Search Results for: .htaccess

WordPress .htaccess security best practices in Apache 2.4.6+

Jan Reilink
WordPress
5 November 20181 September 2020

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Jan Reilink
Windows Server
19 February 201622 January 2020

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your WordPress website with this web.config file!

Jan Reilink
Windows Server
8 October 201522 January 2020

Rewrite and proxy HTTP requests in IIS using a .htaccess

In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Jan Reilink
Windows Server
8 February 201327 December 2019

This post describes some of the IIS URL Rewrite Module web.config equivalents of commonly used Apache .htaccess settings. This is useful when you want to convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess rules to web.config.

Jan Reilink
Windows Server
28 December 20117 February 2019

Learn how to use .htaccess in Windows Server IIS. In this post I’ll provide you with some useful .htaccess URL rewrite examples. URL rewrite examples that you can use on Window Server IIS for your website.

Jan Reilink
Windows Server
3 August 20116 April 2020

.htaccess to secure your website

Here are 7 .htaccess snippets for you to secure your website, by using .htaccess as a kind of Web Application Firewall (WAF). You can use this information to block exploits and rogue HTTP requests on your website.

Jan Reilink
WordPress
16 March 202024 August 2020

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

Jan Reilink
WordPress
2 June 201724 September 2020

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

Jan Reilink
WordPress
5 September 201630 January 2020

Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files, that are downloaded faster. This works with WP-Super-Cache and Cache Enabler on IIS!

Jan Reilink
WordPress
31 August 20162 July 2020

Optimized WordPress hosting is a subject on which a lot is written about. And therefore, this post is not about where to host your WordPress blog, or who offers the best WordPress hosting. This post is for you developers, what you can do to optimize your WordPress hosting. Or for any other PHP web application for that matter. This post is not about setting up high-availability, fail-over, clustering, IIS versus Nginx versus Apache, RAID 1, 5, 6, 10, different types of storage, and so on. It’s about solving performance issues.

Jan Reilink
WordPress
22 August 201624 October 2019

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

Jan Reilink
WordPress
15 July 201619 August 2020

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

Jan Reilink
WordPress
30 May 201614 January 2020

Here are 17+ valuable WordPress snippets for site-specific plugins and functions.php to provide you a better WordPress experience. Enhance your WordPress site with these small PHP snippets: WordPress filters, actions and functions. Quickly add or extend the functionality you need for your WordPress website! Read on…

Jan Reilink
WordPress
22 June 201524 September 2020

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it’s because I’m a WordPress on Windows Server IIS enthusiast, so here is my web.config for your convenience (really, it’s not that special).

Jan Reilink
Security
19 April 201516 January 2020

Deny direct access to PHP files in wp-content/uploads/

The following PHP function secures your WordPress website by disabling the execution of PHP scripts in wp-content/uploads, on Windows Server IIS web servers. It creates a web.config file for this purpose.

Search Results for: .htaccess

WordPress .htaccess security best practices in Apache 2.4.6+

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

RewriteProxy with .htaccess in IIS

Convert .htaccess to web.config

How to use .htaccess files on Windows Server IIS

7 Snippets to use .htaccess as a Web Application Firewall

Disallow direct access to PHP files in wp-content/uploads/

How to: Protect WordPress from brute-force XML-RPC attacks

Tips to speed up WordPress, serve gzip compressed static HTML files

Optimize(d) WordPress hosting (9+ practical tips)

WordPress advisory: Akal premium theme XSS vulnerability

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

17+ Useful WordPress snippets

My WordPress web.config

Secure WordPress uploads folder, disable PHP execution