This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.
Distributed denial of service (DDoS) attacks are rapidly ramping in scale. They’ve been on the radar since at least 2000, and 2017 may be the year they become your biggest security concern. If you don’t have a DDoS strategy in place, it’s time to choose one.
Based on current trends, industry experts predict that this may be a crisis year. That’s reflected in recent headlines like these:
- DDoS in 2017: Strap yourself in for a bumpy ride, The Register.
- DDoS attacks up 380% in Q1 2017, CIO Dive
- The 2017 DDoS tsunami will cost companies millions, TechRepublic
- Hackers take no holidays: 2017 DDoS attacks rise fivefold, SiliconANGLE
- Expect an increase in ransomware and DDoS attack combos in 2017, Enterprise Innovation
- 2017 may be crisis year for DDoS attacks, ComputerWeekly.
The more popular a platform is, the more likely it will become a target for attacks, and WordPress is the most popular platform on the internet. In a previous post we outlined 48 ways to keep your WordPress site secure. By all means keep your WordPress patched and updated, but that won’t protect you from the zombie hoards. You need a targeted DDoS solution you can trust.
How do DDoS attacks work? And what is the most effective way to guard your WordPress site?
The Rapid Growth of the DDoS Threat
DDoS attacks use your site’s bandwidth limitations against you. How many visitors can it handle at once? Too many, and it will become overwhelmed and unresponsive, just like when hundreds of customers walk into a physical shop at the same time. A DDoS attack simulates exactly that.
A DDoS attack is equivalent to hundreds of thousands of fake customers converging on a traditional shop at the same time. The shop quickly becomes overwhelmed. The genuine customers cannot get in and the shop is unable to trade as it cannot serve them. (Deloitte Predictions 2017)
For an online store or website, those fake visitors are often members of a botnet—a network of hundreds of thousands of compromised devices that are being controlled by a third party. Those devices may include:
- older PCs running less secure, unpatched operating systems like Windows XP
- compromised smartphones and other mobile, internet-connected devices
- smart devices such as thermostats, TVs, refrigerators, cameras and even light bulbs—commonly referred to as IoT (“the internet of things”)
- and fake IP addresses spoofed by compromised servers.
Combined, these devices can send gigabits of garbage data to your server each second, and right now the scale of the onslaught is exploding. Late last year The Hacker News site reported the first 1 Tbps DDoS attack powered by 150,000 hacked IoT devices, and Deloitte predicts there will be ten similar attacks this year.
Why is 2017 such a turning point? Several trends are converging to create the perfect storm:
- There are more IoT devices than ever, and they’re easy to incorporate into botnets.
- There is more bandwidth available than ever, and it can be used to spew junk data at your website.
- New DDoS strategies cause more damage with less bandwidth by hitting web applications, and there’s more of them than ever.
- Malware tools, like Mirai, are easier to use than ever, and DDoS-for-hire services are more accessible than ever, costing as little as $5.
DDoS-for-hire is going to ramp up. The IoT botnets, combined with an easy money-making opportunity, will bring more of this kind of thing in 2017. Sceptical? Well, there’s already a 400,000 strong IoT zombie army for rent, using the Mirai malware. (The Register)
How can you protect your site from a massive attack of unwanted visitors? Take a lesson from the nightclubs, and call in a bouncer. The key is to deal with the threat before it reaches your door.
The post How to Secure Your WordPress Site from the DDoS Attack Onslaught appeared first on SitePoint.