{"id":7802,"date":"2025-11-06T20:48:00","date_gmt":"2025-11-06T18:48:00","guid":{"rendered":"https:\/\/unihost.com\/blog\/?p=7802"},"modified":"2026-03-18T13:34:00","modified_gmt":"2026-03-18T11:34:00","slug":"basic-ddos-protection-for-small-sites","status":"publish","type":"post","link":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/","title":{"rendered":"Basic DDoS Protection for Small Sites: Practical Steps"},"content":{"rendered":"<p>DDoS is no longer a \u201cbig company\u201d problem. A small ecommerce site, a local media portal, a landing page during a promo-anyone can be knocked offline by a wave of junk traffic. The good news: <strong>around 80% of the risk can be mitigated<\/strong> with simple, inexpensive actions-smart DNS, perimeter filtering, caching, rate\u2011limits, and a bit of configuration discipline. This guide is a practical playbook with no magic boxes: which attacks you\u2019re likely to face, what really works, what to do tonight, and how not to overpay with complexity.<\/p>\n<h2>How attacks work (and where to defend)<\/h2>\n<h3>Layers and surfaces<\/h3>\n<ul>\n<li><strong>L3\/L4 (network\/transport):<\/strong> SYN floods, UDP floods, ICMP floods, fragmentation abuse, and classic reflection\/amplification (NTP, DNS, CLDAP, Memcached, etc.). Goal: saturate the pipe or overwhelm state tables.<\/li>\n<li><strong>L7 (application):<\/strong> HTTP floods, slow\u2011loris\/slow\u2011read, waves to computationally heavy endpoints (search, cart, PDF render), and newer patterns like HTTP\/2 \u201crapid reset\u201d or HTTP\/3\/QUIC storms. Goal: exhaust CPU\/DB\/queues.<\/li>\n<\/ul>\n<h3>Where to filter<\/h3>\n<ul>\n<li><strong>In front of your origin<\/strong> &#8211; global anycast edge with CDN\/WAF. For a small site this is the most effective and cost\u2011efficient level: let someone else\u2019s perimeter absorb the punch.<\/li>\n<li><strong>At your provider\u2019s ingress<\/strong> &#8211; datacenter\/ISP filtering, \u201cclean pipe,\u201d border ACLs.<\/li>\n<li><strong>On your own server<\/strong> &#8211; OS limits, firewall, web server\/proxy settings, caching, and per\u2011endpoint\/app limits.<\/li>\n<\/ul>\n<p>Resilience is layered. Some junk never reaches your ASN, some gets dropped at the border, and the rest is defused by caches and rate limits.<\/p>\n<h2>Why this matters (and why \u201cmore horsepower\u201d won\u2019t save you)<\/h2>\n<ul>\n<li><strong>Bandwidth isn\u2019t armor.<\/strong> Many attacks are targeted: they hit state tables, TLS handshakes, queues, or heavy SQL. Doubling CPU won\u2019t fix an ocean of slow connections.<\/li>\n<li><strong>Reliability = trust.<\/strong> An hour of downtime during a launch burns marketing budget and customer goodwill.<\/li>\n<li><strong>Misconfigurations cause self\u2011DoS.<\/strong> A redirect loop, disabled caching, an unbounded request body-under load, these are DoS by your own hand. Good defaults often beat pricey subscriptions.<\/li>\n<\/ul>\n<h2>A pragmatic protection plan (priorities for small sites)<\/h2>\n<p>Below is a 12\u2011step plan split into three tiers. Work down the list; stop when risk and budget meet.<\/p>\n<h3>Tier 1 &#8211; \u201cDo it tonight\u201d (minimal cost)<\/h3>\n<ol>\n<li><strong>Competent DNS<\/strong>\n<ul>\n<li>Use <strong>two or more NS providers\/regions<\/strong>.<\/li>\n<li>Set sensible TTLs: short (5\u201315 min) for A\/AAAA of the site, longer for static records.<\/li>\n<li><strong>Hide your origin IP<\/strong>: don\u2019t leak it via stray A records for staging\/mail\/panel.<\/li>\n<\/ul>\n<\/li>\n<li><strong>CDN\/Reverse proxy in front<\/strong>\n<ul>\n<li>Enable full caching of static assets (Cache-Control with long TTL, ETag, gzip\/brotli).<\/li>\n<li>For popular HTML, enable <strong>edge caching<\/strong> with short TTL and explicit invalidation on release.<\/li>\n<li>Minimize passes to origin-fewer origin requests = harder to overwhelm.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Basic WAF\/Bot protection<\/strong>\n<ul>\n<li>Allow only needed methods (GET\/HEAD\/POST); block the rest.