Increased security is always a good idea, especially for important pages like your WordPress admin login. So this article will show you how to protect the wp-admin directory in a WordPress site hosted on an IIS Server. We’re going to do that by blocking access to the directory to everyone but yourself.
On our IIS servers we allow you to use the IP Address and Domain Restrictions module. In this tutorial you’re going to need to connect to your site via IIS Manager. See our Knowledge Base article: How to connect to your site via IIS Manager. (If you prefer a direct web.config file solution, skip to the end of this article for the necessary code.)
- Once connected to your site via IIS Manager, navigate to your wp-admin directory by double clicking on the folder within IIS Manager. It’s important that you’re in your wp-admin directory – if you create the following rule in the root of your WordPress site, you’ll end up blocking everyone from accessing your site.
- Next, double click on the IP Address and Domain Restrictions icon.
- Under the Actions panel click on Edit Feature Settings…
- This will pop up the Edit IP and Domain Restrictions Settings dialog. Click on the drop down menu under Access for unspecified clients and select Deny. Leave Deny Action Type as Forbidden. Click on the OK button.
Now anyone from around the world will be blocked. This means you will be blocked too, but that’s okay. The next steps create a rule to allow only your IP address to access the wp-admin directory.
- Within the IP Address and Domain Restrictions module under Actions click on Add Allow Entry…
- Enter your IP address into the Specific IP address field and click the OK button to save the IP.
Now everyone in the world is blocked except your IP address, which is allowed to access the wp-admin directory. This also means that if your IP address changes you will need to update the rule to allow your new address. If you don’t know your outside (public) IP address you can always Google “What’s My IP”; Google will show it at the top of the search results. That’s the IP address you want to allow.
If you just want to cut to the chase, simply create a web.config file within the wp-admin directory and enter the following:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="184.108.40.206" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
Of course you want to replace the sample address in the ipAddress attribute with your real IP address.
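As an added example (not DiscountASP.NET’s code, and not part of the original article), the script below writes the same web.config for one or more allowed addresses. It validates each entry first, because a mistyped address, or the private LAN address of your PC instead of the public one your ISP presents, would produce a file that locks you out of wp-admin. It assumes only the ipSecurity element shown above plus its standard subnetMask attribute for a CIDR range, and it handles IPv4 only; the address in the usage line is the article’s placeholder.

```python
"""Generate a wp-admin web.config like the one above for a list of allowed
addresses.  Added example (not DiscountASP.NET's code): it assumes only the
IIS ipSecurity element shown in the article, plus its standard subnetMask
attribute for ranges, and it handles IPv4 only."""
import ipaddress
import xml.etree.ElementTree as ET
from xml.dom import minidom


def build_wp_admin_config(allowed):
    """Return web.config text that denies everyone except `allowed`.

    `allowed` holds single addresses ("184.108.40.206") or CIDR ranges
    ("184.108.40.0/24").  Every entry is checked with the ipaddress module:
    a typo, or a private/LAN address instead of the public one your ISP
    presents, would otherwise produce a file that locks you out of wp-admin.
    """
    if not allowed:
        raise ValueError("at least one allowed address is required; "
                         "allowUnlisted='false' on its own blocks everyone")
    configuration = ET.Element("configuration")
    web_server = ET.SubElement(configuration, "system.webServer")
    security = ET.SubElement(web_server, "security")
    ip_security = ET.SubElement(security, "ipSecurity", allowUnlisted="false")
    for entry in allowed:
        network = ipaddress.ip_network(entry, strict=False)
        if network.version != 4:
            raise ValueError(f"{entry}: this example handles IPv4 only")
        if not network.is_global:
            raise ValueError(f"{entry} is not a public address; use the one a "
                             "'what is my IP' lookup reports")
        attrs = {"ipAddress": str(network.network_address), "allowed": "true"}
        if network.num_addresses > 1:
            # IIS expresses a range as a base address plus a dotted mask
            attrs["subnetMask"] = str(network.netmask)
        ET.SubElement(ip_security, "add", **attrs)
    body = ET.tostring(configuration, encoding="unicode")
    # minidom adds the XML declaration and indentation for readability
    pretty = minidom.parseString(body).toprettyxml(indent="  ", encoding="UTF-8")
    return pretty.decode("utf-8")


if __name__ == "__main__":
    # the address below is the placeholder used in the article, not a real one
    print(build_wp_admin_config(["184.108.40.206"]))
```

Save the output as web.config inside the wp-admin directory (not the site root, for the reason given above). The ipSecurity section is locked at the server level on a default IIS install, so this file only takes effect where the host has unlocked it, as DiscountASP.NET says it does.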
Microsoft has been updating their partner program and raising the bar for the Gold Partner level every year, so we in turn have been making investments annually to meet the requirements of the Gold Partner level. We believe that our partner status is a differentiator and truly demonstrates our commitment to stay on top of Microsoft-related technologies.
Maintaining a strong relationship with Microsoft is one of the things that helped us launch Everleap, our ASP.NET cloud hosting solution, and ensures that DiscountASP.NET remains the premiere .NET host for developers worldwide.
We are aware that ASP.NET 4.6 was officially launched back in July 2015 and typically we are quick to update – but this particular update took us a while to get in – so I wanted to let you know what was going on.
When ASP.NET 4.6 was officially released we had every intention of getting it on to our hosting platform but during our testing phase we saw reports coming out about bugs found in ASP.NET 4.6 with recommendations not to install it in production. Since ASP.NET 4.6 was an in-place update, rather than a side-by-side install, we opted to be cautious. There were some patches and workarounds released to address some bugs – but we did not want to rely on patches and workarounds on our production hosting platform. Therefore we decided to wait until an official update, which came as ASP.NET 4.6.1 in November 2015.
We’ve been using the Windows update and our regular monthly maintenance window to install updates, so in November we expected the latest update to appear in the monthly update, just like other minor versions in the past. However, in the case of ASP.NET 4.6.1 – it wasn’t in Windows Update. We don’t know what goes on within Microsoft as they QA new updates, but if ASP.NET 4.6.1 wasn’t cleared for mass distribution, we figured that we should wait until it made it into Windows Update before putting it into production servers. We thought approval for mass release would come soon – but that was not the case.
Finally, a little over a week ago, we saw that ASP.NET 4.6.1 made it into Windows Update but it was only available for Windows 2012 R2 server. For our Windows 2012 platform, we have a mix of Windows 2012 and Windows 2012 R2 servers. So we updated all of our Windows 2012 R2 servers with ASP.NET 4.6.1 during February’s maintenance window, while our Windows 2012 servers remain at ASP.NET 4.5.2.
It did take us a while to update to ASP.NET 4.6, but when it comes to the production servers that power our customers’ websites, we want to be careful when making updates that could potentially cause problems for customers.
If you ever want to target a newer ASP.NET version that is not on your current server, please contact our technical support team and we may be able to move your site to the server environment with the ASP.NET version that you want to use.
Here’s my list for 2015.
- Retired Windows 2003
Microsoft announced a while back that Windows 2003 support was ending on July 14, 2015. We launched our hosting services back in 2003 with its foundation on the newly released Windows 2003 – so we had a lot of customers on the O/S and we also had some of our back end infrastructure on Windows 2003 as well. We didn’t want to wait until the last minute to try to deprecate Windows 2003 servers so we actually started working on customer migrations two years ago! We started helping with voluntary migrations and then switched over to migrating sites manually one by one…about 6000 sites. We finally finished up early July, right on schedule. Ray gives the inside scoop on how we retired Windows 2003 – it’s a good ‘behind-the-scene’ read.
- Launched CloudBackup solution
A great example of a hybrid hosting service, we launched a solution to help automate off-site website and MySQL database backups where the files/data are stored on the Amazon cloud. The service includes an intuitive web-based portal to manage backup scheduling, versioning and restorations. And the backup solution starts at $1.75/mo. More information on CloudBackup here.
- Enhanced CloudBackup with automated MS SQL backup
One of the things the original CloudBackup solution lacked was a solution for backing up MS SQL databases. Automated SQL backup has been a big ‘ask’ from customers for many years, so we enhanced the solution to back up SQL 2012 and SQL 2014 databases. (And fear not, we are working on SQL 2008 backups which should be coming just around the corner! Stay tuned for announcements.) As a bonus, we also slipped in Blacklist Monitoring. This is where we continually monitor Google and, should your site ever become blacklisted due to hacking activities, we’ll immediately suspend the backup schedule so that CloudBackup doesn’t continue to back up your compromised website files and databases. With the Blacklist Monitoring feature, customers should be able to get to their clean backups more easily and not have to wade through useless backup copies. More information on CloudBackup here.
- Launched ASP.NET 4.5.2 hosting
Keeping up to date with new ASP.NET versions is becoming more important as Microsoft announced that they will only support the last two minor versions. So we updated both our Windows 2008 and Windows 2012 hosting platform with ASP.NET 4.5.2.
- Launched Shared and Managed TFS 2015
Microsoft launched TFS 2015 so we launched both Shared and Managed TFS 2015 hosting in both the US and UK datacenter locations. The newest version of Team Foundation Server finally allows the renaming of team projects. Other enhancements include the ability to display bugs in the task board and quick code editing through the web portal. More info on TFS Hosting here.
- We migrated our Data Center location
We needed more breathing room in our data center, so we moved locations within our USA-based data center to a larger space. This was no trivial task. It took a lot of planning and we moved hundreds of servers.
- Enhanced the control panel with a PHP version chooser
For our hosting services we do focus on ASP.NET hosting but we also realize that many .NET developers use PHP applications, such as WordPress. To strengthen our PHP hosting service, we introduced a PHP version chooser that works similar to our ASP.NET version chooser tool.
- Expanded SiteLock services with Trueshield CDN and Web Application Firewall
We launched a Content Delivery Network (CDN) service through our partner, SiteLock. This service will cache customer content (both static and dynamic depending on the plan) in edge servers located in over 25 data centers around the world and also includes features like content minification and image compression. The CDN service increases website speed as visitors can pull content off servers closer to their location. The enhancement also includes a Web Application Firewall service to help prevent hack attempts and exploits, especially those targeting popular open source apps like WordPress, DNN or nopCommerce. Because millions of websites use the SiteLock service, they “see” the signatures of common hacking attempts, so they can stop such activities dead in their tracks before the malicious traffic hits your site on our servers.
- Launched Managed SQL solutions at Everleap
Yes, this item is a feature that is not at our DiscountASP.NET brand, but I include it here as an example of an upgrade path for customers that need larger SQL storage, or customized SQL database solutions, or customers needing many smaller SQL databases for a SaaS application. We cannot accommodate such SQL requirements at DiscountASP.NET but with Managed SQL hosting at our cloud hosting brand, Everleap, we provide a solution for special SQL needs. Here is more information on Managed SQL hosting at Everleap.com.
- Renewed our Microsoft Gold Partner status
We successfully renewed our Microsoft Gold Partner status for the 10th year. I know, I know, I keep mentioning this every year. But it is a big deal because it’s getting harder to maintain every year and it’s an investment on our part that many other hosting providers are no longer keeping up with.
Thank you for making it through this long post and we look forward to an exciting 2016!
Have a happy and safe holiday.
You may have noticed that there were a couple of outages last week, related to moving all of the hardware in our network to a new, larger space in the Los Angeles data center (and if you didn’t notice, forget I said anything).
A large-scale move like that is a major, unusual occurrence, and probably (hopefully!) a one-time thing. For a major move like that, you may have expected some brief periods of downtime related to it.
But we’ve been successfully preventing and avoiding other types of global outages for some time now (not to jinx anything), though individual server outages are still something that happens from time to time. In fact they’re scheduled to happen every month when we do Windows updates.
I know that a lot of you notice when there is an outage, because I talk to you about it here, on Twitter, Google+, Facebook, in the helpdesk, standing in line at the movie theater, at stop lights on my way in to the office…
I hear what you’re saying, no one likes an outage, and we take them very seriously around here. I know that many of you rely on us to provide service to your clients, and when there’s a problem, they rattle your cage, not ours.
But our goal here is to be honest in all of our communication with you, and honestly, things are going to fail. We’re going to have occasional problems. Some small, some large. And as a result, your web site will not be up 100% of the time.
Yes, I said it.
And while it may be a little strange to see someone from an established website hosting company saying it, it really shouldn’t be too surprising. It’s the reality of the situation. Hardware fails, networks fail and humans fail.
For what it’s worth, I think we do provide nearly perfect service
Nearly. But it can’t work 100% of the time because there are a million variables at work here every minute of every day, and we can only control about 999,000 of them.
I’m speaking for us, here at DiscountASP.NET, but what I’m talking about applies to every service that you use. All of them. On the Internet (it’s difficult to think of a single online service or utility that hasn’t had an outage in the past six months), in your home, in your car, on the train – pretty much everything you rely on to always be there – it’s all going to fail at some point.
Considering the complexity of the network that is the Internet, and the interconnectedness of thousands of different kinds of hardware and software, it’s really kind of a minor miracle that it works as well as it does. But no one – ourselves included – likes an interruption, even in their miracles.
Whenever there is an incident that affects a lot of you (or all of you – like a major DDoS), we spend a lot of time after the fact analyzing what went wrong and determining how we can prevent or better react to something similar in the future. That’s time well spent, because every improvement we make, large or small, has a positive impact on the quality of the nearly perfect service we provide to you.
We also spend a considerable amount of time and money preventing and mitigating problems before you even know they’re happening. Network monitoring, intrusion and exploit detection, hardware and software retirement and migration – it’s an ongoing process, and we constantly tweak and improve all of our processes. And by “constantly,” I mean every single day.
But the major improvement we’ve made isn’t actually on the DiscountASP.NET platform
It’s the introduction of a completely new platform at Everleap.
That’s our cloud hosting system built on Windows Azure Pack. It’s all of the good parts of the big cloud combined with the good parts of traditional hosting. Meaning the resilience, redundancy and flexibility of the big cloud, but with the inclusion of a lot of traditional hosting services that you’ve come to expect, but cost extra at the large cloud hosts: email, databases, SQL Reporting Service, usage stats, SSL, DNS, expert, in-house tech support, etc.
What makes Everleap different is that it is much more fault-tolerant than a traditional server setup like we have here at DiscountASP.NET. If an Everleap server goes down, all of the traffic for those sites is routed to a healthy server within seconds. That technology also allows us to do Windows server updates with no web server downtime, something that’s impossible on a traditional Windows server.
That alone is pretty cool, but you can also run your site simultaneously on multiple servers that are automatically load balanced, increase resources like memory and CPU much more easily, and even get Reserved Cloud Servers and Managed SQL servers – all the resources of a web or SQL server dedicated to a single user. Reserved Cloud and Managed SQL are like having your own server – no unruly neighbors to drag you down – but without any of the maintenance headaches that come with a VPS or dedicated server.
If all of that sounds like a sales pitch, it is! A little bit. We really believe that Everleap is the future of web hosting, and we want everyone to benefit from the advances. Now I know that some of you are probably wondering, “If you believe in it so much, why didn’t you just replace the DiscountASP.NET platform with the Everleap technology?”
And the answer is, we seriously considered it. But it would have been unnecessarily disruptive for a lot of folks, and we feel that there’s still a place for a traditional hosting platform. So ultimately we decided to offer Everleap on its own so that everyone who enjoys DiscountASP.NET just the way it is, thank you, can remain right where they are. Choice is always good.
But if you’re outgrowing the traditional hosting platform, or you just want the speed, flexibility and greatly improved uptime of the new platform, you may want to give Everleap a try. It’s free for 30 days, so you’ve got nothing to lose. If you like it, we’ll even help you move and apply any credit remaining on your DiscountASP.NET account to your new Everleap account.
The future is now! Come on over and see it for yourself.
In this tutorial we will be reinstalling WordPress after it’s been compromised or “hacked.” The tutorial assumes three things: 1) The MySQL database your WordPress site was using wasn’t compromised, 2) The WordPress files were the only thing modified, and, 3) You have no other web applications installed in your site’s root directory.
These instructions are specifically for WordPress installations running on IIS, but you can use the same basic steps to reinstall WordPress on any platform.
Quick overview of the steps we’re about to take
- Creating two different directories locally on your computer.
- One containing your hacked WordPress site.
- The other containing your clean WordPress site.
- Before changing anything we will be making a backup of your current WordPress site by downloading it via FTP. Yes, the current compromised WordPress site.
- Downloading a clean copy of WordPress
- Re-downloading your themes folder
- Re-downloading your plugins folder
- Copying your web.config and wp-config.php files from the old WordPress site to the root directory of your clean WordPress site
- Restoring your images/upload files
Step 1 – Create two different directories on your computer
Create two different empty directories on your local computer.
Step 2 – Create a backup of your hacked WordPress Site
First you will need to establish an FTP connection to your site. Instructions on how to connect to your site via FTP can be found in this knowledge base article.
Once the FTP connection has been made, navigate to your local directory within FileZilla where you wish to place your backup.
Highlight all of the files and directories within your WordPress site and right click on Download to copy them to your local environment.
Important: We’re putting the files here for safe keeping, don’t open any of the files unless specified in this article.
Step 3 – Download a clean copy of WordPress
Go to WordPress Downloads and download the zip file.
Next you want to extract the clean files to the clean folder directory on your local computer.
Step 4 – Re-Download your theme files
Everyone uses a different theme for their WordPress site, so everyone’s case is going to be unique. If you remember where you downloaded your theme then go ahead and download it from the source and skip to section Step 4 B.
If you are unsure which theme you were using, navigate to the \wp-content\themes directory in the hacked backup WordPress files.
WARNING: Don’t use the theme from the hacked WordPress site, it’s important to download a new copy from the source.
Within the \wp-content\themes\ directory you will see different directories. You will most likely see some of the default themes that come with WordPress.
But the other themes that are located in the \wp-content\themes\ directory will be the themes you downloaded for your WordPress site before it was compromised.
In my case I forgot the name of the theme I was using. From the list I see in the \wp-content\themes\ directory I can see that I was using the “rendition” theme.
My next step was to Google “rendition wordpress theme,” and I was able to locate the source of the theme.
Download and extract the clean theme files into the clean WordPress directory locally on your computer.
Once you have downloaded the zip copy of your theme locally on your computer, extract it to a location where you can simply copy and paste the clean theme into the \wp-content\themes\ directory within the clean copy of your WordPress file structure.
Step 5 – Re-download your plugins
The plugins folder will be in the \wp-content\plugins directory.
If you don’t recall which plugins you had installed, you can always go into the hacked WordPress file structure to see which plugins were installed.
Make a list of the plugins you need to download and download them manually from the WordPress plugins site.
Extract the clean plugins you just downloaded into an empty folder on your computer.
Copy and paste them into the clean copy of the WordPress site’s \wp-content\plugins directory.
Step 6 – Copy the web.config & wp-config.php files
We have to copy and paste the old web.config and wp-config.php files into the clean copy of the WordPress site’s root directory.
The web.config file contains the URL Rewrite rules needed for your WordPress permalinks to work correctly on the IIS server.
The wp-config.php file contains the settings needed to reestablish a MySQL database connection to the original MySQL database.
Go to the hacked WordPress site root directory where your wp-config.php file is located and open it in a text editor like Notepad. Check for malicious code that you don’t recognize; basically, you just want to make sure your old wp-config.php file is clean. If you’re not sure what it’s supposed to look like, you can compare it against the sample wp-config.php file, or check the clean version on the GitHub sample page for the wp-config file.
Once you have confirmed it’s clean, you’re going to want to change the password for your MySQL database.
Log into Control Panel and change the password for your MySQL database within the MySQL Manage section:
Click Manage next to the MySQL database.
Click Update Password.
Next you’re going to need to update the following line in your wp-config file with the new password.
Replace it with:
Save the wp-config.php file and place it into the root directory of your clean copy of WordPress.
Next you want to simply copy and paste your old web.config file from the compromised WordPress site to the root of the clean WordPress site. web.config is not a file targeted in the typical WordPress compromise, so it’s usually safe to use the old version. You may want to take a look at it in any case, just to make sure it hasn’t been altered.
Step 7 – Delete your old WordPress files and upload the clean WordPress site
Connect to your site via FTP and delete everything from the root of the site.
You want to make sure you have an empty root since you will be uploading a clean copy of your WordPress site.
Once your root directory is clean go ahead and upload the clean copy of the WordPress site located on your local computer to the root of the site.
Your site should work now. Visit the site to verify that you did everything correctly.
Step 8 – Restore your old image and upload files
The last step is restoring your image files from your old installation of WordPress to your clean WordPress site.
First, browse your site to make sure you don’t have any missing images. If you do find that some images aren’t displaying correctly, you can use Google Chrome’s Developer tools to troubleshoot. By using the network tab you can see which images are missing and which directory they need to be uploaded to.
Once you find the image that is missing in the copy of your hacked WordPress backup, you can upload each image one by one.
In the image above we can see where our missing image file will need to go into our file directory structure. Simply locate the missing file from your compromised site backup and upload it via FTP to your clean site.
An important next step is to make sure you update any outdated plugins and themes from within your WordPress admin section. You should also update the password for your WordPress admin user.
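The steps above rely on eyeballing the hacked backup: spotting a changed core file, a stray file in the root, an altered wp-config.php, or a script hiding among the uploads you restore in Step 8. As an added example that is not part of the original tutorial, the script below automates those checks by comparing the backup from Step 2 against the clean download from Step 3. It assumes both trees are on your local disk, uses only Python’s standard library, and builds two small constructed trees (not a real WordPress install) so you can try it without downloading anything. The indicator list for wp-config.php is my own choice of functions commonly used by injected code; a hit means “read this line”, not “hacked”.

```python
"""Audit the backup of a compromised WordPress site against a clean download
before rebuilding it.  Added example, not part of the original tutorial: it
assumes both trees are on the local disk and uses only the standard library."""
import hashlib
import os
import tempfile

# Files the tutorial expects to differ from a fresh download (Step 6), so they
# are listed for manual review rather than reported as tampering.
SITE_SPECIFIC = {"wp-config.php", "web.config"}
# Script extensions that have no business inside wp-content/uploads (Step 8).
SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar", ".asp", ".aspx"}
# Functions often used by injected code; a hit means "read this line", not "hacked".
CONFIG_INDICATORS = ("eval(", "base64_decode(", "gzinflate(", "str_rot13(")


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk(root):
    """Map each file's path relative to root (forward slashes) to its full path."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return files


def audit_backup(backup_dir, clean_dir):
    """Compare the hacked backup (Step 2) with the clean WordPress tree (Step 3).

    Returns a dict of sorted relative paths:
      modified        core files present in both trees with different content
      added           files in the backup's core that a clean download lacks
      site_specific   wp-config.php / web.config, to be checked by hand (Step 6)
      upload_scripts  script files under wp-content/uploads; do not restore these
    Themes and plugins are skipped because Steps 4 and 5 re-download them.
    """
    backup, clean = _walk(backup_dir), _walk(clean_dir)
    report = {"modified": [], "added": [], "site_specific": [], "upload_scripts": []}
    for rel, path in sorted(backup.items()):
        if rel in SITE_SPECIFIC:
            report["site_specific"].append(rel)
        elif rel.startswith("wp-content/uploads/"):
            if os.path.splitext(rel)[1].lower() in SCRIPT_EXT:
                report["upload_scripts"].append(rel)
        elif rel.startswith("wp-content/"):
            continue
        elif rel not in clean:
            report["added"].append(rel)
        elif _sha256(path) != _sha256(clean[rel]):
            report["modified"].append(rel)
    return report


def suspicious_config_lines(text):
    """Return (line number, line) pairs of wp-config.php worth a manual look."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if any(token in line.lower() for token in CONFIG_INDICATORS):
            hits.append((number, line.strip()))
    return hits


def audit_config_file(path):
    with open(path, encoding="utf-8", errors="replace") as handle:
        return suspicious_config_lines(handle.read())


def _write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as handle:
        handle.write(body)


def build_demo_trees():
    """Create two small constructed trees (not a real WordPress install) so the
    audit can be tried without downloading anything.  Returns (backup, clean)."""
    root = tempfile.mkdtemp()
    clean, backup = os.path.join(root, "clean"), os.path.join(root, "backup")
    core = {"index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-settings.php": "<?php // clean settings\n"}
    for rel, body in core.items():
        _write(os.path.join(clean, rel), body)
        _write(os.path.join(backup, rel), body)
    # constructed tampering: a line appended to a core file, an extra file in
    # the root, a script inside uploads, and an obfuscated line in wp-config.php
    _write(os.path.join(backup, "wp-settings.php"), core["wp-settings.php"] + "// appended\n")
    _write(os.path.join(backup, "extra-file.php"), "<?php // not part of WordPress\n")
    _write(os.path.join(backup, "wp-content/uploads/2015/12/photo.jpg"), "jpeg bytes")
    _write(os.path.join(backup, "wp-content/uploads/2015/12/not-an-image.php"), "<?php\n")
    _write(os.path.join(backup, "wp-config.php"),
           "<?php\ndefine('DB_NAME', 'wp');\neval(base64_decode('constructed'));\n")
    return backup, clean


if __name__ == "__main__":
    demo_backup, demo_clean = build_demo_trees()
    for key, paths in audit_backup(demo_backup, demo_clean).items():
        print(f"{key:15s} {paths}")
    print("wp-config.php:", audit_config_file(os.path.join(demo_backup, "wp-config.php")))
```

Run it against your real directories by calling audit_backup with the backup folder from Step 2 and the extracted clean download from Step 3. Anything under “added” or “modified” is what the attacker touched and must not be copied across; “upload_scripts” are files to leave behind when you restore images in Step 8, since a clean uploads folder contains media, not PHP.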