DDoS Attacks: What WordPress Users Need to Know

Posted on February 10, 2020 by in WordPress | 5 comments

DDoS Attacks: What WordPress Users Need to Know

Anyone running any sort of online enterprise should be wary of DDoS attacks. Or distributed denial of service attacks. Which is basically a long way of saying that someone wants to shut down your website or service, so they send floods of traffic from various points to overwhelm you and make it hard to shut down or even track down where the attack is coming from. They bottleneck your servers so that your normal visitors are denied service. It is one of the pettiest and most frustrating things that can happen to an online presence. In this post we’d like to help you protect yourself from them.

Understanding DDoS Attacks

Most DDoS attacks are carried out by botnets, a “group of computers which have been infected by malware and have come under the control of a malicious user.” These machines are then hijacked and used against whatever service the attacker wants denied service.

While the computers that make up the botnet are infected by malware, it is important to note that if your WordPress website is DDoS’d, your website is not being infected with malware. The DDoS simply prevents normal traffic from getting to you. However, if your computer has already been compromised by a security flaw, your servers could become part of a botnet that carries out a DDoS attack on someone else.

DDoS is Not Hacking

As we said above, a DDoS attack is not an attempt at exploiting a vulnerability to gain access to your site. That’s more along the lines of a brute force attack. That’s when a particular party attempts to power their way into your site by repeated login attempts and password resets (to put it mildly).

DDoSers are not trying to get your passwords, take over your site, install malware, or use your computer for nefarious means. If you are being DDoS’d, you are being denied service. No one needs access to your server because they’re bombarding it via public channels. Not the backend like hacks and intrusions and brute force attacks.

Why Are You a DDoS Target?

Why would someone do this to you? Well, one of the most common is the idea of hacktivism, in which a party wants to prevent the spread of ideas or a service they oppose. This could be for any number of reasons, but if you’re putting out something that might be divisive, hacktivists might DDoS you.

Corporate espionage is known to occur, where a competitor shuts you down, as an example, during a big sale or time of year to funnel more profits toward themselves. Or it might be someone wanting to learn cybersecurity and the ins-and-outs of DDoS attacks. Maybe it’s just a bored person somewhere who thinks its funny and wants to watch the world burn. (This happens to online games and services such as the PlayStation Network or Xbox Live or World of Warcraft).

If you can’t see yourself being the target of a hacktivist or corporate sabotage, you’re probably just the unlucky target of someone who wants to cause a bit of havoc to a stranger.

Protecting WordPress from DDoS Attacks

Regardless of the reasons why you may become a DDoS attack target, you should be taking precautions to prevent it from happening to you and your WordPress site. Protecting your WP installation from denial of service attacks isn’t that different from safeguarding against other assaults. At least from your perspective. The underlying protections work considerably differently. But as a WordPress user, you’re lucky to be able to leave that to the developers and specialists and simply reap the rewards of their hard work and expertise.

Update WordPress Regularly

This should be a no-brainer and go without saying. But we want to say it. Make sure your WordPress installation is up to date. If you’re still on version 4.9 and the most current version is 5.3, you’re not only opening yourself up to intruders gaining access to your site, but also DDoS attacks. At least indirectly. If you keep WP updated, you can use the most updated versions of security plugins, plus you have any security holes patched up that prevent your servers from becoming infected and incorporated into a DDoS botnet.

Use Security Plugins

WordFence, iThemes, Sucuri, and so many other free options are out there to keep your WordPress installation safe. Make use of them. Most importantly, you need to install a WAF. Standing for web application firewall, a WAF is your best defense against an incoming botnet.

In general, the firewall sets up a perimeter around your server and determines who can get in and who can’t. The rules (called policies) either work on blacklist or whitelist priorities. WAF developers and teams block (or blacklist) known botnets, their regions, and IPs. This protects your site from known threats, but if a new threat arises from somewhere else, you may still be at risk.

Whitelisting, then, prevents both of those from happening by only allowing known traffic to access your site. You can’t get DDoS’d because you haven’t pre-approved those IP ranges or regions for access to your site in the first place. If your primary business comes from certain countries or regions, this is an effective way to prevent unknown botnets and attackers from accessing your site. DDoS or brute force or anything else, if you haven’t said “come on in,” it’s not getting in.

There are pros and cons to both of these methods with WAFs, but in general, the developers have a strong set of pre-defined policies in place that keep your site secure and running effectively and maybe more importantly, profitably.

Check Logs

WordPress logs are something that most users don’t know or care about. But if you’re at risk of a DDoS attack, keeping logs and seeing where traffic is coming from and any errors that your servers are giving can be invaluable to making sure things stay up and running. Just having a note that at 3:03am 176 login attempts happened from halfway across the world is enough to warrant your attention and going through the update process, making backups, scanning and checking for malware, etc.

Your host should have logs you can check out, and the WordPress Codex has detailed information about debug logs that you can brush up on.

Wrapping Up

In the end, most WordPress users are probably not at risk of suffering a DDoS attack. But you could be. Anyone could be. That’s why setting up security to handle it is so important. But anytime you put content out there, succeed and are seen by the general public, or get the wrong someone’s attention, there’s a chance that your livelihood will be at stake. It’s fairly easy for folks to hire a DDoS botnet if they really want to, so setting up a WAF and some logging and being prepared is more than worth it.

Have you ever suffered a DDoS attack?

Article featured image by jossnat / shutterstock.com

Premade Layouts

Check Out These Related Posts

How to Redirect Users after Login in WordPress

How to Redirect Users after Login in WordPress

Posted on March 27, 2020 by in WordPress

WordPress redirection refers to a technique that sends users from a web page to a different location. For example, you can redirect your users to another page if the existing page is unavailable. Another popular reason to use redirects is to redirect users after they login to your WordPress website...

View Full Post
How to Fix the 404 Error for WordPress Websites

How to Fix the 404 Error for WordPress Websites

Posted on March 18, 2020 by in WordPress

One of the worst feelings as a website user is to click a link and be brought to a 404 error page. The 404 is one of the most harmless error codes on the internet, as it simply indicates the requested page is missing. However, it can also be one of the most frustrating and impactful to users...

View Full Post

5 Comments

  1. Also have something in place at the nameserver level. We use Cloudflare DNS because they have DDos redirection services.

    • Indeed. WordPress security plugins do nothing against DDOS. You really need to defer at the highest level. A service like CF is also probably better at deferring those attacks because they mask the real server IP. When the average webhost needs to defer a DDOS, they often respond late to the fact. Most often they will take measures to protect the rest of the network against your attack, but your site will remain offline.

  2. in addition to a WAF like Wordfence and Securi, use Cloudflare as another layer of protection.

  3. Good article, BJ. An excellent follow-up would be an extensive review of the WAF packages available, to include the pros and cons of each, the features and shortfalls of each, and their pricing options (free, one-time-purchase, annual subscription, etc.).

  4. As I understand, for most website owners, even using WP, are entrusting their web hoster with the task of protecting them from DDOS attacks. Their staff is supposed to know better, especially if we remember that there may be thousands of WP and non-WP websites on each server and often DDOSing one website means causing denial of the whole server.

    Nevertheless, the recommendations to counteract DDOS attacks were useful. Thx, guys!

Leave A Reply

Comments are reviewed and must adhere to our comments policy.

Join To Download Today

Pin It on Pinterest