Website Security

We, along with nearly every other web hosting or Internet provider, are experiencing brute force attacks on our systems with ever-increasing frequency, and the attackers are using ever more sophisticated technology.

We are all now seeing on TV and reading in the news, on a daily basis, about the noticeable increase in Russian-sourced cyberattacks. Most significantly, the National Cyber Security Centre, which is part of GCHQ, has warned British firms and other organisations to take immediate steps to boost their cyber-resilience in response to the situation.

The simple truth is that these worldwide events are beyond our control and we simply can’t ignore the consequences. We have to urgently take additional steps to protect your website and our overall platform integrity from brute force attacks and other malicious occurrences.

Let’s be clear: it is not that these hackers are necessarily targeting your website specifically. They are constantly trawling the web looking for weak links. Even if your own website is not directly affected by a brute force attack, the sheer intensity of their hammering on the door can generate a temporary knock-on effect throughout the entire hosting environment. Servers are loaded, and costed, to provide the resources required, just like the national grid.

Although there is quite a variety of threats out there that your website needs protection from, the most common one is a brute force attack, where a large amount of traffic is sent to your website, most often to its login page, in the hope that enough simultaneous attempts will allow a hacker to gain access to your website’s admin area, giving them access to customer information, content and more. This traffic overloads the server and causes your website to go down.

The steps we are taking will do as much as is practically possible to address these kinds of threats.

Cloudflare

Cloudflare is the first layer of defence for our websites, and its primary role is blocking bots. Cloudflare’s machine learning goes through hundreds of billions of requests per day to create a reliable bot score for every website visit. In other words, known ‘troublemaker’ IP addresses are blocked, and web visitors showing patterns of malicious behaviour are challenged. This stops bots sending masses of traffic to your website.

Cloudflare also allows your website to use their caching facility to speed it up. Caching goes hand in hand with security: if your website is being attacked, i.e. visited many times in a short period, and it takes a while to load normally anyway, then those many visits will cause significant server load, making the website and the server slower or even taking them down. The main benefit of caching is reducing load times for visitors, so that they can enjoy a faster experience whilst browsing your website.

Wordfence

The next layer of defence for your website is Wordfence, the leading WordPress firewall and security scanner. Wordfence includes an endpoint firewall and malware scanner built from the ground up to protect WordPress websites, and it currently protects over 4 million websites worldwide from attackers targeting WordPress. It uses rate limiting to block people or bots from sending too many requests to your website (i.e. visiting your website over and over again to cause server load, thus slowing down your website or crashing it). In addition, rules are set up to block people or bots that have tried and failed to log in more than approximately 4 times within an hour, or that have requested a ‘forgotten password’ email more than 4 times within an hour. Wordfence also regularly scans your website’s files for malicious files and vulnerabilities.

It’s primarily aimed at businesses who realise that they can’t afford for their websites to go down for any reason.

In short, Cloudflare + Wordfence provide two separate firewalls on your website to help block attacks. It is similar to your insurer insisting that you install a metal fence and security cameras on your property, although much easier and cheaper to implement!
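
The lockout rule described above (more than about 4 failed logins, or more than 4 ‘forgotten password’ requests, within an hour) can be sketched as a sliding-window counter. This is an added example in Python, not Wordfence’s own code; the event names, the keying by client IP address and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600  # "within an hour", per the rule described above
MAX_EVENTS = 4         # "more than approx 4 times": the 5th event blocks
TRACKED = {"login_failed", "password_reset"}  # hypothetical event names


class LockoutTracker:
    """Sliding-window counter per (client IP, event type)."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_EVENTS):
        self.window, self.limit = window, limit
        self.events = defaultdict(deque)  # (ip, kind) -> recent timestamps
        self.blocked = {}                 # ip -> (time of block, reason)

    def record(self, ts, ip, kind):
        """Record one event; return True if this IP is blocked."""
        if ip in self.blocked:
            return True                   # already locked out
        if kind not in TRACKED:
            return False                  # e.g. a successful login
        q = self.events[(ip, kind)]
        q.append(ts)
        while q and ts - q[0] >= self.window:
            q.popleft()                   # drop events older than the window
        if len(q) > self.limit:
            self.blocked[ip] = (ts, kind)
            return True
        return False


# Constructed sample events: (seconds since start, client IP, event type).
SAMPLE_EVENTS = (
    # 5 failed logins in 80 seconds: blocked on the 5th
    [(t, "203.0.113.10", "login_failed") for t in (0, 20, 40, 60, 80)]
    # 5 password reset requests in under half an hour: blocked on the 5th
    + [(t, "192.0.2.55", "password_reset") for t in (10, 500, 900, 1300, 1700)]
    # 5 failures, but the first is over an hour old by the 5th: not blocked
    + [(t, "198.51.100.7", "login_failed") for t in (100, 1000, 2000, 3000, 3800)]
)


def replay(events):
    """Feed events in time order and return the resulting block list."""
    tracker = LockoutTracker()
    for ts, ip, kind in sorted(events):
        tracker.record(ts, ip, kind)
    return tracker.blocked


if __name__ == "__main__":
    for ip, (ts, reason) in replay(SAMPLE_EVENTS).items():
        print(f"{ip} blocked at t={ts}s after repeated {reason}")
```

The third client shows why the window matters: a slow trickle of mistakes from a genuine user ages out and never reaches the limit, while a rapid burst does.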

WordPress & Plugin Updates

It is also essential that your website is regularly updated to use the latest version of WordPress and that any plugins in use on the site are kept up to date or upgraded when necessary.