: Is Checking For mod_write Really Necessary? Recently I noticed that many people post .htaccess files here with: <IfModule mod_rewrite.c> Sometimes this even appears several times in the file!

@Nimeshi995

It is mostly used by Content Management Systems such as WordPress, since they can operate with PHP rewrite or mod_rewrite, if the mod_rewrite is not supported and you do not use IfModule then some sites will result in error 500.

Every install of WordPress will attempt to use .htaccess and during major upgrades it can trigger a check to see if this code is present:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress


On several occasions I have witnessed WordPress adding the code AGAIN if their code has been modified. This is why WordPress users will generally leave that code unchanged or use chmod to prevent WordPress appending to it, it's actually a good idea from a security stand point to set your .htaccess to 0444.

This is why I decided to leave it alone when answering one of my questions regarding WordPress HTTP to HTTPS without trailing slash results in double redirect

Summary

Using <IfModule mod_rewrite.c> or not is not going to make any measurable difference in terms of performance for the normal website, if you can remove it then by all means do, it won't make a difference if you do or do not, just roll with what works best for your setup.

Vote Up Vote Down

@Alves908

No, most of the time, checking for mod_rewrite is not necessary. In fact, it is often preferable to remove this check.

If the mod_rewrite directives are required by your site then you should not wrap them in a <IfModule mod_rewrite.c> container. Because if they are required and mod_rewrite is not available then the directives simply fail silently and your site continues to break in some other way (masking the underlying cause) and possibly exposes something you weren't expecting. Without the <IfModule> wrapper then the site would break instantly (and completely) with an easily identified error and nothing unexpected is exposed.

The only times when the <IfModule mod_rewrite.c> should be used is either:


The site is designed to work with or without mod_rewrite. This is the case with WordPress. Without mod_rewrite the site still "works", you just don't get the "pretty" URLs.


Or


You have directives from another module that are dependent on mod_rewrite having executed successfully. So, in this case you would wrap these other directives in a <IfModule mod_rewrite.c> wrapper. For example, setting an HTTP response header (with mod_headers) based on some property of the request that you have determined using mod_rewrite. In this case you might wrap the Headers directive in a <IfModule mod_rewrite.c> container.


Most of the time, if you know your server, then you don't need the <IfModule mod_rewrite.c> check - since you already know whether mod_rewrite is enabled or not. The only time when you do need it is if you are writing portable code to work on multiple servers and either condition #1 or #2 above are met.


Sometimes this even appears several times in the file!


And most of the time this is completely unnecessary. However, in defence of this behaviour, this often occurs when you have different plugins that edit .htaccess automatically and independently. The same is true for multiple RewriteEngine and RewriteBase directives.

For hand-written code you should never see this. For hand-written code this generally occurs through mindless copy/paste (which unfortunately seems to happen a lot with .htaccess directives).


Is there an advantage in having the <IfModule mod_rewrite.c> fail rather than the RewriteRule statements below it?


Only in the case of #1 or #2 above. Most of the time, no.


mod_write now is so essential and ubiquitous that I do not check for it anymore. Might this cause a vulnerability of some kind?


If it's essential for your site then there is no need to check for it. No vulnerability.

In fact, the opposite could even be true... if the mod_rewrite directives are essential then checking for the presence of mod_rewrite could even cause you more problems if mod_rewrite suddenly become unavailable for whatever reason. As mentioned above, your mod_rewrite directives would now silently fail (stress "silent" - no error), but the website may still continue to function without a server error being triggered but returning nonsense to the user (and search engine bots) with a 200 OK status. If the <IfModule> wrapper had been omitted then you would have been notified immediately of the problem. However, if this error was silenced it may be some time before the problem is discovered, by which time more serious damage may have already been done.

Vote Up Vote Down