Apache Performance: Disable .htaccess

A while back, I searched the web for a performance article which I could forward to a client of StackLinux. An article explaining how using WordPress Cache plugins which make use of .htaccess, are almost always slower than plugins that don’t use .htaccess.

Surprisingly, that search took a lot longer than expected, until I finally came across this article. Martin, from Foliovision, raised a good point in the comments section of that post when he said: “I wonder if WP Super Cache in the PHP mode is just as efficient [as .htaccess mode] ?” That scenario brings us to the very point of this blog post.


Why you SHOULD disable .htaccess

Disable htaccess
Source: http://httpd.apache.org/docs/2.4/howto/htaccess.html#when 

Well for two reasons really, performance and security. For the scope of this article we will focus on the unnecessary performance overhead of using .htaccess. Now this is not some new or hidden tweak but it’s officially documented as the recommended best practice. I’ve updated this article because I still notice frequent use by web server admins of Apache’s .htaccess.

Here’s an excerpt from Apache docs:

In general, you should only use .htaccess files when you don’t have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things. Likewise, mod_rewrite directives work better, in many respects, in the main server configuration.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.

However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccessfiles causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that httpd must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, httpd must look for the following files:


And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if.htaccess files were enabled for /, which is not usually the case.)

In the case of RewriteRule directives, in .htaccess context these regular expressions must be re-compiled with every request to the directory, whereas in main server configuration context they are compiled once and cached. Additionally, the rules themselves are more complicated, as one must work around the restrictions that come with per-directory context and mod_rewrite.


The takeaway from Apache Docs

Well, its clear to see that the .htaccess feature is just another example of just how flexible Apache server is. Unfortunately, it’s being used when it should be avoided in preference of using Apache’s main server config.

You should only use .htaccess if you are on a shared hosting plan, don’t have root access to the webserver, or if you lack experience with modifying Apache’s config files. Using .htaccess files causes a performance hit, no matter the contents of your .htaccess file.

In fact, it slows down Apache even if your .htaccess is empty since it’s reloaded on every request! Thus, the contents of .htaccess should be imported into your Apache server config file where it is compiled once. After which, you should disable use of .htaccess completely.


Disabling .htaccess and using mod_rewrite within Apache config

The use of .htaccess files can be disabled completely by setting the AllowOverride directive to none:

AllowOverride None

Here’s an example of Apache config:

<VirtualHost *:80> 
ServerName haydenjames.io
ServerAlias haydenjames.io www.haydenjames.io
DocumentRoot /var/www/root/

Options -Indexes FollowSymLinks

#disable htaccess starting at web root 
<Directory /> 
AllowOverride none 

#Import contents of wordpress .htaccess
<Directory /var/www/root/> 
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

If you are using WP Super Cache with mod_rewrite or even W3 Total Cache, you can cut and paste the entire contents of .htaccess into Apache’s config just like the above example for performance gains. As mentioned above, remember to disable .htaccess completely or Apache will still search for it on every request.

Interested in increasing Apache’s performance further? Related reading: Strip Down Apache to Improve Performance & Memory Efficiency and recommended WordPress Caching Plugins)


Originally published: Nov 8, 2016

Tags: , , ,