If you want to quickly delete all saved Remote Desktop credentials from your Windows 10 Credentials Manager, here is how:
Read More »Delete saved RDP credentials from Windows 10 Credentials Manager, using cmdkey I wrote about enabling HTTP Strict Transport Security (HSTS) in IIS earlier. But what about enabling HSTS in Apache .htaccess? Here is how.
Read More »Force HSTS in Apache .htaccess Protect your privileged admin credentials!
Microsoft has published guidance on the easiest way to secure privileged access in Windows Server.
Read More »Securing privileged access
Show the number of registered WordPress users in At-a-Glance widget
Often when a WordPress site is compromised, the website owner doesn’t notice anything strange at first. First a lot of users are created, and it’s only later when posts filled with spam are created or existing pages/posts edited. In the time between compromise and creation of spam posts, a website owner might notice an increased number of users. If he has the means to. And that’s what this little plugin does.
Read More »Count and display number of WordPress users in your Dashboard
On a daily bases, new vulnerabilities are found in WordPress plugins. And when you host thousands of WordPress sites, you can count on the fact you have some customers using that vulnerable version of that particular plugin. So you need to find those vulnerable versions on your servers fast. On Windows Server, PowerShell is a perfect tool for the job!
Read More »Find vulnerable WordPress plugin versions fast using PowerShell
Secure wp-content/uploads in Linux Apache and Windows Server IIS
It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.
You can use this Bash function in your .bashrc file to generate a random alphanumeric string. This comes in handy when you need to generate a long, secure password for example. Adjust to your needs.
How to create an IP restrictions allow list for your IIS FTP Server with Powershell.
When you set up a new public facing FTP server in IIS, it is important to properly secure it. Of course there’s authentication and authorization, but in this post I’ll show you how to configure an IP allow list for FTP using PowerShell.
Read More »IIS 10.0 FTP IP Security allow list Whenever WordPress is using a lot of CPU and you have Wordfence Security plugin enabled, it is recommended to double check some settings. Unfortunately the Wordfence “Live Traffic Options” (“Traffic logging mode”) feature can cause high CPU usage and load issues for WordPress websites. Therefore, I recommend you disable this feature to improve the performance of your WordPress website.
Read More »Reduce Wordfence CPU usage, disable Wordfence “Live Traffic View”
Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’
Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…
Read More »WordPress .htaccess security best practices in Apache 2.4.6+ Connect to MySQL with PHP PDO using an SSL encrypted connection
If you want to connect securely to your MySQL database over SSL using PHP Data Objects (PDO), here is how…
Read More »How to use SSL in PHP Data Objects (PDO) mysql Ryan McFarland writes on his blog: “Privilege escalation always comes down to proper enumeration. But to accomplish proper enumeration you need to know what to check and look for. This takes familiarity with systems that normally comes along with experience. At first privilege escalation can seem like a daunting task, but after a while you start to filter through what is normal and what isn’t. It eventually becomes easier to know what to look for rather than digging through everything hoping to find that needle in the haystack. Hopefully this guide will provide a good foundation to build upon and get you started.”
There are a lot of hints & tips out there for troubleshooting SPNs, or Service Principal Names. Listing duplicate SPNs is fairly easy, just use setspn -X on your command-line and you’ll find out. But how do you find out which SPNs are used for which users and computers are used for this?
There is another VERY IMPORTANT THING with Microsoft Meltdown patches like update KB4056892: – Customers will not receive these security updates and will not be protected from security vulnerabilities unless their anti-virus software vendor sets the following registry key
:
A short post for my colleagues at the customer support and anyone else wondering the same: how to disable TLS encryption in FileZilla and turn off the FTP over TLS default setting?
Read More »How to turn off the TLS default in FileZilla?