web.config Archives - Sysadmins of the North

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

Disallow direct access to PHP files in wp-content/uploads/

WordPress / By Jan Reilink / 16 March 2020 24 August 2020

Secure wp-content/uploads in Linux Apache and Windows Server IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

…

Disallow direct access to PHP files in wp-content/uploads/Read More »

Basic Authentication module for Windows Server IIS 10

Windows Server / By Jan Reilink / 24 January 2020 18 April 2021

Basic Authentication managed HTTP module for IIS 10 with virtual users support

In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It’s apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

…

Basic Authentication module for Windows Server IIS 10Read More »

How to: Protect WordPress from brute-force XML-RPC attacks

WordPress / By Jan Reilink / 2 June 2017 27 October 2020

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

…

How to: Protect WordPress from brute-force XML-RPC attacksRead More »

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

WordPress / By Jan Reilink / 15 July 2016 18 December 2020

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

…

SSL in WordPress: how to move WordPress to HTTPS? The definitive guideRead More »

Ghost on IIS with HTTPS, how to resolve a “Too many redirects” error

Windows Server / By Jan Reilink / 17 May 2016 19 June 2020

When you use iisnode to host the Node.js blogging software Ghost on your IIS web server, and you set up an SSL certificate for your Ghost website, you may run into too many redirect issues when changing Ghost’s config.js file. This happend to me yesterday, and here is the solution.

…

Ghost on IIS with HTTPS, how to resolve a “Too many redirects” errorRead More »

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

Windows Server / By Jan Reilink / 19 February 2016 30 August 2021

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your WordPress website with this web.config file!

…

HackRepair.com’s Bad Bots .htaccess in web.config for IISRead More »

IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”

Windows Server / By Jan Reilink / 16 February 2016 14 December 2020

How to fix the URL Rewrite Module error “Rewrite error: Expression contains a repeat expression” on Windows Server IIS.

…

IIS URL Rewrite “Rewrite Module error: Expression contains a repeat expression”Read More »

RewriteProxy with .htaccess in IIS

Windows Server / By Jan Reilink / 8 October 2015 18 November 2020

Rewrite and proxy HTTP requests in IIS using a .htaccess

In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn’t updated yet. All HTTP requests for the moved website are handled in IIS’ Default Web Site; that’s the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

…

RewriteProxy with .htaccess in IISRead More »

How to block BaiduSpider bot User-Agent?

Windows Server / By Jan Reilink / 8 August 2015 12 July 2021

The Baidu spider (BaiduSpider user agent) can be a real pain to block, especially since it does not respect a robots.txt as it should. This post shows you how to block Baidu Spider bot, using IIS URL Rewrite Module based on its User-Agent string.

…

How to block BaiduSpider bot User-Agent?Read More »

My WordPress web.config

WordPress / By Jan Reilink / 22 June 2015 24 September 2020

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it’s because I’m a WordPress on Windows Server IIS enthusiast, so here is my web.config for your convenience (really, it’s not that special).

…

My WordPress web.configRead More »

How to enable HTTP Strict-Transport-Security (HSTS) on IIS

Windows Server / By Jan Reilink / 6 June 2015 6 September 2021

Easy wp_options table optimization for WordPress

Set up HTTP Strict-Transport-Security (HSTS) in Windows Server IIS 10. Scott Hanselman wrote a great post on how to enable HTTP Strict-Transport-Security (HSTS) on IIS web servers, and here is some more technical information about HSTS in IIS, and other security headers…

…

How to enable HTTP Strict-Transport-Security (HSTS) on IISRead More »

Secure WordPress uploads folder, disable PHP execution

Security / By Jan Reilink / 19 April 2015 16 January 2020

Deny direct access to PHP files in wp-content/uploads/

The following PHP function secures your WordPress website by disabling the execution of PHP scripts in wp-content/uploads, on Windows Server IIS web servers. It creates a web.config file for this purpose.

…

Secure WordPress uploads folder, disable PHP executionRead More »

Redirect HTTP to HTTPS

GNU Linux, Windows Server / By Jan Reilink / 13 March 2015 4 December 2020

In this post I provide you various HTTP to HTTPS redirection methods, for Windows Server IIS and Linux Apache. Use these examples to your advantage to secure the traffic between your visitors and your website.

…

Redirect HTTP to HTTPSRead More »

Huge increase in WordPress xmlrpc.php POST requests

WordPress / By Jan Reilink / 7 July 2014 23 December 2020

WordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure WordPress xmlprc.php interface and reduce service disruption.

…

Huge increase in WordPress xmlrpc.php POST requestsRead More »

Remove IIS Server version HTTP Response Header

Windows Server / By Jan Reilink / 6 July 2014 10 September 2021

Remove HTTP response headers in Windows Server IIS 10 and ASP.NET

Windows Server IIS loves to tell the world that a website runs on IIS. It does so with the Server header in the HTTP response, as shown below. In this post I’ll show you how to remove response server headers in IIS. You don’t want to give hackers too much information about your servers, heh? ;-).

…

Remove IIS Server version HTTP Response HeaderRead More »