How do I bypass WordPress 404 handling?

by

How do I skip WordPress altogether if there’s a 404? I’ve tried adding an ErrorDocument to the .htaccess with no joy.

The reason I’m asking is that we use a lot of custom fields and as such our site is quite slow, so I use heavy caching to get around this. We’ve been seeing quite a number of attacks of scripts running vulnerability scanning scripts which generate many 404’s a second and this overloads the server. I figure if I just return a simple html 404 document then this will significantly reduce load on the server during these attacks. The current WordPress 404 isn’t good enough for my purposes as it still loads relatively slow.

Any advice would be appreciated.

Thanks

Edit. I do not think it’s a duplicate of How do I skip wordpress’s 404 handling and redirect all 404 errors for static files to 404.html? as that relates to static files. My query relates to any 404 and the solution on that pages doesn’t work for my problem.

1 Answer
1

If you have a non-static request like:

example.tld/some-slug/

then you will need to run WordPress to see if that slug is available.

The webserver (nginx/apache) doesn’t know that, because WordPress will have to inform us about that through the 404 response header.

If your site has only few pages, then you could tell the webserver about it beforehand.

I don’t know if there exists any webserver modules that can store the existing WordPress sitemaps (on disk or memory) to pre-check for possible 404 errors.

If this slug doesn’t exists and you get thousands of requests on that slug, then you might try to cache the 404 response.

There are cache plugins out there that can do that.

But that might not be so useful if the attack consists of random slugs:

example.tld/azwc/
example.tld/eldw/
example.tld/tpwh/
...

Then you could block the IP address, but most likely there are thousands of IP addresses as well.

Then you might try services that collect and block large number of bad IP addresses.

Any way, you should try to trim down your 404.php page.

The defense might depend a lot on what kind of attack requests you’re getting.

Leave a Comment