As the name says, in this series of posts, I will share a couple of ways for optimization and configuration, that you can easily apply to your website. THIS IS NOT a guide on how to become number one on google. This is a guide about how to make your site loads fast and add a bit of security.
No matter is it a static HTML site or complex CMS like WordPress and Joomla, every site needs some optimization – compressing, cashing, headers and so on had to be set. You may ask – as this is required for every site, why do not set this at the server level? Well, if this is your own server, you are hosting a couple of sites and have root access – yes, this can be done once. But on hosting, there are hundreds, even thousands of sites on one server and they may need specific customisation. For example, you cannot set rewrite rules server-wide.
How exactly to optimize your site?
For WordPress and Joomla there are modules for (almost) everything. Cashing, CORS headers, LazyLoad, compression … whatever you can think of. But there is also a downside. You stop for a moment, take a look, and find your site with dozens of modules, each of them with their own .css and .js files, and all of these files are an additional request to the server when loading your site.
And here comes the .htaccess files. If the module author is thinking for you, they will make it so their module does not have any .css or .js files loaded in the front-end, but placing the rules in your website’s .htaccess file. And here comes the bad news.
.htaccess files (or "distributed configuration files") provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.
So far so good. We can place .htaccess files practically everywhere, and we can set different rules for each directory, by just placing the .htaccess file in this directory main folder. But if we read further:
In general, you should only use .htaccess files when you don't have access to the main server configuration file. There is, for example, a common misconception that user authentication should always be done in .htaccess files, and, in more recent years, another misconception that mod_rewrite directives must go in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.
Likewise, mod_rewrite directives work better, in many respects, in the main server configuration. .htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration. However, in general, the use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a < directory > section in your main server configuration file.
There are two main reasons to avoid the use of .htaccess files. The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, httpd will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested. Further note that httpd must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. Thus, if a file is requested out of a directory /www/htdocs/example, httpd must look for the following files: /.htaccess /www/.htaccess /www/htdocs/.htaccess /www/htdocs/example/.htaccess And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)"
How to apply configurations for your website
Note the last quote – “for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files is present”. Now let’s imagine, that our website root folder is not in the 4th directory but in the 6th? This raises the requests to 6. And if there are 1000 site on this server, each one with its own .htaccess file, this makes a total of 6000 requests. Of course, it’s doubtful that all 100 sites will be accessed simultaneously. My point is, that using .htaccess is as good as bad.
In the above scenario, those requests slow down the server, thus the hosted websites behaviour i.e. they will load slower. So, as recommended above, place the rules you need in your domain .vhost file, or, if the hosting person/company granted you access to a control panel, look for a similar feature.
For example, customers hosting their site on my server has access to a hosting panel ISPCOnfig. In it, adding these rules is very simple. Just open your site for editing, go to the “Options tab”, scroll down and you will see 2 boxes – one for additional PHP directives and one for additional Apache directives. The image below shows some directives used for this site:
The above method adds those directives to my site .vhost file. Putting this configuration in the server configuration file results in less of a performance hit, as the configuration is loaded once when the server starts, rather than every time a file is requested.
So, as described above, it is recommended to add all necessary directives directly in your host file or use your hosting control panel features (if any). The way the rules are added in both scenarios is the same
Also, if the control panel has the same features as ISPConfig shown on the image above, you can add a custom PHP setting also.
However, using the .vhost file has some downside – the server must be restarted to apply the configuration. Most hosting companies have some kind of cron/automation to restart the server on a schedule or when the .vhost file is changed, but in most cases, you can’t be sure. So, you can use your .htaccess file to test the directives you want to add to be sure they do not break your site and work as expected, and once done move them to your .vhost file.
NOTE: A sample .htaccess file implementing all techiques in these posts, can be found at the end of part 3.