How to disable SMBv1 in Windows 10 and Windows Server

Disable SMBv1 to prevent Petya / NotPetya and WannaCry / WanaCrypt0r ransomware from spreading through your network. These worms exploit a vulnerability in Windows Server Message Block (SMB) version 1 (SMBv1) and spread like wildfire. You are urged to disable SMBv1 in your Windows variant (Windows 10, 8.1, Server 2016, 2012 R2), and here is…


Check WordPress Core files integrity

Verify the md5 checksums of WordPress Core files against WordPress' checksums API using this standalone PHP file. I chose a standalone PHP script to check the md5sum of WordPress Core files against the API so that you are not dependent on a possibly hacked WordPress installation. This more or less guarantees the result can be trusted, as opposed…


WordPress advisory: Akal premium theme XSS vulnerability

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I quickly discovered two vulnerabilities: a Cross Site Scripting, or XSS, in the Akal premium WordPress theme, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.


SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate for your WordPress site is the de-facto standard nowadays, did you know that? Google ranks sites served over HTTPS higher in its SERP. But how do you configure an SSL certificate and an HTTPS URL in WordPress? In this post you'll learn the important steps to move WordPress from http to https.


17+ Useful WordPress snippets

Here are 17+ valuable WordPress snippets for site-specific plugins and functions.php that give you a better WordPress experience. Enhance your WordPress site with these small PHP snippets: WordPress filters, actions and functions. Quickly add or extend the functionality you need for your WordPress website! Read on…


Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionally need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple…


Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens

Using Windows Server File Server Resource Manager's File Screens you can block vulnerable WordPress plugins from being uploaded to your IIS web server. In the following example, you'll learn how to block the WP DB Backup plugin system-wide on Windows Server, read on…


My WordPress web.config

Do you host your WordPress website on Windows Server IIS, and are you having trouble with your web.config? I often receive questions about how to use a web.config file for WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it's because I'm a WordPress on IIS enthusiast, so here is…


How to enable HTTP Strict-Transport-Security (HSTS) on IIS

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers, and here is some more technical information about HSTS in IIS and other security headers…