The huge brute force attack that took place earlier this month on WordPress sites around the globe is believed to have been the result of a massive “super botnet” conglomerate of computers, distributed across over 90,000 IP addresses.
In the wake of the attack, concerns have been voiced that future use of this “super botnet” could result in increasingly powerful DDoS attacks.
Matthew Prince, CEO of Cloudflare, made this post on the topic.
Megaconglomerates of tens of thousands of machines launching coordinated attacks can sound like pretty intimidating stuff – and rightly so. However, there’s also a simple and practical side to this matter for website owners and developers. The simple fact is that if your site is targeted by a brute force or DDoS attack on the scale described above, the sheer bandwidth of the traffic will likely be enough to take your site offline. Nonetheless, there are steps you can and should be taking.
First: if you rely on a website for your livelihood, you should not be using a shared host. There are many reasons for this. Most relevant in this case is that even if you are taking all the right steps to protect your site from the bad guys, there might be someone else sharing the same server with you who isn’t. Under this “bad neighbor” scenario, your server could be taken offline by your host’s other clients’ failure to keep their security settings up to date. The step up from a shared host to a VPS (Virtual Private Server) is an important one, and the cost isn’t huge. Of course this is all under the assumption that your website is providing your livelihood. If not, you’re probably fine to stick to a shared host.
Second: Limit Login Attempts – for a reason nobody seems to be able to fathom, this feature doesn’t come pre-loaded with WordPress. The good news is that there are heaps of plugins available for it.
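To show what such a plugin actually does under the hood, here is an added example (not code from this post or from any published plugin) of a minimal must-use plugin that locks out a source IP after repeated failures using WordPress transients; the thresholds and the lla_ function names are assumptions.

```php
<?php
/*
Plugin Name: Limit Login Attempts (added example)
Description: Per-IP lockout using WordPress transients. Example code, not
from the original post or any published plugin.
*/

// Assumed policy (not from the post): 5 failures in 15 minutes locks the
// source IP out for 15 minutes. Tune to taste.
const LLA_MAX_FAILURES = 5;
const LLA_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// Transient key for the requesting IP. Behind a CDN or reverse proxy
// REMOTE_ADDR is the proxy's address, so every visitor would share one
// counter; only trust a forwarded-IP header from a proxy you control.
function lla_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lla_fail_' . md5( $ip );
}

// Count a failed login (fires for wp-login.php and XML-RPC alike).
function lla_record_failure( $username ) {
    $key   = lla_key();
    $count = (int) get_transient( $key ) + 1;
    // Each further attempt refreshes the window; the transient expires on its own.
    set_transient( $key, $count, LLA_WINDOW_SECS );
    if ( $count >= LLA_MAX_FAILURES ) {
        error_log( "lla: lockout after $count failures for user " . sanitize_user( $username ) );
    }
}
add_action( 'wp_login_failed', 'lla_record_failure' );

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password filters (priority 20); a lower priority would let them
// overwrite this WP_Error with a WP_User when the password is correct.
function lla_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( lla_key() ) >= LLA_MAX_FAILURES ) {
        return new WP_Error( 'lla_locked_out',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lla_check_lockout', 30, 3 );

// A successful login resets the counter for that IP.
function lla_clear_on_login( $user_login, $user ) {
    delete_transient( lla_key() );
}
add_action( 'wp_login', 'lla_clear_on_login', 10, 2 );
```

Against a botnet spread over 90,000 addresses each IP may only try a handful of passwords, so a per-IP lockout alone is a weak control; pair it with strong passwords and upstream filtering of the kind Cloudflare describes.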