DDoS Attacks on WordPress: Are You Ready?

Written By Sam on 24 July 2017

Distributed denial-of-service attacks are nothing new, but they’ve recently become more and more of a threat to the everyday site owner. WordPress site owners need to be prepared.

Why WordPress?

WordPress has become a tempting target for attackers of all stripes, simply because it’s so popular. WordPress installations are very common nowadays; by 2015, 25 percent of all websites were built using WordPress. This makes it very worthwhile for attackers to seek out vulnerabilities in the platform. WordPress installations also tend to include pages with similar URLs, making them attractive to attackers who want to target multiple sites easily.

DDoS and the Internet of Things

By repeatedly requesting access to a particular URL on a website, it’s possible to overload the server hosting the website so that it becomes inaccessible. A denial-of-service attack (DoS) involves hitting a website with spurious traffic from a single source. These days, all but the smallest-scale sites are likely to be able to withstand such an attack. Once the source is blocked, the attack will stop.

distributed denial-of-service attack (DDoS) is much harder to tackle. In a DDoS attack the traffic comes from multiple sources, sometimes numbering in the hundreds or even thousands. By using automated botnets, it’s now possible for attackers to take down the Internet of a small country. The Internet of Things (IoT) has made huge DDoS attacks even easier to implement. Virtually any internet-connected device that’s not properly secured can be taken over and turned into part of a botnet for DDoS attacks.

A DDoS attack can have very serious consequences for your organization. By making your site unavailable, DDoS attacks don’t just lose you business for the duration of the attack. They may potentially alienate your customers and can require major cleanup work to address. For this reason, DDoS attacks are sometimes used to extort money or valuable data from site owners.

WordPress Vulnerabilities

The biggest vulnerability for any WordPress site is having an unpatched component, whether it’s in the core installation, the website’s theme, or one of the plugins used to add functionality. The core installation of a WordPress site is sometimes left unsecured because the user neglects to finish up the configuration, while themes and plugins need to be regularly updated to address any security flaws. Managed WordPress hosting is one solution to the problem of constant security upgrades.

Yet, even a securely patched and updated WordPress installation can be subjected to a DDoS. One method used by attackers, according to the WordPress Codex, is to repeatedly hit the wp-login.php fileuntil the server can no longer cope with the volume of traffic. This type of attack is often used to break into the WordPress account itself, but it can also be used to take the site offline by overloading the server. It’s entirely possible for the kind of botnet used to hack WordPress sites en masse to be re-deployed simply to make repeated calls on wp-login.php, or other similarly-named WordPress files across the web, and thus potentially take millions of sites offline.

Avoiding DDoS attacks takes some planning. You can install anti-DDoS plugins on your site; WordPress has a number of these, ranging from simple free software to more sophisticated subscription-only plugins. Even better might be to invest in a third-party DDoS protection service, which can filter traffic so the bots can’t bring down your site. A DDoS protection service looks at incoming hits to your website and is able to detect attempts to break into or overload your WordPress server. These hits are blocked, while legitimate traffic is allowed through.

Leave your response!