Hackers use DDoS attacks to slow down websites and eventually make them inaccessible to users. These attacks can target both small and large websites.
Now, you might be wondering how a small business website using WordPress can prevent such DDoS attacks with limited resources.
In this guide, we will show you how to effectively stop and prevent a DDoS attack on WordPress. Our goal is to help you learn how to manage your website's security against a DDoS attack like a pro.
What is a DDoS attack?
DDoS (Distributed Denial of Service) is a type of cyber attack that uses compromised computers and devices to send or request data from a hosting server (WordPress). The purpose of these requests is to slow down and eventually crash the targeted server.
DDoS attacks evolved from DoS (Denial of Service) attacks. Unlike a DoS attack, they exploit multiple compromised machines or servers that are scattered in different regions.
These compromised machines form a network, sometimes called a botnet. Each infected machine acts as a bot and launches attacks on the target system or server. This allows them to go unnoticed for a while and deal maximum damage before being blocked.
Even the largest internet companies are vulnerable to DDoS attacks.
DDoS FAQs
Here are some answers to frequently asked questions about DDoS attacks.
Why do DDoS attacks happen?
What is the difference between a brute force attack and a DDoS attack?
Brute force attacks attempt to obtain unauthorized access in a code guessing system access or trying random combinations.
DDoS attacks are used purely to crash the target system, making it slow or inaccessible.
What damage can a DDoS attack cause?
DDoS attacks can slow down a website's performance or make it inaccessible. This results in poor user experience, lost business, and attack mitigation costs that can run into the thousands of dollars.
Here's a breakdown of those costs:
- Loss of business due to web site inaccessibility
- Cost supportof customers to answer questions related to the service interruption
- Cost of attack by recruiting services security or support
- The biggest cost is the bad user experience and the company's reputation
How can I stop and prevent DDoS attacks on WordPress?
DDoS attacks can be cleverly disguised and difficult to counter. However, with some basic security best practices, you can easily prevent and stop DDoS attacks from affecting your WordPress site.
Brute force attacks attempt to gain unauthorized access to a system by guessing passwords or trying random combinations.
DDoS attacks are used purely to crash the target system, making it slow or inaccessible.
Avoiding Brute force / DDoS attacks
The best thing about WordPress is that it is extremely flexible. WordPress allows plugins and third-party tools to be integrated into your website and add new features.
To do this, WordPress provides various APIs to developers. These APIs are methods by which third-party WordPress plugins and services can interact with WordPress.
However, some of these APIs can also be leveraged during duration of a DDoS attack by sending a mass of requests. You can safely disable them to reduce these requests.
Disable XML RPC in WordPress
XML-RPC allows third-party applications to interact with your WordPress site. For example, you need XML-RPC to use the WordPress app on your mobile device.
If you're like the vast majority of users who don't use the mobile app to run their website, then you can disable XML-RPC by simply adding the following code to your website's .htaccess file.
|
2
3
4
5
|
# Block WordPress xmlrpc.php requestsorder deny,allowdeny from all |
Disable the REST API in WordPress
The WordPress JSON REST API allows plugins and tools the ability to access WordPress data, update content, and/or delete it.
Here's how you can disable the REST API in WordPress.
The first thing you need to do is install and activate the Disable WP Rest API plugin.
The plugin works out of the box and will disable the REST API for all non-logged in users.
Enable a WAF (Website Application Firewall)
Disabling attack vectors such as REST API and XML-RPC provides limited protection against DDoS attacks. Your site is still vulnerable to normal HTTP requests.
While you can mitigate a small DDoS attack by trying to catch the IPs of the bad machines and block them manually, this approach is less effective when it comes to a large attack.
The easiest way to block suspicious requests is to enable a website application firewall (firewall).
A firewall acts as an intermediary between your website and all incoming traffic. It uses a smart algorithm to catch all suspicious requests and block them before they reach your website's server.
What to do during a DDoS attack
DDoS attacks can happen even if you have a web application firewall and other protections in place. Companies like CloudFlare and Sucuri deal with these attacks on a regular basis and most of the time you will never hear about them as they can be easily mitigated.
However, in some cases, when these attacks are large, they can affect you. In this case, it is best to be prepared to mitigate the problems that may arise during and after the DDoS attack.
Here are some things you can do to minimize the effects of a DDoS attack.
- Notify your team members
If you have a team, then you need to inform your colleagues about the issue.
This will help them prepare for customer support queries, watch out for potential issues, and help during or after the attack.
- Notify customers about the attack
A DDoS attack can affect the user experience on your website. If you manage a WooCommerce store, then your customers may not be able to place an order or log in to their accounts.
You can announce through your social media accounts that your website is experiencing technical difficulties and that everything will be back to normal soon.
If the attack is big, then you can also use your email marketing service to contact customers and ask them to follow your social media updates.
If you have VIP customers, then you may want to use your business phone service to make individual phone calls and let them know how you are working to restore service.
Communication during these difficult times makes a huge difference in maintaining your company's reputation.
- Contact hosting and security support
Contact your WordPress hosting provider. The attack on your site may be part of a larger attack on their systems. In this case, they will be able to provide you with the latest updates on the situation.
Contact your firewall service and inform them that your website is under DDoS attack. They may be able to alleviate the situation even faster and provide you with more information.
On firewall providers like Sucuri, you can also set your settings to be in “Paranoid Mode”, which helps to block many requests and make your website accessible to normal users.
How to keep your WordPress site secure
WordPress is pretty secure to begin with. However, as the most popular website builder in the world, it is often targeted by hackers.
Fortunately, there are many security best practices you can implement on your website to make it even more secure.
We have compiled one complete step-by-step WordPress security guide for beginners. It will guide you through the best WordPress security settings to protect your site and its data from common threats.
We hope this article helped you learn how to block and prevent a DDoS attack on WordPress.
