
Improving security leads to better website performance

The Dev4Press server started experiencing occasional overload problems back in July. The problems got worse in August and September, and the investigation led to some interesting findings.

Since July, the Dev4Press server had occasional downtime every few days. It was not long, a few minutes at a time, in a few cases up to an hour. Nothing too serious, but it was an annoying problem. With the help of SiteGround support staff and by analyzing the access logs, I had the complete picture of what was going on.

Downtime periods were caused by 3 contributing factors:

  • Rogue search engine (geolocated in Russia). This search engine visited the website from time to time but, unlike normal search engines, it has no throttle control to limit the number of requests sent over a period of time. So it was sending thousands of requests in a period of a few minutes, overloading the server, and the server was running out of memory.
  • Spam bots. Many spam bots attempt to send spam comments all the time. But in this case, a few spam bots (same IPs or IP range) were doing so without limiting the number of requests, and they were attempting to send a large number of comments at the same time. This was happening every few weeks, resulting in an overload similar to the one caused by the search engine above.
  • Use of an outdated Dev4Press Updater by a third-party website. This was a very unusual problem: a website was using a very old, very outdated version of our own Dev4Press Updater plugin. That particular version was over 3 years old and had not been tested with WordPress since version 3.8. And something is obviously wrong with that website, since it was sending requests for update information once every 2 to 3 seconds! This started 2 months ago, so it is most likely related to serious issues with the website using the plugin.
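The access-log analysis described above, reduced to the two checks a defender can script: a burst detector (peak requests per sliding minute, the rogue crawler pattern) and a cadence detector (a client polling every few seconds for a long stretch, the outdated updater pattern). This is an added example, not code from the post or from Dev4Press; the log format, thresholds, IPs, paths and user agents are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Apache combined-log style line: IP, timestamp, request line, status, size, referer, UA
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')

def parse_line(line):
    """Return the client IP and timestamp of one line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")}

def peak_per_window(times, window=60):
    """Most requests seen in any sliding window of `window` seconds (times sorted)."""
    start = peak = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() >= window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def suspicious_clients(lines, burst_limit=120, poll_min_requests=50, poll_max_gap=5):
    """Flag IPs that burst (requests per minute) or poll on a tight, sustained cadence."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak = peak_per_window(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if peak > burst_limit:
            flagged[ip] = ("burst", peak)
        elif len(times) >= max(2, poll_min_requests) and median(gaps) <= poll_max_gap:
            flagged[ip] = ("poller", median(gaps))
    return flagged

def make_log(ip, start, count, gap_ms, request, ua):
    """Constructed sample lines (not real traffic) at a fixed request cadence."""
    fmt = '%s - - [%s] "%s" 200 512 "-" "%s"'
    return [fmt % (ip, (start + timedelta(milliseconds=i * gap_ms)).strftime("%d/%b/%Y:%H:%M:%S %z"),
                   request, ua) for i in range(count)]

T0 = datetime.fromisoformat("2023-09-10T03:00:00+00:00")
SAMPLE = (make_log("203.0.113.40", T0, 600, 200, "GET /tag/wordpress/ HTTP/1.1", "RogueBot/1.0")
          + make_log("198.51.100.8", T0, 200, 2500, "GET /update-check/ HTTP/1.1", "WordPress/3.8")
          + make_log("192.0.2.77", T0, 6, 40000, "GET /blog/ HTTP/1.1", "Mozilla/5.0"))
```

The burst check alone would miss the updater (about 24 requests a minute), which is why the median-gap check is there.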

Identifying the problems was only the first step; now I had to solve them permanently and stop the downtimes. The solution for all of them was to finally start using the full power of our own GD Security Toolbox Pro plugin.

GD Security Toolbox Pro was released back in March, but I had only been using some of its features since then. Now the time has come to use this plugin the way it was intended to be used. Also, in the past 3 weeks I have expanded the scope of the plugin's features to include a few more tools that are now also in use.

Here is an overview of the tools used:

  • Antispam addon. All antispam tools are in use, including checks against 2 DNSBL databases, a hidden field, and various antispam filters. Each IP that breaks the antispam rules 3 times is put on the blacklist and is not able to access the website for a period of 2 days.
  • Content Security Policy addon. I created a full CSP rule and the plugin added it to the .htaccess file. Any time the CSP is violated, it is logged in the events log.
  • DNSBL Blacklisting. Any URL attempting to access the website with a high threat level is automatically blocked for a period of 14 days.
  • Username Trap addon. Any time a user attempts to log in with a username from the banned username list, the attempt is blocked and the IP is banned for a period of 2 days. These are usernames that don't exist but are commonly used by attackers: admin, administrator, webmaster.
  • Login Honeypot addon. A simple security measure; any time it is triggered, it bans the IP for a period of 2 days.
  • Login Limit addon. Too many failed logins get the IP banned, first for a few hours, and after that permanently.
  • Registration control. All filters available for registration control are in use. An IP caught by any of the filters is banned for a period of 7 days.
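The ban rules above expressed as a small policy engine, as an added example that is not GD Security Toolbox Pro code: the rule names, strike counts and ban lengths follow the list, while the login-limit strike count (5), "few hours" taken as 6 hours, and the event-line format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PERMANENT = datetime.max  # sentinel expiry for a permanent ban
RULES = {  # rule -> (violations before a ban, first ban length, later ban length)
    "antispam":       (3, timedelta(days=2),  timedelta(days=2)),
    "dnsbl_high":     (1, timedelta(days=14), timedelta(days=14)),
    "username_trap":  (1, timedelta(days=2),  timedelta(days=2)),
    "login_honeypot": (1, timedelta(days=2),  timedelta(days=2)),
    "login_limit":    (5, timedelta(hours=6), PERMANENT),  # 5 tries / 6 h assumed
    "registration":   (1, timedelta(days=7),  timedelta(days=7)),
}

class BanList:
    def __init__(self):
        self.strikes = defaultdict(int)       # (ip, rule) -> violations so far
        self.bans_applied = defaultdict(int)  # (ip, rule) -> bans so far
        self.bans = {}                        # ip -> expiry datetime

    def record(self, ip, rule, now):
        """Register one violation; return the ban expiry if a ban was applied."""
        threshold, first, later = RULES[rule]
        self.strikes[(ip, rule)] += 1
        if self.strikes[(ip, rule)] < threshold:
            return None
        self.strikes[(ip, rule)] = 0          # the counter restarts after a ban
        length = first if self.bans_applied[(ip, rule)] == 0 else later
        self.bans_applied[(ip, rule)] += 1
        expiry = PERMANENT if length == PERMANENT else now + length
        self.bans[ip] = max(self.bans.get(ip, now), expiry)  # keep the longer ban
        return expiry

def process_events(lines):
    """Feed 'timestamp ip rule' event lines (a constructed format) to the policy."""
    banlist = BanList()
    for line in lines:
        ts, ip, rule = line.split()
        banlist.record(ip, rule, datetime.fromisoformat(ts))
    return banlist

def ban_report(banlist):
    """Map each banned IP to its expiry as an ISO string, or 'permanent'."""
    return {ip: "permanent" if exp == PERMANENT else exp.isoformat()
            for ip, exp in banlist.bans.items()}

SAMPLE_EVENTS = (  # constructed sample events, not real log data
    ["2023-09-01T10:0%d:00 203.0.113.5 antispam" % i for i in range(3)]
    + ["2023-09-01T11:00:00 198.51.100.7 username_trap"]
    + ["2023-09-01T12:00:00 192.0.2.9 login_limit"] * 5
    + ["2023-09-02T00:00:00 192.0.2.9 login_limit"] * 5)
```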

As soon as these measures were enacted, things started to change. In the first few hours, more than 20 IPs were banned, and it went on. For the past 2 weeks, Dev4Press has had only 3 downtimes, 6 minutes in total. But the most important thing that happened is the improved performance of the server.

The security measures banned a great many attackers, spam bots, and rogue search engines or spiders. As it turns out, they make up more than 50% of all visits to any website, and they take significant server resources to process and serve. By improving security, I managed to bring down CPU and memory usage and make the server stable for legitimate visitors and users. All the measures together also brought spam down from 800 spam comments a day to 20.


About the author

Milan Petrovic

CEO and lead developer of the Dev4Press web development company, working with WordPress since 2008, first as a freelancer, later founding his own development company. Author of more than 250 plugins and more than 20 themes.
