Hackers and Cyberattacks can lead to massive performance problems for servers, if not outright failures. Many people have no idea how often servers are attacked because they never see the logs. Every server is attacked several thousand times every month (sometimes within an hour). Maybe your website is even being attacked right now, but you don’t know it.
Safeguarding against these attacks requires a delicate balance. You don’t want a server that allows Hackers to bombard your ports and resources unhindered. But you also don’t want a server that is too secure and overly controls all traffic so that it slows down your users or worse (it blocks legitimate users).
1. Shutdown Unnecessary Server Services
You can think about unused services as unused phones or email accounts. They sit around consuming resources (MEMORY) and taking up your time with unwanted connections (SPAM, Hacker).
Whatever you are not using, disable it on your server!
- DNS – disable it if you use an external DNS server (Cloudflare, DNSME, etc.)
- Email – disable if you use third-party email (G-Suite, MXroute, etc.)
- FTP/SFTP – disable if not used.
- Other proxies – like Varnish
A lot of these services are enabled by default in your server stack or control panel. See the relevant documentation for a list. For services that absolutely must run, you can limit the exposure to horrible traffic with firewalls.
2. Server firewall configuration
Most standard firewall configurations are set too lax not to cause problems. You should intervene here and block as much as possible.
Below are some logical examples:
- Ports used by certain people (SSH, FTP) – just you or a few others.
- Create an IP safelist and block the rest.
- Ports used by certain countries (POP3, IMAP, FTP) – if some services are only used from one country, you can block all other nations. Be careful, however, as someone traveling can lose access!
- Ports that are only attacked from certain countries – if you have a lot of attacks from certain countries or regions, you can block by country or whole IP ranges.
There are many server firewalls, and each has its advantages and disadvantages and is recommended for different use cases. You can read online how others use and configure them. The easiest way is to start with the default firewall that comes with your stack.
3. Server brute force Protection
Brute force protection is like an intelligent firewall, and it leaves services and ports open but automatically blocks the apparent offenders.
- It automatically blocks anyone who authenticates incorrectly or uses blocklisted generic usernames, and so on.
They are easy to set up and very powerful. Just make sure they don’t block legitimate users/traffic. You can check what brute force or DDOS protection came with your server and enable it. You might not want to set it so strictly if you have a lot of users on that server.
4. Brute-Force Protection on wp-login.php
The WordPress login page is often bombarded by bots trying to get in with random usernames and passwords. Even though they may not get in, their constant attempts eat up a lot of resources.
There are several ways to prevent them, each with its advantages and disadvantages.
- Server-level brute force protection – efficient and straightforward but can lock out legitimate users on busy servers with websites that use Cloudflare. The problem is that brute force blocks by IP and visitors coming through Cloudflare all use the same (proxy) IP. Of course, you can configure the real client IP to be routed through Cloudflare headers, but that slows down page loading!
- Application-level brute force protection – many WordPress security plugins can do this.
- They secure the login page by blocking users with false credentials.
- Some plugins hide the login page by moving it to a different URL. Ensure the default login URL is blocked or cached to prevent visits to that page from consuming resources.
- Other plugins protect the login form by including a captcha and excluding certain robots, crawlers and devices. This can work well but can annoy or mislead legitimate users.
The only server I know of with native brute force protection on wp-login.
php is LiteSpeed. All other servers (Apache & NGINX) have to enable it with a security plugin or HTTP-Auth.
5. HTTP Authentication
Are you bombarded with specific pages and have no convenient way to block access to them? HTTP AUTH is a quick and easy way to block all users, and the only problem is that it is a bit annoying for legitimate users.
Most guides show you how to protect the wp-admin directory, but you can also protect other frequently visited directories.
- Set up HTTP
- Set up HTTP AUTH on NGINX
- Set up HTTP AUTH password generator
6. Disable XML-RPC Protocol
The XML-RPC protocol allows external applications (such as mobile apps) to log into your WordPress and edit content or view WooCommerce sales. Unfortunately, it is often exploited by Hackers and bots to make their way onto your website.
- If you don’t use it, disabling XML-RPC will prevent thousands of XML-RPC hack requests from slowing down your server.
- If you need to keep it on, you can safelist your IPs (also for Jetpack if you use it).
7. Security Plugin Configuration
If you don’t have access to your server, you can use security plugins. Yes, security is more efficient at the server level (closer to raw processing power) than at the application level (slower PHP processing)..
. but sometimes it’s hard to set global security rules when you have many clients/sites, and everyone needs something different.
Nevertheless, a software-level security plugin like WordFence is a valuable option to block attacks that the server cannot fend off and prevent hacked sites from further damage.
- IMO, the essential function of security plugins is to scan for malware. Perform the scan manually or schedule it for low-traffic times.
- This function does not necessarily improve website speed but detects system exploits and prevents them from consuming resources (hosting spam sites or attacking other servers).
- The firewall functions of the security plugins are probably not needed if you already have a server firewall. Firewalls enabled at the PHP level slow down all incoming requests.
The performance problem with security plugins is due to A) filtering all incoming traffic too aggressively and B) scanning too frequently. Both of these consume a lot of resources, especially on large websites with many pages and visitors. I recommend not using a software firewall and also setting the malware scans to a lower speed
8. DNS Edge-Level Security Configuration
Keep in mind just how I said that security is more efficiently done at the server level than at the application level? Well, doing it at the edge level (DNS-level) can be much more effective than at your server level, considering that it’s making use of someone else’s servers. There are some performance implications between dealing with security at the edge VS on your server, and you can decide what works best for your use case.
- Dealing with security on your server can be more convenient, considering that you have more control.
- You can optimize for your specific use. The only downside is it uses your server resources and also that you need admin skills.
- Dealing with security via another server (like DNS proxy, Cloudflare) or security service (Sucuri) saves your precious server resources. Still, it might add slight load delay issues since visitors pass through a different proxy before reaching your web server.
The weaker your server and server-admin skills, the more likely a security service are more efficient at blocking DDOS requests.
Then again, for a smaller size, you might not have so many security problems. Whatever you do, don’t try to put overly aggressive DDOS security at both levels (DNS & server). This can cause false positives where legit visitors are blocked because all visitors (good and bad) share the same IP when coming through a proxy.
- A lot of people don’t have to worry about DDOS attacks, ok?
- Your server easily handles most lower-level DDOS attacks.
- The highest-level DDOS attacks are the ones that overwhelm servers (even with good security). However, they cost money and concentrated effort from Hackers. Unless someone is specifically targeting you, you don’t have to worry about them.
- The easiest way to deal with high-level DDOS attacks is to immediately sign up with a dedicated security company like Sucuri (when it happens).
I don’t recommend paying for fancy security services that you mostly won’t need.
9. HTTPS and HTTPS Redirect
- It would help if you used HTTPS. (This is the only way you can take advantage of the HTTP/2 protocol).
- 301-HTTPS redirects on your server so that visitors are quickly redirected to the correct HTTPS protocol and domain version of your website (with or without “www”). Without these server redirects, WordPress can do this too, but it takes a little longer.
Also, don’t forget to ensure that all your internal URLs use HTTPS.
Don’t rely on SSL plugins (unnecessary) or WordPress (slow) to redirect you. Set the redirects from the server!
- Bonus tip: If you use Cloudflare, set a page rule to do your HTTPS 301 redirects from there too. (Even faster than from a local server!)
Have you checked out our Ultimate Website Speed And Security Optimization?
It helps ensure your website is in tip-top shape. Check it out now here: Ultimate Website Speed And Security Optimization