Website hosts and domain providers are struggling to keep your site live in the face of bot and hacker attacks that are increasing in both frequency and intensity. Here’s what you need to know and what you can do to help your site stay available.
The reports are coming in. Bot and hacker attacks are becoming bigger and happening more often. They are taking down major host providers and IP carriers at an alarming rate.
In April of 2013, a botnet attack occurred that was 90,000 computers strong. It specifically targeted WordPress sites. It brought down providers like HostGator and BlueHost.
In August of 2013 there was another major DDoS attack that also brought down several major hosts.
And then on January 1, 2014 there was a massive DDoS attack that brought down several large hosts.
Security providers and plugin developers are playing a cat and mouse game to stay one step ahead of the attack tactics, and they’re loosing.
And all of it is only getting worse.
Change of Tactics
As hosts, IP carries, and developers figure out ways to combat the attacks, the hackers are constantly changing tactics.
Instead of just DDoS attacks, they are now using
DrDoS attacks to amplify the chaos. Let me explain.
A DDoS is a Distributed Denial of Service. Think of it like a narrow road that represents the bandwidth of the two-way traffic coming to and from your site. Visitors make a query to your site. Then the reply to that query is delivered from your site in the form of a page or post.
Now, imagine a wide load coming down the road toward your site. That’s what a botnet attack looks like to the server.
The botnet attack chews up so much bandwidth that nothing else can get in or out.
Eventually, service is denied to all requesters, including individual people trying to access your site.
That’s bad enough. It’s getting scarier.
A DrDoS is a Distributed reflective Denial of Service.
To get around the blocks that hosts, IP carriers, and developers put in place to combat the huge botnets, hackers have found ways to use one computer and one specific weakness in the chain to amplify the affect of an attack.
What’s truly scary about this is that it clogs up the bandwidth and chews up server resources at the same level that it used to take multiple computers to do. Read The New Hacker Tool
More Than Just Computers
And now, anything hooked to the Internet can be used in the attack. That includes mobile phones and, believe it or not, even refrigerators.
Anything that has an unsecured Internet connection is not only open to an attack, it can be turned into a hacker weapon.
And the worst part is, the hackers are now doing it locally.
Some folks in the U.S. have taken to blocking whole countries as a way around the attacks, since most were coming from places like China or Turkey.
Now those same attacks are coming from within the U.S. And no company in the U.S. can block that!
What You Can and Must Do
As a site owner, you do have a responsibility in all this.
That’s especially true if you are on shared hosting. Think of it as living in an apartment complex. If you have 15 locks on your door, none of it matters if a fire breaks out. Everyone is responsible for maintaining security.
There are actions that you can take. In fact, your host and IP services may start insisting that you do.
One way that hosts are getting the attention of site owners on shared hosting is to let their sites hit strictly enforced resource limits.
When your site has too many requests, it causes a massive drain on the server’s CPU and memory resources. Every site on shared hosting has a limit so that one site can’t hog all the resources and make everybody else’s site run slow.
When your site hits the limits, your site becomes unavailable.
A bot attack causes a significant drain on your resources due to the inflated requests. It can easily put your site over the hosting limit if you already have a lot of traffic or page views.
Check Your Resources
Monitor.us is a free online tool to let you see your site’s uptime. There are other monitors, but what I like about this one is that it also gives you a decent indication of the baseline of resources your site uses every day too.
Resource Usage is available on most hosts that offer cPanel too. You can see your CPU, physical memory, and virtual memory usage.
Awstats is also available on most hosts with cPanel. You can use it to see how many hits are bots and what pages they are going after.
Brute Force Attack
Many of the botnet attacks are trying to exploit weaknesses in each site on the server. If they can break into a site, they may be able to use it as a backdoor to break into the whole server. That puts every site on the server at risk.
The wp-login.php page is the favorite attack point for most hackers.
Using a super strong password and a login limiting plugin are two simple, yet very effective defenses.
Read Protect Your WordPress Website with a Strong Login
You need to know if your site has been hacked and has become part of the problem.
Keep in mind that many hackers are not interested in disabling your site. Far from it. They are very much interested in your site staying live and available for them to secretly use for their own purposes, such as distributing spam injection code. That will also drive up your resource use.
Some hosts, like my preferred vendor A2 Hosting (aff link) are being proactive on this front. They routinely run a malware scan on each site for free.
Sucuri also offers a free online scanner.
BackupBuddy (aff link) also offers the same Sucuri scanner so you can run it anytime from within WordPress.
Turn the Bots Away
The best way to keep attack bots from draining your site resources and breaking into your site is to keep them out in the first place.
Installing certain security or caching plugins or CDNs (Content Delivery Network) may help. But there are drawbacks and caveats to all these tactics and you need to have them setup and optimized properly for your site.
Need help with that, contact me for a consult.
Your Only Real Security
Backup, backup, backup. And store the files off site.
No matter what devastation happens to your site, a full backup file stored off the host server will fix it. You can’t say that about anything else.
How to Backup Your WordPress Site is my free report with 14 rated backup solutions and storage options.
BackupBuddy (aff link) is my plugin of choice. I use it on all of my sites and all of my client sites because I know who they’re going to call first if there is a problem. I want a solution I know works. Period.
Some hosting providers are just better than others. But none of them are immune to bot attacks. The real difference is what they do proactively to prevent them, and then what they do to help you help resist them.
They also partner with CloudFlare, one of the few Content Delivery Networks that offers some type of DDoS protection on their free service to help turn bots away in the first place.
And A2 just emailed out helpful tutorials for moving your wp-login file to help decrease hits and resource drains. (I’m not in total agreement that this is a long-term effective solution, but it could help in the short term.)
Move Up to Managed VPS
If you have a site with high traffic, and you’ve done all that you can to optimize and secure it, you might need to consider moving up to managed VPS. (And, yes, A2 has that too.) Not only will you get the resource cap removed, you’ll get some extra features to thwart attacks. It’s not cheap like shared hosting. But, you have to weigh that against the cost of your site being unavailable.
Managed Hosting and Maintenance Agreements
Before you go get expensive managed hosting or sign a site maintenance agreement, I strongly suggest you look before you leap. Check the reviews. Make sure your site can function with the extreme restrictions on plugins and other functions that will be imposed.
See what you’re getting for that maintenance bill. If it’s just updates, you’re not getting any protection that you can’t provide yourself.
Performance and Security Case Studies
I’m putting together a case study with the details of a site I’ve been working on for a couple months that has been getting hammered in the botnet attacks. It also includes the performance optimization I’ve been doing on multiple sites on the account. I’ll have it for you soon.
In the meantime, read the case study for On Sutton Place, where we increased site performance by 1400% (that’s not a typo). And combating the resource drain of the botnet attacks was part of that boost.
Get Your Performance Audit
Contact me to get a 20 point site audit, or go deeper with a full performance audit and see what’s causing issues and resource drains on your site.
Be Part of the Solution
The deeper I’ve dug into the botnet attack sources, including info from the hackers buddies I hang with, I can tell you with certainty that this problem is going to get much worse before it gets better.
One of the reasons for that is because shared hosting vendors can’t openly afford to hassle their clients into properly managing their sites. Nor can they afford for whole server farms to repeatedly go down on a regular basis.
You can either pay attention to your site security and resource usage now, or pay the price of having your site become unavailable.
Get ahead of the coming firestorm and get your site ready. After all, it’s your full-time business partner.