Force HSTS in Apache .htaccess

WordPress .htaccess security best practices in Apache 2.4.6+

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess. In my scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with IIS URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Convert .htaccess to web.config

This post describes some of the IIS URL Rewrite Module web.config equivalents of commonly used Apache .htaccess settings. This is useful when you convert your Apache .htaccess to IIS web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess rules to web.config.

How to use .htaccess files on Windows Server IIS

In this post I’ll show you how to install Helicon Ape in Windows Server IIS and how to use .htaccess files for your website. Furthermore, this post describes some common uses of .htaccess files by PHP applications like WordPress, Joomla, Drupal or your own coded CMS, for example how to manage subdomains or redirect HTTP to HTTPS.

Install and setup IIS Manager for Remote Administration in Windows Server IIS

IIS Manager for Remote Administration in Windows 10

Learn how to install and configure IIS Manager (InetMgr) for Remote Administration of your Windows Server IIS web server, in Windows 10. You can use IIS Manager to administer various components of your website through a graphical user interface (GUI), if it’s hosted in IIS. This post also shows how to install IIS Web Management Service (WMSVC) on Server Core using PowerShell.

Disallow direct access to PHP files in wp-content/uploads/

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

It’s recommended to disallow access to and execution of PHP files in the wp-content/uploads folder, preferably without the use of a security plugin. Blocking access to PHP files in the WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accessPolicy in Windows Server IIS, and here is how.

Reduce Wordfence CPU usage, disable Wordfence “Live Traffic View”

Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance of your WordPress website.

Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

Check WordPress Core files integrity

Check and verify WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. WordPress integrity matters, therefore I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.