<\/li>\n<li><strong>Hide admin<\/strong>: restrict by IP\/ASN\/country and\/or require a challenge (JS\/captcha).<\/li>\n<li>Turn on managed rules for SQLi\/XSS\/scanners and set per\u2011endpoint frequency limits for \u201cexpensive\u201d routes.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Rate limiting at the edge and on origin<\/strong>\n<ul>\n<li>Limit by IP\/prefix\/token; set separate quotas for heavy operations (search, login, post\/purchase).<\/li>\n<li>Use a small <strong>burst<\/strong> allowance and a grace period so legit users aren\u2019t punished.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Application\u2011level cache<\/strong>\n<ul>\n<li>Cache HTML fragments, menus, and slow widgets.<\/li>\n<li>Externalize sessions\/cache to Redis\/Memcached; keep hot keys in memory.<\/li>\n<\/ul>\n<\/li>\n<li><strong>HTTP\/2 and HTTP\/3 with constraints<\/strong>\n<ul>\n<li>Limit stream\/frames concurrency; drop idle\/slow streams; enable rapid\u2011reset protections.<\/li>\n<li>Disable exotic features you don\u2019t use; they just widen the attack surface.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<h3>Tier 2 &#8211; \u201cOne week to tidy up\u201d<\/h3>\n<ol start=\"7\">\n<li><strong>Firewalling and OS\/network limits<\/strong>\n<ul>\n<li>Size nf_conntrack\/state tables with headroom and alerts, but apply anti\u2011scan rate limits.<\/li>\n<li>Enable SYN cookies and limit half\u2011open connections; drop legacy protocols\/ports.<\/li>\n<li>Simple ACLs: block obviously abusive ASNs\/regions you don\u2019t serve.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Plug origin backdoors<\/strong>\n<ul>\n<li><strong>No direct IP access<\/strong> to origin: only via CDN\/proxy (allowlists of proxy IPs, mTLS, firewall rules).<\/li>\n<li>Use a separate subdomain and stricter policy for admin\/API.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Solid TLS posture<\/strong>\n<ul>\n<li>Clean cipher profiles, HSTS, automated certificate renewals.<\/li>\n<li>Prioritize modern ciphers; disable renegotiation\/compression.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Web server\/proxy hardening<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Cap header\/body sizes, first\u2011byte\/read\/send timeouts, max connections, worker\/memory limits.<\/li>\n<li>Sane keep\u2011alive and buffers so slow\u2011reads don\u2019t starve workers.<\/li>\n<\/ul>\n<ol start=\"11\">\n<li><strong>Signals and alerts<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Watch RPS, p95, 5xx, cache\u2011HIT ratio, open connections, conntrack, SYN backlog.<\/li>\n<li>Consolidate by root cause: one incident \u2192 one page.<\/li>\n<\/ul>\n<ol start=\"12\">\n<li><strong>Defensive degradation plan<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Prepare a <strong>lightweight landing<\/strong> (no heavy widgets) you can switch on quickly.<\/li>\n<li>Fallbacks for critical APIs: queues\/cached responses\/placeholders.<\/li>\n<\/ul>\n<h3>Tier 3 &#8211; \u201cRedundancy and readiness\u201d<\/h3>\n<ul>\n<li><strong>Two independent origins<\/strong> (active\u2011passive or active\u2011active) with content\/state sync.<\/li>\n<li><strong>Geo load\u2011balancing<\/strong> and anycast edge.<\/li>\n<li><strong>Separate public and admin planes<\/strong> (different domains\/paths\/keys).<\/li>\n<li><strong>Fire drills<\/strong> quarterly: simulate an attack (safely) and measure MTTA\/MTTR.<\/li>\n<\/ul>\n<h2>Concrete recipes for common attacks<\/h2>\n<ul>\n<li><strong>SYN flood (L4):<\/strong> enable SYN cookies; increase backlog and half\u2011open timeouts; ask DC\/ISP to drop spoofed sources; limit new connections\/sec per IP.<\/li>\n<li><strong>UDP flood\/amplification:<\/strong> close unneeded UDP services; rate\u2011limit per port; block known reflectors; rely on edge scrubbing for volumetrics.<\/li>\n<li><strong>Slow\u2011loris\/slow\u2011read (L7):<\/strong> cap header\/body sizes; first\u2011byte deadlines; minimum client read rate; limit concurrent requests per IP; reap hung connections.