Several years ago I suddenly got an automated message from my web host telling me that my account was using too many resources, and I would soon have to upgrade. This surprised me quite a lot, since the only thing on there was my blog, which was small, and I never wrote, so no-one ever visited.
I contacted support and asked them what had caused the error message to be sent. As it turns out, a bot was trying to break into my WordPress login form. It was simply trying usernames and passwords in a classic brute force attempt to guess a valid combination. The problem was that it was trying over 100 times per second. This means that my login page was loading 200 times per second: once for the form, and once for the failed login notice. My server was melting.
Following a suggestion, I got a plugin to move my WordPress login URL to some other location. This worked GREAT. Now there was no way they’d ever be able to break into the form, because they didn’t know where it was! My site was secure again.
The next day I got an automated message from my host saying I was using too many resources again. I contacted support again and they said that the bot wasn’t smart enough to know there wasn’t a login there anymore; it was still hitting the old login URL 100 times per second, it was simply getting a 404 page now.
The problem with this scenario is that in WordPress, calling the 404 page still requires the web server to fire up PHP, make a bunch of database calls, and build a WordPress template page out of the results. Aside from removing the chance of being hacked, I hadn’t resolved the performance issue at all.
In order to solve the performance issue we put an .htaccess rule in place to return a 403 Forbidden error any time the old login page was loaded. This means that PHP never got spun up and the database never even got loaded. This dropped the server load tremendously.
Once we resolved the performance issues, the rest of my site was amazingly faster, and my hosting costs actually went down.
Hooray for BBQ!
In a similar vein, an extremely common attack is for bots to simply try to load files with known security issues. An example would be any .exe file; another example would be /etc/passwd, which is where system passwords are stored. Fortunately, there’s another plugin called Block Bad Queries (BBQ) that looks for nearly 80 bad queries and returns a 403 Forbidden without loading any other files or making any database calls.
This has the exact same effect as above: these failures don’t stress the server, and real traffic doesn’t notice the impact.
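Here is an added example, not a rule from the post or from the BBQ plugin, of what both approaches look like in a single .htaccess file: the first part denies the abandoned login URL at the web server layer, and the second part rejects a couple of request patterns of the kind described above before PHP ever runs. It assumes the old login path was the stock /wp-login.php, that the site runs on Apache 2.4 with mod_rewrite available, and the blocked patterns are constructed illustrations rather than the plugin's actual list.

```apache
# Added example (not the post's own rule). Assumes the abandoned login URL was
# the default wp-login.php. Apache answers 403 itself, so PHP and the database
# are never touched for these requests.
<Files "wp-login.php">
    Require all denied
</Files>

# BBQ-style pattern blocking with mod_rewrite. The patterns below are
# constructed examples: requests for .exe files and any path or query string
# that mentions /etc/passwd or contains a "../" traversal sequence.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} \.exe$ [NC,OR]
    RewriteCond %{REQUEST_URI} etc/passwd [NC,OR]
    RewriteCond %{QUERY_STRING} (etc/passwd|\.\./) [NC]
    # [F] sends 403 Forbidden and stops rewrite processing for this request.
    RewriteRule .* - [F]
</IfModule>
```

On Apache 2.2 the `Require all denied` line would instead be `Order Deny,Allow` followed by `Deny from all`. After adding a rule like this, confirm that the relocated login page still works and that a request to the old URL now shows a bare 403 in the access log rather than a themed 404 page, which is the sign that WordPress is no longer being invoked for it.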
A Secure Site Is A Fast Site
Hacking attempts stress a server, and any negative stress detracts from offering your real content to your real visitors. Anything you can do to prevent that stress is a win. In addition to blocking attacks as they come, it’s possible to learn the IP addresses of hacking sources and block them altogether, so that the attacks never even make it to your server.
Furthermore, if you use iThemes Security you can benefit from all sites that use it sharing those IP addresses, so you could learn about and block a bad IP address before it even tries to attack your site.
It’s common to think of performance and security as separate disciplines, but in actuality they’re tightly bound together. Anytime you’re thinking of one, remember to also consider the other.