DEV Community

Cover image for What You Should Know About PHP Mod_Rewrite And Mod_Security.
Emmanuel C. Okolie
Emmanuel C. Okolie

Posted on

What You Should Know About PHP Mod_Rewrite And Mod_Security.

The image Was Gotten From DALL-E


In this tutorial, we'll examine two topics simultaneously. Mod_rewrite and Mod_Security will become necessary as you advance as a PHP developer, and you'll need to use them on your web applications.

You can learn a lot about Mod_rewrite and Mod_Security by reading this lesson, and it will also broaden your understanding of what Mod rewrite is capable of. The mod rewrite module is an Apache engine that rewrites URLs according to rules. Several apps have functionality like proxy fetching and page redirection.

Let's get right into this tutorial without wasting much time!


Below are the things you need to get ready before you can use Mod rewrite and Mod security in php.

  • First, you will need to have Apache installed in your server and Mod rewrite enabled

  • You will need to have access to the Apache Configuration files, which are located in the /etc/httpd/conf or /etc/apache2/ directory on a Linux Server. But if you’re using Xammp you can find the Apache Configuration file like this C:\xampp\apache\conf\original etc. Note, the Apache Configuration file contains both Mod rewrite and Mod security.

  • You will also need to make sure that the AllowOverride directive is set to All for the directory where you want to use mod_rewrite. if AllowOverride is set to None the mod_rewrite Won’t work.

  • Finally, you will need to create a .htaccess file in the directory where you want to use mod_rewrite and include the rewrite rules in this file.

What is Mod_Rewrite

mod_rewrite is an Apache module that allows you to rewrite URLs cleanly and flexibly. It can perform various tasks, such as redirecting requests to a different page, allowing you to use shorter and more user-friendly URLs, and more. Note, another name for the Mod_rewrite is the Rewrite module

What Is Mod_Security

mod_security, also known as ModSecurity, is an Apache module that protects a range of web-based attacks. It can be used to block malicious requests, filter input, and log activity for further analysis. ModSecurity can help protect your website from a variety of threats, including cross-site scripting (XSS) attacks, SQL injection attacks, and more.

How To Set up Mod_Rewrite And Mod_Security

In the following sections, we will discuss how to set up mod rewrite and mod security.

You must have access to the Apache configuration files on your web server to configure mod_rewrite and mod_security in a PHP project. Although they are often pre-installed with Apache, certain modules might not always be active. You may activate and set up these modules as follows:

  1. Launch a text editor and open the httpd.conf or apache2.conf configuration file for Apache.

  2. Search for mod_rewrite LoadModule directive. Remove the # character to uncomment it if it is commented out (i.e., is preceded by a # character). The mod_rewrite module will then be enabled.

  3. Search for mod security LoadModule directive. Remove the # to uncomment it if it has been commented out. With this, the mod_security module will be enabled.

  4. To make the changes effective, save the configuration file and restart Apache.

  5. To utilize mod_rewrite in your PHP project, you must create a .htaccess file in the project's root directory. The RewriteRule directives in this file define the URL rewriting rules for your project.

  6. You must write a configuration file (often called mod security.conf) that details the security policies for your project to utilize mod_security. The Apache configuration directory should contain this file (often /etc/apache2/ on Ubuntu or /etc/httpd/ on CentOS).

How You Can Use Mod_Rewrite and Mod_security

Two Apache modules, mod rewrite and mod security, can be combined to improve a website's functionality and security.

An effective tool for changing URLs and rerouting traffic is mod rewrite. Incoming requests may be redirected to various pages using it, URLs can be masked to make them more user-friendly, and it can even stop some attacks by denying requests that include harmful characters.

Mod rewrite, for instance, may be used to route all traffic from an outdated URL to a new one or to route all requests for a page that isn't there to a unique 404 error page.
Additionally, you may use it to redirect requests to a different URL or to prohibit particular requests that follow a specific pattern.

A web application firewall called mod security, on the other hand, may be used to stop dangerous requests before they even reach your website. It may be set up to recognize and stop frequent attack types including SQL injection and cross-site scripting (XSS) assaults.

For instance, you may use mod security to stop all requests from coming from IP addresses or ranges that are known to be used by attackers, or to stop all requests that include specific terms or patterns that are linked to harmful attacks.

