WordPress .htaccess security best practices in Apache 2.4.6+

Security?

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’ Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, …

Read more

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your WordPress website with this web.config file!

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard …

Read more

Convert .htaccess to web.config

This post describes some of the IIS URL Rewrite Module web.config equivalents of commonly used Apache .htaccess settings. This is useful when you convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess rules to web.config.

7 Snippets to use .htaccess as a Web Application Firewall

.htaccess to secure your website Here are 7 .htaccess snippets for you to secure your website, by using .htaccess as a kind of Web Application Firewall (WAF). You can use this information to block exploits and rogue HTTP requests on your website.

Install and setup IIS Manager for Remote Administration in Windows Server IIS

IIS Manager for Remote Administration in Windows 10

Learn how to install and configure IIS Manager for Remote Administration of your Windows Server IIS web server, in Windows 10. You can use IIS Manager to administer various components of your website through a graphical user interface (GUI), if it’s hosted in IIS.

Disallow direct access to PHP files in wp-content/uploads/

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Secure wp-content/uploads in Linux Apache and Windows Server IIS It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows …

Read more

Reduce Wordfence CPU usage, disable Wordfence “Live Traffic View”

Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance …

Read more

How to: Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able …

Read more

Check WordPress Core files integrity

Check WordPress integrity, verify WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be …

Read more

Tips to speed up WordPress, serve gzip compressed static HTML files

Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files, that are downloaded faster. This works with WP-Super-Cache and Cache Enabler …

Read more

Optimize(d) WordPress hosting (9+ practical tips)

Your WordPress hosting at Warp Speed - img. credits: Christian Daryanto Limas @ flickr

This post is for you developers, what you can do to optimize your WordPress hosting stack. Or for any other PHP web application for that matter. This post is not about setting up high-availability, fail-over, clustering, IIS versus Nginx versus Apache, RAID 1, 5, 6, 10, different types of storage, and so on. It’s about solving performance issues.

WordPress advisory: Akal premium theme XSS vulnerability

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

Show Buttons
Hide Buttons