Skip to main content

Understanding Apache, .htacess, Drupal



The Drupal CMS provides a robust set of tools for anyone looking to get a site up and running in a short amount of time. All you need to do is download Drupal, setup a theme on a hosting provider, and essentially you have a website up and running. Very easy, affordable, and simple, right? Often times something that is overlooked is how the “voodoo” or “black magic” makes that site work under the hood. One of those “voodoo” items in particular that I see overlooked often is how Apache, .htaccess, and Drupal all work together in keeping a custom site configuration in-sync.

The best way to explain this is to start from the top, at Apache, in the httpd.conf/apache2.conf file that is usually found in the /etc/httpd/conf folder off the root of any Linux server. In the Apache configuration file you will find a stanza that looks similar to this:

  <Directory "/var/www/html">
    Options Indexes FollowSymLinks
    #Here is the override for .htaccess
    AllowOverride All
    Order allow,deny
    Allow from all

What this stanza is configuring for Apache is the publicly exposed folder that essentially you will setup all of your public facing websites in. In the folder, /var/www/html Apache should then be configured with the basic rules that are described in the stanza. The line that gives the Drupal .htacces file power is AllowOverride All. What this is telling Apache is that for the directory, /var/www/html, .htaccess has the chance to override any command that Apache has put in place in it’s own configuration file. In the case of Drupal, the .htaccess file is used in every request as a way to normalize the playing field, so no matter what you have setup in Apache, Drupal ensures that the request coming in always behaves in a structured format.

Right about now, you might be asking yourself, “well where should I add my extended site configuration, Apache or .htaccess?” The answer to that question is it all depends upon the situation in how your Drupal core is configured. For example, if you only have one site in your Drupal core and do not plan on putting any other sites in there, then I would add your extended site configuration to .htaccess. This way you do not have to worry about anything in your .htaccess file every overriding your Apache commands. If you have multiple sites running off the same Drupal core I would put your extended site configuration up in your VirtualHost stanza in a directory block, that way these commands are applied to the specific ServerName in your VirtualHost. Please let me know if you have any questions comments or concerns.

Member for

3 years 9 months
Matt Eaton

Long time mobile team lead with a love for network engineering, security, IoT, oss, writing, wireless, and mobile.  Avid runner and determined health nut living in the greater Chicagoland area.



Sat, 11/05/2016 - 04:34 AM


Something is changing my htaccess and make my site unavailable.

In this example see how “RewriteRule ^index\.php$ – [L]RewriteCond %{REQUEST_FILENAME} !-f ” is on one line when is suppose to divide in two:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

This is happening like one time a week. I have wordfence, stop spammers, bruteprotect and anti-malware. I can’t find anything that could be making does changes.

Any ideas? Thanks!


SEO Analyst

The first thing that comes to my mind is the file permissions on the the .htaccess file.  What are the file permissions?  Can someone alter this file remotely?  

The second thing that would come to my mind is if someone has access to your server to change this file internally.  Is there any users on the server that you do not recognize?

I would start there.