We hear a lot about «denial of Service» attacks where hoards of bots take down your site and leave your server gasping for air. B. J. Keaton explains it beautifully and the following article is entirely his and borrowed from the Elegant Themes blog.
Anyone running any sort of online enterprise should be wary of DDoS attacks. Or distributed denial of service attacks. Which is basically a long way of saying that someone wants to shut down your website or service, so they send floods of traffic from various points to overwhelm you and make it hard to shut down or even track down where the attack is coming from. They bottleneck your servers so that your normal visitors are denied service. It is one of the pettiest and most frustrating things that can happen to an online presence. In this post we’d like to help you protect yourself from them.
Understanding DDoS Attacks
Most DDoS attacks are carried out by botnets, a “group of computers which have been infected by malware and have come under the control of a malicious user.” These machines are then hijacked and used against whatever service the attacker wants denied service.
While the computers that make up the botnet are infected by malware, it is important to note that if your WordPress website is DDoS’d, your website is not being infected with malware. The DDoS simply prevents normal traffic from getting to you. However, if your computer has already been compromised by a security flaw, your servers could become part of a botnet that carries out a DDoS attack on someone else.
DDoS is Not Hacking
As we said above, a DDoS attack is not an attempt at exploiting a vulnerability to gain access to your site. That’s more along the lines of a brute force attack. That’s when a particular party attempts to power their way into your site by repeated login attempts and password resets (to put it mildly).
DDoSers are not trying to get your passwords, take over your site, install malware, or use your computer for nefarious means. If you are being DDoS’d, you are being denied service. No one needs access to your server because they’re bombarding it via public channels. Not the backend like hacks and intrusions and brute force attacks.
Why Are You a DDoS Target?
Why would someone do this to you? Well, one of the most common is the idea of hacktivism, in which a party wants to prevent the spread of ideas or a service they oppose. This could be for any number of reasons, but if you’re putting out something that might be divisive, hacktivists might DDoS you.
Corporate espionage is known to occur, where a competitor shuts you down, as an example, during a big sale or time of year to funnel more profits toward themselves. Or it might be someone wanting to learn cybersecurity and the ins-and-outs of DDoS attacks. Maybe it’s just a bored person somewhere who thinks its funny and wants to watch the world burn. (This happens to online games and services such as the PlayStation Network or Xbox Live or World of Warcraft).
If you can’t see yourself being the target of a hacktivist or corporate sabotage, you’re probably just the unlucky target of someone who wants to cause a bit of havoc to a stranger.
Protecting WordPress from DDoS Attacks
Regardless of the reasons why you may become a DDoS attack target, you should be taking precautions to prevent it from happening to you and your WordPress site. Protecting your WP installation from denial of service attacks isn’t that different from safeguarding against other assaults. At least from your perspective. The underlying protections work considerably differently. But as a WordPress user, you’re lucky to be able to leave that to the developers and specialists and simply reap the rewards of their hard work and expertise.
Update WordPress Regularly
This should be a no-brainer and go without saying. But we want to say it. Make sure your WordPress installation is up to date. If you’re still on version 4.9 and the most current version is 5.3, you’re not only opening yourself up to intruders gaining access to your site, but also DDoS attacks. At least indirectly. If you keep WP updated, you can use the most updated versions of security plugins, plus you have any security holes patched up that prevent your servers from becoming infected and incorporated into a DDoS botnet.
Use Security Plugins
WordFence, iThemes, Sucuri, and so many other free options are out there to keep your WordPress installation safe. Make use of them. Most importantly, you need to install a WAF. Standing for web application firewall, a WAF is your best defense against an incoming botnet.
In general, the firewall sets up a perimeter around your server and determines who can get in and who can’t. The rules (called policies) either work on blacklist or whitelist priorities. WAF developers and teams block (or blacklist) known botnets, their regions, and IPs. This protects your site from known threats, but if a new threat arises from somewhere else, you may still be at risk.
Whitelisting, then, prevents both of those from happening by only allowing known traffic to access your site. You can’t get DDoS’d because you haven’t pre-approved those IP ranges or regions for access to your site in the first place. If your primary business comes from certain countries or regions, this is an effective way to prevent unknown botnets and attackers from accessing your site. DDoS or brute force or anything else, if you haven’t said “come on in,” it’s not getting in.
There are pros and cons to both of these methods with WAFs, but in general, the developers have a strong set of pre-defined policies in place that keep your site secure and running effectively and maybe more importantly, profitably.
WordPress logs are something that most users don’t know or care about. But if you’re at risk of a DDoS attack, keeping logs and seeing where traffic is coming from and any errors that your servers are giving can be invaluable to making sure things stay up and running. Just having a note that at 3:03am 176 login attempts happened from halfway across the world is enough to warrant your attention and going through the update process, making backups, scanning and checking for malware, etc.
Your host should have logs you can check out, and the WordPress Codex has detailed information about debug logs that you can brush up on.
In the end, most WordPress users are probably not at risk of suffering a DDoS attack. But you could be. Anyone could be. That’s why setting up security to handle it is so important. But anytime you put content out there, succeed and are seen by the general public, or get the wrong someone’s attention, there’s a chance that your livelihood will be at stake. It’s fairly easy for folks to hire a DDoS botnet if they really want to, so setting up a WAF and some logging and being prepared is more than worth it.