web application security

Disable Joomla Contacts component (com_contact) in MySQL / phpMyAdmin

How-to disable Joomla’s built-in contact forms component and its ability to send a copy to the sender, directly in your MySQL database using phpMyAdmin

Often the built-in Joomla contact forms component (com_contact) is abused by spammers. These contact forms allow the sender to receive a copy of the form contents. All spammers need to do …


Show the number of registered WordPress users in the At-a-Glance widget in the Dashboard

Count and display number of WordPress users in your Dashboard

Show the number of registered WordPress users in At-a-Glance widget

Often when a WordPress site is compromised, the website owner doesn’t notice anything strange at first. First, a lot of users are created, and only later are posts filled with spam created or existing pages/posts edited. In the time between compromise and creation …


source code WordPress security plugin

Find vulnerable WordPress plugin versions fast using PowerShell

On a daily basis, new vulnerabilities are found in WordPress plugins. And when you host thousands of WordPress sites, you can count on the fact that some customers are using the vulnerable version of that particular plugin. So you need to find those vulnerable versions on your servers fast. On Windows Server, PowerShell is a …


Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in the wp-content/uploads folder, preferably without the use of a security plugin. Blocking access to PHP files in the WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or a web.config accessPolicy in Windows …


HTTP Basic authentication

Basic Authentication module for Windows Server IIS 10

Basic Authentication managed HTTP module for IIS 10 with virtual users support

In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for …


Cracking PHP rand()

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionally need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple …


Mod_evasive on IIS

Learn how to set up website DDoS protection with .htaccess and mod_evasive on Windows Server IIS

Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS, DDoS or brute force attack. Detection is performed by creating an internal dynamic …

