A DDoS attack on your WordPress site can grind it to a halt and, over time, make it inaccessible to your users. They’re a common attack that wreaks havoc on vulnerable WordPress sites.
The good news? DDoS attacks can be prevented if you know how to stop them. As you’ll see, it’s not that difficult, especially with the help of a CDN, our security plugin, Defender, and a dash of good hosting. Plus, you may have a lot of precautions in place already.
These types of attacks are growing. Cisco predicts DDoS attacks will double from what we saw in 2018 of 7.9 million attacks to over 15 million by 2023. So, it’s worth taking precautions now and doing what you can to prevent them.
This article is a tiered security approach of a system that will help prevent DDoS attacks on your WordPress site. We’ll be going over:
- What a DDoS Attack Is and Why They Happen
- Damage that DDos Attacks Can Do
- The Difference Between a Brute Force Attack vs. DDoS Attack
- How to Help Protect Your Site Against DDoS Attacks with Defender by:
- Disabling XML-RPC
- Enable Defender’s Firewall
- Disabling Trackbacks and Pingbacks
- Disabling Rest API with a Plugin
- How to Activate WAF in The Hub
- DoS vs DDoS
- Why You Should Use a Good CDN
By the time you’re done reading this, you’ll be able to put the smackdown on any DDoS attacks, and they’ll be DOA once they try to get to your WordPress site.
famous DDoS attacks. Recently, Google was attacked in 2017, and AWS had a DDoS attack in February of 2020.
So, big or small, attacks happen. They’re on the rise, and it’s vital to protect your WordPress site as much as possible.
DDoS attacks aren’t pretty, and they can leave some devastation. The main thing they can do is make a WordPress site inaccessible or reduce the site’s performance. A DDoS attack can create a loss of business and a poor user experience.
Plus, it can cost a lot of money to mitigate the attack by hiring support or security service.
I’m sure you’ve heard of a brute-force attack. Like DDoS, it’s another form of an ambush on your website. However, they’re both different.
A brute-force attack is a trial and error method where hackers try to guess credentials or encrypted data (e.g. passwords) through a pretty extensive effort to guess correctly. It’s considered one of the most popular attacks out there for hacking a WordPress site.
The key difference between DDoS and a brute-force attack is the goal.
DDoS attacks overwhelm a website intending to devastate it, where a brute-force attack wants to obtain admin access. When accessed, a hacker will often try to steal personal data, redirect legitimate users to fake websites to steal their personal information, or install malicious software to infect customers and administrators’ computers.
WordPress allows unlimited login attempts by default, so it’s crucial to prevent brute-force attacks by limiting the number of attempts a user gets.
And as you’ll see, a lot can be done against DDoS and brute-force attacks with the help of a plugin, like Defender.
Our answer to security, Defender, can help handle DDoS attacks with just a few security modifications that can be done in a few clicks.
Keep in mind that Defender can’t completely stop a sustained or significant DDoS attack. In fact, no plugin can. It’s more suitable for protection against DoS attacks (a much smaller form of attack).
Attack prevention has to happen at the server level. Simply blocking the IP will not prevent the connection to the server. Even with the response of a 403, there was a connection still made to the server and site.
DDoS prevention is sufficient if the server completely ignores the connection request and appears invisible to the machine sending the request.
This is why additional services are required for complete DDoS protection, like a CDN (which we’ll discuss later).
That being said, we’ll be going through several ways Defender can help with the collaboration of other preventative measures, and you’ll see how you can start protecting your WordPress site against DDoS attacks today.
Windows Live Writer. It’s a remote procedure call that uses XML to encode its calls and HTTP as a transport apparatus.
If you’re using a WordPress mobile app and you want to connect to services, such as IFTTT, or if you want to access and publish your blog remotely, then you’ll need XML-RPC enabled. If not, it’s just another way for hackers to target and exploit your site with a DDoS attack by getting access via XML-RPC.
That being said, if you don’t need it active, it’s worth disabling it.
Defender can disable this in one-click. You’ll see whether it’s enabled or not in Security Recommendations. From there, you can view your issues and see if disabling XML RPC is one of them.
Clicking on the dropdown gives you the option to disable XML RPC with a tap of a button.
Once you click on Disable XML-RPC, you’ll see that it’s in the Resolved area.
And just like that, you’ve upped the protection on your site against hackers trying to access your site by way of XML-RPC.
in this article.
