Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

Secure wp-content/uploads in Linux Apache and Windows Server IIS. It’s recommended to disallow access to and execution of PHP files in the wp-content/uploads folder, preferably without the use of a security plugin. Blocking access to PHP files in the WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accessPolicy in…


HTTP Basic authentication

Basic Authentication module for Windows Server IIS

Basic Authentication managed HTTP module for IIS with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of the few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual…


How to: Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able…


SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.



Ghost on IIS with HTTPS, how to resolve a “Too many redirects” error

When you use iisnode to host the Node.js blogging software Ghost on your IIS web server, and you set up an SSL certificate for your Ghost website, you may run into too many redirect issues when changing Ghost’s config.js file. This happened to me yesterday, and here is the solution.


IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”

How to fix the URL Rewrite Module error “Rewrite error: Expression contains a repeat expression” on Windows Server IIS.


My WordPress web.config

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it’s because I’m a WordPress on IIS enthusiast, so here is…


Enable HSTS in IIS website

How to enable HTTP Strict-Transport-Security (HSTS) on IIS

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers, and here is some more technical information about HSTS in IIS, and other security headers…


HTTPS for WordPress

Redirect HTTP to HTTPS

In this post I provide you with various HTTP to HTTPS redirection methods, for Windows Server IIS and Linux Apache. Use these examples to your advantage to secure the traffic between your visitors and your website.


Huge increase in WordPress xmlrpc.php POST requests

WordPress xmlrpc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure WordPress xmlrpc.php interface and reduce service disruption.
