.htaccess Archives - Sysadmins of the North

On 15 July 2016

In WordPress

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

On 19 February 2016

In IIS

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your website with this web.config file!

WordPress Is the Most Attacked CMS Application

On 17 November 2015

Imperva’s Web Application Attack Report shows spam is WordPress’ largest security threat. Imperva, an international cyber security company founded in 2002, published its 2015 web application attack report. The report includes a thorough analysis of attack data obtained through its Web Application Firewall (or WAF).

RewriteProxy with .htaccess in IIS

On 8 October 2015

In IIS

Rewrite and proxy HTTP requests in IIS. In my case scenario, I had to proxy requests on IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Mod_evasive on IIS

On 24 July 2014

In IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Huge increase in WordPress xmlrpc.php POST requests

On 7 July 2014

In WordPress Security

WordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure WordPress xmlprc.php interface and reduce service disruption.

Remove IIS Server version HTTP Response Header

On 6 July 2014

In IIS

Remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, 10 and ASP.NET

Windows Server IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

How to hide the .php file extension with IIS URL Rewrite Module

On 23 May 2014

How to hide the .php file extension with URL Rewrite on Windows Server IIS? Sometimes it’s important to hide the file extension of scripts you use. Security by obscurity might be that reason, if you don’t want others to know what script language you are using for your website. This example will hide the .php extension using the IIS URL Rewrite module, in a ready to use web.config & .htaccess example.

WordPress 3.5 on IIS 8.0 is unable to save a web.config file

On 19 February 2013

This website Saotn.org is hosted on Windows Server 2012 with IIS 8.0 with WordPress for a few months now, and everything is running very smooth. And I would never hit this bug because I don’t need to change my permalinks structure, or save any other plugin setting which would want write to a web.config file. One of my colleagues on the other hand, just moved his website to one of our IIS 8.0 web servers and he noticed he couldn’t save his Permalinks structure in the IIS web.config file. This can be pretty annoying 😉 Quick fix attached…

Create your own PHP based Origin Pull CDN

On 17 February 2013

The advantage of having your website content hosted on a Content Delivery Network (CDN) is having your content distributed and stored across the Globe. Utilizing the network of the Content Delivery Network provider. Hosting your WordPress website on a Content Delivery Network is an important WordPress optimization tip. Here is how to create your own Origin Pull CDN with just a few lines of PHP…

Convert .htaccess to web.config

On 8 February 2013

This post describes some of the IIS URL Rewrite equivalents of commonly used Apache .htaccess settings. This is useful when you want to convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess to web.config.

“Joomla sites misused to deploy malware” – Update

On 14 December 2012

The Internet Storm Center reports that a large number of Joomla sites are currently deploying malicious code and infecting visitors with malware; some WordPress sites are also thought to be affected. The German CERT-Bund⁠ Computer Emergency Response Team, which is operated by the German Federal Office for Information Security (BSI), has confirmed that similar attacks on and via Joomla servers have also been observed in Germany.

“htaccess files should not be used for security restrictions”

On 8 August 2012

Acunetix’ Bogdan Calin wrote an article explaining why .htaccess files should not be used to secure sensitive data: htaccess files should not be used for security restrictions.

How to filter web traffic with blacklists

On 27 May 2012