Posts

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably and in my opinion without the use of a security plugin. Denying access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config on Windows Server IIS, and here is how.

Read more

You can use this Bash function in your .bashrc file to generate a random alphanumeric string. This comes in handy when you need to generate a long, secure password for example. Adjust to your needs.

Read more

How to create an IP restrictions whitelist for your IIS FTP Server with Powershell.

When you set up a new public facing FTP server in IIS, it is important to properly secure it. Of course there’s authentication and authorization, but in this post I’ll show you how to configure an IP whitelist for FTP using PowerShell.

Read more

Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance of your WordPress website.

Read more

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1903 (a.k.a., “19H1”), and for Windows Server version 1903.

Read more

Since WannaCry and Petya ransomware were spreading through Windows systems in 2017, it’s recommended to have Server Message Block version 1 (SMBv1) disabled in Windows clients and Windows Server. Now SMBv1 is not installed by default in Windows 10 1709 and Windows Server, version 1709 and later, but how can you be sure it is disabled in older Windows versions? Easy, use PowerShell.

Read more
Security?

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Read more

Connect to MySQL from PHP PDO using an SSL encrypted connection

If you want to connect securely to your MySQL database over SSL using PHP Data Objects (PDO), here is how…

Read more

Ryan McFarland writes on his blog: “Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.”

Read more

There are a lot of hints & tips out there for troubleshooting SPNs, or Service Principal Names. Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out. But how do you find out which SPNs are used for which users and computers are used for this?

Read more

There is another VERY IMPORTANT THING with Microsoft Meltdown patches like update KB4056892: – Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key:

Read more
Help Net Security reviewed Acunetix 11

Acunetix 11 Review by Help Net Security. Acunetix is one of the biggest players in the web security arena. The European-based company released the first version of their product back in 2005, and thousands of clients around the globe use it to analyze the security of their web applications. They recently unveiled Acunetix version 11, so Help Net Security decided to take it for a spin.

A short post for my colleagues at the customer support and anyone else wondering the same: how to disable TLS encryption in FileZilla and turn off the FTP over TLS default setting?

Read more

When you have just installed your new Windows Server, with or without IIS as web server, it is important to take a few extra security measurements. Securing your server is important to keep hackers out and your data safe. This article shows 3 4 key steps in securing your Windows Server web (IIS) or file server.

Read more
Windows Server logo small

Disable SMBv1 to prevent prevent Petya / NotPetya, WannaCry / WanaCrypt0r ransomware spreading through your network. These worm viruses exploit a vulnerability in Windows Server Message Block (SMB) version 1 (SMBv1), and spread like wildfire. It is urged you disable SMBv1 in your Windows variant (Windows 10, 8.1, Server 2016, 2012 R2), and here is how if you haven’t done so yet.

Read more