You are here: Saotn.org » .htaccess

.htaccess

Disallow direct access to PHP files in wp-content/uploads/

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

Read More »Disallow direct access to PHP files in wp-content/uploads/

Basic Authentication module for Windows Server IIS

Basic Authentication managed HTTP module for IIS with virtual users support

In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

Read More »Basic Authentication module for Windows Server IIS

WordPress .htaccess security best practices in Apache 2.4.6+

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Read More »WordPress .htaccess security best practices in Apache 2.4.6+

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

Read More »SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess

In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Read More »RewriteProxy with .htaccess in IIS

Mod_evasive on IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.

Read More »Mod_evasive on IIS

Remove IIS Server version HTTP Response Header

Remove HTTP response headers in Windows Server IIS 10 and ASP.NET

Windows Server IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Read More »Remove IIS Server version HTTP Response Header

How to hide the .php file extension with IIS URL Rewrite Module

Extensionless URLs in IIS

Sometimes it’s important to remove -or hide- the file extension of scripts you use. Security by obscurity might be that reason, if you don’t want others to know what script language you are using for your website, or for static site hosts. This example will hide the .php extension using the IIS URL Rewrite module, in a ready to use web.config & .htaccess example.

Read More »How to hide the .php file extension with IIS URL Rewrite Module

WordPress 3.5 on IIS 8.0 is unable to save a web.config file

This website Saotn.org is hosted on Windows Server 2012 with IIS 8.0 with WordPress for a few months now, and everything is running very smooth. And I would never hit this bug because I don’t need to change my permalinks structure, or save any other plugin setting which would want write to a web.config file. One of my colleagues on the other hand, just moved his website to one of our IIS 8.0 web servers and he noticed he couldn’t save his Permalinks structure in the IIS web.config file. This can be pretty annoying ;-) Quick fix attached…

Read More »WordPress 3.5 on IIS 8.0 is unable to save a web.config file

Create your own PHP based Origin Pull CDN

The advantage of having your website content hosted on a Content Delivery Network (CDN) is having your content distributed and stored across the Globe. Utilizing the network of the Content Delivery Network provider. Hosting your WordPress website on a Content Delivery Network is an important WordPress optimization tip. Here is how to create your own Origin Pull CDN with just a few lines of PHP…

Read More »Create your own PHP based Origin Pull CDN