How To Survive A Denial Of Service (DDOS) Attack On A WordPress Site


My business partner called me a few months ago. “We’ve been hacked,” he said, “and the hosting company has shut down our hosting account.” Wow, I thought, it can happen to us … Hackers can really make you have a bad day!

It took a couple of weeks to fully resolve the problems, and in the process Greengeeks are no longer our hosting company. They’ve been complete crap since we signed up with them, I wrote about Greengeek’s crapness recently …

Prior to all this happening I’d been playing around with setting up WordPress sites on DigitalOcean. I didn’t realise at the time that this was a vital preparation step for what was to come.

Our main site DonCharisma.com was doubly hacked. From what I understand the hackers had installed a proxy on our site and were using it for “god knows what” and to download “god knows what”. We were also told by Greengeeks that a Distributed Denial of Service (DDOS) attack had been mounted, and they’d shut our hosting down because it was slowing other users’ sites down. Long story short, Greengeeks were UNABLE to resolve the problem and in the end, we migrated everything to Digital Ocean.

So why Digital Ocean?

  1. They have very well-written guides on how to set up just about anything you could wish for on their servers. Often these installations are “one click”.
  2. Economical – a “droplet”, that is, a machine on their system that will run WordPress, costs from $5 per month. Compare this with Amazon AWS, whose smallest machines are $15 per month.

How did we do it?

Well, I had a look around at what other people had posted about surviving their DDOS attacks. The suggestions were:

  1. Use Nginx instead of Apache for the webserver – many “serious” websites use Nginx in preference to Apache. The technical reason that matters here is that Nginx’s event-driven design handles a large number of concurrent (or half-open) connections with far less memory than Apache’s process-or-thread-per-connection model, so a flood of requests is less likely to exhaust the server. WordPress.com use Nginx, for instance.
  2. Use CloudFlare. CloudFlare provide a free Content Delivery Network (CDN): they cache your pages at multiple locations and serve each visitor from the one geographically closest, which makes the site faster. Because all traffic then passes through their network before it reaches your server, they can also absorb and filter DDOS traffic, and a basic level of that protection is included in the free plan.
  3. Take care of our own security locally on our DigitalOcean machine. This means some tech stuff that non-techies might find cumbersome and arcane. Not a problem for us; both my business partner and I were/are technically trained.

Nginx on Digital Ocean

There’s more than one way to do this, I chose a slightly harder way because I prefer Debian to Ubuntu for the “Operating system”. Debian is what I learnt Linux on, so it’s just easier for me.

So, how to set up Debian 8 with LEMP (Linux-Nginx-MySQL-PHP) … pretty easy really:

  1. Optional, but recommended – create SSH public and private keys – “How To Set Up SSH Keys”. Once key login works, disable password authentication in sshd, so that brute-force login attempts have nothing to guess.
  2. Create the Digital Ocean droplet with Debian 8 x64 (it’s a one-click affair in their dashboard!)
  3. Install LEMP – “How To Install Linux, Nginx, MySQL, PHP (LEMP) Stack on Debian 7” (note: I believe the instructions are the same for Debian 7 and Debian 8)
  4. Install WordPress – “How To Install WordPress on Debian 7”

If you prefer Ubuntu (which is very similar to Debian), then it’s even easier:

  1. Optional, but recommended – create SSH public and private keys – “How To Set Up SSH Keys”
  2. Create the Digital Ocean droplet with “LEMP on 14.04” (it’s a one-click affair in their dashboard! … listed under “Applications”)
  3. Install WordPress – “How To Install WordPress on Ubuntu 14.04”

CloudFlare

You’ll need to sign up with them for a free account – https://www.cloudflare.com/

You’ll also need to change the DNS for your domain(s) to use CloudFlare’s nameservers rather than whoever you’re using now, and leave CloudFlare’s proxying enabled for the site’s records, so that visitors (and attackers) resolve your domain to CloudFlare’s addresses rather than your droplet’s.

Everything is configurable via their website. One caveat: CloudFlare only helps if the attacker cannot reach the droplet directly. If your server’s IP address is already known, or leaks (for example through a subdomain that is not proxied), traffic can be sent straight to it, so the firewall on the droplet should accept HTTP/HTTPS only from CloudFlare’s published IP ranges (see “CloudFlare IP Ranges” below).


Hardening Our DigitalOcean WordPress Machine Against Hackers

So this is a several-pronged approach:

  1. Operating system level security (i.e. at the “Linux” level)
  2. Web server level security (i.e. at the “Nginx” level)
  3. CMS level security (i.e. in WordPress)

At The Linux Level

Firewall, in a nutshell. I first tried iptables and found that overcomplicated, then switched to ufw (Uncomplicated Firewall), which is a front end that generates the iptables rules for you. The policy to aim for is: deny all incoming traffic by default, allow SSH, HTTP and HTTPS, and allow everything outgoing. Guide for installing – “How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server”

fail2ban – works alongside the firewall. It watches log files (the SSH authentication log, and web-server logs if you configure it) for patterns such as repeated failed logins from one IP address, and when an address exceeds a set number of matches within a set time it inserts a temporary firewall rule blocking that address, so hackers get bored and hack GreenGeeks or HostGator instead of you. Digital Ocean’s guide – “How To Protect SSH with fail2ban on Debian 7”

At The Nginx Level

The same mechanism covers the web server: fail2ban can read Nginx’s access log and pick out patterns that aren’t “normal traffic”, such as page after page being requested from the same IP address with only milliseconds in between, and ban that address at the firewall. Nginx itself can also rate-limit requests per client address with its limit_req module, which throttles abusive clients before their requests reach PHP at all.

John Chadda has a great guide on this – “Using Fail2ban with Nginx and UFW”

If you’re using CloudFlare, you will also need to set up Nginx’s module ngx_http_realip_module. Without it Nginx logs CloudFlare’s edge addresses rather than the real visitor’s address (expected, since CloudFlare is acting as a reverse proxy), so the access log cannot tell visitors apart, and a fail2ban ban would block a CloudFlare edge, and with it every visitor coming through that edge, instead of the attacker. The module’s set_real_ip_from directive is given each CloudFlare IP range, and real_ip_header is set to CF-Connecting-IP, the header CloudFlare adds carrying the visitor’s address.
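As an added example (not code from this post, from DigitalOcean or from fail2ban itself), here is a small shell script that emulates fail2ban’s “maxretry within findtime” rule over a handful of constructed Nginx access-log lines, grouping first by $remote_addr and then by the CF-Connecting-IP header. It assumes a log format with that header appended as the last field (the cfcombined log_format in the comments is an assumption, not this site’s config), uses 192.0.2.10 as a stand-in for a CloudFlare edge address, and 203.0.113.7 and 198.51.100.x as made-up visitors.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a fail2ban-style "maxretry within
# findtime" check run over constructed nginx access-log lines, showing why the
# visitor's real address matters when the site sits behind CloudFlare.
#
# Assumed log format (an assumption, not the post's config): nginx's default
# "combined" format with the CF-Connecting-IP header appended as a last field:
#   log_format cfcombined '$remote_addr - $remote_user [$time_local] "$request" '
#                         '$status $body_bytes_sent "$http_referer" '
#                         '"$http_user_agent" "$http_cf_connecting_ip"';
# 192.0.2.10 stands in for a CloudFlare edge address; the other addresses are
# TEST-NET documentation ranges. Every line below is constructed sample data:
# one normal visitor, one feed reader, and one scraper firing 8 hits in 2 s.
SAMPLE_LOG='192.0.2.10 - - [10/Oct/2015:13:55:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.23"
192.0.2.10 - - [10/Oct/2015:13:55:36 +0000] "GET /about/ HTTP/1.1" 200 3200 "http://example.com/" "Mozilla/5.0" "198.51.100.23"
192.0.2.10 - - [10/Oct/2015:13:55:40 +0000] "GET /?p=1 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:40 +0000] "GET /?p=2 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:40 +0000] "GET /?p=3 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:41 +0000] "GET /?p=4 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:41 +0000] "GET /?p=5 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:41 +0000] "GET /?p=6 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:42 +0000] "GET /?p=7 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:42 +0000] "GET /?p=8 HTTP/1.1" 200 4100 "-" "Python-urllib/3.4" "203.0.113.7"
192.0.2.10 - - [10/Oct/2015:13:55:50 +0000] "GET /contact/ HTTP/1.1" 200 2900 "-" "Mozilla/5.0" "198.51.100.23"
192.0.2.10 - - [10/Oct/2015:13:56:10 +0000] "GET /feed/ HTTP/1.1" 200 9000 "-" "FeedFetcher" "198.51.100.77"'

# Print "<ip> <count>" per source address, sorted by address.
# $1 = log text; $2 = "edge" (field 1, $remote_addr) or "real" (last field,
# CF-Connecting-IP). Without the realip module, fail2ban only ever sees "edge".
count_by_ip() {
  printf '%s\n' "$1" | awk -v mode="$2" '
    { ip = (mode == "real") ? $NF : $1; gsub(/"/, "", ip); n[ip]++ }
    END { for (ip in n) print ip, n[ip] }' | sort
}

# Emulate a fail2ban jail: print every source address that made at least $3
# (maxretry) requests within any $4-second (findtime) window.
# $1 = log text, $2 = edge|real. Assumes the log is chronological, as nginx writes it.
flag_flood() {
  printf '%s\n' "$1" | awk -v mode="$2" -v maxretry="$3" -v findtime="$4" '
    {
      ip = (mode == "real") ? $NF : $1; gsub(/"/, "", ip)
      split($4, t, ":")                       # "[10/Oct/2015:13:55:30" -> t[2..4] = HH MM SS
      secs = t[2] * 3600 + t[3] * 60 + t[4]   # seconds since midnight (same-day sample)
      n[ip]++; ts[ip, n[ip]] = secs
    }
    END {
      for (ip in n)
        for (i = 1; i + maxretry - 1 <= n[ip]; i++)       # slide a window of maxretry hits
          if (ts[ip, i + maxretry - 1] - ts[ip, i] <= findtime) { print ip; break }
    }' | sort
}

# Stand-alone run: the same log grouped two ways, maxretry=5 within findtime=10s.
echo "Grouped by \$remote_addr (what fail2ban sees without the realip module):"
count_by_ip "$SAMPLE_LOG" edge
echo "Would ban:"; flag_flood "$SAMPLE_LOG" edge 5 10
echo "Grouped by CF-Connecting-IP (what it sees once realip is configured):"
count_by_ip "$SAMPLE_LOG" real
echo "Would ban:"; flag_flood "$SAMPLE_LOG" real 5 10
```

Run as-is, grouping by $remote_addr makes every request appear to come from the single edge address, and the flood check flags that address; that is exactly the ban that would cut off every visitor coming through that edge. Grouping by the real address, only the scraper at 203.0.113.7 reaches 5 requests in 10 seconds. With ngx_http_realip_module configured the first field of the real log already carries the visitor’s address, so the stock fail2ban Nginx filters match without needing the extra field.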

At The WordPress Level

There are a number of popular plugins that could help to make your site more secure and less vulnerable to hacker attacks. But first start with the basics: there’s a WordPress.org guide – “Hardening WordPress”. Of particular note is adequately protecting your wp-config.php file, which holds your database username and password in plain text; make sure the web server only ever hands it to PHP and never serves it as a downloadable file, and that it is readable only by the account PHP runs as.

A couple of recommended plugins :

Limit Login Attempts by Johan Eenfeldt

and if you have an iPhone, or other smartphone, there’s two factor authentication using “Clef” – Clef Two-Factor Authentication

Further Notes

Passwords – I tend to (these days) use automatically generated (LONG) passwords, so something like “Secure Password Generator”. However, if you’re really “paranoid” then you should obviously not trust an external site to make passwords for you!
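As an added example (not from this post), here is the local alternative to a password-generator web site: a shell function that draws a long password from the kernel’s random source on the droplet itself, plus a helper that reports roughly how many bits of entropy a given length and alphabet give. The function names and the default 32-character alphanumeric alphabet are my choices, not the post’s.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: generate a long random password
# locally from the kernel CSPRNG (/dev/urandom) rather than from a web site.

# gen_password [LENGTH] [CHARSET]
# Prints LENGTH characters (default 32) drawn uniformly from CHARSET, a tr-style
# class (default A-Za-z0-9). tr -dc discards every byte outside the class, so
# each kept byte is uniform over the class; LC_ALL=C keeps tr byte-oriented.
gen_password() {
  len="${1:-32}"
  charset="${2:-A-Za-z0-9}"
  LC_ALL=C tr -dc "$charset" </dev/urandom | head -c "$len"
  echo
}

# entropy_bits LENGTH CHARSET_SIZE
# Approximate entropy of such a password in bits: LENGTH * log2(CHARSET_SIZE),
# truncated to a whole number. 62 is the size of A-Za-z0-9.
entropy_bits() {
  awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", n * log(s) / log(2) }'
}

# Stand-alone run: one password for MySQL root, a different one for the
# WordPress database user, and the strength of the default settings.
echo "MySQL root:      $(gen_password 32)"
echo "WordPress DB user: $(gen_password 32)"
echo "32 chars of A-Za-z0-9 is about $(entropy_bits 32 62) bits"
```

The two calls never share state, so the MySQL root and WordPress database passwords come out different by construction. 32 alphanumeric characters is around 190 bits, far beyond what any online guessing against MySQL or wp-login.php could reach even without fail2ban.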

Obviously make sure the root login for your MySQL database and the WordPress database user have different passwords, and that the WordPress user is granted privileges only on the WordPress database, so that a leaked wp-config.php does not hand over the whole MySQL server.

Upgrades – Personally I hate upgrades; they are always breaking things. However, WordPress do regularly fix security vulnerabilities, so if you want the best chance of keeping hackers out, it’s best to keep to the latest versions.

Testing – it’s possible to “stress test” your installation; there are several tools and at least one website to do this. I used “Xenu’s Link Sleuth” to test my fail2ban/firewall setup. It’s actually a Windows program for finding broken links on a website, but it fires off requests really quickly, so it looks similar to “odd traffic”.

Migrating WordPress blogs/sites from the old host to the new host – this is a lot simpler if you’re not using WordPress multisite; however, we managed it transferring multisite to multisite, so it is possible. There are a few export/import plugins listed on WordPress.org. One you can try is “WordPress Importer”.

Other guides I found helpful :

“Top 20 Nginx WebServer Best Security Practices”

“Survive DDOS attack with Nginx’s and fail2ban”

“CloudFlare IP Ranges”

“How To Mitigate DDoS Attacks Against Your Website with CloudFlare”

Conclusion

So, there you have it. How to set up WordPress on a $60-a-year webhost, with security that’s likely to make hackers move on to an easier target – like the millions of WordPress blogs on Greengeeks or Hostgator that keep getting hacked, for instance.

Digital Ocean we found very easy to use, and setup as we wanted, largely because they keep it AS SIMPLE AS POSSIBLE. If you want to sign up with Digital Ocean, you can use our referrer code, which will give YOU $10 free credit to get you started. Just click on the Digital Ocean logo below.

(Digital Ocean logo)

I’ve provided this guide, partly to help others who’re trying to sort out an attack, and partly it’s “self-documentation”.

If you’re needing help resolving a hacked WordPress site or DDOS attack, please contact us at our commercial site and we’ll provide you with estimated costs to resolve.

Cheers

Don Charisma