All the hard work you put into your WordPress website could be gone in a second if you don’t take measures to protect it from DDoS attacks.

All publicly accessible websites are vulnerable to DDoS attacks, and WordPress-based sites are no exception. Fortunately, WordPress is a very flexible platform, and therefore, it supports effective protection measures against attacks. It is just a matter of prevention: to repel an attack or to mitigate its effects, you have to act before it happens.

What is a DDoS attack?

Short for Distributed Denial of Service, a DDoS attack is a coordinated aggressive action carried out by a network of compromised computers or devices (a botnet) that massively sends data to or requests data from one server (the target). The flood of requests overwhelms the server capacity, slowing it down or making it crash due to a lack of resources.

The potential damage of a DDoS attack

If your website becomes the target of a DDoS attack, many bad things can happen to it.

For example:

  • Your visitors’ experience could be adversely affected. At best, the site’s responses can become slow 🦥; at worst, the entire site will be down and inaccessible.
  • If your website is an online store, you can lose sales, and if it just serves content, your visitors may go somewhere else to get what they want.
  • Your website reputation may seriously drop 📉, both in terms of perceived brand reputation (i.e., your company is considered not serious) and in terms of authority, relevance, and trust, which are the pillars of any SEO strategy.
  • It will cost you to repair the damages. The cost will depend on the duration of the attack, and it is hard to calculate because you must consider plenty of side effects, such as customer support efforts to answer user claims about service disruption, or hiring a security service to clean your website.

Who are the victims of DDoS attacks?

Any website, no matter its size or volume, could be the target of a DDoS attack.

How to Protect WordPress from DDoS Attacks? Security WordPress

Websites with exposed vulnerabilities are the easiest targets, but an attack can be orchestrated on purpose against any particular website. The attack may be conducted for ideological reasons (a practice called hacktivism); for example, to discredit a site that promotes certain political or religious ideas. It may also be conducted to blackmail the website’s owner and ask for a ransom, or it may simply be a hobby of a group of tech-savvy people who want to show off their skills.

An attack can also be hired: a company pays a group of hackers to specifically attack its competitors. Whatever the reason, the bottom line is: any website owner must take precautions to prevent a DDoS attack from damaging his or her site. It is not difficult or expensive, so there are no real reasons not to do it.

How to protect your WordPress from DDoS attacks?

There are two necessary security measures you need to take to protect your WordPress site against DDoS attacks:

  • Get a good WordPress backup solution.
  • Start using a cost-effective, cloud-based anti-DDoS security solution.

The backup solution is a must-have for many reasons, not just for DDoS protection. There are plenty of free and paid backup solutions in the WordPress plugin catalog, so we’re not digging deeper into this subject at the moment. After an attack, if your website is damaged, restoring it with a safe backup is a quick way to get it back to normal.

In terms of anti-DDoS security solutions, you should ask yourself how much peace of mind you want to have, and how much money you want to pay for it. If you don’t want to pay anything, then you will have to take care of quite a few things by yourself.

DIY 🧰 approach

One of the great things about WordPress is that it has an open architecture that allows third-party apps to integrate and interact with it. That is achieved with several APIs (Application Programming Interfaces) available to programmers. The problem is that those APIs could be exploited by a DDoS attack to send a flood of requests. So, the first thing to do: disable an exploitable API called XML-RPC.

You need XML-RPC only if your WordPress website interacts with external third-party applications, such as the WordPress app on mobile devices. If you can do without them, then you’d better disable XML-RPC. This can be done simply by editing your website’s .htaccess file to deny access to the xmlrpc.php file. Or, if you don’t think it’s safe to alter your website’s internal files by yourself, you can get a plugin that does the job for you.
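
What the .htaccess edit described above can look like, as an added example that is not part of the original article. It assumes an Apache server that honours .htaccess overrides; the allow-listed address in the comment is a placeholder from the documentation range.

```apache
# Added example: deny every request to xmlrpc.php at the web-server level,
# so the request is rejected before PHP or WordPress is loaded.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
        # To keep one trusted client working (placeholder address),
        # replace the line above with:
        #   Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

Place the block above the `# BEGIN WordPress` section so WordPress does not overwrite it when it regenerates its rewrite rules. After saving, a request to /xmlrpc.php on your site should return 403 Forbidden instead of the XML-RPC response.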

Anti-DDoS plugins

There are a few WordPress security plugins that fix other WordPress vulnerabilities.

Protection Against DDoS – this plugin addresses performance issues caused by brute force and DDoS attacks. By doing all checks via the .htaccess file, it stops malicious requests at the web server level, before they can reach the WordPress site.

It also fixes the XML-RPC vulnerability, and its configuration options offer Cloudflare users the ability to deny access to visitors from specific countries.

Disable WP REST API – the WordPress REST API is another exploitable vulnerability of the popular CMS. Fortunately, this vulnerability can be easily fixed with this super-lightweight plugin. It uses only 22 lines of code – less than 2KB – and works by disabling the WP REST API for visitors not logged in to WordPress. After installing and activating it, if logged-out visitors make JSON/REST requests to your website, they will get a message telling them that the REST API is restricted to authenticated users.

Disable XML-RPC Pingback – with more than 80,000 installations and a 4.5-star rating, this plugin eliminates all exploitable methods from the XML-RPC interface. Also, it removes X-Pingback from HTTP headers, which stops bots from reaching the xmlrpc.php file.

Security Suites

If you want to completely forget about DDoS and other security concerns to put all your efforts into your business, then you want a solution that covers all bases.

Such a solution must include:

  • A web application firewall. The firewall stands between your website and the internet, detecting hostile traffic and blocking it.
  • A website antivirus package. It should periodically and automatically scan your website to detect any trace of malware and remove it.
  • Server scan for non-infectious hacks, such as banner ads from unknown sites.
  • Site auditing/monitoring to detect any suspicious activity, such as file changes, new posts, new users, failed login attempts, and more.

Let’s explore the following solutions which offer comprehensive WordPress site security.

Sucuri

Sucuri is a renowned web security company with a lot of experience in WordPress websites.

The moment you enable Sucuri on your site, they install a cloud proxy firewall between your website and the internet, filtering all traffic directed to your hosting server. The firewall allows only legitimate visitors to reach your WordPress website. As a side effect, your website will have a faster response, thanks to the Sucuri cloud, and you could save hosting money by reducing the traffic volume your server needs to handle.

The full Sucuri solution adds to the mixture an antivirus package that scans and monitors your website regularly to keep it free from all kinds of malware: malicious JavaScript snippets, suspicious redirections, code injections, etc.

It also checks that your site doesn’t get blacklisted by reputation assessment services. By browsing the site audit log, you will be informed about everything that happens on your WordPress website, including new users, failed login attempts, file changes, and more.

Sucuri pricing plans start around $199 per year for a basic service — which is not so basic, since it only lacks a couple of enterprise-oriented goodies. The included features more than justify the price, but if that’s not enough to convince you, consider that they also offer a malware cleanup service, along with blacklist removal.

If you have your website protected, it’s unlikely that you will ever need this service, but consider that a security expert could easily charge you $250 an hour to remove a malware infection from your site.

Cloudflare

Cloudflare uses its huge CDN (content distribution network) to protect your WordPress website from DDoS attacks, which makes your site faster, besides securing it. With more than 200 data centers distributed worldwide, the CDN is big enough to absorb and deflect even the most potent attacks, so you don’t need to worry about its mitigation capacity being overwhelmed.

A proactive mitigation approach allows Cloudflare to anticipate attacks by leveraging shared intelligence, curated from behavioral analysis of signatures and IPs across more than 20M websites. The protection detects and blocks layers 3, 4, and 7 attacks at the edge, stopping them from reaching your website.

Also, all TCP ports in your infrastructure get protected by employing Spectrum to proxy traffic through Cloudflare’s data center.

The service is free for individuals and small (non-business critical) websites. The free plan includes DDoS attack mitigation, global CDN, and support via email. Paid plans start at $20 per month, adding a web application firewall, cache analytics, and mobile optimization, among other benefits.

For business-critical websites, the enterprise plan adds 24x7x365 chat/phone support, 100% uptime SLA, solutions engineer support, among other benefits.

StackPath

A global network with 65Tbps of total capacity allows StackPath’s solution to mitigate the largest and most sophisticated DDoS attacks, addressing the full range of attack methods, including HTTP, SYN, and UDP floods. StackPath’s platform collects and analyzes intelligence about DDoS attacks all along its edge locations, allowing it to block all malicious attempts, regardless of where they come from.

To protect your WordPress website on the network layer, StackPath’s global network employs network equipment that protects against layers 3 and 4 DDoS attacks at the device. Meanwhile, a smart web application firewall mitigates sophisticated layer 7 DDoS attacks in less than a second by using unique JavaScript validation techniques that detect and block automated bots, and by providing advanced tools to configure DDoS thresholds to fit your specific needs.

StackPath’s DDoS protection is part of an edge services suite that starts at $20 per month and includes CDN, WAF (web application firewall), DNS, and monitoring services. These four services can be hired individually, costing $10 a month each. Prices scale according to the volume; for instance, if you require a 100TB/mo CDN and a 50M/mo requests WAF, you’ll have to pay $2000 per month.

No excuse!

If your website goes down, or gets blacklisted, or loses reputation, don’t give an excuse. You have all the resources at your fingertips to prevent a disaster from ruining your beloved WordPress site. If you haven’t done it already, take action and do something before it’s too late.