Are you in my blocklist?
Force HSTS in Apache .htaccess
Disallow direct access to PHP files in wp-content/uploads/
Basic Authentication module for Windows Server IIS 10
WordPress .htaccess security best practices in Apache 2.4.6+
Protect WordPress from brute-force XML-RPC attacks
The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.
SSL in WordPress: how to move WordPress to HTTPS? The definitive guide
HackRepair.com's Bad Bots .htaccess in web.config for IIS
RewriteProxy with .htaccess in IIS
Rewrite and proxy HTTP requests in IIS using a .htaccess. In my scenario, I had to proxy requests in IIS because a website was moved from web server A to B and the DNS wasn't updated yet. All HTTP requests for the moved website are handled in IIS' Default Web Site; that's the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.
Mod_evasive on IIS
Website DDoS protection with mod_evasive. Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS, DDoS or brute-force attack. Detection is performed by creating an internal dynamic hash table of IP addresses and URIs; an IP address is denied access to a website if it requests the same page more than 10 times a second. This is configurable.