Security Level and HTTP traffic?

We have a website with a Security Level set to Low. We had a DDoS attack, and in analysing the data we found that the traffic during the attack was classified under the following security levels:

  • Unknown - This was the traffic that was blocked
  • Low - This is fine, client protocol was shown as TLSv1.3 or 1.2
  • Off - I assume this is short for “Essentially Off” maybe, but this traffic shows as Client SSL protocol of none so looks to have been http only?

Does this mean that if the traffic is http and not https the security level is off or am I missing something?

Do you use some CMS like WordPress?

Try with some lightweight firewall like BBQ Plugin.

I have websites with “Low” security. No issue, but using htaccess or Nginx rules to block certain and have security measures activated along with the WordPress firewall plugin, even BBQ is enough, or go with some like WordFence or All in one security.

Use at least minimum TLS v1.2 in Cloudflare, set to Flexible SSL at least, Always HTTPS, Automatic HTTPS redirection, enable HSTS, etc.

Should be fine if not using any “nulled” themes or plugins alongside.

And, try to use, if so, some sort of caching plugin like WP Super Cache or at least have cache control rules added to htaccess or Nginx configuration file.

If not using WordPress, try adding htaccess/nginx rules for security for example from here:

Same here as in the other thread, please do not make such a recommendation as that will render the OP’s site insecure.

@si101, your encryption mode should be Full strict and Full strict only.
