You are here: Sysadmins of the North » web.config


You are here: Sysadmins of the North » web.config

Disallow direct access to PHP files in wp-content/uploads/

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

Basic Authentication module for Windows Server IIS 10

HTTP Basic authentication

Basic Authentication managed HTTP module for IIS 10 with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

Protect WordPress from brute-force XML-RPC attacks

WordPress XMLPRC

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

HTTPS for WordPress

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”

How to fix the URL Rewrite Module error “Rewrite error: Expression contains a repeat expression” on Windows Server IIS. The other day, I had to migrate a website from a Linux/Apache web server to Windows Server IIS. The website in question had a lot of sub domains, all pointing to folders within the web root using that same name: would redirect (rewrite) to

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess. In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

My WordPress web.config

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it’s because I’m a WordPress on Windows Server IIS enthusiast, so here is my web.config for your convenience (really, it’s not that special).

Scroll to Top