Sites are being crippled by bot attacks every minute of every day and it’s only going to get worse. A LOT worse. VERY soon. Here’s what you need to know about the different types of attacks and how to protect your site from being down, hacked, or trashed completely. Listen to the podcast
Special Podcast
Because this topic is so important, I’ve also released it as a special podcast because I know so many of you need to multitask. You can come back to the show notes for links.
Use Your Best Judgement
I also want to say that I’ve been buried in research on this since last year, and even more so now that it is radically impacting site performance on BlogAid as well as my bigger client sites. I’ve also participated in very heated and opinionated discussion forums around the escalation of bot attacks and how to protect your site. You can, and will, find info to contradict everything I’m about to tell you. And those opinions are held with verve. You will also find plenty of bogus and downright wrong info too. Trust me, I had to sort through mountains of it to get to what works.
I fully expect this post to open a can of worms because that’s what this problem is. I ask that everyone be tactful and respectful in their comments. And I do hope you will comment if you have something to share that you know works and especially if you can provide the documentation to back that up.
In This Post
I’m sharing with you so you’ll have what you need to know to get up to speed and what I’m doing on BlogAid and client sites that’s working. In my reports, I show you the numbers, not just opinions.
On top of that, there is no one-size-fits all solution. I wish there were. You have to choose what’s best for you, your site, and your budget.
In this post I’ll give you links to the bigger attacks we’ve seen, plus info on the different types of bots because some are good bots. And then I’ll give you a brief on the different type of bot attacks and what to do to protect your site.
Okay, let’s get to it.
Bigger, More Frequent Attacks
We’ve already witnessed 6 severe attacks in the last 6 months. And a new tidal wave is coming that’s even bigger and more frequent and will include everything attached to the Internet, such as phones and game consoles.
For an attack history with links, read Bot and Hacker Attacks are Escalating – Protect Your Site. It includes links to info on the attacks, including 3 attacks that brought down HostGator and other EIG owned hosts, and a link to the largest attack seen to date.
And then add these latest two from last week to that list: Meetup.com and Aweber, among others. If you know of more, I’d appreciate you sending the link.
Know Your Bots
Bot is short for robot and it’s an automated system that is programmed to carry out a specific task. Most bots return information to their owners about what they find on a site. There are many types of bots.
Google has several bots, as do all search engine indexing companies. They crawl your site gathering information about your content. These are the well-behaved bots that you want to have access to your site. In fact, you can help them by submitting an XML sitemap and configuring your robots.txt and .htaccess files to tell them what to index and what not to index.
Scraper bots are ill-behaved and will not honor the directives on your site. In fact, they will go right for the things you want to keep hidden like PDFs and other downloadable files. They know this content usually has a dollar value associated with it. Once they have a copy, they sell it on torrent sites.
Attack bots are programmed to either disrupt your site’s availability, or hack into it, or both. They can group together in a massive botnet and cause extreme havoc.
The Best Protection
Backup, backup, backup!!! That is your only real security blanket against every type of attack these days. Be sure that you have a backup that gets everything – site, content, database, plugins, theme, core files, every single thing. And that you store those files off site.
Get my free report How to Backup Your WordPress Site with 14 rated backup and storage solutions, plus info on setting your backup intervals and more.
BackupBuddy (aff link) is what I use on BlogAid and all client sites. And I store the files on Amazon S3 (AS3).
Update, update, update – most site updates, including WordPress, plugins, and themes are not for added functionality. They are to patch security holes. Keep them all up-to-date.
Different Attack Types and Protection
There are several different ways that bots attack. It’s important that you know this so you can properly secure your site for each one.
Brute Force
This is the most common hack attack and is happening to every site, every minute, of every day. Bots hit your WordPress login page and admin pages and try to break your login credentials. Once into your site, they can steal your content, take it down, or worse, use it for their own purposes. That includes injecting malware or a virus in an attempt to either take down or gain access to the host server, or spewing spam from your site without you knowing.
Protection from Brute Force
1. Create a strong password!! This is where protection starts. Read Protect Your WordPress Website with a Strong Login. It will give you ideas for creating strong passwords you can remember, plus a link to test their strength. Hint – it will take 5 trillion years for a bot to break the ones I use.
2. Get the Login Lockdown plugin. It’s super lightweight and locks out rapid fire attacks on the login after three attempts. An alternate plugin is Limit Login Attempts, but it is not as lightweight and gives back too much info to human hackers, in my opinion. You can also use a plugin to move your wp-login.php file and/or rename it. But honestly, many bots are wise to this and will eventually find it again. It will help in the short term, but then it becomes a cat and mouse game you have to constantly play. However, it may be worth it. See the caveat below.
Other resources – There are plenty of other security plugins like WordFence, that have login protection (so be careful that you don’t use both and create a plugin conflict). They have lots of configuration settings, including a notification system that will scare you to death with all of the attacks it is fending off, if you’re not used to monitoring that sort of thing.
But, ALL you need to fend off a Brute Force attack is to protect your login from being hacked.
Caveat – There is a side effect to Brute Force attacks and that is a drain on your hosting resources. If you’re on shared hosting, this is especially problematic. Every time a bot tries a login, it uses CPU and memory resources, plus it puts in a request to and from the database to see if the login credentials succeed or fail. When your site hits the resource limits it will be unavailable. And that’s precisely the point of the next type of attack.
DDoS
A Distributed Denial of Service is when a large botnet attacks a single target and cripples it. Think of it like a narrow road where site traffic goes in and out of a server. The bots are like a semi with a wide load and it clogs up the whole road with incoming requests so that nothing else can get in or out. Many times the attack is a ruse to mask a hack attempt on the server. And it may be going through your site to do it, or just making the network admins focus entirely on keeping your site live and the server up.
Protection from DDoS – How much protection you need depends on how vital it is that your site stay available 100% of the time. How much protection you can afford to accomplish that goal is another matter.
The best protection is to stop the bots from ever getting to the server. CloudFlare is the only CDN (Content Delivery Network) that I know of that has beefed up DDoS protection in its free plan. There are other significant benefits to using a CDN. Read the summary for my full case study on WordPress Site Performance 300% Improvement in 3 Easy Steps. In the free plan, you won’t find mention of DDoS protection specifically. Just set your protection level to High and it will be included. CloudFlare has paid plans with more options, including “I’m under attack” which you can turn on and off when needed. But then, you have to be available and remember to turn it on and then back off.
There are plugins and CDNs that allow you to block countries. That is particularly helpful if you can identify the origin of the attack, and it is outside your usual client base. The problem is, the new bots are using proxies, which mask the country of origin and now most attacks seem to be generated from within the U.S. You can’t block that!
You can also block specific IP addresses. There are blacklists of them out on the web. And plugins that incorporate them. But again, that becomes something you have to constantly keep up with.
There are several services that specialize in DDoS protection. They usually cater to enterprise-level clients and the prices range from $50/mo to $1000/mo.
On shared hosting, your other options are quite limited.
Get a better host. Some big-name hosts are also big targets for DDoS attacks. Read Massive DDoS Attack Takes Down HostGator BlueHost and Other Major Hosts, and EIG Servers Under DDoS Attack Affecting HostGator and BlueHost.
But here’s the truth. No host is immune to a DDoS attack.
It’s just that some hosts handle them better than others when possible. A tidal wave level attack is going to take a server down. That’s it. So, stop being mad at your host if it happens occasionally. It’s going to, trust me. If it happens too much, then it’s time to move.
Another move you can make is going up to Managed VPS. There’s only so much a host can do on shared hosting because it affects everyone. On Managed VPS, it only affects your site. Some hosts offer more personalized service than others, but to do that, they will likely require that you help monitor your stats and report where the attacks are coming from.
If you want them to totally handle it all and guarantee 100% uptime, be prepared to shell out big bucks, ranging anywhere from $60/mo. to $1000/mo.
Managed VPS on A2 Hosting (aff link) starts at $32.99/mo. And that’s where I’ll be moving BlogAid and my bigger clients.
The nice thing about Managed VPS is that the resource limits are far higher, so the only time you may hit them is due to an extreme DDoS attack. (That can also mask other performance issues your site has.)
Now, this is different from WordPress Managed Hosting from companies like WPEngine. They have shared and VPS servers too. And they manage everything for you on both. But, they also have pretty severe restrictions on the types of plugins and such that you can use, sort of like WordPress.com sites. They have to. It’s the only way that they can keep resources and threats in check. Before you jump over to a service like this, I strongly suggest you seek out all reviews and testimonials. They are not all glowing.
Caveat to CDN – If some bots already have your original site IP address, then they will run an end around your new CDN and hit the server directly. So, this method of protection can be somewhat limited in a huge attack. It just depends on whether the bots currently attacking have the IP or not.
DrDoS
This is a Distributed reflective Denial of Service attack. And this is where everything gets really scary.
One computer can now act like 100 computers in a DDoS attack. They find one weakness on a site or server and amplify the effect to create a massive attack.
How to do it is posted on multiple hacker sites. Here’s just one.
While I can’t prove it, I suspect that some of the recent attacks we are seeing are hackers checking out the new tool.
Prevention for DrDoS is the same as for a DDoS attack. The rest is up to the host to find and fix the weaknesses these new attack tools are using. That’s so much easier said than done.
Check Your Site Now
You need to know if your site has already been hacked. And then check again on a regular basis, especially after a large-scale attack.
Malware Scan – Sucuri offers a free online malware scanner. The same scanner is also included with BackupBuddy (aff link). Neither of these options is automated. You have to remember to run the scans manually.
Automated Malware Scan – My preferred vendor, A2 Hosting (aff link), is being proactive by offering HackScan to all accounts, where they routinely do free security scans to check for malware.
Virus Scan – some hosts, like A2, offer free virus scan software through the control panel (cPanel). Again, it’s not automated. You’ll have to do it manually. But it checks your site, root directory, and email.
Warnings – Check your Google Webmaster Tools account for warnings of malware or spam injection code.
Stats – most hosts offer both raw site logs and then apps for reading them, like AWStats. You’ll find them in your hosting control panel. You can see exactly what pages are getting hit.
Resources – most hosts offer a way for you to see your most recent system resource usage including CPU, bandwidth, and both physical and virtual memory. You’ll likely find that in your control panel as well.
Monitor – you can easily set up free monitoring for your site’s uptime with online services like Monitor.us. And you can have the daily results and alerts emailed to you. It will give you a good way to know when your host server is being hit with a bot attack. Also keep in mind that down time can be the result of hitting resource limits due to poor site performance, bot attacks, or just super high traffic. So, take all of that into consideration when viewing the reports. Monitor.us also has paid services with more features.
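As an added example (not code from this post, nor from any plugin or host it mentions), here is a small Python script that reads raw access-log lines of the kind your host’s stats tools show you, counts which pages are getting hit, and applies the same lock-out-after-three-rapid-attempts rule described for Login Lockdown to the POSTs against wp-login.php. The log lines and IP addresses are constructed for the example, and it assumes that a failed WordPress login re-renders the form with a 200 while a successful one redirects with a 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2014:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2014:09:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2014:09:20:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2014:09:21:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Feb/2014:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
192.0.2.44 - - [10/Feb/2014:10:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
192.0.2.44 - - [10/Feb/2014:11:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.2"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Fields of one combined-format line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"], "path": m["path"].split("?")[0], "status": int(m["status"])}

def hits_by_path(log_text):
    """Requests per path: the 'what pages are getting hit' view from the raw log."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[rec["path"]] += 1
    return dict(counts)

def failed_logins(log_text):
    """Yield (ip, time) per non-redirecting POST to wp-login.php (assumes 200 = failure, 302 = success)."""
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") and rec["status"] != 302:
            yield rec["ip"], rec["time"]

def lockout_candidates(log_text, max_attempts=3, window=timedelta(minutes=5)):
    """{ip: time of lockout} under a lockout-after-three rule: failures are counted per IP
    in a sliding window, so rapid-fire bursts trip it while slow, spread-out attempts do not."""
    recent, locked = defaultdict(list), {}
    for ip, t in failed_logins(log_text):
        if ip in locked:
            continue
        recent[ip] = [a for a in recent[ip] if t - a <= window] + [t]
        if len(recent[ip]) >= max_attempts:
            locked[ip] = t
    return locked
```

The slow attacker in the sample (one attempt an hour) never trips the rapid-fire rule, which is why a strong password comes before the lockout plugin in the steps above rather than the lockout standing on its own.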
What Else is Affected
The coming DDoS attacks are going to affect more than your site. I’m going to quote the really scary part of this post on the DDoSPro site titled Seven Million Unsecured NTP Servers Prime Targets for DDoS
“DDoS for Hire services, that take advantage of unsecured NTP servers, are cheap and available on peer to peer Internet job sites and forums, as mentioned already. Any disgruntled and angry ex-employee, ex-spouse, customer, competitor, or cyber bully can spend a few dollars and cause their target or enemy to lose money, clients and reputation when their websites and services stop working or crash from the attacks. The scripts and services are set up to request a huge amount of “data sent to the host.”
That’s really scary folks. But it’s very much a reality now.
Other Devices
DDoS attacks do not just affect websites and hosts. They can infiltrate smart phones, iPods, TomToms, Fitbits, Nintendo and other gaming consoles, digital camcorders, and Blu-ray DVD recorders.
Cyber security on all of your devices is now serious business. Do what you need to do and follow the first two steps in this post, which are to backup and create strong logins. And use good judgment with any device connected to, or on, the Internet.
Need Help?
I stand ready to help you with your site. Contact me and let’s have a chat to map out a plan for you.