It’s becoming more common for small business websites to be swamped by huge amounts of traffic: a denial of service (DoS) or distributed denial of service (DDoS) attack. More frequently than ever, I’m seeing people apply inappropriate solutions that cause other problems. After reading this post, you’ll understand some guidelines for what to do when.
tl;dr: First make sure what you think is an attack actually is one. Don’t block an attack from within the website; no PHP plugin or .htaccess editing. Block it at the server firewall, or install one of the many programs that detect and block attacks before they reach the website software. If the attack’s too large for that, use a third-party, off-site solution such as Cloudflare or Sucuri.
Story of a typical DoS attack
Attacks on a website can take many forms. In this post I’m not discussing website break-ins such as those that install malware or phishing pages. Those attacks try to launch an attack on someone else via your website.
The type of attack I’m discussing here is called a Denial of Service or DoS attack. It occurs when an attacker sends so much traffic to your website that the web server can’t cope, and legitimate visitors can’t get through.
You usually discover your website is under attack when you find you can’t access your website, so you contact your web designer or developer. They investigate, and respond with the unwelcome news that someone is attacking your website. You ask them to solve the problem, and they do their best.
But most web designers, developers and administrators have little to no experience in dealing with DoS attacks. Clearly they aren’t network engineers, so most also do not understand the pros and cons of different approaches to dealing with an attack. And that’s perfectly reasonable: the website is their area of expertise, not the network.
So your web expert does some research. They find someone else who had the same problem and solved it. Lacking the relevant technical knowledge, they expect the same solution will work for them. They make the recommended changes to your website, and now you can access the front page of your website again.
Or is it?
Over the last year or so I’ve started meeting more and more people who are having website problems, which are eventually traced back to the "solution" I describe above. The symptoms have varied:
website too slow
not easily visible on Google
lots of visitors, but few conversions
intermittent unexplained website outages
complaints from users that the website keeps blocking them (this one manifests in lots of different ways)
So what should you do?
Is it really a DoS Attack?
First you should confirm it really is a DoS attack.
I know this sounds a bit strange. You’ve been told it is, so it must be, right? Maybe not. Most web designers for smaller businesses have heard of DoS attacks, but have never seen a genuine one. There are several website issues that may look like a DoS attack to someone who hasn’t seen one before.
Remember I said before I’ve been seeing badly fixed DoS attacks on websites? Turns out most of them weren’t actually DoS attacks after all: not only did they implement the wrong response to a DoS attack, they didn’t even need the right response.
The most common culprits I’ve seen are:
a handful of people trying to break into the website (the most common)
a misbehaving bot
a genuine bot the web designer’s not heard of
a sharing plugin the designer’s installed
a successful marketing campaign
What makes these visits look like an attack?
They often request multiple items per second from the website
The set of items requested may not match what you’d expect a human to request
They may identify themselves as something your web designer’s not heard of
Some of these are probably unwanted traffic, and you might consider blocking them (I’ll discuss how later), but if any of these visits are adversely affecting your website, you’ve already got a bigger problem you need to solve first.
Dealing with non-DoS "Attacks"
When you first make your website live, the only visitors you’ll have are you and people you know. Which means there’ll normally be, at most, one person at a time looking at the website.
As you promote your website, and Google indexes it, the number of people viewing your website will slowly grow. Once in a while, you’ll have multiple people viewing the website at the same time. As your success grows further, you’ll have more simultaneous visitors more often.
This is good. You want lots of interested people looking at your website. You want them all to find your website fast and reliable.
But if your website cannot cope with a few people trying to break in, or a bot or two, then it’s unlikely to cope with multiple genuine visitors. And that’s a bigger problem than the unwanted traffic.
A typical website that’s fast when there’s only one visitor may also be just as fast for two visitors. And three. And four. But all websites will suddenly slow down when their capacity is reached. Maybe it behaves as well for 90 simultaneous visitors as for 1 visitor, but suddenly grinds to a halt when the number of simultaneous visitors nears 100. If so, that’s pretty good for a small business website. You won’t even notice these non-DoS attacks.
But if your website struggles to cope with a few people trying to break in, its capacity might be closer to 3 simultaneous visitors than 100. That’s not good enough for any business website owner who wants to grow the genuine traffic to their website.
Forget about the "attack". Fix the capacity issue. Blocking the "attack" instead just temporarily hides the real problem.
There is no single best approach to increasing your website’s capacity to respond to simultaneous visitors. Typically there are multiple changes that are needed: increasing the capacity is a very technical task. You (or the person you hire) will need to deal with complex technical settings and jargon: unfortunately there’s no other option.
Here are some of the things you may need to add, move, replace or reconfigure:
caching on the server (at multiple levels)
caching off the server
your website’s code (especially plugins)
your web server’s configuration
your hosting plan
your hosting company
multiple servers, for example one server for the website, a second for the database
While you’re making these changes, don’t block the "attacker" unless there’s a potential security issue. They’re actually doing you a favour, letting you confirm your website will cope when it achieves genuine success.
Dealing with genuine DoS Attacks
A genuine DoS attack is easy to deal with, if it’s small. However, if it’s big, or it’s a full DDoS attack, then you’ll need to call in some professional assistance.
A DDoS attack is a Distributed Denial of Service attack. Whereas all the traffic in a DoS attack comes from one place, the traffic during a full DDoS attack comes from many places all over the world. The key difference between an attack you can deal with yourself and one you can’t is how many different places (IP addresses) the traffic’s coming from and how often those places change.
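The signs listed under "Is it really a DoS Attack?" (requests per second, what is requested, how the visitor identifies itself) and the number of source addresses described above can all be read from the web server's access log. The following Python is an added example, not code from the original post; it assumes the Apache/Nginx "combined" log format, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

def _line(ip, sec, request, agent):
    return (f'{ip} - - [12/Mar/2024:10:15:{sec:02d} +0000] "{request} HTTP/1.1" '
            f'200 512 "-" "{agent}"')

# Constructed sample: one noisy source hitting the login form, two ordinary visits.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST /login", "curl/8.4.0") for s in (1, 1, 1, 2, 2, 3)]
    + [_line("198.51.100.20", 1, "GET /", "Mozilla/5.0"),
       _line("198.51.100.20", 5, "GET /about", "Mozilla/5.0"),
       _line("192.0.2.55", 4, "GET /robots.txt", "ExampleBot/1.0"),
       "truncated line that does not parse"])

def triage(log_text, top_n=3):
    """Summarise who is sending the traffic, how fast, and what they ask for."""
    hits = Counter()
    per_second = defaultdict(Counter)   # ip -> {timestamp (1 s resolution): hits}
    paths = defaultdict(Counter)        # ip -> {path: hits}
    agents = {}                         # ip -> last User-Agent seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                    # skip lines that are not in combined format
        ip = m["ip"]
        hits[ip] += 1
        per_second[ip][m["ts"]] += 1
        paths[ip][m["path"]] += 1
        agents[ip] = m["agent"]
    total = sum(hits.values())
    top = [{"ip": ip, "hits": n, "share": round(n / total, 2),
            "peak_per_second": max(per_second[ip].values()),
            "top_path": paths[ip].most_common(1)[0][0],
            "agent": agents[ip]}
           for ip, n in hits.most_common(top_n)]
    return {"total": total, "sources": len(hits), "top": top}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f'{report["total"]} requests from {report["sources"]} sources')
    for row in report["top"]:
        print(row)
```

A handful of sources with a large share and a login page as the top path points to break-in attempts rather than a DoS attack; a long list of sources that keeps changing between runs is the distributed case.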
Blocking small DoS attacks
Once you’ve determined the attack is small enough that you can deal with it yourself, you need to make sure you do so in a way that won’t impede your website. Don’t do either of these:
install a PHP-based plugin into your website
add blocking rules to .htaccess
These are the sorts of "solutions" that eventually cause problems. Either of these options will slow your website for every single visitor, and decrease your website’s capacity to respond to simultaneous visitors.
I’ve also seen several cases where a PHP plugin inadvertently blocked desired search engines from seeing the website, preventing the website being visible on places such as Duck Duck Go and reducing visibility on Google. There’s not much point implementing SEO on your website if Google can’t see what you’ve done.
The reasons why you should avoid website-based approaches quickly become technical, but essentially these options are still expecting the website to respond to the traffic. While the website’s busy responding to the attack traffic, it’s not responding to genuine traffic.
What you want is to block the unwanted traffic before it reaches the website. That way that traffic cannot directly slow down the website. Potentially it could still slow down the underlying server, but if the attack’s big enough to do that you need professional help.
For a small attack, the best option is to block the traffic at the server firewall. Whether you can do this largely depends on your hosting. In general you won’t be able to if you’re using cheap shared hosting.
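One way to block at the firewall, as an added example that is not part of the original post: this Python builds an nftables ruleset that drops traffic from a short list of source addresses before it reaches the web server. It assumes a Linux server where you have root access and nftables; the table and set names, the allowlist and the sample addresses are constructed for illustration.

```python
import ipaddress

# Assumed allowlist (constructed values): sources that must never be blocked,
# such as your own office network or an uptime monitor.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "198.51.100.0/24")]

def build_ruleset(offenders, timeout="1h", allowlist=ALLOWLIST):
    """Return (nft_ruleset_text, skipped); table/set names are illustrative."""
    sets = {4: set(), 6: set()}
    skipped = []
    for raw in offenders:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        if any(addr in net for net in allowlist):
            skipped.append((raw, "allowlisted"))
            continue
        sets[addr.version].add(addr)    # a set removes duplicates

    def nft_set(name, kind, addrs):
        lines = [f"  set {name} {{", f"    type {kind}", "    flags timeout"]
        if addrs:   # leave out the elements line when there is nothing to block
            items = ", ".join(f"{a} timeout {timeout}" for a in sorted(addrs))
            lines.append(f"    elements = {{ {items} }}")
        return lines + ["  }"]

    body = (["table inet dosblock {"]
            + nft_set("blocked4", "ipv4_addr", sets[4])
            + nft_set("blocked6", "ipv6_addr", sets[6])
            + ["  chain input {",
               "    type filter hook input priority 0; policy accept;",
               "    ip saddr @blocked4 drop",
               "    ip6 saddr @blocked6 drop",
               "  }", "}"])
    return "\n".join(body) + "\n", skipped

if __name__ == "__main__":
    # Constructed input, e.g. the noisy sources found in the access log.
    text, skipped = build_ruleset(["203.0.113.7", "203.0.113.7", "2001:db8::bad",
                                   "198.51.100.20", "not-an-ip"])
    print(text)
    print("skipped:", skipped)
```

The output is loaded with `nft -f`; because each entry carries a timeout, a block expires on its own instead of staying in place long after the traffic has stopped.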
If you use one of the cheaper business-grade hosting services and they don’t support blocking the traffic before it reaches the website, there is a half-way option they may support. The web server software they use (for example, Apache or Nginx) may support a type of rate limiting functionality. While not quite as good as blocking the unwanted traffic earlier, this solution is better than one based on .htaccess files and significantly better than any PHP-based approach.
Another tip: some people will tell you attacks always come from China or Russia, so all you need to do is block those countries. The attacks I’ve seen that come from China or Russia have been small ones; a genuine attacker will be able to attack from almost any country and will simply switch to a different country if you do block their first country of choice. Most of the attack traffic I’ve seen was from the USA.
Blocking big DoS and DDoS attacks
For big attacks, you really need to stop the traffic before it even arrives at the server. That means signing up for some sort of third-party protection. You should definitely do this if:
your hosting company has contacted you and said they’re disabling (or "null routing") your website because the attack is affecting their other customers
you’ve tried the options mentioned above, and they weren’t sufficient
your hosting company doesn’t allow you to block the traffic before it reaches your website, and you don’t want to switch hosting companies
the attacker is attacking the server, rather than directly attacking the website
Now you know that blocking DoS or DDoS attacks from within the website is more likely to cause you problems later than it is to actually fix anything.
If a small attack is sufficient to cause problems for your website, then a small amount of success will also cause problems. After all, a small DoS attack in essence has the same effect as a successful social media post, and you don’t want to miss out on success because your website can’t cope with it. Better to optimise your website so it doesn’t even notice small attacks, then you’ll know it can also cope with success.
Larger attacks should be blocked either at the server level, or before they even reach the server. You have several options here. The easiest and quickest is probably to sign up to a service such as Cloudflare or Sucuri.
And an extra tip for those wanting to block Google Analytics spam: most of it only pretends to visit your website. Blocking it at the website level using .htaccess has the same issues as blocking an attack that way, but suffers the additional problem that it won’t actually achieve anything. There are much better ways to fight Google Analytics spam.