There are a few places here in the library: [webmasterworld.com...] and a specific topic where your question is addressed: [webmasterworld.com...] is a good place to start. There is other helpful reading there as well, it does not look like your htaccess file is doing as much for you as it could.

The code is mostly from
[a nonauthoritative source giving bad examples ]

[edited by: phranque at 9:31 pm (utc) on Jan 18, 2015]
[edit reason] URLs snipped [/edit]

Does htaccess code order makes a difference?

Yes and no.

Each module is an island, so it doesn't matter which module's directives come first. You can even mix directives from two or more different mods at random; each one will read its own lines and ignore all others. Do not try this at home. I once intentionally tried mixing-and-matching on my test site just to see what would happen.

Within each module, order is significant-- unless the module contains instructions that override line-by-line order (notably the "Order" directive itself).

<If> envelopes in and of themselves have no effect. If the condition is true (if you have the mod, etcetera) the lines within the envelope are read; if not, the lines are ignored. See above about test site.

Should deny IP be First or Last?

For some odd reason Anti-Hotlinking likes to be above the deny IPs?

Should deny IP be First or Last?

It makes no difference at all whatsoever. Lines beginning in "Allow" and "Deny"-- along with the single "Order" line-- are mod_authzthingummy. (Its exact name varies by Apache version, but syntax and behavior are the same.) It's normally one of the last mods to execute-- but it will execute, even if some earlier mod has already issued a flat 403.

Anti-hotlinking rules by their nature involve some other mod, most likely mod_rewrite. You could theoretically do it with the mod_setenvif-plus-mod_authzzzz combination, but I doubt anyone really does.

Arrange your htaccess in the order that's easiest for you to read and track.

Some things depend on your individual setup. For example: I've got several sites sharing a single "userspace". So all the basic mod_setenvif and mod_authwhatsit directives are in an htaccess file shared by all sites, because a robot is a robot is a robot. All this stuff is inherited. The different sites then get individual htaccess files that concentrate on mod_rewrite (which normally isn't inherited).

:: shuffling papers ::

Part of a longer slab of boilerplate:

Step 1: Organize. Collect all the directives for each module in one place. The server doesn't care, but you-- and anyone who comes along after you-- will appreciate it.

Tip: Use a text editor with a "Find All" window to pull up all lines beginning with the element "Rewrite..." That takes care of mod_rewrite; dump them all at the end for now.

Step 2: Get rid of all <IfModule> envelopes. Not their contents, just the envelopes themselves. These envelopes are hallmarks of mass-produced htaccess files that have to work anywhere, on any server. You are now on your own site. Any given mod is either available to you or it isn't.

Exception: If you use a standard CMS such as WordPress, your htaccess file will contain a group of lines beginning and ending with #comments saying something like "begin WordPress" and "end WordPress". Leave everything in this package unchanged unless you know what you are doing.

Step 3: Sort by module. The server doesn't care what order the directives are listed in, or even if rules from different modules are all garbled together. Each module works separately, seeing only its own directives. But humans need to be able to find things.

For most people it will be most practical to group one-liners at the beginning:

Options -Indexes

is a good start. If your htaccess file contains only one line, that's probably it. Other quick directives are ones starting with words like AddCharset or Expires. Then list your error documents.

If you have any very short Files or FilesMatch envelopes, put them near the top too. For example:

<Files "robots.txt">
Order Allow,Deny
Allow from all
</Files>

<FilesMatch "\.(css|js)">
Header set X-Robots-Tag "noindex"
</Files>

Be sure to have an "Allow from all" envelope for your custom 403 page. If you are on shared hosting and they provide default error-document names such as "forbidden.html", this has probably already been done in the config file. But it does no harm to repeat it.

---

and a specific topic where your question is addressed

Hey, thanks, not2easy, I don't think I'd ever seen that thread before. It was interesting to find the grownup wording (courtesy jdMorgan) where I've been accustomed to simply saying "List RewriteRules in order of severity".

Thanks for the info & tips.

I do use the <IfModule> envelopes because I'm on a shared host.

I do use the <IfModule> envelopes because I'm on a shared host.

It is still possible to find out if you have a specific module, so you can code accordingly. Perversely, my own host won't tell * -- but they will happily share a little function involving mod_setenvif that easily gives you the information.


* I think technically what they won't disclose is the exact Apache version number. But it ends up being the same thing.

apache_get_version [php.net] and apache_get_modules [php.net] might be informative here.