.htaccess Generator

Joomla .htaccess Generator — Complete Configuration Guide

Every Joomla installation ships with an htaccess.txt file that must be renamed to .htaccess before it takes effect. This generator extends the default Joomla rewrite rules with hardened security, caching, and performance sections — all wrapped in <IfModule> guards that degrade gracefully on hosts where Apache modules are not loaded.

SEF URL Rewrites

Joomla's Search Engine Friendly (SEF) URL system depends on mod_rewrite. The standard rules route all requests through index.php while passing the original URI as a parameter. Enable Use URL Rewriting in Joomla's Global Configuration (System > Settings > SEO Settings) alongside this setting.

Security Sections Explained

• Force HTTPS — Redirects all HTTP requests to HTTPS with a 301 permanent redirect. Required for securing login sessions and protecting the administrator area.
• Security Headers — Adds HTTP response headers: X-Content-Type-Options prevents MIME sniffing, X-Frame-Options blocks clickjacking, X-XSS-Protection enables browser XSS filters, Referrer-Policy controls referrer leakage, and Strict-Transport-Security enforces HTTPS for future visits.
• Block Exploits — Denies direct HTTP access to sensitive Joomla paths including /administrator/logs/, /tmp/, /cache/, /cli/, configuration.php, and .htpasswd. These files should never be publicly accessible.
• Disable Directory Browsing — The Options -Indexes directive prevents Apache from generating a file listing when no index file exists in a directory, hiding your installation structure from attackers.
• Block Bad Bots — Blocks known scraper and spam bot user-agent strings. Reduces server load and prevents content theft by automated tools.

Performance Sections Explained

• Gzip Compression — Uses mod_deflate to compress HTML, CSS, JavaScript, XML, and JSON responses. Typically reduces transfer sizes by 60–80%, improving page load times and Core Web Vitals scores.
• Browser Caching — Sets Expires headers via mod_expires so browsers cache static assets locally. Images and fonts get one-year TTLs; CSS and JS get one-year TTLs. HTML pages are excluded to ensure fresh content delivery.
• PHP Settings — Sets common PHP runtime values via php_value: upload limits, post size, and execution time. These directives only work on Apache with mod_php — on PHP-FPM setups, configure these in php.ini or a pool configuration file instead.

Deployment Notes

Always back up your existing .htaccess before overwriting it. After deploying, test your site's front end, administrator login, and image uploads immediately. If you see a 500 Internal Server Error, re-upload your backup — a syntax error in .htaccess will take down the entire site.