<\/li>\n<li><strong>HTTP flood to heavy pages:<\/strong> aggressive caching (edge + app), JS challenges\/captcha for suspicious ASNs\/UAs; per\u2011endpoint limits; pre\u2011render and reduce response weight.<\/li>\n<li><strong>Brute force\/scraping:<\/strong> behavioral rules; block by IP\/ASN\/geo; mandatory JS\/captcha on anomalies; honey endpoints to fingerprint scanners; content protections (robots\/headers\/controlled throttling).<\/li>\n<\/ul>\n<h2>Mistakes that break resilience more often than attackers do<\/h2>\n<ul>\n<li><strong>No HTML caching<\/strong> (CMS renders every homepage from scratch).<\/li>\n<li><strong>Origin reachable by direct IP<\/strong>, bypassing WAF\/CDN.<\/li>\n<li><strong>No limits\/timeouts<\/strong> on the web server and in the app.<\/li>\n<li><strong>Public admin panels<\/strong> on the internet without IP filtering or MFA.<\/li>\n<li><strong>Static assets and the DB on the same disk\/pool<\/strong>: a log\/static surge starves the database.<\/li>\n<li><strong>Secrets\/keys in public repos<\/strong> \u2192 used to bypass checks or hit private endpoints.<\/li>\n<li><strong>Single points of failure<\/strong>: one NS provider, one region, one balancer.<\/li>\n<\/ul>\n<h2>One\u2011evening checklist (really)<\/h2>\n<ul>\n<li>Two NS providers; TTL 5\u201315 min for the site\u2019s A\/AAAA.<\/li>\n<li>CDN\/WAF edge enabled; origin hidden and only reachable from trusted proxy ranges.<\/li>\n<li>Edge cache for static + short HTML cache with release\u2011driven invalidation.<\/li>\n<li>Only GET\/HEAD\/POST allowed; admin restricted by IP + challenge.<\/li>\n<li>Rate limits on heavy endpoints; token bucket with burst.<\/li>\n<li>Header\/body limits; connect\/read\/send timeouts set.<\/li>\n<li>SYN cookies on; conntrack monitored; junk ports dropped.<\/li>\n<li>Monitoring for p95\/5xx\/cache\u2011HIT\/open conns + actionable alerts.<\/li>\n<li>Test plan: quick \u201cab\/k6\/locust\u201d load or a mild challenge at the edge.<\/li>\n<li>Lightweight page\/fail\u2011open mode prepared and documented.<\/li>\n<\/ul>\n<h2>Incident playbook: when it\u2019s on fire<\/h2>\n<ul>\n<li><strong>Confirm:<\/strong> independent checks from 2\u20133 regions.<\/li>\n<li><strong>Harden edge policies:<\/strong> suspicious ASNs\/geos \u2192 challenges; aggressive per\u2011endpoint limits.<\/li>\n<li><strong>Reduce origin work:<\/strong> raise HTML\/JSON cache TTLs; pause heavy background jobs; switch to the lightweight landing.<\/li>\n<li><strong>Protect origin:<\/strong> close direct IP; tighten proxy allowlists; bump conntrack\/worker limits temporarily.<\/li>\n<li><strong>Communicate:<\/strong> status page + brief user updates (\u201celevated load, service recovering\u201d).<\/li>\n<li><strong>Postmortem:<\/strong> what alerts missed, which links were weak, which defaults to change.<\/li>\n<\/ul>\n<h2>What this costs (pragmatically)<\/h2>\n<ul>\n<li><strong>$0\u2013$20\/mo:<\/strong> basic CDN\/WAF plan-good enough for many small sites; edge caching, simple rate limits, method restrictions, IP filters.<\/li>\n<li><strong>$20\u2013$100\/mo:<\/strong> add bot protection\/challenges, custom L7 rules, reports\/alerts, higher quotas.<\/li>\n<li><strong>$100+<\/strong>: premium options-priority L3\/L4 scrubbing, custom policies, geo load\u2011balancing, SLAs.<\/li>\n<\/ul>\n<p>On your side it\u2019s a few engineer hours to set up, then occasional tweaks as traffic patterns change.<\/p>\n<h2>Measuring success<\/h2>\n<ul>\n<li><strong>Availability (%)<\/strong> and <strong>errors (5xx\/4xx)<\/strong> on key endpoints.<\/li>\n<li><strong>Latency p95\/p99<\/strong>-confirm filtering didn\u2019t add harmful overhead.<\/li>\n<li><strong>Cache HIT ratio<\/strong>-target &gt;80% for static, &gt;50% for HTML during peaks.<\/li>\n<li><strong>Share of traffic challenged\/blocked<\/strong>-a proxy for noise level and rule effectiveness.<\/li>\n<li><strong>Origin utilization<\/strong> (CPU\/memory\/connections) at comparable RPS before\/after changes.<\/li>\n<\/ul>\n<h2>Why Unihost<\/h2>\n<p><strong>Network &amp; edge.