WPBeginner was founded by Syed Balkhi as an effort to educate anyone who is new to the WordPress platform. The site focuses on the "how" and "why" of using the WordPress content management system. Powering more than 25% of all websites worldwide, WordPress has quickly become the world’s most popular CMS. The far-reaching appeal of WordPress likely stems from the platform’s flexibility and accessibility for beginners. Anyone can find free themes that span from photography to eCommerce, the dashboard is easy to use, and SEO friendliness is built in.
These features work in concert to provide high value along with low barriers to entry for sole proprietors and small, medium, and large scale business ventures alike. Similarly, WPBeginner derives its purpose from helping a wide range of people and businesses succeed online. The organization works to minimize entry-level confusion and truly empower visitors to take advantage of the WordPress open source community. By offering tips, tricks, warnings, widgets, plugins, reviews and how-to's, WPBeginner illuminates the path to a functional WordPress-based web presence. In 2013, WPBeginner put out a review of Sucuri detailing the benefits of our WordPress plugin. Though the statistics are difficult to track, it could easily be stated that WPBeginner has helped launch and/or save thousands of websites and businesses.
Having assisted so many, it is no surprise WPBeginner has grown to its current vast reach. As one of the most popular sites online, it understandably receives a high volume of daily traffic. The site currently serves more than 300,000 page views daily (on average) and a monthly total exceeding 9 million. It is no simple task to build an infrastructure able to sustain a site as popular as WPBeginner. Maintaining functionality, speed and availability in the face of attacks is a separate set of hurdles altogether.
WPBeginner.com was no exception to the rule. Over time, the site’s traffic began to present its own share of challenges. Serious challenges.
We would get a lot of feed attacks, which are aggressive DDoS-style attacks where bots would hit our feed and scrape it. We would try to block the caches, but there were times we would get 10s of 1000s of people with requests coming from just one IP address trying to get feed access, trying to bust the cache. Anytime they were able to bust the cache, they could DDoS the site.
In addition to suffering DDoS attacks, there was the issue of brute force attempts. The issue is so prevalent among the WordPress community that WPBeginner published a blog post about the malicious attempts years ago. To offer perspective, during one month (from August 2015 to September 2015) Sucuri tracked more than 1 billion brute force attempts on WordPress websites. The increased server load and consistent attacks weighed heavily on the site and caused performance problems that required the attention of a specialist and a large amount of Syed’s valuable time in direct management. When presented with this problem, Syed turned to a recommended.
The young entrepreneur, Syed (who is also the founder of OptinMonster and List25), always had both an appreciation for and an understanding of website security. However, a few years ago, Syed entrusted his personal website security to Sucuri in a move to maximize his time. The experience was greatly successful. Following several challenges with his other venture, Syed moved List25.com behind Sucuri’s Web Application Firewall (WAF) in early 2015. In the first few months after the move, he took note of a few important facts. The site had logged nearly 180,000 blocked malicious attempts.
From May 2015 to mid-August, the top 5 blocked occurrences were: Spam Comments, ~70,986 (39%); DDOS attempts, ~27,907 (15%); Bad Bot access, ~18,565 (10%); Brute Force attempts, ~15,047 (8%); Evasion attempts, ~10,575 (5.8%). All attempts were successfully thwarted, yet none of these attempts required Syed’s direct input or management or any significant involvement from his team. This consistent result led Syed to include WPBeginner.com in his Sucuri account.
The issues we’ve experienced in the past motivated this move. After I tested the Sucuri service on List25 and my personal site, I just committed to get additional sites added to my account.
Drawing from previous experience, Syed established high expectations for Sucuri security services, notably the Web Application Firewall. To be successful, the firewall needed to mitigate potential attacks (regardless of size or complexity) and reduce the amount of time Syed and his team spent on security for WPBeginner. Within weeks, the statistics showed that the expectation had been both met and exceeded.
Within the first three months, WPBeginner.com saw more than 450,000 blocked attacks. That is more than double the number of blocked attacks List25 saw in its first 3 months on the firewall.
The top 11 frequent types of blocked attacks were:

| # | Type of blocked attack | Blocked |
|---|---|---|
| 1 | Exploit blocked by virtual patching | 84,011 |
| 2 | Blacklisted IP address | 72,495 |
| 3 | Bad bot access denied | 72,495 |
| 4 | Backdoor location denied | 29,690 |
| 5 | DDOS attempt blocked | 29,676 |
| 6 | Fake bot access | 29,571 |
| 7 | Evasion attempt denied | 21,887 |
| 8 | Exploit blocked by virtual patching | 17,078 |
| 9 | Exploit blocked by virtual patching | 14,857 |
| 10 | Spam request blocked | 14,857 |
| 11 | Scanning tool blocked | 13,842 |

Though definitely a positive result, there was yet another equally intriguing fact. An often overlooked benefit of Sucuri’s WAF became blatantly obvious in the months following WPBeginner’s move onto CloudProxy. Syed states, plainly:
Our server load has come down on WPBeginner - insanely! Security is a big thing and is the primary reason we use Sucuri, but the added benefit is the speed aspect - because everything goes through the WAF and it’s that much faster.
Managing more than 9 million site visits per month is not a simple task. Maintaining site availability, especially at WPBeginner’s level of popularity, requires thoughtfulness in many different areas. Still, page load time and overall server load can easily become impactful issues. In this instance, WPBeginner’s server core use had previously peaked north of 3 cores and could quickly become overwhelmed in the event a DDOS or Brute Force attempt was made. After taking advantage of Sucuri’s Web Application Firewall, the situation was remedied.
For me, the biggest advantage of using Sucuri is I don’t have to get a server admin anymore. I don’t need a 5th admin, because before the 5th admin’s job was to monitor the server and recognize and mitigate any attacks. I had a 5th admin, part-time and I was paying $2,500/month to keep him on retainer.