web.config Archives - Sysadmins of the North

How to optimize Umbraco 8 performance

Learn how to optimize a site running Umbraco 8 with a Microsoft SQL Server database back-end.

Out of the box, Umbraco is a well built and pretty fast content management system. However, it is important you perform some steps to further optimize Umbraco’s performance and loading speed. Here on Sysadmins of the North, I wrote about “11+ tips to optimize Umbraco CMS” earlier, and in this post I write about implementing them. On a just installed and running website.

3 Ways of blocking sendmail.php on IIS webserver

1 Comment / Web application security / By Jan Reilink

Here are 3 ways of blocking access to a PHP sendmail.php script on your Windows Server IIS webserver. This comes in handy if a websites on your webserver sends out spam and you need to block access to a script on a specific website or globally in IIS. You can use a web.config file for …

3 Ways of blocking sendmail.php on IIS webserver Read More »

How to add a trailing slash in Umbraco 8

Umbraco / By Jan Reilink

This article shows you how to add a trailing slash to URL’s in Umbraco 8, using IIS URL Rewrite Module, without breaking the Umbraco backend. Forcing one particular URL avoids duplicate content, which is important for SEO.

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

1 Comment / Web application security / By Jan Reilink

Secure wp-content/uploads in Linux Apache and Windows Server IIS It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows …

Disallow direct access to PHP files in wp-content/uploads/ Read More »

Basic Authentication module for Windows Server IIS 10

Windows Server / By Jan Reilink

Basic Authentication managed HTTP module for IIS 10 with virtual users support In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for …

Basic Authentication module for Windows Server IIS 10 Read More »

How to: Protect WordPress from brute-force XML-RPC attacks

3 Comments / Web application security / By Jan Reilink

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able …

How to: Protect WordPress from brute-force XML-RPC attacks Read More »

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

6 Comments / WordPress / By Jan Reilink

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

Ghost on IIS with HTTPS, how to resolve a “Too many redirects” error

Windows Server / By Jan Reilink

When you use iisnode to host the Node.js blogging software Ghost on your IIS web server, and you set up an SSL certificate for your Ghost website, you may run into too many redirect issues when changing Ghost’s config.js file. This happend to me yesterday, and here is the solution.

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

13 Comments / Windows Server / By Jan Reilink

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your WordPress website with this web.config file!

IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”

1 Comment / Windows Server / By Jan Reilink

How to fix the URL Rewrite Module error “Rewrite error: Expression contains a repeat expression” on Windows Server IIS.

RewriteProxy with .htaccess in IIS

Windows Server / By Jan Reilink

Rewrite and proxy HTTP requests in IIS using a .htaccess In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard …

RewriteProxy with .htaccess in IIS Read More »

How to block BaiduSpider bot User-Agent?

2 Comments / Windows Server / By Jan Reilink

The Baidu spider (BaiduSpider user agent) can be a real pain to block, especially since it does not respect a robots.txt as it should. This post shows you how to block Baidu Spider bot, using IIS URL Rewrite Module based on its User-Agent string.

My WordPress web.config

23 Comments / WordPress / By Jan Reilink

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it’s because I’m a WordPress on Windows Server IIS enthusiast, so …

My WordPress web.config Read More »

How to enable HTTP Strict-Transport-Security (HSTS) on IIS

3 Comments / Windows Server / By Jan Reilink

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS 10. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers, and here is some more technical information about HSTS in IIS, and other security headers…

Secure WordPress uploads folder, disable PHP execution

1 Comment / Windows Server / By Jan Reilink

Deny direct access to PHP files in wp-content/uploads/ The following PHP function secures your WordPress website by disabling the execution of PHP scripts in wp-content/uploads, on Windows Server IIS web servers. It creates a web.config file for this purpose.