OSI model. It’s where common internet requests (e.g. HTTP GET) occurs.
REST is an acronym for Representational State Transfer. It uses HTTP requests to access and use data. That data can get used to GET, PUT, DELETE, AND POST data types, which refers to the updating, reading, creating, and deleting of operations concerning resources.
API, in regards to a website, is code that allows two software programs to communicate with each other. The API lays out the correct way for a developer to write a program requesting services from an application or operating system.
So, REST tech is generally preferred over similar technologies. This is due to REST using less bandwidth, which in return makes it more suitable for efficient internet usage.
By disabling REST API temporarily until the DDoS attack ends, it can help stop it.
REST API can be used by some active plugins. Even if there are no plugins, it can be disabled completely, or temporarily.
A plugin like Disable REST API can help.
It will disable the use of the REST API on your WordPress site to unauthenticated users. Once you activate it, REST API will be inaccessible to your site visitors.
Like with the suggested precautions without Defender plugin, keep in mind that disabling REST API provides only limited protection against DDoS attacks. Your WordPress site is still open to regular HTTP requests.
Also, disabling REST API (and XML-RPC) helps prevent an incoming DDoS attack and helps prevent your site from being compromised and used as a botnet itself to instigate a DDoS attack against other servers.
Just be aware that there can be some risks when it comes to disabling REST API, such as disturbing API services.
host their sites with us. If you don’t host with us, WAF should be featured in your current hosting provider.
With that being said, I’ll show you where to access our WAF.
All the WAF features are managed in The Hub. The Hub is where you can manage all of your site’s security and easily access Defender’s dashboard.
In the Security dashboard, you can see what type of WAF you currently have.
We automatically have our WAF enabled. However, if you need to activate it, it can be done in one-click.
Once activated, you have the options of:
- Entering IPs in the Allowlist and Blocklist
- Enter User Agent in an Allowlist and Blocklist
- Adding URLs to an Allowlist
- Disabling Rule IDs
Here, you have more options you can customize.
WAF is like your own personal security guard for your WordPress site. It can help protect and mitigate you from DDoS attacks — and much more.
For detailed information about WAF, check out our article on what WAF is. Also, get a detailed look at what’s included in our WAF that comes with WPMU DEV hosting.
our own CDN here for WPMU DEV members via Smush for images and Hummingbird for theme resources. It leverages the StackPath network complete with 65Tbps total capacity, which is 50x bigger than the largest DDoS attack publicly reported to date. Enabling our CDN provides built-in, always-on Layer 3-4 protection on files the CDN serves, in every edge location.
With the 10s of thousands of websites we host, larger DDoS attacks that would require a CDN or Proxy service is rare. But when it happens, to mitigate in the middle of an attack is significantly harder than being fully prepared.
For this reason, high traffic and eCommerce sites will need increased levels of protection than small business sites or blogs.
Like anything, you have to judge the actual risk with the costs.
So, for medium to high DDoS prevention, a paid service like Cloudflare can work by acting as a proxy.
When it identifies a DDoS attack, it reroutes the normal traffic to your server and prevents the DDoS connections from ever reaching it. They have an unmetered 51 Tbps capacity to overwhelm from a DDoS attack.
Cloudflare has the most number of ‘High’ ratings compared to the other six DDoS vendors across 23 assessment criteria in the 2020 Gartner’s ‘Solution Comparison for DDoS Cloud Scrubbing Centers’ report, so it’s rated up there in our book as a good solution.
For more on CDNs, check out our guide on picking the best CDN for WordPress.
Don’t Lack Protecting Your WordPress Site From a DDoS Attack
As you can see, DDoS attacks can be less of a threat with the right precautions in place. Simple measures can help prevent them, such as a security plugin like Defender, hosting, and a CDN like Cloudflare.
With all of these tools, you won’t lack protection from any DDoS attack that a hacker tries to attempt on your WordPress site.
And with this being #SecurityMonth you can currently get 35% off your first year of our Security & Backups Pack featuring Defender Pro, Snapshot Pro, Shipper Pro, and Automate. Click on the coupon below to unlock the exclusive deal.
35% Off Security & Backups Pack
Whether the person trying a DDoS attack is just having fun or trying to annoy you, stop the mayhem before it starts.
For more security tips, check out our Ultimate Guide to WordPress Security and How to Easily Secure Your WordPress Site for Free.