(Reading time: 4 - 7 minutes)

Mythbusters: Do you need to change htaccess.txt?

1422 hits Updated: 05 April 2022 Blog

You do not need to modify the contents of htaccess.txt

Some people think that it’s important to edit (that is to change the contents of) one, or the other or both of the files htaccess.txt or web.config.txt. That’s a statement of fact. Some people really believe that!

The reason that this issue has recently become a hot discussion topic is because of the advisory notice that shipped as part of J! 3.9.3.  The notice says in part,

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files.  These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.configJ! 3.9.3 announcement, Joomla Forum, 13-Feb-2019

If people think it's important to be able to edit (i.e. change the contents of) either (or both) the files htaccess.txt  and/or web.config.txt then I am not going to dispute that belief.  If it makes people feel better that they can edit either or both of these files when it suits them then so be it.  I don’t want to make people feel unhappy.

If it makes you feel happier, you can even delete one or both of these two files, too.  It won’t make any difference to how your Joomla website continues to operate but we need to unpick the security notice.

btquoteI replied to Brian Teeman to say that I wondered how many Joomla developers have seen the lengthy discussions on the Joomla forum as a result of that notice!

The first part of the notice states that “since Joomla 3.9.3, Joomla is shipped with additional security hardenings”.  That’s not completely a completely true statement.  It is true that Joomla is shipped with pre-configured htaccess file.  It is also a requirement that this file needs to be renamed before the “additional security hardenings” take effect.  The second part of the notice recommends making changes to one or other file that may already exist on your website; the second part does not mention having to change any .txt files.  The problems are that the recommendation is clumsily worded.

There are a few thousand files created on your Joomla website when you first install it.  There are also a few thousand files replaced when you update Joomla from one version to the next.  Between the time when you first create Joomla and when you update it to a later version, if you deleted some files from your website, some files are re-created.

Replacing (or, in some cases, re-creating) some files when you update Joomla from one version to the next is neither a good thing nor a bad thing.  It's just a “thing”. It’s just how the Joomla! Update component works.

As an example of some of the files that are always replaced when you update Joomla from one version to the next, here is a very short list of the ones that are located in the website’s root folder:

  • htaccess.txt
  • index.php
  • LICENSE.txt
  • README.txt
  • robots.txt.dist
  • web.config.txt

Therefore, if you feel the need to edit (that is, change the contents of) one or more of these files then remember that any changes you make to these files will be lost when you update Joomla to a later version. OK?

If you still feel that you must update one or more of these files then don't let me stop you but, please, don’t ask for my help if you want to edit/change the contents of these files.

This article is based on the author's previously published work at the Joomla forum.

About the author:

has worked in the information technology industry since 1971 and, since retiring from the workforce in 2007, is a website hobbyist specialising in Joomla, a former member of the Kunena project for more than 8 years, and contributor on The Joomla Forum™. The opinions expressed in this article are entirely those of the author. View his profile here.

No thoughts on “Mythbusters: Do you need to change htaccess.txt?”

User Rating: 5 / 5

Star ActiveStar ActiveStar ActiveStar ActiveStar Active
Trending now

Some other articles you may be find interesting