
What is a Botnet Attack and How to Protect Your Website

Updated on March 31, 2026


Key Takeaways

  • Botnet attacks utilize thousands of rapidly rotating IP addresses to overload web servers, making manual IP blocking an unscalable and inefficient defense strategy.
  • Manual site protection is prone to failure since missing a single obfuscated script or rotating IP leaves your server completely vulnerable to malicious payloads.
  • The Cloudways Malware Protection Add-on automates security at the server level, guaranteeing malicious scripts are neutralized instantly before they can execute.

Understanding what a botnet attack is becomes critical the moment your server CPU maxes out from thousands of fake login attempts. At its core, it is a large-scale cyberattack carried out by a network of infected, remotely controlled devices.

This creates a major problem for website owners because trying to block the offending IP addresses manually rarely works. The malicious traffic simply shifts to new sources almost instantly.

Defending against automated threats is fundamental to website security. Because manual defenses cannot keep up with rotating IPs, utilizing an automated protection system is the most practical solution.

In this guide, we will explain how these networks operate and the different types of attacks they launch. We will also outline the steps to stop an active attack manually and show how the Cloudways Malware Protection add-on offers a permanent automated solution.

What is a Botnet?

The term is a combination of the words “robot” and “network.” At its core, a botnet is a massive collection of compromised internet-connected machines that have been grouped together to attack external targets.

Once infected with malware, these compromised machines operate silently in the background. They wait for a remote attacker to issue commands to execute coordinated tasks against specific web targets.

For a website administrator, the danger is that these attacks appear to come from thousands of different IP addresses at once, making them incredibly difficult to block manually.

When your server experiences a sudden surge in malicious traffic or automated login attempts, it is usually these compromised machines working together to overwhelm your resources or guess your administrative passwords.

Data from the Cloudflare 2024 DDoS Threat Report highlights the sheer scale of this problem. In 2024 alone, Cloudflare tracked massive botnets launching 21.3 million automated attacks against web infrastructure globally, representing a 53% year-over-year surge.

While these networks target all types of custom applications and servers, they frequently focus on popular platforms. For example, research shows that 98% of malicious HTTP requests directed at standard WordPress login paths (/wp-admin/) are linked directly to automated botnet activity.

If your server remains unprotected, a botnet will not just take your site offline. It will breach your environment and weaponize your own hosting resources to help attack the rest of the internet.


How Do Botnets Work?

To execute an attack against your website, the attacker needs a way to communicate with thousands of infected devices simultaneously. This communication is handled through a Command and Control (C&C) infrastructure.

The attacker sends instructions to the network, telling every compromised machine to target your specific server IP address and execute the exact same malicious action at once.

These networks generally rely on one of two architectural models to distribute these instructions. Understanding them helps explain why these attacks are so difficult to stop manually.

The Client-Server Model

This is the older setup. The infected devices connect directly to one central server to receive their orders. While this is efficient for the attacker, it creates a weak spot.

If security professionals locate and block that main server, the infected devices lose their instructions and the attack on your website immediately stops.

The Peer-to-Peer (P2P) Model

Attackers developed the decentralized P2P model to fix the weakness of a central server. In this setup, the infected machines share commands directly with each other. If your firewall blocks a segment of the network, the remaining devices simply route their communication through different peers.

For a website owner, this means there is no single source to block. The attack traffic constantly shifts, making modern botnets exceptionally hard to stop using basic security rules.

Common Types of Botnet Attacks

Once an attacker controls a massive network of infected devices, they can use that combined computing power to launch several different types of attacks against your server.

Distributed Denial of Service (DDoS)

This is the most visible type of attack. The network is ordered to flood your target server with garbage traffic and fake requests.

The primary goal of DDoS attacks is to consume all your available bandwidth and processing power until your server simply crashes. Your legitimate customers are left looking at offline error pages while you scramble to restore access.

Credential Stuffing and Brute Force

Attackers frequently use botnets to break into website administrative panels. The compromised devices use thousands of rotating IP addresses to rapidly test lists of stolen passwords on your login pages.

Because the login attempts come from so many different locations at once, standard security plugins that limit login attempts often fail to block the attack.

Spam and Phishing

Botnets are responsible for sending millions of automated spam emails every day. If attackers manage to compromise your server and add it to their network, they will use your hosting resources to send out phishing campaigns or flood your site with contact form spam.

This will quickly ruin the reputation of your server IP address and cause your legitimate business emails to end up in spam folders.

Malware Distribution

Instead of just crashing your site, attackers use automated networks to probe millions of servers looking for specific vulnerabilities.

The botnet automatically scans for outdated software or weak core files. Once it finds a gap in your security, it drops malicious files or spyware directly into your hosting environment to maintain permanent access.

How Botnets Target Websites

Botnets systematically compromise web servers using a three-stage attack lifecycle. The process is fully automated and designed to exploit vulnerabilities across thousands of targets simultaneously.

1. Reconnaissance and Probing

Botnets use automated scripts to continuously scan the internet for vulnerable infrastructure. They probe server IP addresses looking for open ports, weak administrative credentials, and outdated web applications. The goal is to map out exploitable targets without triggering basic security firewalls.

2. Breach and Infection

Once a vulnerability is found, the botnet executes the intrusion. This typically involves launching distributed brute-force attacks against login portals or exploiting unpatched software to bypass security.

After breaching the perimeter, the network drops a malicious payload onto the server. Attackers frequently install a hidden WordPress backdoor to maintain persistent remote access even after the initial vulnerability is patched.

3. Activation and Exploitation

The compromised server is now integrated into the botnet. The central command server hijacks your hosting resources and bandwidth for malicious activities.

This includes utilizing your server to launch DDoS attacks against external targets or deploying automated SEO spam, such as the Japanese keyword hack, directly onto your domain.

Signs Your Server is Under a Botnet Attack

A botnet attack is difficult to pinpoint at first glance because the traffic comes from thousands of different sources rather than a single malicious IP. However, you can identify an active attack by checking these specific areas of your hosting environment:

High Server CPU Usage

Check your hosting control panel for sudden resource exhaustion. If your resources are suddenly maxing out but your analytics show no new human visitors, bots are likely involved.

Automated networks frequently hammer specific resource-heavy endpoints like login portals or API gateways. If you are a Cloudways user, you can monitor these usage spikes directly from the Cloudways dashboard.

[Screenshot: High server CPU usage monitored in the Cloudways dashboard]

Spikes in Failed Logins

Your security logs are a primary indicator. A sudden influx of failed authentication attempts from random IP addresses across the globe points directly to a distributed credential stuffing campaign.

Instead of a single IP trying a hundred passwords, a botnet uses a hundred different IPs to try one password each to evade basic security bans. Check your web application firewall or raw server access logs to see if your login pages are being heavily targeted.

Unexpected File Changes

If the botnet successfully breaches your perimeter, you will see unauthorized modifications. Look for unrecognized administrator accounts appearing in your CMS dashboard or strange PHP scripts suddenly sitting in your public directories.

Attackers drop these files to establish a hidden backdoor or to hijack your server resources to send out automated spam.

How to Protect Your Website From Botnets

Protecting your server from botnets means filtering bad traffic before it eats up your resources and blocking the entry points that automated scripts target. Here are the most effective strategies to protect your server from botnet attacks:

Lock Down Login Pages

Botnets bypass standard rate limiting by distributing their login attempts across thousands of rotating IP addresses. Since you cannot rely on IP bans alone to stop a distributed attack, you must harden the authentication process itself.

Enforcing Two-Factor Authentication (2FA) ensures that even if an automated script successfully guesses an administrator password through credential stuffing, it cannot access your backend without the secondary time-sensitive code.

Automate Vulnerability Patching

Botnets constantly scrape the web for known security flaws in outdated plugins and core software. The moment a new vulnerability is publicized, these automated networks begin hunting for servers that have not applied the patch.

Relying on manual updates leaves your environment exposed during this critical window. You must implement a system that applies critical updates immediately.

You can enable native background updates within your CMS or configure third-party management dashboards like ManageWP or MainWP to handle bulk updates across multiple domains automatically.

If you use Cloudways, you can enable the SafeUpdates add-on to automate this process. It detects, tests, and applies routine and security updates to your applications without requiring manual intervention.

How to Stop a Botnet Attack Manually

While automated defenses are the best long-term strategy, you might find yourself in the middle of an active attack without a firewall in place.

When thousands of rotating IPs are hammering your server, you must take immediate manual action to drop the malicious requests and keep your infrastructure online.

Because attack vectors and server stacks vary, there is no single magic command to stop a botnet. However, here is the standard manual mitigation process to regain control of your server:

1. Identify the Attack Pattern in Your Logs

Botnets usually target a specific vulnerability or endpoint. You need to find out exactly what they are requesting so you can block it. Access your server logs via your terminal to pinpoint the anomaly.

[Screenshot: Identifying attack patterns in raw server access logs]

In the example screenshot above, you can see a classic distributed attack pattern emerging in the raw access log. Look closely at these specific indicators:

  • Rotating IP Addresses: If requests originate from completely different IP addresses (like the 192.0.2.14 and 198.51.100.42 examples shown) instead of a single source, it strongly suggests a distributed network is involved.
  • Identical Requests and Timestamps: If you notice multiple POST requests hammering the exact same file (such as /login.php) within the exact same second (12:15:01, 12:15:02), this rapid frequency points directly to automated bots.
  • Matching User Agents: If every single request uses the exact same browser string (like the “Mozilla/5.0…” example) despite coming from different global IPs, it is a massive red flag. This indicates that a coordinated script is executing the commands.
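As an added example (not part of the original article or its screenshot), the following Python script applies the three indicators above to a few constructed access log lines in the common "combined" format: it groups requests by method and path, counts distinct source IPs, checks whether a single User-Agent dominates, and counts the seconds in which the same path was hit more than once. The IP addresses, timestamps and User-Agent strings are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/Nginx "combined" log format (not taken from the
# article's screenshot). Three rotating IPs POST to /login.php within the same seconds
# using one identical User-Agent; one ordinary visitor fetches the home page.
SAMPLE_LOG = """\
192.0.2.14 - - [31/Mar/2026:12:15:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.42 - - [31/Mar/2026:12:15:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [31/Mar/2026:12:15:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.14 - - [31/Mar/2026:12:15:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.99 - - [31/Mar/2026:12:15:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Yield one dict per well-formed combined-format line; silently skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_distributed_attacks(text, min_ips=3, min_ua_share=0.9):
    """Group requests by (method, path). A target is flagged when it is hit from at
    least `min_ips` distinct IPs (rotating addresses) and one User-Agent accounts for
    at least `min_ua_share` of those requests (one script behind many IPs).
    Returns {(method, path): {"ips", "requests", "top_ua", "burst_seconds"}}."""
    by_target = defaultdict(list)
    for rec in parse_log(text):
        by_target[(rec["method"], rec["path"])].append(rec)

    flagged = {}
    for target, recs in by_target.items():
        ips = {r["ip"] for r in recs}
        if len(ips) < min_ips:
            continue
        ua_counts = defaultdict(int)
        for r in recs:
            ua_counts[r["ua"]] += 1
        top_ua, top_n = max(ua_counts.items(), key=lambda kv: kv[1])
        if top_n / len(recs) < min_ua_share:
            continue
        # Seconds in which the same target received more than one request.
        per_second = defaultdict(int)
        for r in recs:
            per_second[r["ts"]] += 1
        flagged[target] = {
            "ips": len(ips),
            "requests": len(recs),
            "top_ua": top_ua,
            "burst_seconds": sum(1 for n in per_second.values() if n > 1),
        }
    return flagged
```

On a real server, replace `SAMPLE_LOG` with the contents of the access log and raise `min_ips` to a level that fits your normal traffic.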

2. Block the Targeted URI at the Server Level

Once you identify the specific file or endpoint the bots are targeting (like the /login.php file from the previous example), cut off access to that path.

If the targeted file is not critical to your live frontend operations, drop the traffic at the server level before it ever consumes your PHP or database resources.

[Screenshot: Nginx configuration block that rejects the malicious requests]

The screenshot above shows a basic Nginx configuration block designed to reject these malicious requests. Depending on your web server stack, you can implement similar rules:

  • For Nginx: Add a location block in your main configuration file that returns a 403 Forbidden status for the targeted URI. You can specifically restrict POST requests while leaving GET requests open for regular visitors.
  • For Apache: Implement a strict deny rule in your .htaccess file using the <Limit POST> directive to reject the automated traffic instantly.

3. Implement Aggressive Rate Limiting

Since blocking every single rotating IP in a botnet is impossible, you need to restrict how many times any single IP can connect within a specific timeframe.

Tools like Fail2Ban allow you to create custom rules (known as “jails”) that automatically drop connections from abusive IPs.

[Screenshot: Fail2Ban configuration rules that drop abusive IPs]

As shown in the configuration above, you can set strict thresholds to protect your server and prevent database exhaustion:

  • Define ban conditions: You can configure Fail2Ban to scan your server logs and flag any IP that exceeds normal request limits. In this example, if an IP triggers 10 errors (maxretry = 10) within a 10-minute window (findtime = 600), it is classified as malicious.
  • Automate the ban: Once triggered, the system automatically blocks the offending IP at the firewall level for 2 hours (bantime = 7200). This instantly cuts off the botnet traffic and gives your resource-heavy dynamic pages time to recover.
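To make the jail semantics concrete, here is an added Python model (written for this article, not Fail2Ban's own code) of the maxretry/findtime/bantime rule described above: an IP that produces maxretry matching events within findtime seconds is banned for bantime seconds. The event stream is constructed and deliberately includes fifty distinct IPs with one failure each, which shows why a per-IP threshold alone does not catch a distributed botnet.

```python
from collections import deque


class BanTracker:
    """Fail2Ban-style sliding-window ban logic. Timestamps are plain seconds so the
    behaviour can be checked offline. This models the rule semantics only."""

    def __init__(self, maxretry=10, findtime=600, bantime=7200):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self._events = {}   # ip -> deque of event timestamps inside the window
        self._banned = {}   # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is forgotten."""
        until = self._banned.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned[ip]
            return False
        return True

    def record(self, ip, now):
        """Feed one matching log event (e.g. a failed login).
        Returns True only when this event triggers a new ban."""
        if self.is_banned(ip, now):
            return False
        q = self._events.setdefault(ip, deque())
        q.append(now)
        # Drop events older than findtime so only the recent window counts.
        while q and now - q[0] > self.findtime:
            q.popleft()
        if len(q) >= self.maxretry:
            self._banned[ip] = now + self.bantime
            q.clear()
            return True
        return False


def replay(events, **jail):
    """Replay (ip, timestamp) events through a jail config.
    Returns ([(ip, time_of_ban), ...], tracker)."""
    tracker = BanTracker(**jail)
    bans = []
    for ip, ts in events:
        if tracker.record(ip, ts):
            bans.append((ip, ts))
    return bans, tracker


# Constructed event stream (not from the article):
#  - 203.0.113.9 fails 10 times within 9 seconds            -> banned
#  - 198.51.100.5 fails 10 times spread over 20 minutes     -> never 10 in a 600 s window
#  - 50 different IPs fail once each at the same second     -> one attempt per IP, no bans
SAMPLE_EVENTS = (
    [("203.0.113.9", t) for t in range(0, 10)]
    + [("198.51.100.5", t) for t in range(0, 1200, 120)]
    + [(f"192.0.2.{i}", 30) for i in range(1, 51)]
)
```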

4. Temporarily Scale Server Resources

Analyzing logs and configuring firewall rules takes time. If your CPU or memory is already maxed out, your server might crash before your defenses take effect. Temporarily increasing your server capacity helps absorb the initial flood of malicious traffic.

[Screenshot: Cloudways vertical scaling slider to increase CPU and RAM]

Cloudways users can use the vertical scaling slider in the server management panel to instantly add CPU and RAM. This gives the environment enough breathing room to stay responsive while processing the new rate-limiting rules.

[Screenshot: Cloudways server scaling interface showing RAM and CPU specs]

The manual steps we covered are just the beginning. You have to dig deep into your server infrastructure to truly stop botnet attacks.

Manual mitigation is ultimately unscalable against thousands of rapidly rotating IP addresses. To handle threats that inevitably slip through, you need an automated, server-level solution like the Cloudways Malware Protection add-on.

Automated Solution to Stop Botnets: Cloudways Malware Protection Add-on

Because manual IP blocking struggles against rotating botnets, relying purely on perimeter defense is dangerous. You need deep server security to catch payloads once they actually reach your environment.

The Cloudways Malware Protection add-on operates at the OS level, continuously scanning for internal file changes. By utilizing runtime application self-protection (RASP), the system automatically isolates and neutralizes malicious scripts the moment they attempt to execute.

This secures your application from the inside out, completely bypassing the need to track individual IP addresses.

How to Enable Cloudways Malware Protection Add-on

Activating this server-level protection requires no manual configuration and runs without draining your application’s resources.

  • Navigate to Application Security: Log into your Cloudways account, select your target application, click Application Security from the left menu, and choose the Malware Protection tab.
  • Activate the Scanner: Click Enable Protection to activate real-time monitoring and initiate a comprehensive sweep of your server files and database.

[Screenshot: Enable Protection button in Cloudways Malware Protection]

  • Monitor the Dashboard: The dashboard categorizes automated actions into tabs like Malicious (listing isolated threats and file paths) and Proactive Defense (logs showing precisely when active scripts were blocked).

[Screenshot: Malicious tab showing quarantined threats in Malware Protection]

[Screenshot: Scan History tab tracking automated security scans]

[Screenshot: Proactive Defense tab logging blocked malicious scripts]

Wrapping Up!

Botnets use thousands of changing IP addresses to overload websites, force their way into accounts, and spread malware.

While setting up your server rules and checking your logs are good starting points, trying to block every single IP by hand during an active attack is a losing battle.

To effectively stop botnet attacks, website owners need to rely on automated security rather than manual blocks.

Instead of constantly trying to track and ban new IP addresses, using a tool like the Cloudways Malware Protection add-on secures your site from the inside out. It automatically finds and stops malicious files before they can run, ensuring your website stays protected without requiring constant manual intervention.

Q. What is a botnet attack example?

A. A common example is a Distributed Denial of Service (DDoS) attack, where thousands of infected devices flood a single website with traffic until the server crashes. Botnets are also frequently used for massive credential-stuffing campaigns targeting login pages.

Q. How do I know if I’m part of a botnet?

A. Your device may be infected if you experience sudden, unexplained slowdowns, frequent system crashes, or a rapidly draining battery. You might also notice unexpected spikes in internet data usage or unknown programs running in your system background.

Q. Is a botnet illegal?

A. Yes, creating, operating, or renting a botnet without the consent of the device owners is a severe cybercrime. It violates computer fraud and abuse laws globally, carrying heavy legal penalties including substantial fines and federal imprisonment.

Q. How do I remove a botnet virus?

A. To remove a botnet infection, immediately disconnect your device from the internet to cut off the attacker’s control. Then, run a comprehensive system scan using a reputable, up-to-date antivirus or server anti-malware tool to isolate and delete the malicious files.


Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
