Protecting Your WordPress Blog From A DDoS Attack

Protecting From DDoS

You could be forgiven for thinking Distributed Denial of Service attacks aren’t really anything to be taken seriously. After all, they’re basically the hacking equivalent of driving a truck into a storefront. Although they can wreak a bit of havoc, they don’t require any real technical skill, and as such they’re pretty easy to defend against, right?

Right?

Well…not exactly. The unpleasant truth is that the tools with which DDoS attacks are being carried out are becoming more complicated; more advanced. As a result, these attacks are growing increasingly difficult to defend against. They are, according to Incapsula, “a growing and ever-changing threat.”

Let’s back up a bit. I think we’re getting a little ahead of ourselves here. How about first, we define precisely what a DDoS is?

We can use that as a decent segue into how you can protect your WordPress blog from one – and why you should. Sound good? Let’s get started.

The Anatomy Of A Typical DDoS

Imagine there are two guys – Larry and Gary. They’re competitors; each one operates an online storefront in the same industry as the other. Gary, he’s a pretty cool dude – business is booming for him, and he’s taking a bunch of customers away from Larry through no fault of his own.

Larry doesn’t like that. Unfortunately, he has no idea how to legitimately compete with Gary, so he instead opts to turn towards rather more…insidious means. He gets himself in touch with a fellow named Jim.

Now, Jim’s a pretty tech-savvy guy, and more than a little amoral with his skills. As a sort of pet project, he’s recently managed to infect several thousand home routers with a nasty little worm that he’s got total control over. Larry knows this, and approaches him with a proposition – take Gary’s website down.

After receiving payment, Jim directs his botnet to repeatedly connect to Gary’s website. Eventually, it can’t handle the traffic, and crashes. Larry takes full advantage of the lull in business, and begins siphoning Gary’s customers away.

See, at the end of the day, a distributed denial of service attack basically just floods a site or network with bogus requests. Eventually, the system can’t handle the heavy load of traffic, and simply shuts down. Crude, but remarkably effective – it’s one of the oldest attacks in the world.

Now, in the example we gave above, Larry was motivated purely by competition. There are many other reasons someone might execute a DDoS against someone else. It might be a political statement. They might be using it as a cover for a far more serious crime – such as data theft or fraud. Or they might just be a hateful troll, out to wreak havoc on the world. The simple truth is that there’s really no such thing as a typical DDoS attack – every DDoS is a little different from every other; some are even able to change the avenue through which they attack on the fly.

Scary, right?

Let’s Crunch Some Numbers

Now, in case you don’t quite believe me yet that DDoS attacks are bad news, I’d like to offer you a few facts and figures; see if these don’t change your mind. We’ll start with the Incapsula/Imperva study we cited earlier.

According to them, businesses hit by a DDoS attack lose an average of $40,000 per hour of downtime. The lost revenue alone should be enough to make you a bit nervous, even without taking into account what other consequences you might suffer. Just look at what happened back in 2013, when three banks in the US were fleeced for several million dollars during a DDoS.

Anyway, that should be more than enough evidence that DDoS attacks are bad news, and you should protect yourself. Now let’s move to the next step. How exactly do you accomplish that?

Now That You Know Why To Protect Yourself, Let’s Talk About How

First things first, I’d highly advise you to turn off pingback on your blog – reason being that if it’s enabled, you could potentially already have been part of a botnet. Yeah, that’s a pretty glaring vulnerability. I’m not sure why it still exists.
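
One way to turn pingback off in code rather than post by post, as an added example that is not part of the original article: a small must-use plugin built on WordPress core filter hooks. The file name and location (`wp-content/mu-plugins/disable-pingbacks.php`) are assumptions; the rest of XML-RPC keeps working.

```php
<?php
/**
 * Plugin Name: Disable Pingbacks (added example)
 * Assumed location: wp-content/mu-plugins/disable-pingbacks.php
 */

// Remove only the XML-RPC methods that accept or list pingbacks.
// Other XML-RPC methods (mobile apps, remote publishing) are left alone.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the pingback endpoint in HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Blank the pingback URL that themes print in <link rel="pingback">.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// Report pings as closed for every post, including older posts
// whose stored ping_status is still "open".
add_filter( 'pings_open', '__return_false', 20, 2 );

// New posts default to pings closed, whatever the Discussion setting says.
add_filter( 'pre_option_default_ping_status', function () {
    return 'closed';
} );
```

After deploying it, an XML-RPC `system.listMethods` call against your own site should no longer list `pingback.ping`, and responses should no longer carry an `X-Pingback` header.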

Anyway, once you’ve gotten that out of the way, there are a few different tactics you could use to keep yourself safe. The first is to seek out a plugin designed with DDoS mitigation in mind. Personally, I’d recommend SecSign. You might also consider talking with your host, assuming you’re paying for hosting – the vast majority of hosts already have some form of DDoS protection in place; you might well be protected without even realizing it.

Assuming your host doesn’t come through and you don’t like the selection of anti-DDoS plugins out there, there’s also the option of hooking up with a cloud security provider like Prolexic or DOSarrest. As a last-ditch sort of deal, you could also flirt with the idea of purchasing your own DDoS mitigation system – though I’ll warn you that’s not a choice for people who are a little light in the wallet. You’ll need a big budget for most halfway decent DDoS prevention systems.

In Closing

The distributed denial of service attack is one of the oldest tricks in the book as far as cyber-crime is concerned. It’s aged remarkably well, all things considered – even with today’s technology, DDoS attacks can be some of the most challenging things in the world to mitigate, particularly if you’re going in unprepared. You owe it to yourself to make sure your blog’s properly protected – because you definitely don’t want to face the consequences if you get DDoSed and it’s not.

Image: Flickr/Abode of Chaos