
Configuring CDN Security

QUIC.cloud provides several protections against DDoS attacks. The QUIC.cloud dashboard allows you to enable and configure reCAPTCHA & WordPress Brute Force Defense, and you may also restrict XML-RPC requests if you wish. Configurable allow and block lists are provided for access control.

While there are many WordPress plugins available to provide security features, CDN-level protections are both more effective and more efficient.

So, let’s look at what you can do with QUIC.cloud.

Start by visiting your QUIC.cloud Dashboard. Choose the domain you wish to configure. Then, navigate to CDN > CDN Config > Security. You should see sections for Anti-DDoS, Access Control, and reCAPTCHA Settings.

Anti-DDoS

reCAPTCHA & WP Brute Force Defense


This setting can help protect against flood attacks. We highly recommend keeping it ON at all times, with the possible exception of when you are running benchmarks. Your domain’s reCAPTCHA activation parameters are configurable via the Connection Limit and Max Login Attempts settings.

Connection Limit

Valid values range from 0 (no limit) to 10000. The default limit is 2000, which means reCAPTCHA will be activated for your visitors when there are 2000 or more concurrent connections to your domain at any given node. (Tip: If you have been a QUIC.cloud user for a long time, your Connection Limit may be set to 0, as that was the original default.)

The Connection Limit that you set here applies only to this domain’s visitors at a single CDN node. There is also a connection limit set for the CDN node as a whole, and it may vary from node to node. The node-level limits are set by QUIC.cloud and take all connections to that node into account, regardless of which domain is involved.

The limit you set here for your domain will supplement node-level limits, but it will not replace them. As such, reCAPTCHA may be activated for your domain’s visitors, if the node-level limits have been crossed, even if your domain limits have not.

If you prefer, you can choose not to set domain-level limits at all (set Connection Limit to 0), and just let the CDN handle it at the node level.

Here’s an example that might help illustrate the concept. Given the following facts:

  • Your domain example.com is regularly served from CDN Node A and CDN Node B.
  • Node A has a connection limit of 10
  • Node B has a connection limit of 20
  • You’ve set Connection Limit for example.com to 15.

If there are 16 visitors to example.com, and they all hit Node B, example.com’s per-node limit of 15 will be crossed and reCAPTCHA will be activated.

If there are 24 visitors to example.com, and 12 go to Node A while the other 12 go to Node B, only the Node A visitors will see a reCAPTCHA, because Node A’s limit of 10 was crossed, but Node B’s limit of 20 was not, and neither was example.com’s per-node limit of 15.
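The two scenarios above can be checked with a small model of the trigger logic. This is an added illustration, not QUIC.cloud's code: the names `Node`, `recaptcha_reasons` and `evaluate` are hypothetical, and it assumes both limits trigger once the count reaches the limit. It also covers two cases the text describes but the scenarios do not: a Connection Limit of 0, and other domains' traffic filling a node.

```python
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    node_limit: int          # set by QUIC.cloud, may differ per node
    other_domains: int = 0   # concurrent connections for other domains


def recaptcha_reasons(domain_conns, node, domain_limit):
    """Return which limits are reached for one domain at one node."""
    reasons = []
    # Domain limit counts only this domain's connections at this node;
    # 0 means no domain-level limit is set.
    if domain_limit > 0 and domain_conns >= domain_limit:
        reasons.append("domain")
    # Node limit counts every connection to the node, whatever the domain.
    # Assumption: the node limit is also modelled as "reached" (>=).
    if domain_conns + node.other_domains >= node.node_limit:
        reasons.append("node")
    return reasons


def evaluate(distribution, nodes, domain_limit):
    """distribution maps node name -> this domain's concurrent connections."""
    return {name: recaptcha_reasons(conns, nodes[name], domain_limit)
            for name, conns in distribution.items()}


# Node limits taken from the example in the text.
NODES = {"A": Node("A", 10), "B": Node("B", 20)}

if __name__ == "__main__":
    print(evaluate({"B": 16}, NODES, 15))           # domain limit reached on B
    print(evaluate({"A": 12, "B": 12}, NODES, 15))  # only node A's limit reached
    print(evaluate({"B": 16}, NODES, 0))            # no domain limit, node B fine
    busy = {"B": Node("B", 20, other_domains=10)}   # constructed: shared node
    print(evaluate({"B": 12}, busy, 15))            # node limit reached by others
```

An empty list for a node means visitors there see no reCAPTCHA; the last case shows why a domain can be challenged while well under its own Connection Limit.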

Max Login Attempts

This setting defines the maximum number of login attempts any IP address can make before reCAPTCHA is activated. The default is 10, but you can use 0 to require reCAPTCHA activation on every login attempt. After 5 minutes of inactivity, the login attempt count is reset. (Tip: If you have been a QUIC.cloud user for a long time, your Max Login Attempts may be set to 10, as that was the original default.)

Trusted IP addresses are exempt and will not be shown a reCAPTCHA for any number of login attempts.

Protect From Bad Visitor


If your site is under attack right now, set Protect From Bad Visitor to ON. This will enable reCAPTCHA immediately for every visitor.

When the attack is over, turn this setting back OFF, and reCAPTCHA will revert to being controlled by the Connection Limit and Max Login Attempts settings as before.

Restrict XML-RPC requests

This setting defaults to OFF. When OFF, POST requests to XML-RPC will be allowed unless we detect a request that results in a 403 error code. Upon detection of a 403, all non-trusted IP requests for XML-RPC for the next five minutes will automatically see a 403 error.

Turn this setting ON to always show a 403 error to non-trusted IP addresses which attempt POST requests to XML-RPC.

Access Control


Exert more fine-grained control over the IP addresses you allow to visit your domain.

Those IP addresses on the Allowlist will be allowed access to your site without being subjected to any security checks. Only add IPs you trust to this list.

Those IP addresses on the Blocklist will automatically be blocked from your site.

reCAPTCHA Settings

reCAPTCHA Type

QUIC.cloud currently supports reCAPTCHA v2. With this version you can have either a Checkbox or Invisible reCAPTCHA. Select your preference in this setting.

Max Tries

How many tries will you give your visitors to successfully complete a reCAPTCHA challenge? Any number from 1 to 10 is valid. The default is 3.

Bots Whitelist

Bots listed here are not subject to any configured reCAPTCHA connection limits. Instead, bots that match this list will be allowed 100 visits per 10 seconds per IP to a single node. Please be careful with this setting. Only whitelist a bot if necessary. It is easy to spoof a user agent in order to bypass site security.

An entry is considered a match if it is found anywhere in the User-Agent header. Enter one bot per line. Regex is allowed.

Let’s look at an example. Assume we’ve added the following to the Bots Whitelist:

^mobile$
agoodbot

We will get the following results:

  • User-Agent: mobile: MATCH – regex exact match
  • User-Agent: notmobile: NO MATCH – does not begin with m, does not contain agoodbot
  • User-Agent: goodbot: NO MATCH – does not match the regex, does not contain agoodbot
  • User-Agent: thisisagoodbot: MATCH – contains agoodbot
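Before saving a Bots Whitelist, it helps to test each entry against ordinary browser User-Agents, since an entry that is found anywhere in the header can exempt far more than the intended bot. The following is an added example, not QUIC.cloud's matcher: it assumes Python `re` search semantics and case-sensitive matching, and the function names and sample User-Agent strings are constructed for illustration.

```python
import re

# The two entries from the example above.
WHITELIST = ["^mobile$", "agoodbot"]

# Constructed sample User-Agent strings for ordinary browsers.
BROWSER_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
    "AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
]


def matching_entry(user_agent, entries):
    """Return the first entry found anywhere in the User-Agent, else None."""
    for entry in entries:
        # search(), not fullmatch(): a plain word acts as a substring test
        # unless the entry anchors itself with ^ and $.
        # Assumption: matching is case-sensitive.
        if re.search(entry, user_agent):
            return entry
    return None


def audit(entries, browser_uas=BROWSER_UAS):
    """Flag entries that are invalid or that also match browser traffic."""
    findings = {}
    for entry in entries:
        try:
            pattern = re.compile(entry)
        except re.error as exc:
            findings[entry] = f"invalid regex: {exc}"
            continue
        hits = [ua for ua in browser_uas if pattern.search(ua)]
        if hits:
            findings[entry] = f"matches {len(hits)} browser User-Agent(s)"
    return findings


if __name__ == "__main__":
    for ua in ["mobile", "notmobile", "goodbot", "thisisagoodbot"]:
        print(ua, "->", matching_entry(ua, WHITELIST))
    print(audit(["Mobile", "Safari", "agoodbot", "("]))
```

Any entry that `audit` reports would place matching browser visitors under the bot rate allowance instead of the reCAPTCHA connection limits, so narrow or anchor it before adding it to the list.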

Googlebot and bingbot are considered ‘good’ bots by default and are already on the allowlist. Some other bots you may or may not want to add:

  • facebookexternalhit: Facebook External Hit
  • UptimeRobot: Uptime Robot
  • Twitterbot: Twitter Bot
  • yandex: Yandex

Custom reCAPTCHA Keys (optional)

QUIC.cloud has a default set of keys that we use to control the configuration.

If you want more control over the reCAPTCHA configuration for your domain, you can supply your own set of keys from Google. Enter the values into reCAPTCHA Site Key and reCAPTCHA Secret Key as appropriate.
