Imagine you take all the effort to optimize your site, ensure that no extra scripts are loading, and that you’ve asynchronized everything you can. You get a nice page speed score and are happy. Then one day you check your site speed reports in Google Analytics and find that your pages are taking 5+ seconds to load. If you analyze your logs, you may find the following:
- Hundreds or thousands of requests from a single IP
- TONS of comments spam
- Contact page spam
Chances are that the above useless traffic is coming at the expense of your regular pages. You could always go on a “blacklist” spree and filter out the IPs, but that’s a short-term solution. IPs change. Tactics change. Spam networks are evolving all the time, so identifying specific ones is difficult. Here are three solid ways to help you combat DDoS attacks in a reliable manner that should work all the time.
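As an added illustration (not code from the original post), here is a small Python script that performs the log check described above: it parses combined-format access log lines, counts requests per IP to uncached PHP endpoints such as wp-login.php, and flags IPs that exceed a threshold. The endpoint list, the threshold and the sample log lines are constructed assumptions, not data from the post.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format, e.g.
# 203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Uncached PHP endpoints an anonymous visitor can hit at will
# (login page, comment handler, XML-RPC). Constructed list for this example.
HOT_PATHS = ("/wp-login.php", "/wp-comments-post.php", "/xmlrpc.php")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_abusers(lines, threshold=50):
    """Return {ip: {path: count}} for IPs with >= threshold hits on HOT_PATHS."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in HOT_PATHS:
            hits[rec["ip"]][rec["path"]] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}

def uncached_share(lines):
    """Fraction of parseable requests that went to uncached PHP endpoints."""
    parsed = [r for r in map(parse_line, lines) if r]
    hot = sum(1 for r in parsed if r["path"] in HOT_PATHS)
    return hot / len(parsed) if parsed else 0.0

# Constructed sample: one IP hammering the login page, one normal visitor, one junk line.
SAMPLE_LOG = (
    ['203.0.113.5 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"' % (i % 60) for i in range(120)]
    + ['198.51.100.7 - - [10/Oct/2023:14:01:0%d +0000] "GET /about/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"' % i for i in range(3)]
    + ['198.51.100.7 - - [10/Oct/2023:14:02:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for ip, paths in find_abusers(SAMPLE_LOG).items():
        print(ip, paths)
    print("share of requests hitting uncached endpoints: %.2f" % uncached_share(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the flagged IPs are candidates for rate limiting or a Cloudflare rule, and the share figure shows how much of your traffic bypasses the cache.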
Precaution 1: Hide your Login Page
I’ve written before about keeping bots away from your login page, and hiding it using a special URL is particularly effective. There are some in the community who feel that “security through obfuscation” is a bad idea, but I disagree. Anything that makes life harder for attackers is not wasted. You’re not lowering the security of your site – just introducing an additional barrier.
WordPress login pages are particularly dangerous because attackers can place a tremendous load on your database and systems. Because the login URL ends with a “.php” extension, the page is not cached and is generated by the system on every request. So even if the attackers end up getting the username/password combinations wrong, they’re still draining your resources merely by viewing the page.
That’s on top of the database work done in the background for each failed attempt. But if you just redirect your default login page to a nice “404” error page, you’re golden!
Precaution 2: Rely on Google Captcha for Spam
Comment spam tools like Akismet are effective, but they still require database processing on your site. What we’re looking for is a solution that doesn’t strain your servers. For this, Google captchas are a great mechanism. With it, comment spam doesn’t affect your site’s performance.
I wrote earlier about using re-CAPTCHA v2 for spam comments, so you can check out how to set it up for your WordPress site. Most visitors will just need to click the checkbox, and suspicious visitors will need to solve the image captchas, which really spoils a spammer’s mojo!
Precaution 3: Don’t Forget Captchas on Contact Pages!
It’s surprising to see how many people leave their contact forms unprotected. The popular plugin Contact Form 7 uses Google re-CAPTCHA v3, which doesn’t include a checkbox but provides a “score” instead. They retired the v2 code a while back. I’m still trying to decide if that’s a good thing or not!
Bottom line: Contact pages are as vulnerable to spam as comment sections. Anything that an anonymous visitor can use to hammer your database at will is a dangerous vector.
Precaution 4: Go Nuclear with Cloudflare
If you’re in deep trouble and your site is being hammered, you can outright block IP addresses using Cloudflare if you’re integrated with them as shown here:
Moreover, Cloudflare has an “I’m Under Attack” mode that you can activate to temporarily show a captcha to all users. This should stop DDoS attacks in their tracks. But the solution is a bit extreme, and should only be used as a temporary measure while you solve the real problem either using blacklists, or something else.
In short, these best practices should block more than 80% of all spam DDoS attacks on your site. Use Cloudflare to route your traffic and you should have an extra layer of protection in case the worst comes to pass!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!