When combined, mod rewrite and mod security can assist you in building a strong, secure website that is better equipped to fend off threats and improve user experience. But keep in mind that setting mod security to stop all fraudulent requests is a difficult operation, and it is simple to err. As a result, it can wind up blocking traffic from genuine sources or valid requests. It's better to get advice from an expert if you don't know how to accomplish this.

How To Check If Mod_Rewrite Is Enabled In The PHP You’re Using

There is a built-in function in PHP called phpinfo. This function allows us to print all currently loaded modules and check whether or not mod_rewrite is enabled.

  1. Note that XAMPP is the local server in use here.

Write the following code in the check.php file (You can Call your file whatever name you wish). you just created it in the **c:/xampp/htdocs** directory, then save the file.

  echo phpinfo();
Enter fullscreen mode Exit fullscreen mode

The process above will help you check if the **mod_rewrite** load module is enabled or not in your PHP version, by writing out the code snippet above in your Code editor opened for this project.

  1. Now launch the XAMPP Control Panel and launch the Apache server.
    Sample of Xampp I’m Using

  2. Open a web browser of your choice and enter the URL localhost/check.php. It will show information about the PHP version and the configuration of Apache.
    Here’s the PHP Version I’m using

You will see your version of PHP after the PHP info has been echoed in your code. and when you scroll down you will section a section called configuration with a sub-heading **apache2handler**

Here’s is  Configuration section that contains PHP Modules

Note, the configuration section contains a lot of essential tools in PHP. The **Mod** in **Mod_rewrite** means Modules, and PHP has a lot of Inbuild modules loaded inside of it. But What we will be looking at is the **mod_rewrite**. Below is where you can find the mod_rewrite in the configuration section.

The Highlight of this image is Where the mod_rewrite

The highlighted text is the mod_rewrite and it’s installed inside the loaded modules under configuration section. The steps above is one of the most easy way to check if php mod_rewrite is is enabled in the version of PHP you’re using.

How You Can On/Off Mod_Rewrite And Mod_security From Your .htaccess file

Most developers don’t know that you can Turn Mod_rewrite off and on, some may know but don’t know the particular place that enables you to turn your mod_rewrite and mod_security on/off. I have an answer that will be of help to you which is the .htaccess file is what enables you to turn on/off your mod_rewrite and mod_security. Note, mod_rewrite and mod_security may be enabled and disabled in your .htaccess file by adding or removing particular lines of code.

Add the following code to your .htaccess file to enable mod rewrite:

RewriteEngine On
Enter fullscreen mode Exit fullscreen mode

To turn off mod_rewrite, add the following line to your .htaccess file:

  RewriteEngine Off
Enter fullscreen mode Exit fullscreen mode

Mod security cannot be turned on or off at will; instead, this must be done in the Apache Server Configuration. However, you may customize various rules and settings in your.htaccess file, such as turning off specific rules or changing how they behave:

SecRuleEngine Off
Enter fullscreen mode Exit fullscreen mode

This will turn off the rule engine for mod_security so that no rules will be enforced. And to turn it back on

SecRuleEngine On
Enter fullscreen mode Exit fullscreen mode

It is worth noting that it is highly recommended to not turn off mod_security in a production environment as it can leave your website vulnerable to attacks. Instead, you should carefully configure the rules to match your specific needs.
Also you may need to restart the Apache server for the changes to take effect.


The end of this Tutorial is here hopefully, you’ve learned so much from this tutorial. So far we’ve learned a lot of things about PHP mod_rewrite and mod_security.

We’ve known that we can set up mod_rewrite and mod_security and how to use it. We’ve also learned how to check if mod_rewrite is enabled in your PHP version.

And we also saw how we can turn Mod_rewrite and Mod_security on/off from our .htaccess file you’re free to drop a comment! And pls follow me for more tutorials.

Till next time, have a wonderful day!

About The Author

Emmanuel Okolie is a full-stack laravel developer with 2+ years of experience in the software development industry.
He has grown full-blown skills in combining Software Development, Writing, and Teaching others what he does. His stacks include JavaScript, PHP, ReactJs, Laravel, and more.

He is currently freelancing, building websites for clients, and writing technical tutorials teaching others how to do what he does.

Emmanuel Okolie is open and available to hear from you. Kindly visit and follow him on Linked-In, Facebook, Github, Twitter, or his Website.

Top comments (0)