QUIC.cloud provides several protections against DDoS attacks. The QUIC.cloud dashboard allows you to enable and configure reCAPTCHA & WordPress Brute Force Defense, and you may also restrict XML-RPC requests if you wish. Configurable allow and block lists are provided for access control.
While there are many WordPress plugins available to provide security features, CDN-level protections are both more effective and more efficient.
So, let’s look at what you can do with QUIC.cloud.
Start by visiting your QUIC.cloud Dashboard. Choose the domain you wish to configure. Then, navigate to CDN > CDN Config > Security. You should see sections for Anti-DDoS, Access Control, and reCAPTCHA Settings.
reCAPTCHA & WP Brute Force Defense
This setting can help protect against flood attacks. We highly recommend keeping it ON at all times, with the possible exception of when you are running benchmarks. Your domain’s reCAPTCHA activation parameters are configurable via the Connection Limit and Max Login Attempts settings.
Valid values range from 0 (no limit) to 10000. The default limit is 2000, which means reCAPTCHA will be activated for your visitors when there are 2000 or more concurrent connections to your domain at any given node. (Tip: If you have been a QUIC.cloud user for a long time, your Connection Limit may be set to 0, as that was the original default.)
The Connection Limit that you set here applies only to this domain’s visitors at a single CDN node. There is also a connection limit set for the CDN node as a whole, and it may vary from node to node. The node-level limits are set by QUIC.cloud and take all connections to that node into account, regardless of which domain is involved.
The limit you set here for your domain will supplement node-level limits, but it will not replace them. As such, reCAPTCHA may be activated for your domain’s visitors, if the node-level limits have been crossed, even if your domain limits have not.
If you prefer, you can choose not to set domain-level limits at all (set Connection Limit to 0), and just let the CDN handle it at the node level.
Here’s an example that might help illustrate the concept. Given the following facts:
- Your domain example.com is regularly served from CDN Node A and CDN Node B.
- Node A has a connection limit of 10.
- Node B has a connection limit of 20.
- You’ve set Connection Limit for example.com to 15.
If there are 16 visitors to example.com, and they all hit Node B, example.com’s per-node limit of 15 will be crossed and reCAPTCHA will be activated.
If there are 24 visitors to example.com, and 12 go to Node A while the other 12 go to Node B, only the Node A visitors will see a reCAPTCHA, because Node A’s limit of 10 was crossed, but Node B’s limit of 20 was not, and neither was example.com’s per-node limit of 15.
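The two scenarios above can be checked with a small model of how the domain-level and node-level limits combine. This is an added example, not QUIC.cloud code: the function and class names are hypothetical, visitors are treated as concurrent connections, and a limit is assumed to be crossed at "limit or more" connections, following the "2000 or more" wording.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    node_limit: int  # set by QUIC.cloud; counts connections for every domain on the node

def triggers(node, domain_limit, domain_conns, other_conns=0):
    """Return which limits activate reCAPTCHA for one domain's visitors at one node.

    Assumption: a limit is crossed at "limit or more" connections.
    domain_limit == 0 means no domain-level limit is set.
    """
    hit = []
    if domain_limit != 0 and domain_conns >= domain_limit:
        hit.append("domain")
    # The node-level limit sees all traffic on the node, not just this domain's.
    if domain_conns + other_conns >= node.node_limit:
        hit.append("node")
    return hit

def evaluate(nodes, domain_limit, conns_by_node):
    """Map node name -> list of crossed limits (empty list: no reCAPTCHA)."""
    return {n.name: triggers(n, domain_limit, conns_by_node.get(n.name, 0))
            for n in nodes}

# Figures from the page's example.
NODES = [Node("A", 10), Node("B", 20)]
DOMAIN_LIMIT = 15

if __name__ == "__main__":
    print(evaluate(NODES, DOMAIN_LIMIT, {"B": 16}))           # all 16 visitors on Node B
    print(evaluate(NODES, DOMAIN_LIMIT, {"A": 12, "B": 12}))  # 24 visitors split evenly
    print(evaluate(NODES, 0, {"B": 16}))                      # domain limit disabled
```

With the domain limit set to 0, the same 16 connections on Node B no longer trigger reCAPTCHA until the node as a whole reaches its own limit.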
Max Login Attempts
This setting defines the maximum number of login attempts any IP address can make before reCAPTCHA is activated. The default is 10, but you can use 0 to require reCAPTCHA activation on every login attempt. After 5 minutes of inactivity, the login attempt count is reset. (Tip: If you have been a QUIC.cloud user for a long time, your Max Login Attempts may be set to 10, as that was the original default.)
Trusted IP addresses are exempt and will not be shown a reCAPTCHA for any number of login attempts.
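To see what a given Max Login Attempts value would mean for your own traffic, you can replay login timestamps against the rules described above. This is an added example, not QUIC.cloud code: the function names are hypothetical, the events are constructed, and it assumes that attempts beyond the maximum are the ones that meet reCAPTCHA and that challenged attempts still count toward the total.

```python
from datetime import datetime, timedelta

RESET_AFTER = timedelta(minutes=5)  # inactivity window stated on the page

def challenged_attempts(events, max_attempts, trusted=frozenset()):
    """Return {ip: number of login attempts that would have met reCAPTCHA}.

    events: iterable of (timestamp, ip) for POSTs to the login page.
    max_attempts == 0 challenges every attempt; trusted IPs are never challenged.
    """
    state = {}       # ip -> (attempt count, time of last attempt)
    challenged = {}
    for ts, ip in sorted(events):
        if ip in trusted:
            continue
        count, last = state.get(ip, (0, ts))
        if ts - last >= RESET_AFTER:   # quiet for 5 minutes: counter starts over
            count = 0
        count += 1
        state[ip] = (count, ts)
        if count > max_attempts:
            challenged[ip] = challenged.get(ip, 0) + 1
    return challenged

# Constructed sample events (documentation IP ranges), not real log data.
T0 = datetime(2024, 1, 1, 12, 0, 0)

def burst(ip, start_s, n, gap_s):
    """n attempts from ip, gap_s seconds apart, starting start_s after T0."""
    return [(T0 + timedelta(seconds=start_s + i * gap_s), ip) for i in range(n)]

SAMPLE = (
    burst("203.0.113.7", 0, 14, 10)       # steady guessing, no pauses
    + burst("198.51.100.20", 0, 3, 20)    # three tries ...
    + burst("198.51.100.20", 400, 3, 20)  # ... then three more after a 6-minute gap
    + burst("192.0.2.10", 0, 30, 5)       # trusted address, e.g. an office IP
)

if __name__ == "__main__":
    for limit in (10, 2, 0):
        print(limit, challenged_attempts(SAMPLE, limit, trusted={"192.0.2.10"}))
```

At a limit of 2, the client that pauses for more than five minutes is challenged only twice, because its counter resets between bursts.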
Protect From Bad Visitor
When the attack is over, turn this setting back OFF, and reCAPTCHA will revert to being controlled by the Connection Limit and Max Login Attempts settings as before.
Restrict XML-RPC requests
This setting defaults to OFF. When OFF, POST requests to XML-RPC will be allowed unless we detect a request that results in a 403 error code. Upon detection of a 403, all non-trusted IP requests for XML-RPC for the next five minutes will automatically see a
Turn this setting ON to always show a 403 error to non-trusted IP addresses which attempt POST requests to XML-RPC.
Those IP addresses on the Allowlist will be allowed access to your site without being subjected to any security checks. Only add IPs you trust to this list.
Those IP addresses on the Blocklist will automatically be blocked from your site.
QUIC.cloud currently supports reCAPTCHA v2. With this version you can have either a
Invisible reCAPTCHA. Select your preference in this setting.
How many tries will you give your visitors to successfully complete a reCAPTCHA challenge? Any number from
10 is valid. The default is
Bots listed here will ignore any configured reCAPTCHA connection limits. Instead, bots that match this list will be allowed 100 visits per 10 seconds per IP to a single node. Please be careful with this setting. Only whitelist a bot if necessary. It is easy to spoof a user agent in order to bypass site security.
An entry is considered a match if it is found anywhere in the User-Agent header. Enter one bot per line. Regex is allowed.
Let’s look at an example. Assume we’ve added the following to the Bots Whitelist:
We will get the following results:
User-Agent: mobile: MATCH – regex exact match
User-Agent: notmobile: NO MATCH – does not begin with m, does not contain
User-Agent: goodbot: NO MATCH – does not match the regex, does not contain
User-Agent: thisisagoodbot: MATCH – contains
bingbot are considered ‘good’ bots by default and are already on the allowlist. Some other bots you may or may not want to add:
facebookexternalhit: Facebook External Hit
UptimeRobot: Uptime Robot
Twitterbot: Twitter Bot
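Before adding an entry to the Bots Whitelist, it helps to check which User-Agent values it would actually exempt, since an entry matches anywhere in the header. This is an added example, not QUIC.cloud code: the function names and sample User-Agent strings are constructed, and Python's case-sensitive re module is assumed as a stand-in for the CDN's regex matching.

```python
import re

# Constructed User-Agent values standing in for a sample from your own access logs.
OBSERVED = [
    "Mozilla/5.0 (compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)",
    "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
    "Twitterbot/1.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "python-requests/2.31 UptimeRobot",  # unrelated client that includes the name
    "examplescraperbot/0.1",
]
# The clients the operator actually means to exempt.
INTENDED = {OBSERVED[0], OBSERVED[2]}

def exempted(entry, user_agents):
    """User-Agents an entry would exempt: a regex search anywhere in the header."""
    try:
        pattern = re.compile(entry)
    except re.error as exc:
        raise ValueError(f"invalid whitelist entry {entry!r}: {exc}") from exc
    return [ua for ua in user_agents if pattern.search(ua)]

def audit(entries, user_agents, intended):
    """Per entry: (number of matches, matches the operator did not intend)."""
    report = {}
    for entry in entries:
        hits = exempted(entry, user_agents)
        report[entry] = (len(hits), [ua for ua in hits if ua not in intended])
    return report

if __name__ == "__main__":
    for entry, (total, extra) in audit(["bot", "UptimeRobot", "^Twitterbot/"],
                                       OBSERVED, INTENDED).items():
        print(f"{entry!r}: {total} match(es), {len(extra)} unintended")
        for ua in extra:
            print("   ", ua)
```

A broad entry such as bot exempts every client with that substring in its header, and even a precise entry cannot tell a genuine bot from a client that copies its name, which is why the list should stay as short and as specific as possible.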
Custom reCAPTCHA Keys (optional)
QUIC.cloud has a default set of keys that we use to control the configuration.
If you want more control over the reCAPTCHA configuration for your domain, you can supply your own set of keys from Google. Enter the values into reCAPTCHA Site Key and reCAPTCHA Secret Key as appropriate.