Not needed by default, but can be used if a website is under attack.
Option 1: Use a firewall
A Web Application Firewall (WAF) can detect and block DDoS attacks. There are two options:
- A firewall from your hosting provider (best because it doesn't use your server's resources)
- A plugin like Wordfence or Sucuri.
Option 2: block IP addresses in .htaccess
Block a single IP address on each line, or all IP addresses in a network with the same subnet, as in the example (all IPs that have the same first 3 octets + any value for the last octet).
See also ‘IP Networks & subnet’ below.
Order Allow,Deny
Allow from all
Deny from 5.157.14.0/24
Deny from 45.152.199.0/24
Deny from 196.240.250.0/24
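To decide which networks belong in that list, here is an added example (not part of the original page) that counts search requests per /24 in an access log and prints the matching Deny lines. The log lines are constructed, and the Apache combined log format, the function names and the threshold of 3 are assumptions; review each network before blocking it, since a /24 can also contain legitimate visitors.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache "combined" log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2019:10:00:01 +0000] "GET /?s=aaa HTTP/1.1" 200 512 "-" "-"
203.0.113.77 - - [10/Apr/2019:10:00:01 +0000] "GET /?s=bbb HTTP/1.1" 200 512 "-" "-"
203.0.113.200 - - [10/Apr/2019:10:00:02 +0000] "GET /?s=ccc HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [10/Apr/2019:10:00:03 +0000] "GET /?s=shoes HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [10/Apr/2019:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 512 "-" "-"
192.0.2.14 - - [10/Apr/2019:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "-"
"""

# client IP ... "METHOD request-target PROTOCOL"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')


def search_hits_per_network(log_text, prefix=24):
    """Count requests that carry an s= parameter, grouped by IPv4 network."""
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        client, target = match.groups()
        if "s" not in parse_qs(urlsplit(target).query, keep_blank_values=True):
            continue  # not a WordPress search request
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or garbage in the client field
        if addr.version == 4:
            hits[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    return hits


def deny_lines(hits, threshold=3):
    """Return .htaccess 'Deny from' lines for networks at or above threshold."""
    return [f"Deny from {net}" for net, n in sorted(hits.items()) if n >= threshold]


if __name__ == "__main__":
    print("\n".join(deny_lines(search_hits_per_network(SAMPLE_LOG))))
```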
Option 3: only allow access to URLs with /?s from your own website and return 403 Forbidden for other referers
If a request comes with a query string like ?s=value but was not referred from your own website, it will be blocked with a 403 Forbidden response.
Change www.mydomain.com to your own domain, keeping the backslash before each dot.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^s=([^&]+)$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www\.mydomain\.com(/|$)
RewriteRule ^(.*)$ - [F,L]
Option 4: completely disable the WP search feature
Source: https://blog.sucuri.net/2019/04/ddos-targeting-wordpress-search.html
RewriteEngine On
RewriteCond %{QUERY_STRING} ^s=([^&]+)$ [NC]
RewriteRule ^(.*)$ - [F,L]