Tutorial :Is it a security risk not to use a .htaccess file?


I have a Joomla site www.siteA.com and another Joomla site www.siteA.com/siteB.

I have a .htaccess -file at siteA, but not at siteB.

Is it a security risk not to have a .htaccess -file at siteB?


.htaccess files are configuration files used to override options on a per directory level. These same options (and more) could be set from the main apache configuration (often in /usr/local/etc/apache*). If you own your server and have set up your Apache configuration properly it may actually be a gain to disable .htaccess for performance reasons.

Not properly configuring permissions is usually a security risk. How you set them is up to you. Some people prefer having .htaccess enabled so they could keep application specific settings together.

To answer your specific question about Joomla: the .htaccess file provided by default does little more than URL rewriting. This provides near-zero security benefit so not having a .htaccess file should not be a problem. It also adds some basic protection for some old third party modules. However you should be updating or removing them, not relying on .htaccess

Lastly it depends on what you mean by secure (as does almost any question relating to security).


.htaccess files are used to override settings otherwise set in the apache configuration. If you have nothing you want to change, then you don't need (and shouldn't have) an .htaccess file.


The .htaccess file written for Joomla! is mainly for mod_rewrite purposes so you can get the SEF URLs without /index.php/ stuck in the middle. There are some additional rules in there to thwart off attacks that occur with either misconfigured servers or poorly coded 3rd party extensions. It is not necessary to use this file to protect the core Joomla! system. This is your last line of defense rather than your first.


Do you have access to the main server configuration files? If so, you shouldn't be using .htaccess files at all. It's a security risk not to have your server configured properly, but all that configuration should be done in the main configuration file (like /etc/apache2/httpd.conf for example).

If you don't have access to the main server configuration files, it's probably not a security risk to not have a .htaccess file. Typically whoever wrote the main server configuration file didn't leave any major security holes (well, at least we hope so). But it depends on the specifics of your website. For instance, the main server could be configured to allow directory listings when there's no index file in a directory. That could be a security risk if you have files that you don't want anyone to find by accident, but otherwise there's no harm in it.


Is it a security risk to USE an htaccess file? I uploaded an htaccess file to a public web folder at work to restrict a page to staff only, but was told that I shouldn't be using htaccess files or programming or I'll stuff up the whole website and risk security. I used the standard htaccess file I've used before at work in other areas with no problems. What did the webmaster mean when they said 'using htaccess is a security risk'?

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »