How to configure a WordPress server under high load or DDOS attack?


0 like 0 dislike
There is a dedicated server with Plesk Panel:
Intel Core i7-2600 Quad Core
32 GB DDR3 RAM
2x 3TB SATA III HDD

The server runs PHP 7.3 on Apache+FPM+Nginx. I could switch to pure NGINX, but I don't want to constantly tinker with manual configuration for every WordPress site (the server hosts many WordPress sites, and .htaccess and all the plugins that depend on it need to work). W3 Total Cache is installed and configured in WordPress.

The problem: under normal load everything flies, even with high traffic. But the sites periodically come under DDoS attack from competitors, as I understand it from botnets controlled manually: as soon as I find a way to block the current attack, they change it to another.

The server has fail2ban, whose rules I periodically change to adapt to the changing attack.

Right now the sites are on the old server with the same hardware but older software (Apache, FCGI, PHP5, without Nginx):

I easily block the usual hammering attempts from the same IP using fail2ban, but the attacks are becoming more and more sophisticated:
1) They start hammering with random requests for non-existent pages in WordPress, and since it does not give a 404 error (WordPress tries to find such articles and generates its own 404 page), no cache helps here: each request generates a new cache entry. Example requests (dozens per second):
domain.com/DSADAJKFJASFJASFLKJ
2) The IPs change all the time; they have virtually stopped repeating (each new request comes from a new IP).
3) The referrers were fake (all different); now they use empty ones, after they started being banned by my settings.
4) Sometimes they hammer just one page with a query (for example, sorting items by rating).
5) Hammering /wp-admin/admin-ajax.php with POST/GET requests hangs the server badly. I can't block the whole file, because frontend requests from real users use it. I manage to block it through .htaccess if a blank referrer is used. If not, it is unclear how to tell them apart from normal users.
6) The domain is connected to Cloudflare, but as I understand it, with these types of attacks (where all IPs are different and it is hard to determine which actions are suspicious) it is not going to help.

Actually, the question: as I understand it, setting up automatic bans for such attacks is very difficult (especially since, once they see a ban, they immediately change the requests, referrers, etc.), so I have another request: how should I configure the new server (to which I am moving the sites from the old one that is under attack) so that these attacks do not hang the server and it keeps working fine under them? As I understand it, PHP7 and Apache with FPM and NGINX should help with this? What else would you recommend installing and configuring? (PHP accelerators, databases?) Will moving to pure NGINX without Apache help much?

What settings should be specified for Apache/Nginx (limits, connections, etc.) so that the server does not go down and everything keeps working? (there were 503/502 errors).

The sites under attack are barely updated with new information after they are created (so full, deep caching is possible), but they have some dynamic functions (for example, likes on posts) that need to stay and work.

Could you tell me which software stack to use so that everything runs briskly despite the load? Is the specified server hardware enough?
by | 14 views

4 Answers

0 like 0 dislike
In your place I would switch completely to Nginx + php-fpm.
With nginx it is possible to limit the number of requests per second to the site using this module; also, with Nginx you can cache pages aggressively, and it is also possible to restrict access from unwanted IP addresses (let's say from Africa, China and other similar countries).
by
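The request limiting and address restriction this answer describes, sketched for a pure Nginx + php-fpm host (an added example, not configuration posted by the answer's author). The zone names, rates, php-fpm socket path, document root and all address ranges are assumptions or placeholders; blocking by country rather than by range additionally needs a GeoIP database, which is not shown.

```nginx
# http{} context. Zone names, rates, paths and addresses are assumptions.
# Behind Cloudflare the TCP peer is a proxy, so restore the visitor address
# first; 192.0.2.0/24 is a placeholder for the proxy's published ranges.
set_real_ip_from 192.0.2.0/24;
real_ip_header   CF-Connecting-IP;

limit_req_zone  $binary_remote_addr zone=per_ip:20m  rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_ip:20m;
# Aggregate budget for the expensive endpoint: when every request arrives
# from a new address, per-client limits never trigger, so cap the total.
limit_req_zone  $server_name        zone=ajax_all:1m rate=30r/s;

geo $blocked_net {                 # address-based restriction
    default         0;
    198.51.100.0/24 1;             # placeholder range
}

server {
    listen 80;
    server_name example.com;       # placeholder
    root /var/www/example.com;
    index index.php;

    limit_req_status  429;
    limit_conn_status 429;
    limit_conn conn_ip 20;
    if ($blocked_net) { return 403; }

    location ~* \.(css|js|png|jpe?g|gif|svg|ico|woff2?)$ {
        expires 7d;                # static assets: no PHP, no request limit
    }
    location / {
        limit_req zone=per_ip burst=20 nodelay;
        try_files $uri $uri/ /index.php?$args;
    }
    location = /wp-admin/admin-ajax.php {
        limit_req zone=per_ip   burst=5  nodelay;
        limit_req zone=ajax_all burst=30 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
    location ~ \.php$ {
        limit_req zone=per_ip burst=20 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
```

When the aggregate limit on admin-ajax.php is hit, real users also receive 429 for that endpoint, but the php-fpm workers stay available for the rest of the site.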
0 like 0 dislike
If the website allows it, set up more aggressive caching. Serve everything as static, at least during the attacks.
This can be done with plugins (for example WP Super Cache) as well as with nginx settings.

Below I assume you have already set everything up to be served as static.

1) They start hammering with random requests for non-existent pages in WordPress, and since it does not give a 404 error (WordPress tries to find such articles and generates its own 404 page), no cache helps here: each request generates a new cache entry. Example requests (dozens per second):
domain.com/DSADAJKFJASFJASFLKJ

And why are you caching these pages separately?
Serve one static 404 page for all non-existent pages.

5) Hammering /wp-admin/admin-ajax.php with POST/GET requests hangs the server badly. I can't block the whole file, because frontend requests from real users use it. I manage to block it through .htaccess if a blank referrer is used. If not, it is unclear how to tell them apart from normal users.

A few options:
1. Add a nonce (and make it work correctly with cached pages).
2. Stop using admin-ajax.php on the frontend; replace it with the REST API or a custom endpoint.
Yes, this is not the standard WP way and will require some rework of the code/plugins, but it will be more performant, at least because a different set of hooks is triggered by the REST API (REST API vs AJAX). Plus, standard requests to admin-ajax cache poorly,
and with a custom endpoint you generally only need to load part of the engine.

6) The domain is connected to Cloudflare, but as I understand it, with these types of attacks (where all IPs are different and it is hard to determine which actions are suspicious) it is not going to help.

At the least, allow the countries you need and block the rest.
During an attack, switch the Basic Protection Level to maximum mode (I don't remember which plan it is available on).
by
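One way to set up the aggressive caching and the single static 404 page this answer suggests, using nginx's FastCGI cache in front of php-fpm (an added example, not configuration posted by the answer's author). The cache path, zone size, TTLs, socket path, document root and the presence of a `/404.html` file in that root are assumptions.

```nginx
# http{} context. Cache path, zone size, TTLs and the socket are assumptions.
fastcgi_cache_path /var/cache/nginx/wp levels=1:2 keys_zone=wp:64m
                   max_size=2g inactive=60m use_temp_path=off;

# Cache only anonymous GET/HEAD traffic outside the admin and API paths.
map $http_cookie $wp_session {
    default 0;
    "~*wordpress_logged_in|comment_author|wp-postpass" 1;
}
map $request_method $skip_method {
    default 1;
    GET     0;
    HEAD    0;
}
map $request_uri $skip_uri {
    default 0;
    "~*^/(wp-admin/|wp-login\.php|wp-json/|xmlrpc\.php)" 1;
}

server {
    listen 80;
    server_name example.com;            # placeholder
    root /var/www/example.com;
    index index.php;

    # One static body for every 404, whatever URL was requested.
    error_page 404 /404.html;
    location = /404.html { internal; }

    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
        fastcgi_intercept_errors on;    # lets error_page replace WP's 404 body

        fastcgi_cache        wp;
        fastcgi_cache_key    $scheme$request_method$host$request_uri;
        fastcgi_cache_valid  200 301 10m;
        fastcgi_cache_valid  404 1m;    # short, so new posts appear quickly
        fastcgi_cache_bypass $wp_session $skip_method $skip_uri;
        fastcgi_no_cache     $wp_session $skip_method $skip_uri;
        # Use the TTLs above even when the backend sends Cache-Control/Expires;
        # responses carrying Set-Cookie are still never stored.
        fastcgi_ignore_headers Cache-Control Expires;
        fastcgi_cache_lock on;          # one PHP run per key on a cold miss
        fastcgi_cache_use_stale error timeout updating http_500 http_503;
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

A URL that has never been requested before still costs one PHP run before its 404 is cached, so random-URL floods are only absorbed on repeats; the `X-Cache-Status` header shows HIT, MISS or BYPASS for checking which requests reach PHP.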
0 like 0 dislike
Look at haproxy as a frontend: it has a very flexible ACL language that lets you do all kinds of rate limiting, drop inactive connections, etc. I'm sure it will help you beat at least part of the attacks.
by
0 like 0 dislike
The problem: under normal load everything flies, even with high traffic. But the sites periodically come under DDoS attack from competitors, as I understand it from botnets controlled manually: as soon as I find a way to block the current attack, they change it to another.

The server has fail2ban, whose rules I periodically change to adapt to the changing attack.

Right now the sites are on the old server with the same hardware but older software (Apache, FCGI, PHP5, without Nginx):.....
There is no need to mold skis out of straw. Get under protection. They withstand attacks bigger than yours.
by