<\/strong> Routing and peering are tuned for low p95 latency; edge filtering reduces noisy traffic before it hits your servers. Private VLANs help separate public and administrative planes.<\/p>\n<p><strong>Servers for load.<\/strong> <strong>NVMe Gen4\/Gen5<\/strong>, high\u2011frequency CPUs, predictable uplinks; edge+app caching synergy; dedicated resources for DB\/queues.<\/p>\n<p><strong>Security by default.<\/strong> Firewall\/ACL templates, origin shield (no direct IP access), automated TLS renewals, ready\u2011made rules for method\/header\/body limits.<\/p>\n<p><strong>Observability.<\/strong> Integrations with Prometheus\/Grafana\/ELK\/OTel, alerts for conntrack\/SYN backlog, status page and post\u2011incident reporting.<\/p>\n<p><strong>Scale path.<\/strong> Start on <strong>VPS<\/strong>, grow to dedicated or GPU servers without rearchitecting-configurations move with your stack via IaC.<\/p>\n<h2>TL;DR<\/h2>\n<p>For small sites, DDoS protection is mostly <strong>discipline and a dozen good settings<\/strong>, not a pricey magic box. Hide origin behind an edge, let caches work, set sane limits, lock down admin, enable alerts, and keep a degradation plan. In <strong>8 out of 10<\/strong> cases this rides out spikes and \u201ccheap\u201d attacks without downtime.<\/p>\n<p><strong>Try Unihost servers &#8211; stable infrastructure for your projects.<\/strong><br \/>\n<strong>Order a VPS or dedicated server at Unihost, enable edge protection and caching, and survive the next attack without downtime.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DDoS is no longer a \u201cbig company\u201d problem. A small ecommerce site, a local media portal, a landing page during a promo-anyone can be knocked offline by a wave of junk traffic. The good news: around 80% of the risk can be mitigated with simple, inexpensive actions-smart DNS, perimeter filtering, caching, rate\u2011limits, and a bit [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":164,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-7802","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-webdev","has-post-title","has-post-date","has-post-category","has-post-tag","has-post-comment","has-post-author",""],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog<\/title>\n<meta name=\"description\" content=\"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog\" \/>\n<meta property=\"og:description\" content=\"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\" \/>\n<meta property=\"og:site_name\" content=\"Unihost.com Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/unihost\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-06T18:48:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-18T11:34:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unihost.com\/blog\/minio.php?2017\/03\/logo7.png\" \/>\n\t<meta property=\"og:image:width\" content=\"200\" \/>\n\t<meta property=\"og:image:height\" content=\"34\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Alex Shevchuk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@unihost\" \/>\n<meta name=\"twitter:site\" content=\"@unihost\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex Shevchuk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\"},\"author\":{\"name\":\"Alex Shevchuk\",\"@id\":\"https:\/\/unihost.com\/blog\/#\/schema\/person\/92e127fbc9a0ce4ca134886442a54474\"},\"headline\":\"Basic DDoS Protection for Small Sites: Practical Steps\",\"datePublished\":\"2025-11-06T18:48:00+00:00\",\"dateModified\":\"2026-03-18T11:34:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\"},\"wordCount\":1515,\"publisher\":{\"@id\":\"https:\/\/unihost.com\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg\",\"articleSection\":[\"WebDev\"],\"inLanguage\":\"en\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\",\"url\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\",\"name\":\"Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog\",\"isPartOf\":{\"@id\":\"https:\/\/unihost.