Run WordPress on IIS?



Is it possible to host WordPress on IIS? Yes. And it works well, very well even. Not all WP-plugins work well with IIS though. But most do.

IIS does not support .htaccess, but this web.config does the job instead. It relies on the IIS URL Rewrite module, which is an optional component in IIS. It also includes a rule to forward HTTP requests to HTTPS. You may want to remove that rule if you don't need it.

It also denies access to xmlrpc.php - an outdated WordPress security protocol.

But... there are some important things to keep in mind when hosting WordPress websites on Windows Servers (IIS):

  • Even for relatively small websites (for any website actually) you'll need a performance/caching plugin. WP Fastest Cache is a good choice, and it works well with IIS. It brings page load time down to 200ms for most pages.
     
  • You'll need a security plugin to counter brute force attacks. Limit Login Attempts Reloaded is free and helps a lot. But these plugins do not protect you against aggressive bot attacks (often requesting non-existing files and folders). The WP-404 page takes between 400 and 700ms to load (and it's typically not cached, not even by caching plugins). That is a disaster when dozens of brute force 404-requests come in simultaneously.
     
  • WordPress on IIS uses a lot of RAM and CPU. While Classic ASP/VBScript runs pretty well on a modest Windows server with 2 vCPUs and 8GB of RAM, a Windows server that hosts a few WP-sites needs at least twice as much. So be prepared for a more expensive hosting bill.
     
  • Do you use WooCommerce? You'll need at least 4 vCPUs and 16GB of RAM to run only 5 busy WordPress sites with Woo installed. If you expect 10 users working simultaneously in the WP admin panel (with Woo installed), you'll need 8 vCPUs.
     
  • You should disable WP-Cron: add define('DISABLE_WP_CRON', true); to your wp-config.php. Then run CRON on a regular basis from a scheduled task in Windows. You can run it twice or three times a day. No need to run it on every page load. It will crash your server CPU if multiple (>5) WP-sites execute CRON simultaneously.

I am currently hosting 213 WP-sites (all of them have Woo installed) on this server. These are student-sites that barely cause any traffic. In total, these sites use 42GB of disk space, plus 6GB in MySQL databases. There are 2.600.000 files and 360.000 folders involved. In idle mode - when the students are not working in the WP admin panel (or if only a handful are) - 4 vCPU with 16GB of RAM does the job. During class (classes of 30 students each), I need to upsize this server to a 32 vCPU instance, at 6USD/hour. And we then still face some delays when we simultaneously open specific pages in the WordPress admin panel. WordPress is a resource-heavy kind of app when working in the admin panel.

What could WordPress do to help small Windows hosting companies that do not have large budgets for extended firewalls and 24/7 monitoring?

  1. Provide built-in protection against brute force attacks (and also cache 404 responses). Not just for wp-login.php or xmlrpc.php, but also for index.php. It cannot be too difficult to autoban IP addresses that bomb a website with dozens of fake or malicious requests per second. Even if these IP addresses are banned for only 5 minutes, this would make a huge difference. I recently added such an autoban to my hosted QuickerSites. This immediately had a huge impact on my CPU usage, keeping it available for real website visitors.
     
  2. Clean up the codebase. A 70MB codebase is huge. In QuickerSite I always redistributed a compressed (minified) codebase: ASP files without comments, and without unnecessary tabs, linebreaks and spaces. This can be done for both the WordPress JS and PHP files rather easily. This can easily reduce the codebase to 50MB and improve performance by 10%. There could be a development and production codebase. Even if that only gives a 10% performance boost, it would help.
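
The autoban idea from point 1, as an added example (not QuickerSite or WordPress code): it replays IIS W3C log lines and reports which client IPs would have been banned for 5 minutes and how many of their requests would have been refused. The log lines are constructed, and the threshold of 24 and the choice to count only 404 responses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=1)    # "per second", as in the text
THRESHOLD = 24                   # assumption: "dozens" taken as two dozen
BAN_TIME = timedelta(minutes=5)  # ban length suggested in the text

def parse_w3c(lines):
    """Yield (timestamp, client_ip, status) from IIS W3C extended log lines."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield ts, row["c-ip"], int(row["sc-status"])

def autoban(events, threshold=THRESHOLD, window=WINDOW, ban_time=BAN_TIME):
    """Return (bans, dropped): ban intervals and requests refused while banned."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404 responses
    banned_until, bans, dropped = {}, [], 0
    for ts, ip, status in events:
        if banned_until.get(ip, ts) > ts:
            dropped += 1         # refused cheaply, before WordPress would load
            continue
        if status != 404:        # assumption: only 404s count towards a ban
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] >= window:   # forget hits outside the window
            hits.popleft()
        if len(hits) >= threshold:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            hits.clear()
    return bans, dropped

def sample_log():
    """Constructed log: a bot (203.0.113.7) and a normal visitor (198.51.100.4)."""
    bot = [f"2024-05-01 10:00:00 203.0.113.7 GET /old/{i}.php 404" for i in range(30)]
    return (["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
             "2024-05-01 10:00:00 198.51.100.4 GET /index.php 200"] + bot +
            ["2024-05-01 10:00:01 198.51.100.4 GET /favicon.ico 404",
             "2024-05-01 10:02:00 203.0.113.7 GET /wp-login.php 200",
             "2024-05-01 10:05:00 203.0.113.7 GET /index.php 200"])

if __name__ == "__main__":
    for ip, start, end in autoban(parse_w3c(sample_log()))[0]:
        print(f"ban {ip} from {start} until {end}")
```

The visitor's single 404 never triggers a ban, and the bot's request at 10:05:00 is served again because the 5-minute ban has expired.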

But anyway, if you're into hosting many WP sites on a Windows Server (IIS), be prepared for expensive hosting bills. Long live QuickerSite...


© QuickerSite webCMS 2024
