You are simply avoiding the unnecessary overhead and placing it all in Apache’s config.

      Hayden James February 11, 2015 at 6:07 am #
    • Great, yeah that should definitely speed things up. Thank you my man!
      If you’re ever in Vancouver (Canada) hit me up!

      Vlad February 12, 2015 at 12:51 am #
  3. Just an observation – disabling .htaccess (allowoverride none) with W3 Total Cache results in it complaining all the time about it not being configured (despite the configuration being moved to the httpd.conf file). Not sure if that actually has an impact and removes some of its functionality?

    Keith August 15, 2015 at 2:51 pm #
  4. You can try L2MP Stack (http://l2mp.ml) It support htaccess and Litespeed 6x Faster than Apache

    Tha Thi September 7, 2015 at 9:08 am #
  5. Hi Heyden,

    Thank you for this tutorial. I recently migrated from shared hosting to Digital Ocean and was having a problem with the site permalinks. All of the community-generated documentation on Digital Ocean was saying that you should turn “AllowOverride All”, on but that advice bothered me because I remembered reading something on the Apache website awhile ago about only using .htaccess when you didn’t have access to the main configuration file when I was studying for an interview at a hosting company. However, I was having a hard time finding where I read it on the apache website.

    Thank you for a link back to the apache website where I could read the documentation for myself. It’s nice when you can go to the source and read it for yourself instead of relying on other people’s solutions which may or may not be the best thing for your particular situation. I left a couple of comments on the pages I found on Digital Ocean while searching for the solution with a link back to this page. Hopefully, this helps people get out of the habit of using .htaccess files when they don’t need to.

    I’m also going to try your tutorial on how to strip down apache. Thanks once again!

    Thomas December 6, 2015 at 6:56 pm #
  6. 500 million, not billion. Good article though.

    Mike Henken March 2, 2016 at 6:40 pm #
  7. Post updated and broken links fixed.

    Hayden James November 8, 2016 at 5:35 am #
  8. Really crucial information!

    Would love to see some numbers on how long a route takes with and without “AllowOverride All”.

    akamaozu November 8, 2016 at 7:01 am #
  9. Thanks for posting this. Very useful!

    DavidCWebs November 8, 2016 at 9:14 am #
  10. Hello and thanks for this article…
    I believe it will be quite difficult to make 301 redirects without an Active .htaccess… or maybe you found another way in Apache ?
    To me even if .htaccess takes time to load, it’s a necessary feature to all website hosting Env. I would recommend you optimize the code of existing .htaccess instead of shutting off

    Gary Le Masson November 8, 2016 at 11:31 am #
    • Quite the opposite. You do not need .htaccess to use 301 redirects or any redirects for that matter. Please read the article and the official Apache documentation.

      Hayden James November 8, 2016 at 11:40 am #
  11. This is a great tip, thank you! I wrote a small PHP script to make this easier to do for WordPress (typically plugins add their own .htaccess files so it gets messy pretty quick): https://gist.github.com/danyell/16a60fded14ff9fb263a65469eb0dfc4

    danyell March 2, 2017 at 12:02 pm #
  12. Hi. Can anyone give me an idea which file in Apache2 this code may be added? There are several conf files there. Thank you.

    Joe Narula October 22, 2017 at 10:46 am #

Leave a Reply