Hello. I own a website and design them competitively as well. Unfortunately, while setting up contextual advertising on Google, I mistakenly activated it for all of Russia.

This resulted in my website being attacked and going down within a couple of hours. I recently connected with Cloudflare, but I'm unsure if it will help with the ongoing attack. The site is currently under an HTTP flood attack. Are there any other ways to protect my website?

I've heard about firewalls and plugins for WordPress (which is what my website uses), but expensive hosting is currently out of my reach. Can you please assist me?

Are you positive that this is a targeted assault? What data are you using to come to your conclusion? In my experience, there were patients whose server generated the main page using an SQL query with a lot of join statements, with a complete lack of caching, with a specific configuration (nginx on windows). The site ceased to function with 30 concurrent clients. It was difficult to explain this to these types of people if external traffic filtering measures could only ensure the server's operability if it was available to a narrow circle of web clients.

You connected to Cloudflare yesterday, but it's uncertain if it will assist with an already occurring attack. It may, but attackers could still find out the IP address to which Cloudflare redirects traffic and direct the attack accordingly. As a result, additional security measures are required on your hosting, such as prohibiting incoming traffic except for redirected traffic from Cloudflare.

In terms of a Http flood attack, as a networker, I would suggest exploring additional security measures like hardware solutions only if incoming traffic to the server makes up a significant proportion of the interface bandwidth (50-60%). Ideally, the server should be able to withstand the line-rate volume of traffic, or the volume of traffic that fully utilizes the bandwidth of the network interface. External solutions should only be considered after optimizing the server and immature optimization in this case can be harmful. However, services like Cloudflare can be useful in certain cases, such as yours.

If there are many requests from non-targeted countries, such as when a possible attacker purchases a cheap botnet, you can try filtering clients by country using GeoIP databases though be ready for definition errors. Caching settings are also worth considering.
 
If expensive hosting isn't possible, consider purchasing a VPS and configuring caching using Cloudflare. This provides flexibility in settings. Although shared hosting may be more resistant to some attacks than a low-cost VPS in exceptional situations.

Overall, you've done what you can by connecting to Cloudflare. To continue configuring, you must understand the subtleties of your website. DDoS attacks may not be present in your situation. Consider organizing appropriate support for your website by hiring a system administrator or learning more about system administration yourself.

To achieve better results, it's advisable to opt for the cheapest AntiDDoS instead of just relying on plugins and firewalls without understanding the attack principles.
If you're keen on doing it yourself, we suggest using tools like ab, hping, etc. to check your site for loads that cause it to become slow, and adjust the engine accordingly while closing off the firewall.

This will help you gain a better understanding of the issues affecting your site. It's important to note that Http flood attacks come in many forms, therefore specific details are required to effectively address them.

Instead of attacking, your advertising company can maintain a strong performance by investing in a powerful server and optimizing the server-side and the code base.
Choosing a host that offers a built-in free Anti-DDoS solution is also a good option such as USweb or OVH.

Given the HTTP flood attack that your website is experiencing, implementing additional security measures is essential, especially when expensive hosting may not be immediately feasible.

Firstly, Cloudflare can certainly offer valuable protection against DDoS attacks, including HTTP flood attacks, by distributing traffic across its global network and filtering out malicious requests. However, it's important to ensure that you have configured Cloudflare's settings optimally for your specific needs. Specifically, you can explore Cloudflare's "I'm Under Attack" mode, which provides additional protection against advanced DDoS attacks.

Additionally, considering the WordPress platform your website utilizes, it's imperative to strengthen the security posture at the application level. Look into reputable security plugins for WordPress that offer features such as firewall protection, malware scanning, and login security enhancements. While some security plugins may come with a cost, there are affordable options available that can significantly improve your website's defenses.

Furthermore, since you mentioned contextual advertising on Google as a potential entry point for the attack, it's crucial to review and adjust your advertising settings to prevent unwanted traffic and potential attack vectors. Ensure that you're targeting the appropriate audience and geographical locations to minimize exposure to malicious traffic.

In terms of cost-effective hosting solutions, consider exploring shared hosting providers that offer robust security features and DDoS protection as part of their packages. It's essential to research and select a reputable hosting provider with a proven track record in mitigating DDoS attacks.

Lastly, keep regular backups of your website's data and configurations so that you can quickly restore your site in the event of an attack. Maintaining up-to-date backups ensures that your website can be swiftly recovered without significant data loss.

Here are some detailed steps you can take to enhance your website's security without requiring expensive hosting:

1. Fine-Tune Cloudflare Settings: Ensure that Cloudflare is configured to provide optimal protection against DDoS attacks. Adjust the security settings within your Cloudflare account, such as enabling "I'm Under Attack" mode, which adds an additional layer of protection against sophisticated attacks. Explore other features like rate limiting and Web Application Firewall (WAF) rules to filter out malicious traffic.

2. WordPress Security Plugins: Utilize reputable security plugins specific to WordPress that offer comprehensive protection against various types of attacks. Look for plugins that include features such as firewall protection, IP blocking, and traffic monitoring. While some security plugins may come with a cost, there are affordable options available that can significantly bolster your website's defenses.

3. Targeted Advertising Settings: Review and adjust your Google Ads and contextual advertising settings to target specific geographical locations and audiences, thereby reducing the exposure to unwanted and potentially malicious traffic. This targeted approach can help mitigate the impact of future attacks stemming from unintended ad targeting.

4. Affordable Hosting Solutions: Research shared hosting providers known for their robust security measures and DDoS protection. While cost-effective, reputable shared hosting services often include security features such as web application firewalls, regular security updates, and proactive monitoring for suspicious activities.

5. Regular Backups: Implement a reliable backup strategy to ensure that your website's data and configurations are regularly and securely backed up. This practice will enable you to quickly restore your site in the event of an attack, minimizing potential data loss and downtime.

6. Code-level Security Measures: Consider implementing additional code-level security practices within your website, such as input validation, output encoding, and secure coding standards, to protect against common web application vulnerabilities.

I strongly recommend a multi-layered approach to security, combining the capabilities of services like Cloudflare with targeted security plugins for WordPress and conscientious hosting choices. By taking these detailed measures, you can significantly improve your website's resilience against ongoing and future attacks, even within budgetary constraints.

DNS requests with the victim's spoofed source IP address to a DNS server. When the server receives the request, it responds to the victim with a large response.