web.config Archives - Sysadmins of the North

2 June 20177 July 2017

How to: Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

Continue reading “How to: Protect WordPress from brute-force XML-RPC attacks”

17 May 201627 June 2017

Ghost on IIS with HTTPS, how to resolve a “Too many redirects” error

When you use iisnode to host the Node.js blogging software Ghost on your IIS web server, and you set up an SSL certificate for your Ghost website, you may run into too many redirect issues when changing Ghost’s config.js file. This happend to me yesterday, and here is the solution.

Continue reading “Ghost on IIS with HTTPS, how to resolve a “Too many redirects” error”

19 February 201627 June 2017

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your website with this web.config file!

Continue reading “HackRepair.com’s Bad Bots .htaccess in web.config for IIS”

17 November 201517 November 2015

WordPress Is the Most Attacked CMS Application

Imperva’s Web Application Attack Report shows spam is WordPress’ largest security threat. Imperva, an international cyber security company founded in 2002, published its 2015 web application attack report. The report includes a thorough analysis of attack data obtained through its Web Application Firewall (or WAF).

Continue reading “WordPress Is the Most Attacked CMS Application”

8 October 201527 June 2017

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS. In my case scenario, I had to proxy requests on IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Continue reading “RewriteProxy with .htaccess in IIS”

22 June 201519 January 2017

My WordPress web.config

Do you host your WordPress website on Windows Server IIS? Having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress website. Maybe it’s because I’m a WordPress on IIS enthusiast, so here is my web.config for your convenience (really, it’s not that special).

Continue reading “My WordPress web.config”

6 June 201527 June 2017

How to enable HTTP Strict-Transport-Security (HSTS) on IIS

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers, and here is some more technical information about HSTS in IIS (and other security headers)…

Continue reading “How to enable HTTP Strict-Transport-Security (HSTS) on IIS”

19 April 20158 September 2016

Secure WordPress uploads folder, disable PHP execution

The following PHP function will disable the execution of PHP scripts in WordPress’ wp-content/uploads, on IIS web servers. Securing the WordPress uploads folder is important. In many hacked WordPress sites, a PHP backdoor is found within the WP_CONTENT_DIR/uploads directory. Often because this is the location where uploads are placed automatically. From the backdoor within wp-content/uploads other backdoors are uploaded to various locations, and scripts are injected with malware.

Continue reading “Secure WordPress uploads folder, disable PHP execution”

13 March 201527 June 2017

How to redirect HTTP to HTTPS on IIS

An HTTP to HTTPS redirect on IIS is often better left to the web server, with a simple httpRedirect redirection, than to a resource expensive URL Rewrite. Where possible, use the IIS httpRedirect element for IIS HTTP to HTTPS redirection, and here is how:

Continue reading “How to redirect HTTP to HTTPS on IIS”

7 July 201428 June 2017

Huge increase in WordPress xmlrpc.php POST requests

WordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure WordPress xmlprc.php interface and reduce service disruption.

Continue reading “Huge increase in WordPress xmlrpc.php POST requests”

6 July 201427 June 2017

Remove IIS Server version HTTP Response Header

How to remove HTTP response headers in IIS 7, 7.5, 8.0, 8.5, and ASP.NET. Windows Server IIS loves to tell the world that a website runs on IIS, it does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

Continue reading “Remove IIS Server version HTTP Response Header”

30 November 201328 June 2017

Block WordPress comment spammers manually

The less spammers hit your WordPress blog, the better your blog performs, is one of my opinions. A second is, the less unnecessary plugins you use on your WordPress blog, the better. So, a little while ago I decided to remove plugins like Stop Spammer Registration Plugin and do its work myself. Here is why & how:

Continue reading “Block WordPress comment spammers manually”

19 February 20132 January 2017

WordPress 3.5 on IIS 8.0 is unable to save a web.config file

This website Saotn.org is hosted on Windows Server 2012 with IIS 8.0 with WordPress for a few months now, and everything is running very smooth. And I would never hit this bug because I don’t need to change my permalinks structure, or save any other plugin setting which would want write to a web.config file. One of my colleagues on the other hand, just moved his website to one of our IIS 8.0 web servers and he noticed he couldn’t save his Permalinks structure in the IIS web.config file. This can be pretty annoying ;-) Quick fix attached…

Continue reading “WordPress 3.5 on IIS 8.0 is unable to save a web.config file”

8 February 201321 June 2017

Convert .htaccess to web.config

Convert Apache .htaccess to web.config with help from this post. This post describes some of the IIS URL Rewrite equivalents of commonly used Apache .htaccess settings. This is useful when you want to convert your .htaccess to web.config. The second part of this post outlines how to use Internet Information Services Manager to import and convert .htaccess to web.config.

Continue reading “Convert .htaccess to web.config”

23 September 201210 July 2017

"The length of the URL for this request exceeds the configured maxUrlLength value"

The length of the URL for this request exceeds the configured maxUrlLength value is an IIS error telling you the length of the given URL exceeds a limit. IIS default maximum length for a URL is defined by the HttpRuntimeSection.MaxUrlLength property. Its value is 260 characters. This may cause problems with longer than configured maxUrlLength URL’s, and here is how to resolve this issue…

Continue reading “"The length of the URL for this request exceeds the configured maxUrlLength value"”