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg\",\"datePublished\":\"2025-11-06T18:48:00+00:00\",\"dateModified\":\"2026-03-18T11:34:00+00:00\",\"description\":\"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.\",\"breadcrumb\":{\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage\",\"url\":\"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg\",\"contentUrl\":\"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Unihost\",\"item\":\"https:\/\/unihost.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Blog\",\"item\":\"https:\/\/unihost.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Basic DDoS Protection for Small Sites: Practical Steps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/unihost.com\/blog\/#website\",\"url\":\"https:\/\/unihost.com\/blog\/\",\"name\":\"Unihost.com Blog\",\"description\":\"Web hosting, Online marketing and Web News\",\"publisher\":{\"@id\":\"https:\/\/unihost.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/unihost.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/unihost.com\/blog\/#organization\",\"name\":\"Unihost\",\"alternateName\":\"Unihost\",\"url\":\"https:\/\/unihost.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/unihost.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/unihost.com\/blog\/minio.php?2026\/01\/minio.png\",\"contentUrl\":\"https:\/\/unihost.com\/blog\/minio.php?2026\/01\/minio.png\",\"width\":300,\"height\":300,\"caption\":\"Unihost\"},\"image\":{\"@id\":\"https:\/\/unihost.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/unihost\",\"https:\/\/x.com\/unihost\",\"https:\/\/instagram.com\/unihost\",\"https:\/\/www.linkedin.com\/company\/unihost-com\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/unihost.com\/blog\/#\/schema\/person\/92e127fbc9a0ce4ca134886442a54474\",\"name\":\"Alex Shevchuk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/unihost.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/37068b7d8dd334ae091ca77c586798519f5157257b25f6bc5dbe0daa5f828510?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/37068b7d8dd334ae091ca77c586798519f5157257b25f6bc5dbe0daa5f828510?s=96&d=mm&r=g\",\"caption\":\"Alex Shevchuk\"},\"description\":\"Alex Shevchuk is the Head of DevOps with extensive experience in building, scaling, and maintaining reliable cloud and on-premise infrastructure. He specializes in automation, high-availability systems, CI\/CD pipelines, and DevOps best practices, helping teams deliver stable and scalable production environments. LinkedIn: https:\/\/www.linkedin.com\/in\/alex1shevchuk\/\",\"url\":\"https:\/\/unihost.com\/blog\/author\/alex-shevchuk\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog","description":"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/","og_locale":"en_US","og_type":"article","og_title":"Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog","og_description":"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.","og_url":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/","og_site_name":"Unihost.com Blog","article_publisher":"https:\/\/www.facebook.com\/unihost","article_published_time":"2025-11-06T18:48:00+00:00","article_modified_time":"2026-03-18T11:34:00+00:00","og_image":[{"width":200,"height":34,"url":"https:\/\/unihost.com\/blog\/minio.php?2017\/03\/logo7.png","type":"image\/png"}],"author":"Alex Shevchuk","twitter_card":"summary_large_image","twitter_creator":"@unihost","twitter_site":"@unihost","twitter_misc":{"Written by":"Alex Shevchuk","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#article","isPartOf":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/"},"author":{"name":"Alex Shevchuk","@id":"https:\/\/unihost.com\/blog\/#\/schema\/person\/92e127fbc9a0ce4ca134886442a54474"},"headline":"Basic DDoS Protection for Small Sites: Practical Steps","datePublished":"2025-11-06T18:48:00+00:00","dateModified":"2026-03-18T11:34:00+00:00","mainEntityOfPage":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/"},"wordCount":1515,"publisher":{"@id":"https:\/\/unihost.com\/blog\/#organization"},"image":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage"},"thumbnailUrl":"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg","articleSection":["WebDev"],"inLanguage":"en"},{"@type":"WebPage","@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/","url":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/","name":"Basic DDoS Protection for Small Sites: Practical Steps - Unihost.com Blog","isPartOf":{"@id":"https:\/\/unihost.