16 simple ways to secure your WordPress site

WordPress is a popular target for attackers and currently there are a lot of botnets discovering vulnerable sites and trying to brute force the admin password. If you haven’t hardened your WordPress installation, this is the perfect time to do that.

1. Don’t use the defaults

When installing a new instance of WordPress, make sure you choose a name other than admin for the administrator account and change the default table prefix (wp_) to something else.

How to force IIS/ASP.NET to use assembly from the bin folder instead of GAC

If you have an assembly with the same version number located both in a web site's bin folder and in the Global Assembly Cache (GAC), ASP.NET will by default load the GAC copy. Sometimes that's not what you want, so here's a workaround.

1. Open web.config in a text editor

2. Add this code to /configuration/runtime/assemblyBinding/dependentAssembly:

<assemblyIdentity name="Your.Assembly.Name" publicKeyToken="31bf3856ad364e35"/>
<codeBase version="1.0.0.0" href="/bin/Your.Assembly.Name.dll" />


How to block search engines from indexing all sites in an IIS instance

This can be useful on development sites where you have many IIS sites running but don’t want search engines to index them without creating robots.txt on every site.

To do this we'll add an X-Robots-Tag HTTP response header, which is honoured by some search engines, including Google, as detailed here: http://googleblog.blogspot.com/2007/07/robots-exclusion-protocol-now-with-even.html

Here are the steps:

1. Open Internet Information Services (IIS) Manager
2. Click the server instance name from the left menu
3. Open HTTP Response Headers
4. Click Add… from the action menu
5. In the Name input, type: X-Robots-Tag and in the Value input, type: noindex
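The same server-level header can be added and then checked from PowerShell. The script below is an added example, not part of the original post; it uses the WebAdministration module that ships with IIS 7 and later, assumes an elevated prompt, and then sends a HEAD request to the first HTTP binding of every site so that a site-level web.config override that drops the header is noticed.

```powershell
# Added example (not from the original post): set X-Robots-Tag: noindex at the
# server level (applicationHost.config) and verify each site actually returns it.
Import-Module WebAdministration

$serverConfig = 'MACHINE/WEBROOT/APPHOST'   # server-level configuration path
$headerName   = 'X-Robots-Tag'
$headerValue  = 'noindex'

# Only add the header once; Add-WebConfigurationProperty fails on a duplicate name.
$existing = Get-WebConfiguration -PSPath $serverConfig `
    -Filter "system.webServer/httpProtocol/customHeaders/add[@name='$headerName']"
if ($null -eq $existing) {
    Add-WebConfigurationProperty -PSPath $serverConfig `
        -Filter 'system.webServer/httpProtocol/customHeaders' `
        -Name '.' -Value @{ name = $headerName; value = $headerValue }
    Write-Host "Added $headerName header at server level"
} else {
    Set-WebConfigurationProperty -PSPath $serverConfig `
        -Filter "system.webServer/httpProtocol/customHeaders/add[@name='$headerName']" `
        -Name 'value' -Value $headerValue
    Write-Host "$headerName header already present; value set to '$headerValue'"
}

# Verify: a site's own web.config can override or remove the inherited header,
# so request each site's first http binding and look for the noindex directive.
foreach ($site in Get-Website) {
    $binding = $site.bindings.Collection |
        Where-Object { $_.protocol -eq 'http' } | Select-Object -First 1
    if (-not $binding) { continue }

    # bindingInformation is "ip:port:hostname"; an empty hostname means any host
    $ip, $port, $hostName = $binding.bindingInformation -split ':'
    if ([string]::IsNullOrEmpty($hostName)) { $hostName = 'localhost' }
    $url = "http://${hostName}:${port}/"

    try {
        $response = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -ErrorAction Stop
        $value = $response.Headers[$headerName]
        if ($value -and $value -match '\bnoindex\b') {
            Write-Host    ("OK      {0,-30} {1}" -f $site.Name, $value)
        } else {
            Write-Warning ("MISSING {0,-30} no '{1}: noindex' on {2}" -f $site.Name, $headerName, $url)
        }
    } catch {
        Write-Warning ("ERROR   {0,-30} {1}" -f $site.Name, $_.Exception.Message)
    }
}
```

Run it once after adding new sites: because the header lives in applicationHost.config, every site inherits it, but the verification loop is what tells you whether a site-level customHeaders section has cleared it again.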

How to disable ciphers vulnerable to the BEAST vulnerability on Windows server/IIS

By default the SSL protocol encrypts data using CBC mode with chained initialization vectors. This allows an attacker who has gained access to an HTTPS session via a man-in-the-middle (MITM) attack or other means to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with JavaScript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or "BEAST".

How to export Exchange 2010 mailbox as pst file

1. Open Exchange Management Shell from the start menu
2. Create a new export request

New-MailboxExportRequest -Mailbox {username} -FilePath \\{server}\{share}\(unknown).pst

Replace {username} with the username of the mailbox you want to export, {server} with the destination server (pst files must be exported to a share, so a UNC path is required), {share} with the name of the shared folder, and (unknown) with the filename of the .pst file.
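The export request runs asynchronously on the Mailbox Replication Service, so the command above returns immediately. The function below is an added example, not from the original post: it builds the UNC path from parameters, checks the share is reachable, submits the request and polls its statistics until it finishes. It assumes Exchange 2010 SP1 or later (New-MailboxExportRequest was introduced in SP1), the Exchange Management Shell, an account that holds the "Mailbox Import Export" role (not assigned to anyone by default) and read/write permission for the "Exchange Trusted Subsystem" group on the share. The function and parameter names are this example's own.

```powershell
# Added example (not from the original post): wrap New-MailboxExportRequest and
# follow the request to completion. Written for PowerShell 2.0, which the
# Exchange 2010 Management Shell runs on.
function Export-MailboxToPst {
    param(
        [Parameter(Mandatory=$true)] [string] $Mailbox,   # alias, UPN or display name
        [Parameter(Mandatory=$true)] [string] $Server,    # file server hosting the share
        [Parameter(Mandatory=$true)] [string] $Share,     # share name, e.g. PstExports
        [string] $FileName = "$Mailbox.pst",
        [int] $PollSeconds = 30
    )

    # PST exports must go to a UNC path; Exchange rejects a local drive letter.
    $sharePath = "\\$Server\$Share"
    if (-not (Test-Path -Path $sharePath)) {
        throw "Share $sharePath is not reachable from this machine"
    }
    $path = "$sharePath\$FileName"

    $requestName = "Export-$Mailbox-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    $request = New-MailboxExportRequest -Mailbox $Mailbox -FilePath $path -Name $requestName

    # Poll the request statistics until it reaches a terminal status.
    $terminal = @('Completed', 'CompletedWithWarning', 'Failed')
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats = Get-MailboxExportRequestStatistics -Identity $request.Identity
        Write-Host ("{0}: {1} ({2}% complete)" -f $requestName, $stats.Status, $stats.PercentComplete)
    } while ($terminal -notcontains $stats.Status)

    if ($stats.Status -eq 'Failed') {
        throw "Export of $Mailbox failed: $($stats.Message)"
    }

    # Finished requests stay in the queue until removed; clean up so the
    # Get-MailboxExportRequest list only shows work that is still running.
    Remove-MailboxExportRequest -Identity $request.Identity -Confirm:$false
    return $path
}

# Usage (constructed values):
# Export-MailboxToPst -Mailbox 'jdoe' -Server 'FS01' -Share 'PstExports'
```

If New-MailboxExportRequest is not recognised at all, the account is missing the "Mailbox Import Export" role rather than the cmdlet being absent; assign the role with New-ManagementRoleAssignment and start a new shell session.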

How to disable Receive Window Auto-Tuning Level in Windows 7 / 2008

The Receive Window Auto-Tuning feature lets the operating system continually monitor routing conditions such as bandwidth, network delay, and application delay. The operating system can then configure connections by scaling the TCP receive window to maximize network performance. To determine the optimal receive window size, the Receive Window Auto-Tuning feature measures the bandwidth-delay product and the rate at which the application retrieves data. It then adapts the receive window size of the ongoing transmission to take advantage of any unused bandwidth.

While the feature may improve speed, in some cases it can also cause problems and slow down the network.

To disable the feature, use this command:

netsh interface tcp set global autotuning=disabled

To see if the feature is enabled or disabled, use this command:

netsh interface tcp show global

To enable the Receive Window Auto-Tuning Level, use this command:

netsh interface tcp set global autotuning=normal

Here’s a list of available options for the autotuning parameter:

disabled: Fix the receive window at its default value.
highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.
restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.
normal: Allow the receive window to grow to accommodate almost all scenarios.
experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.

How to change the number of dynamic ports

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000. This is known as MaxUserPort in Windows 2003.

However, this may not be enough for busy servers. To increase this number, use this command:

netsh int ipv4 set dynamicportrange tcp start=16384 num=49151

Here we change the number of ports from the default 16,383 to 49,151. You can choose any number but make sure the end port (start + num) is not higher than 65535.

To show the current number of ports, use this command:

netsh int ipv4 show dynamicportrange tcp
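Both the auto-tuning level and the dynamic port range are only reported as free text by netsh, so an audit across many servers means parsing that text. The script below is an added example, not from the original post: it reads the current Receive Window Auto-Tuning Level and the dynamic port range from the two "show" commands above, computes the last port that the range actually covers (start + num - 1, since the range includes the start port), and flags a range that would run past 65535. It assumes an elevated prompt on Windows 7 / Server 2008 or later and English-language netsh output; the function names are this example's own.

```powershell
# Added example (not from the original post): audit TCP auto-tuning and the
# dynamic port range by parsing netsh output.
function Get-TcpAutoTuningLevel {
    $output = netsh interface tcp show global | Out-String
    if ($output -match 'Receive Window Auto-Tuning Level\s*:\s*(\w+)') {
        return $Matches[1].ToLower()   # disabled, highlyrestricted, restricted, normal, experimental
    }
    throw 'Could not find "Receive Window Auto-Tuning Level" in netsh output'
}

function Get-DynamicPortRange {
    param([ValidateSet('tcp', 'udp')] [string] $Protocol = 'tcp')
    $output = netsh int ipv4 show dynamicportrange $Protocol | Out-String
    if ($output -notmatch 'Start Port\s*:\s*(\d+)') { throw 'Could not parse Start Port' }
    $start = [int]$Matches[1]
    if ($output -notmatch 'Number of Ports\s*:\s*(\d+)') { throw 'Could not parse Number of Ports' }
    $count = [int]$Matches[1]

    New-Object PSObject -Property @{
        Protocol  = $Protocol
        StartPort = $start
        Count     = $count
        EndPort   = $start + $count - 1   # last port in the inclusive range
    }
}

function Test-DynamicPortRange {
    param([int] $Start, [int] $Num)
    # Rule from the post: the range must not run past 65535. Windows additionally
    # requires the start port to be at least 1025 and the range to hold at least
    # 255 ports; netsh refuses settings outside these limits.
    if ($Start -lt 1025) { return $false }
    if ($Num -lt 255)    { return $false }
    return (($Start + $Num - 1) -le 65535)
}

$level = Get-TcpAutoTuningLevel
$range = Get-DynamicPortRange -Protocol tcp
Write-Host "Receive Window Auto-Tuning Level : $level"
Write-Host ("Dynamic TCP port range           : {0}-{1} ({2} ports)" -f
            $range.StartPort, $range.EndPort, $range.Count)

if (-not (Test-DynamicPortRange -Start $range.StartPort -Num $range.Count)) {
    Write-Warning 'Dynamic port range is outside the limits netsh accepts'
}

# Dry-run check before changing the range, using the values from the post:
$newStart = 16384; $newNum = 49151
if (Test-DynamicPortRange -Start $newStart -Num $newNum) {
    Write-Host "start=$newStart num=$newNum is valid (last port $($newStart + $newNum - 1))"
    # netsh int ipv4 set dynamicportrange tcp start=$newStart num=$newNum
}
```

Keep the set command commented out until the dry-run passes; a rejected range leaves the previous setting in place, but a range that is accepted yet overlaps ports your services listen on will cause intermittent bind failures that are hard to trace back to this change.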