Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your website with this web.config file!
Sysadmins of the North
Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security
Tag: .htaccess
Imperva’s Web Application Attack Report shows spam is WordPress’ largest security threat. Imperva, an international cyber security company founded in 2002, published its 2015 web application attack report. The report includes a thorough analysis of attack data obtained through its Web Application Firewall (or WAF).
Rewrite and proxy HTTP requests in IIS. In my case scenario, I had to proxy requests on IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.
Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it’s requesting the same page more than 10 times a second. This is configurable.
Continue readingWordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure WordPress xmlprc.php interface and reduce service disruption.
How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).
Continue readingHow to hide the .php file extension with URL Rewrite on Windows Server IIS? Sometimes it’s important to hide the file extension of scripts you use. Security by obscurity might be that reason, if you don’t want others to know what script language you are using for your website. This example will hide the .php extension using the IIS URL Rewrite module, in a ready to use web.config & .htaccess example.
This website Saotn.org is hosted on Windows Server 2012 with IIS 8.0 with WordPress for a few months now, and everything is running very smooth. And I would never hit this bug because I don’t need to change my permalinks structure, or save any other plugin setting which would want write to a web.config file. One of my colleagues on the other hand, just moved his website to one of our IIS 8.0 web servers and he noticed he couldn’t save his Permalinks structure in the IIS web.config file. This can be pretty annoying ;-) Quick fix attached…
The advantage of having your website content hosted on a Content Delivery Network (CDN) is having your content distributed and stored across the Globe. Utilizing the network of the Content Delivery Network provider. Hosting your WordPress website on a Content Delivery Network is an important WordPress optimization tip. Here is how to create your own Origin Pull CDN with just a few lines of PHP…
Continue readingThis post describes some of the IIS URL Rewrite equivalents of commonly used Apache .htaccess settings. This is useful when you want to convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess to web.config.
The Internet Storm Center reports that a large number of Joomla sites are currently deploying malicious code and infecting visitors with malware; some WordPress sites are also thought to be affected. The German CERT-Bund Computer Emergency Response Team, which is operated by the German Federal Office for Information Security (BSI), has confirmed that similar attacks on and via Joomla servers have also been observed in Germany.
Acunetix’ Bogdan Calin wrote an article explaining why .htaccess files should not be used to secure sensitive data: htaccess files should not be used for security restrictions.
Block and filter unwanted web HTTP traffic with blacklists, on both IIS and Apache. Protect your website easily with this PHP blacklist class. Let’s create our own HTTP web blacklist filter.
Continue readingLearn how to use .htaccess in Windows Server IIS. In this post I’ll provide you with some useful .htaccess URL rewrite examples. URL rewrite examples that you can use on Window Server IIS for your website.
.htaccess to secure your website
In this post I’ll show you a couple of snippets – e.g parts of .htaccess files – on how to use it as a kind of Web Application Firewall (WAF). You can use these snippets to block out exploit- and rogue HTTP requests, to secure your website.
Continue reading© 2018 Sysadmins of the North
Theme by Anders Noren — Up ↑