I disabled .htaccess by using “AllowOverride none” in the vhost file. However, backing up an account with that config and restoring it results in a hosts file that mixes default and new settings, like this:
“AllowOverride none Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch”
This breaks Apache until either AllowOverride is changed from none to All (re-enabling .htaccess) or the options are removed (.htaccess disabled, the desired outcome). This is not a big issue, but it’s a bit annoying.
Is there a way to change this so that the backed up config is restored as-is? We already have the reset feature under server validation so restoring default settings in any way during regular backup restore seems a bit redundant.
Apache starts, but the website (WordPress) throws an Internal Server Error page and the Apache error logs display only the following:
/home/example/public_html/.htaccess: RewriteEngine not allowed here
PHP logs show nothing; the last entry was 10 minutes before I ran the scenario to produce the above output.
After deleting the options, so that the AllowOverride directive is again set to none, an Apache restart brings the site back online and running as intended.
This silent failure was an issue the first time it happened, because I blindly restored a backup and didn’t bother to check since it’s a development site, but it became unreachable the next time I restarted the web server.
Apache actually recommends not using .htaccess if root access is possible. You can pretty much (sometimes you need to make some changes) just copy the contents of .htaccess to the vhost config under the public_html directory and use AllowOverride set to none to make the site more secure and even a bit faster. Nothing changes on the WordPress side, everything runs as usual; it’s just that the directives are no longer read from .htaccess upon each visit, but instead read only once from the vhost config when Apache is started. This means that while .htaccess can usually be changed on the fly, even from within WordPress, Apache needs to be restarted to make changes to the vhost.
On a side note, I first did this for a client that completely opted out of maintenance, and the site ran for about 20 months without any updates and changes (except mandatory WordPress updates). When I checked it recently it was running fine, but upon closer inspection I found that .htaccess was altered with redirects to .html files and .php scripts that were uploaded to the uploads folders of WordPress; those were scam ads for random stuff like fake medicine, betting sites and get-rich-quick schemes. None of it was causing an issue because .htaccess was not being read at all. Since then we run all sites with .htaccess disabled; it works like a charm and the attack surface is reduced.
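A check that could be run against a vhost file right after a restore, to catch the mixed AllowOverride line quoted in this thread before the next Apache restart. This is an added example, not part of the original posts or of the control panel's code; the function name `find_mixed_allowoverride` and the sample vhost are constructed for illustration.

```python
import re

# Constructed sample: a restored vhost carrying the mixed directive quoted in the thread.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /home/example/public_html
    <Directory /home/example/public_html>
        Options -Indexes +SymLinksIfOwnerMatch
        AllowOverride none Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/example/cgi-bin>
        AllowOverride None
    </Directory>
</VirtualHost>
"""

DIR_OPEN = re.compile(r"^<Directory\s+\"?([^\">]+)\"?\s*>$", re.I)
DIR_CLOSE = re.compile(r"^</Directory>$", re.I)


def find_mixed_allowoverride(config_text):
    """Return (line_no, directory, args) for every AllowOverride line that
    combines 'none' with other arguments, as in the restored file above."""
    findings = []
    stack = []  # paths of the enclosing <Directory> blocks
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIR_OPEN.match(line)
        if m:
            stack.append(m.group(1).strip())
            continue
        if DIR_CLOSE.match(line) and stack:
            stack.pop()
            continue
        parts = line.split()
        if parts[0].lower() != "allowoverride":
            continue
        args = parts[1:]
        # A lone "none" is the intended hardened setting; "none" plus anything else is flagged.
        if len(args) > 1 and any(a.lower() == "none" for a in args):
            findings.append((line_no, stack[-1] if stack else None, args))
    return findings


if __name__ == "__main__":
    for line_no, directory, args in find_mixed_allowoverride(SAMPLE_VHOST):
        print(f"line {line_no}: {directory}: AllowOverride {' '.join(args)}")
```

A non-empty result means the restored file should be edited back to a plain `AllowOverride none` before Apache is restarted.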