I have a few WP websites and they are being receiving a huge number of requests (about 20 thousand a minute) like:
www.example.com/adasd-asdasd-asdas-da/
www.example.com/fds-fdsf-dsfds-fds-f/
...
The problem is that it causes my db to check every time if the entry “adasd-asdasd-asdas-da” or “fds-fdsf-dsfds-fds-f” or … exists in my db and it’s consuming a lot of resources.
I’ve been reading hundreds of links in Google and all of them use ip/rate limit which is not a solution to me; I cannot use it. I’ve seen some blogs that when the user hits some wrong page they redirect the user to Google and by doing so they get rid of the attack. But how to they check every request in the database without shutting down the whole system?
It’s really hard to solve this problem cause my legitimate URLs are like:
www.example.com/how-to-buy-a-flow
www.example.com/make-your-dad-happy
...
I have already 19 thousand posts, and every time a user sends a request like www.example.com/fdsfds-fdsfs-dfds I need to check it in the database to know if it exists.
I am already using CloudFlare which is doing a great job but I still cannot discover how to check if the request is not in the database in an easy way.
You can block the attacker IP(s) with iptables or htaccess.
Take a look at fail2ban. You can configure it to monitor your apache log for the resulting 404 errors and ban every IP that exceeds X 404 errors in N seconds automatically via iptables.
It’s pretty easy to set up.
…or, as addition to the proposed above you can install the handy plugin block-bad-queries
Of course modifying the
.htaccessand / or setting upiptablesfirewall is for advanced users and if you have full access to your web server environment.My company’s WordPress site has also been the victim of several DDoS attacks. There are a few strategies that were invaluable to us:
/wp-login.phpand/wp-admin.phpfrom unauthorized IP addresses using .htaccess