I think I understand where you’re coming from.
1. You had no downtime with your current provider WP Engine and you want to replicate this same setup.
2. Your primary concern is replicating their firewall/load balancer setup. As you believe, this is what helped with uptime.
3. You don’t want to use Cloudflare.
4. You believe that bot traffic and targeted WordPress attacks being blocked helped keep your site online.
Do you have a monitoring system in place? If you don’t, set one up that is multi-location. This should be your means of calculating your 99% uptime. You might be surprised that WP Engine does have small blips of minutes randomly.
Replicating what WP Engine has for a firewall is going to be hard. They talk about advanced DDoS mitigation, which in reality most sites rarely see, as others have mentioned. You’ll see more resource exhaustion DDoS attacks. I’ve been through about 10 DDoS attacks in my lifetime. All of which were between 10-100Gb/s. Luckily we had a custom DDoS system built internally that cut them short pretty quickly since we had built our own POPs all over North America and could block the traffic more towards the source. So I don’t think you need to worry about DDoS mitigation. I think resource exhaustion attacks are what you’ll need to focus on.
As for a WAF, we can’t see what they’re using, it’s all proprietary. I’m assuming it’s some sort of WAF. Either GCP’s or another vendor WAF. You can deploy vendor-specific appliances in GCP or AWS.
You can follow some best practices. For instance, blocking xml-rpc. The current WAFs from GridPane provide basic protection. Personally, the 6/7G firewall is generic and requires care and feeding for the most part to stop false positives. I don’t like this. As for the modsec firewall, you will have to deal with overhead and the rules GridPane uses. Which at the time is “OWASP foundation 3+ Core Ruleset (CRS)”. This isn’t bad, but you’ll get more out of OLS or LSE as they have a better engine for modsec from what I’ve read.
As for a load balancer, they do talk about high availability, so they’re most likely using some sort of load balancer and container solution. You need to talk to GridPane, as their high availability is something custom from my understanding. You’d be looking at millisecond failover.
I understand why you don’t want to use Cloudflare. Some people just don’t. However, they’re literally the leaders in this space. Go with Pro and you’ll get more access to a lot of things WP Engine or GridPane aren’t doing. Talk about DDoS attacks. A popular VOIP company voip.ms used them to deal with a huge attack. Took a while due to the nature of VOIP being UDP. But they’re back online. Cloudflare has a huge amount of modsec rules, and are improving their offering rather quickly.
There is a lot of garbage traffic that WordPress sites get. As I mentioned before, some traffic causes resource exhaustion. So putting in the appropriate countermeasures is important. It’s possible WP Engine just scaled to handle this versus blocked or contained the traffic. Google’s crawler can DDoS your site pretty easily with 100 requests a second. I’ve seen it before. So putting in some sort of throttling would help.
If you’re looking to save money by switching to GridPane, you’ll need to invest some money learning the platform and building it to your requirements. So you might spend the same amount or more within the first 6 months. Even then, GridPane might not provide what WP Engine provides.
If you’re looking for high availability, Denny Cave is cooking up something special. High-frequency servers with high availability and scaling.
Hope this helps!
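Added example, not part of the post above or of any GridPane/WP Engine configuration: an nginx fragment that implements two of the countermeasures the reply recommends, blocking xml-rpc before PHP is invoked and throttling the endpoints that drive resource exhaustion (login brute force, aggressive crawlers). It assumes nginx in front of PHP-FPM with the WordPress root already set in the same server block; the rate, burst values and socket path are assumptions to be tuned from your own access logs.

```nginx
# http {} context: one rate-limit bucket keyed on client IP.
# 10m of shared memory tracks on the order of 160k addresses.
# 5r/s is an assumed starting point; derive your own from normal traffic.
limit_req_zone $binary_remote_addr zone=wp_throttle:10m rate=5r/s;
limit_req_status 429;

server {
    # ... existing listen / server_name / root / index directives ...

    # Block xml-rpc outright unless something you run needs it (Jetpack and
    # some mobile apps do). Returning 403 here costs no PHP worker time.
    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Login endpoint: tight throttle. burst absorbs a short legitimate spike,
    # nodelay serves the burst immediately and rejects only the excess.
    location = /wp-login.php {
        limit_req zone=wp_throttle burst=10 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    # Everything else that reaches PHP shares the same bucket with a larger
    # burst, so a crawler hitting uncached pages at ~100 r/s gets 429s
    # instead of exhausting PHP-FPM. Static files are not affected.
    location ~ \.php$ {
        limit_req zone=wp_throttle burst=20 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

If nginx sits behind the load balancer or proxy the reply discusses, configure set_real_ip_from / real_ip_header first, otherwise every request is counted against the balancer's single address and the throttle fires on legitimate users.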