web.config

Access blocked

3 Ways of blocking sendmail.php on IIS webserver

Here are 3 ways of blocking access to a PHP sendmail.php script on your Windows Server IIS webserver. This comes in handy if a websites on your webserver sends out spam and you need to block access to a script on a specific website or globally in IIS. You can use a web.config file for this purpose, and here is how.

Umbraco logo blue

How to add a trailing slash in Umbraco 8

This article shows you how to add a trailing slash to URL’s in Umbraco 8, using IIS URL Rewrite Module, without breaking the Umbraco backend. Forcing one particular URL avoids duplicate content, which is important for SEO.

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

HTTP Basic authentication

Basic Authentication module for Windows Server IIS 10

Basic Authentication managed HTTP module for IIS 10 with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

WordPress XMLPRC

Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”

The other day, I had to migrate a website from a Linux/Apache web server to Windows Server IIS. The website in question had a lot of sub domains, all pointing to folders within the web root using that same name. For this to happen we usually use an IIS URL Rewrite Module rule for one sub domain in a web.config file. However, this would mean I had to add and use that same rule some fifty times… Not good! This post describes how I simplified IIS URL Rewrite Module rewrites and used the value of the first condition as input for the second rewrite condition.

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess. In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with IIS URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

grayscale photography of spider

How to block BaiduSpider bot User-Agent?

The Baidu spider (BaiduSpider user agent) can be a real pain to block, especially since it does not respect a robots.txt as it should. This post shows you how to block Baidu Spider bot, using IIS URL Rewrite Module based on its User-Agent string.

Secure WordPress uploads folder, disable PHP execution

Deny direct access to PHP files in wp-content/uploads/. The following PHP function secures your WordPress website by disabling the execution of PHP scripts in wp-content/uploads, on Windows Server IIS web servers. It creates a web.config file for this purpose.