Posted inWordPress
Are you in my blocklist?
Is your IP address in my WordPress .htaccess block list? Here are IP addresses I block manually because of comment spamming.
Posted inGNU Linux
Force HSTS in Apache .htaccess
Learn how to enable HSTS (HTTP Strict Transport Security) in Linux Apache .htaccess. I wrote about enabling HTTP Strict Transport Security (HSTS) in IIS earlier. But what about enabling HSTS in Apache .htaccess? Here is how.
Posted inWeb application security
Disallow direct access to PHP files in wp-content/uploads/
It's recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how. Secure your WordPress site with this simple, yet effective, tip!
Posted inWindows Server
Basic Authentication module for Windows Server IIS 10
Basic Authentication managed HTTP module for IIS 10 with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It's apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.
Posted inWeb application security
WordPress .htaccess security best practices in Apache 2.4.6+
Apache Access Control done right in WordPress .htaccess, 'Allow/Deny from all' versus 'Require All Granted/Denied'. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?
Posted inWeb application security
Protect WordPress from brute-force XML-RPC attacks
Secure WordPress against XML-PRC attacks. This post gives you some insights about how you can create an IP whitelist for xmlrpc.php, on Windows Server and Linux Apache (web.config and .htaccess). And how you can block access to xmlrpc.php file.
Posted inWordPress
SSL in WordPress: how to move WordPress to HTTPS? The definitive guide
Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You'll learn the important steps to move WordPress from http to https
Posted inWindows Server
HackRepair.com’s Bad Bots .htaccess in web.config for IIS
Block bad bots in WIndows Server IIS using web.config. Learn to protect your WordPress website with this web.config file!
Posted inWindows Server
RewriteProxy with .htaccess in IIS
Rewrite and proxy HTTP requests in IIS using a .htaccess. In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn't updated yet. All HTTP requests for the moved website are handled in IIS' Default Web Site; that's the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with IIS URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.
Posted inWindows Server
Mod_evasive on IIS
Website DDoS protection with mod_evasive.Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it's requesting the same page more than 10 times a second. This is configurable.
Posted inWordPress
Huge increase in WordPress xmlrpc.php POST requests
WordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites... Secure WordPress xmlprc.php interface and reduce service disruption.
Posted inWindows Server
Remove IIS Server version HTTP Response Header
Windows Server IIS love to tell the world a website runs on IIS. And dito for ASP.NET Framework. But this gives hackers a lot of information, right? Let's remove the IIS Server header and ASP.NET version headers. Security by obscurity as a pro :-)
Posted inWindows Server
How to hide the .php file extension with IIS URL Rewrite Module
How to hide file extensions, such as .php or .asp, with URL Rewrite Module in IIS. This example will hide the .php extension using IIS URL Rewrite Module, in a ready to use web.config & .htaccess example: extension less URLs in IIS.
Posted inWindows Server
WordPress 3.5 on IIS 8.0 is unable to save a web.config file
WordPress 3.5 on IIS 8.0 is unable to save a web.config file because of a hard IIS version check in wp-includes/vars.php. Quick fix available here.
Posted inWindows Server
Create your own PHP based Origin Pull CDN
The advantage of having your website content hosted on a Content Delivery Network (CDN) is having your content distributed and stored across the Globe. Utilizing the network of the Content Delivery Network provider. Hosting your WordPress website on a Content Delivery Network is an important WordPress optimization tip. Here is how to create your own Origin Pull CDN with just a few lines of PHP...