Apache Performance: Disable .htaccess

Back in 2013, I searched the web for a performance article which I could forward to a client of StackLinux. One that explained how using WordPress Cache plugins that use .htaccess is almost always slower than plugins that don’t use it.

Surprisingly, that search took longer than expected. I finally found this article, where Martin, from Foliovision, raised a good point in the comments section of that post when he said: “I wonder if WP Super Cache in the PHP mode is just as efficient [as .htaccess mode] ?” That scenario brings us to the very point of this blog post.

Published: November 8, 2016 | Last updated: April 29th, 2022

I’ve updated this article again because I still notice the very frequent use of Apache’s .htaccess by web hosts and server admins. Only very recently, a handful of web hosts have begun ending support for, or strongly recommending against the use of .htaccess.

Why you SHOULD disable .htaccess

Source: http://httpd.apache.org/docs/2.4/howto/htaccess.html#when 

You should disable .htaccess, for two reasons really, performance and security. For the scope of this article, we will focus on the unnecessary performance overhead of using .htaccess.

This is not some new or hidden tweak, but it’s officially documented as the recommended best practice.

Here’s an excerpt from Apache docs:

In general, you should only use .htaccess files when you don’t have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things. Likewise, mod_rewrite directives work better, in many respects, in the main server configuration.

.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.

However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.

There are two main reasons to avoid the use of .htaccess files.

The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccessfiles causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.

Further note that httpd must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, httpd must look for the following files:

/.htaccess
/www/.htaccess
/www/htdocs/.htaccess
/www/htdocs/example/.htaccess

And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if.htaccess files were enabled for /, which is not usually the case.)

In the case of RewriteRule directives, in .htaccess context these regular expressions must be re-compiled with every request to the directory, whereas in main server configuration context they are compiled once and cached. Additionally, the rules themselves are more complicated, as one must work around the restrictions that come with per-directory context and mod_rewrite.

 

The takeaway from Apache Docs

Well, it’s clear to see that the .htaccess feature is just another example of just how flexible the Apache server is. Unfortunately, .htaccess is being used when it should be avoided.

You should only use .htaccess if you are on a shared hosting plan, don’t have root access to the webserver, or if you lack experience with modifying Apache’s config files. Using .htaccess files causes a performance hit, no matter the contents of your .htaccess file.

In fact, it slows down Apache even if your .htaccess is empty since it’s reloaded on every request! Thus, server admins should import the contents of .htaccess into Apache’s server config, where it is only compiled once. After which, you should disable the use of .htaccess completely.

Disabling .htaccess and using mod_rewrite within Apache config

You can disable the use of .htaccess files completely by setting the AllowOverride directive to none:

AllowOverride None

Here’s an example of Apache config:

<VirtualHost *:80> 
ServerName haydenjames.io
ServerAlias haydenjames.io www.haydenjames.io
DocumentRoot /var/www/root/

Options -Indexes FollowSymLinks

#disable htaccess starting at web root 
<Directory /> 
AllowOverride none 
</Directory>

#Import contents of wordpress .htaccess
<Directory /var/www/root/> 
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
</Directory> 
</VirtualHost>

If you are using WP Super Cache with mod_rewrite or even W3 Total Cache, you can cut and paste the entire contents of .htaccess into Apache’s config just like the above example for performance gains. Remember to disable .htaccess completely, or Apache will still search for it on every request.

Are you interested in increasing Apache’s performance further? Related reading: Strip Down Apache to Improve Performance & Memory Efficiency and recommended WordPress Caching Plugins.

Also, read Nginx tuning tips: TLS/SSL HTTPS – Improved TTFB/latency.