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage"},"image":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage"},"thumbnailUrl":"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg","datePublished":"2025-11-06T18:48:00+00:00","dateModified":"2026-03-18T11:34:00+00:00","description":"Practical DDoS defense: smart DNS, CDN\/WAF, caching, rate limits, TLS hardening, and alerts. Improve resilience and avoid downtime with Unihost.","breadcrumb":{"@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/"]}]},{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#primaryimage","url":"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg","contentUrl":"https:\/\/unihost.com\/blog\/minio.php?2017\/04\/ddos-war.svg"},{"@type":"BreadcrumbList","@id":"https:\/\/unihost.com\/blog\/basic-ddos-protection-for-small-sites\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Unihost","item":"https:\/\/unihost.com\/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https:\/\/unihost.com\/blog\/"},{"@type":"ListItem","position":3,"name":"Basic DDoS Protection for Small Sites: Practical Steps"}]},{"@type":"WebSite","@id":"https:\/\/unihost.com\/blog\/#website","url":"https:\/\/unihost.com\/blog\/","name":"Unihost.com Blog","description":"Web hosting, Online marketing and Web News","publisher":{"@id":"https:\/\/unihost.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unihost.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Organization","@id":"https:\/\/unihost.com\/blog\/#organization","name":"Unihost","alternateName":"Unihost","url":"https:\/\/unihost.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/unihost.com\/blog\/minio.php?2026\/01\/minio.png","contentUrl":"https:\/\/unihost.com\/blog\/minio.php?2026\/01\/minio.png","width":300,"height":300,"caption":"Unihost"},"image":{"@id":"https:\/\/unihost.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/unihost","https:\/\/x.com\/unihost","https:\/\/instagram.com\/unihost","https:\/\/www.linkedin.com\/company\/unihost-com"]},{"@type":"Person","@id":"https:\/\/unihost.com\/blog\/#\/schema\/person\/92e127fbc9a0ce4ca134886442a54474","name":"Alex Shevchuk","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/unihost.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/37068b7d8dd334ae091ca77c586798519f5157257b25f6bc5dbe0daa5f828510?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/37068b7d8dd334ae091ca77c586798519f5157257b25f6bc5dbe0daa5f828510?s=96&d=mm&r=g","caption":"Alex Shevchuk"},"description":"Alex Shevchuk is the Head of DevOps with extensive experience in building, scaling, and maintaining reliable cloud and on-premise infrastructure. He specializes in automation, high-availability systems, CI\/CD pipelines, and DevOps best practices, helping teams deliver stable and scalable production environments. LinkedIn: https:\/\/www.linkedin.com\/in\/alex1shevchuk\/","url":"https:\/\/unihost.com\/blog\/author\/alex-shevchuk\/"}]}},"_links":{"self":[{"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/posts\/7802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/comments?post=7802"}],"version-history":[{"count":5,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/posts\/7802\/revisions"}],"predecessor-version":[{"id":8339,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/posts\/7802\/revisions\/8339"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/media\/164"}],"wp:attachment":[{"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/media?parent=7802"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/categories?post=7802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unihost.com\/blog\/wp-json\/wp\/v2\/tags?post=7802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}