htaccess - Sysadmins of the North

Are you in my blocklist?

With just a few manual steps, you create your own little blocklist for WordPress in either a `.htaccess` or `web.config` file. Here are the IP addresses I'm currently blocking. Note, this list can get long (loooonnggg).

Published on Sunday, 12 February 2023

Force HSTS in Apache .htaccess

Learn how to enable HSTS in Apache .htaccess configuration file to start using HTTP Strict Transport Security (HSTS)

Published on Friday, 18 December 2020

Disallow direct access to PHP files in wp-content/uploads/

It's recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with .htaccess on Linux Apache, or `web.config` accesssPolicy in Windows Server IIS. And here is how.

Published on Monday, 16 March 2020

Basic Authentication module for Windows Server IIS 10

Basic Authentication managed HTTP module for IIS 10 with virtual users support. In my pursuit of a basic authentication alternative in IIS, other than the built-in Basic Authentication module or Helicon Ape, I came across Devbridge AzurePowerTools. It's apparently one of few HTTP managed modules for IIS that enables HTTP Basic Authentication with support for virtual users.

Published on Friday, 24 January 2020

WordPress .htaccess security best practices in Apache 2.4.6+

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website.

Published on Monday, 5 November 2018

Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You'll learn the important steps to move WordPress from http to https in this post.

Published on Friday, 15 July 2016

HackRepair.com's Bad Bots .htaccess in web.config for IIS

Learn to protect your WordPress website with this web.config file

Published on Friday, 19 February 2016

RewriteProxy with .htaccess in IIS

Rewrite and proxy HTTP requests in IIS using a .htaccess. In my case scenario, I had to proxy requests in IIS, because a website was moved from web server A to B, and the DNS wasn't updated yet. All HTTP requests for the moved website are handled in IIS' Default Web Site; that's the wildcard host, and the original host no longer existed there. We needed to match our website and proxy those requests to the new IIS web server. This can either be done using a proxy with URL Rewrite, IIS Application Request Routing (ARR), or a .htaccess file handled by Helicon Ape.

Mod_evasive on IIS

Website DDoS protection with mod_evasive. Mod_evasive is a module for Apache and Windows Server IIS (using Helicon Ape). It provides protection and evasive action in the event of an HTTP DoS-, DDoS or brute force attack. Detection is performed by creating an internal dynamic hash table of IP Addresses and URIs, and denies an IP address access to a website if it's requesting the same page more than 10 times a second. This is configurable.

Published on Thursday, 24 July 2014

Older

windows-server (96) iis (80) powershell (76) php (54) wordpress (45) mysql (36) windows (34) performance (28) linux (23) web.config (23) Website (22) htaccess (20) aspnet (19) url-rewrite-module (19) sql-server (18) bash (18) optimization (18) ssl (17) plugin (13) windows-10 (12) devops (11) monitoring (11) security (10) gnu-linux (10) appcmd (10) wsl (9) smtp (9) wincache (9) wmi (8) zabbix (8) windows-update (8) opcache (8) openssh (7) database (7) dism (7) iis-60 (7) sysops (6) wsus (6) apache (6) hyper-v (6) virtualization (6) spam (6) functions-php (6) classic-asp (6) ddos (6) password (5) email (5) active-directory (5) joomla (5) command-line (5) application-pool (5) blacklist (5) t-sql (4) wql (4) https (4) group-policy (4) backup (4) connector-net (4) debug (4) logparser (4) network-adapter (4) dns (4) query_cache (4) ghost (4) iisnode (4) node-js (4) vbscript (3) umbraco (3) windows-firewall (3) brute-force (3) ftp (3) postfix (3) forensics (3) benchmark (3) xss (3) disk-cleanup (3) disk-space (3) sql-injection (3) openssl (2) net-core (2) visual-studio (2) windows-defender (2) rdp (2) connector-odbc (2) c (2) mysqldump (2) xml-rpc (2) smb (2) cross-site-scripting (2) innodb (2) httpbl (2) centos (2) magento (2) denial-of-service (2) deployment (2) windows-deployment-services (2) mysqli (2) open-xchange (2) waf (2) web-application-firewall (2) windows-11 (1) ipv6 (1) networking (1) sqlce (1) tinymce (1) Prianha-CMS (1) kvm (1) http-3 (1) quic (1) wmsvc (1) database-mirroring (1) service-principal-names (1) spn (1) jetpack (1) api (1) kms (1) elasticsearch (1) red-hat (1) varnish-cache (1) dhcp (1) jquery (1)