Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

Secure wp-content/uploads in Linux Apache and Windows Server IIS. It’s recommended to disallow access to and execution of PHP files in the wp-content/uploads folder, preferably without the use of a security plugin. Blocking access to PHP files in the WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accessPolicy in…


HTTP Basic authentication

Basic Authentication module for Windows Server IIS

Basic Authentication managed HTTP module for IIS with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of the few managed HTTP modules for IIS that enables HTTP Basic Authentication with support for virtual…


Security?

WordPress .htaccess security best practices in Apache 2.4.6+

Apache Access Control done right in WordPress .htaccess: ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately,…


SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays; did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from HTTP to HTTPS in this post.


Mod_evasive on IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS, DDoS or brute-force attack. Detection is performed by creating an internal dynamic hash table of IP addresses and URIs, and denies an IP address access to a website…


Huge increase in WordPress xmlrpc.php POST requests

WordPress xmlrpc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure the WordPress xmlrpc.php interface and reduce service disruption. Jan Reilink: My name is Jan. I am not a hacker, coder, developer or guru. I am merely a systems administrator, doing my daily…


Convert .htaccess to web.config

This post describes some of the IIS URL Rewrite Module web.config equivalents of commonly used Apache .htaccess settings. This is useful when you want to convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess rules to web.config.


“htaccess files should not be used for security restrictions”

Acunetix’ Bogdan Calin wrote an article explaining why .htaccess files should not be used to secure sensitive data: htaccess files should not be used for security restrictions.
