apache – Is Checking For mod_rewrite Really Necessary?

No, most of the time, checking for mod_rewrite is not necessary. In fact, it is often preferable to remove this check.

If the mod_rewrite directives are required by your site then you should not wrap them in a <IfModule mod_rewrite.c> container. If they are required and mod_rewrite is not available, the directives simply fail silently and your site breaks in some other way (masking the underlying cause), possibly exposing something you weren’t expecting. Without the <IfModule> wrapper, the site would break instantly (and completely) with an easily identifiable error and nothing unexpected is exposed.

The only times when the <IfModule mod_rewrite.c> wrapper should be used are either:

  1. The site is designed to work with or without mod_rewrite. This is the case with WordPress. Without mod_rewrite the site still “works”, you just don’t get the “pretty” URLs.

Or

  2. You have directives from another module that are dependent on mod_rewrite having executed successfully. So, in this case you would wrap these other directives in a <IfModule mod_rewrite.c> wrapper. For example, setting an HTTP response header (with mod_headers) based on some property of the request that you have determined using mod_rewrite. In this case you might wrap the Header directive in a <IfModule mod_rewrite.c> container.

Most of the time, if you know your server, then you don’t need the <IfModule mod_rewrite.c> check, since you already know whether mod_rewrite is enabled or not. The only time when you do need it is if you are writing portable code to work on multiple servers and condition #1 and/or #2 above is met.

Sometimes this even appears several times in the file!

And most of the time this is completely unnecessary. However, in defence of this behaviour, this often occurs when you have different plugins that edit .htaccess automatically and independently. The same is true for multiple RewriteEngine and RewriteBase directives.

For hand-written code you should never see this. For hand-written code this generally occurs through mindless copy/paste (which unfortunately seems to happen a lot with .htaccess directives).

Is there an advantage in having the <IfModule mod_rewrite.c> fail rather than the RewriteRule statements below it?

Only in the case of #1 or #2 above. Most of the time, no.

mod_rewrite now is so essential and ubiquitous that I do not check for it anymore. Might this cause a vulnerability of some kind?

If it’s essential for your site then there is no need to check for it. No vulnerability.

In fact, the opposite could even be true… if the mod_rewrite directives are essential then checking for the presence of mod_rewrite could even cause you more problems if mod_rewrite suddenly becomes unavailable for whatever reason. As mentioned above, your mod_rewrite directives would now silently fail (stress “silent” – no error), and the website may continue to function without a server error being triggered while returning nonsense to the user (and search engine bots) with a 200 OK status. If the <IfModule> wrapper had been omitted then you would have been notified immediately of the problem. However, if this error was silenced it may be some time before the problem is discovered, by which time more serious damage may have already been done.
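
The difference described above, written out as an added example that is not part of the original answer. The /private/ path and the SITE_LANG variable are constructed for illustration, and the three snippets are alternatives, not one file.

```apache
# --- Weak: a required access rule inside the wrapper ------------------------
# If mod_rewrite is not loaded, Apache skips this whole block without any
# error, the 403 rule never runs, and /private/ is served with a 200.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^private/ - [F]
</IfModule>

# --- Corrected: the same rule with no wrapper --------------------------------
# If mod_rewrite is not loaded, every request fails with a 500 and the error
# log names the cause: "Invalid command 'RewriteEngine', perhaps misspelled
# or defined by a module not included in the server configuration".
RewriteEngine On
RewriteRule ^private/ - [F]

# --- Case #2: portable code where mod_headers depends on mod_rewrite --------
# The site is meant to work with or without mod_rewrite, so the rules are
# wrapped. The Header directive reads a variable that only the rules set, so
# it goes inside the same wrapper. Left outside, it would still run when
# mod_rewrite is absent and send "Content-Language: (null)".
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Default language, then override from a /de/ or /fr/ path prefix.
    RewriteRule ^ - [E=SITE_LANG:en]
    RewriteRule ^(de|fr)/ - [E=SITE_LANG:$1]
    Header set Content-Language "%{SITE_LANG}e"
</IfModule>
```

In the weak form the only symptom is the missing 403, so the check that catches it is requesting the protected path and confirming the status code after any server or module change.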