This article was sponsored by Incapsula. Thank you for supporting the partners who make SitePoint possible.
Distributed denial of service (DDoS) attacks are increasingly a fact of life for any business with a web presence. For any company, large or small, it’s no longer a matter of “if” you will get hit with a DDoS attack, but “when.” And without a third party provider like Incapsula, WordPress sites are increasingly vulnerable to bots delivering DDoS attacks.
The more popular a platform is, the more likely it’ll become a target for attacks. And WordPress is by far the most popular platform on the Internet. The CMS accounts for nearly 60 percent of market share and comprises a staggering 25 percent of all sites across the web. Of all those millions of sites, 60 percent are running older versions of WordPress, or newer but unpatched versions, and are vulnerable to being turned into bots that participate in an attack.
Based on industry reports and current trends, the prevalence of DDoS assaults is increasing at a rapid pace and recovering from the damage of an attack can also take months or years. Over half of the respondents in an Incapsula survey (52 percent) reported their organization had to replace software/hardware, or that it had lost revenue. An additional 43 percent confirmed that their organization lost consumer trust.
Patching WordPress Won’t Stop a DDoS Attack
“The biggest security vulnerability is an outdated WordPress component,” says Eric Murphy, Director of Security at WP Engine. “The most important thing people should be doing is ensuring their WordPress core, themes and plugins are all kept up-to-date. Understanding the OWASP Top 10 further enables users, developers and engineers to protect their WordPress assets.”
Murphy’s right. Patching your WordPress site will keep your site stable and prevent a lot of attacks. But it can’t stop a determined DDoS attack. Even if you employ the most diligent WordPress admin to stare at a screen, who tests and applies patches as soon as they’re released, and tirelessly keeps the site up-to-date, your site can still be brought to its knees by a DDoS attack — costing your business sales, resources and reputation.
Another reason your site is vulnerable to DDoS attacks is that they’re sourced from a growing matrix of unpatched IoT devices that span the Internet. Many (most?) vendors who are bringing devices online aren’t prioritizing security and instead opt for customers’ ease-of-use. The reasoning is that whenever an extra layer of security is required, it could potentially affect sales.
Yet another reason that security is an afterthought for IoT devices — even in the age of the DDoS hack — is that vendors are bringing their products to market as quickly as possible. If they get it to market first, they can win or even dominate market share. So the product is dropped with an immature or even non-existent security framework with a plan to fix the security issues later. But in the meantime, your WordPress site is hit again by another attack vector.
The Trouble with IoT
The proliferation of IoT devices is directly increasing the number and strength of DDoS attacks. Nearly any smart device can be leveraged in a DDoS attack. A couple of white hat hackers demonstrated how a Nest thermostat could be used to extort money from its users. Nest is owned by Google and can afford to patch the vulnerabilities, yet many smaller companies with IoT devices cannot afford to regularly patch them.
The IoT denial of service can take almost any form. In February of 2017, the faculty and students at an American university were denied Internet access because its vending machines and light bulbs were pinging seafood-related web sites.
Wait, what? Light bulbs? Yes, even light bulbs can now be used in DDoS attacks. Those cool Philips Hue lights were recently made to flash S-O-S in Morse code in a building after being infected by a virus delivered from a drone hovering outside. And researchers say that’s only the beginning. Soon the vulnerability in your light’s operating system could be used in a massive DDoS attack.
Then there are the IoT devices that don’t have vendors at all. Built on freeware, Raspberry Pi computers can do almost anything. A maker’s dream, these inexpensive computers can be built to stream movies, check the contents of your refrigerator, order stuff from Amazon — really anything you can think of. But that flexibility also comes at a price. The latest generation of Raspberry Pi computers is wirelessly connected to the Internet, so there will be a lot more in the wild.
These cheap computers were created to teach computing. As with vendors releasing a new product, security really isn’t the top concern when a student is building a birdhouse webcam or Kobi device, making the proliferation of these little PCs the next front for cyber warriors.
Add to that the vulnerability of good old unpatched Windows PCs, like XP, and you’ve got a tech cocktail ready to be built for attacks. An Imperva 2013-2014 DDoS Threat Landscape report points to a 240 percent increase over the last year in botnet attack activity (a botnet being a network of zombie computers used by offenders to launch DDoS attacks). In Q4 2013, the number of such assaults rose by 42 percent, according to Verizon’s 2014 Data Breach Investigations Report.
Incapsula Protects Your WordPress Sites
Cleaning up after a DDoS is nothing short of painful. The entire business is affected by the DDoS attack. It moves from an IT/InfoSec problem to a company-wide problem. Execs, sales, marketing, and support all have to re-script and manage the damage that an attack will bring.
Knowing that a fully patched WordPress site residing on a fully patched hardware and software platform will do little to mitigate a DDoS attack, the next step is to look at what can mitigate an attack. It’s a different approach. The traffic needs to be inspected before it reaches your site. How? Incapsula acts as a reverse proxy, so all incoming connections to your website first pass through an Incapsula server where the traffic is inspected. If the attack ramps up, Incapsula dedicates more resources to ensure that legitimate traffic gets to your site. This is something that’s hard to do on your own. Incapsula will also ensure that you continue to see the real originating IP of your website visitors so there is no lost value.
Incapsula gives your website the security and performance that were previously only available to high-end CMS sites. Through a simple DNS settings change along with the Incapsula plugin, website traffic is seamlessly routed through the Incapsula global network of high-powered servers. Incoming traffic is intelligently profiled in real-time, blocking even the latest web threats, from sophisticated SQL injection attacks to malicious bots and intruding comment spammers. Meanwhile, outgoing traffic is accelerated and optimized for faster load times, keeping welcome visitors speeding through.
Another advantage of filtering the incoming traffic through Incapsula is that it applies what it has learned from other attacks in real time. If it sees a cross-site scripting attack against one of its clients, it can immediately apply that solution to all its clients.
There is no alternative to this real-time dynamic solution. The closest alternative is waiting for, and eventually applying, a WordPress plugin update.
Dino works for a multinational law firm as an information security engineer. He writes for Dice, and has written for Information Week and Dark Reading.