Force HSTS in Apache .htaccess
Learn how to enable HSTS (HTTP Strict Transport Security) in Linux Apache .htaccess
Search Results for: .htaccess
WordPress .htaccess security best practices in Apache 2.4.6+
Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?
HackRepair.com’s Bad Bots .htaccess in web.config for IIS
Block bad bots in WIndows Server IIS using web.config. Learn to protect your WordPress website with this web.config file!
RewriteProxy with .htaccess in IIS
Rewrite and proxy HTTP requests in IIS using a .htaccess. In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with IIS URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.
Convert .htaccess to web.config
This post describes some of the IIS URL Rewrite Module web.config equivalents of commonly used Apache .htaccess settings. This is useful when you convert your Apache .htaccess to IIS web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess rules to web.config.
How to use .htaccess files on Windows Server IIS
In this post I’ll show you how to install Helicon Ape in Windows Server IIS and how to use .htaccess files for your website. Further this post describes some common uses of .htaccess files by PHP applications like WordPress, Joomla, Drupal or your own coded CMS, for example how to manage subdomains or redirect HTTP to HTTPS.
7 Snippets to use .htaccess as a Web Application Firewall
Here are 7 .htaccess snippets for you to secure your website, by using .htaccess as a kWeb Application Firewall (WAF). You can use this information to block exploits and rogue HTTP requests on your website.
Install and setup IIS Manager for Remote Administration in Windows Server IIS
Learn how to install and configure IIS Manager (InetMgr) for Remote Administration of your Windows Server IIS web server, in Windows 10. You can use IIS Manager to administer various components of your website through a graphical user interface (GUI), if it’s hosted in IIS. This post also shows how to install IIS Web Management Service (WMSVC) on Server Core using PowerShell.
Disallow direct access to PHP files in wp-content/uploads/
It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.
Reduce Wordfence CPU usage, disable Wordfence “Live Traffic View”
Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance of your WordPress website.
Protect WordPress from brute-force XML-RPC attacks
The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.
Check WordPress Core files integrity
Check and verify WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. WordPress integrity matters, therefore I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.
Tips to speed up WordPress, serve gzip compressed static HTML files
Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. … Read More
How to optimize your WordPress hosting – 9+ practical tips
9+ Practical tips to optimize WordPress hosting, or any other PHP web application for that matter. Discover how this very blog has optimized its WordPress hosting environment and how you can too by optimizing MySQL, PHP and server configuration.
WordPress advisory: Akal premium theme XSS vulnerability
This post describes the Akal premium WordPress theme XSS vulnerability that I discovered. The theme suffers from a reflected Cross Site Scripting (XSS) vulnerability that would allow an attacker to steal an admin’s cookie, if WordPress wasn’t secured against that type of attacks.