Frequently Asked Questions

General

  • Who are you?

    Deflect is created and maintained by eQualitie, a Canadian not-for-profit technology group. We are a small but dedicated team focused on providing dependable, performant and ethical technology solutions for protecting and promoting freedom of expression and association online. Deflect has been in continuous operation since 2011, serving 80 million unique readers every year.

  • What else does eQualit.ie do?

    eQualitie’s mission is to promote and defend fundamental freedoms, human rights, and the free flow of information online. Our goal is to create accessible technology and improve the skill set needed for defending human rights and freedoms in the digital age. With 25 staff and 5 board members operating from 10 different countries, eQualitie excels in delivering results on high impact technology projects and capacity building initiatives. Check out our website!

  • Why was Deflect created?

    Deflect was created out of necessity: there is an urgent need for this service amongst individuals and groups who are under threat of cyberattacks yet are unable to afford commercial mitigation services.

    Most DDoS attacks are rudimentary and can be mitigated by good technology. Many website administrators doing good work in potentially hazardous circumstances simply don’t have the time or resources to allocate for a dedicated technical team.

  • Which websites use Deflect?

    We do not disclose the identity of our partners (nor will we disclose yours) to the public, other partners or project donors. All websites protected by Deflect are built and maintained by not-for-profit human rights and independent media organisations that work for and according to the principles enshrined in the UDHR.

Deflect FAQ

  • What is Deflect?
    • Deflect is a reverse caching service for websites vulnerable to Distributed Denial of Service (DDoS) attacks. Though the websites don’t change their IP addresses, Deflect ensures their home servers don’t have to deal with a sudden influx of artificial visitors or ‘bots’ trying to drag the sites offline. Instead, these requests all get redirected to Deflect, a network of servers built specifically to handle them.
    • Meanwhile, legitimate traffic to the websites still gets full access to all published content. Unlike commercial mitigation services, we do not charge and we will not change the Terms of Use. There is no contract nor minimum length of time in which to stay on the network.
  • Can you protect my website?
    • Yes. We can protect your website from being overwhelmed by too much traffic, whether that traffic is malicious in origin or is the result of great popularity.
    • We also hide the origin server address of your website, which helps protect against other types of attack, such as password hacking. If a hacker can’t find your host, they can’t launch an attack.
    • Deflect is specifically designed for DDoS-mitigation. It is not a catch-all web security suite nor a web hosting provider.
  • Does my website need Deflect?
    • Probably. You do not need to be under constant attack to need Deflect, just to have a reasonable suspicion that your site may be targeted by hackers and DDoS attacks.
    • Some of the sites under our protection are subject to near-continuous DDoS attacks, while others may go months without any suspicious traffic.
    • It is possible to wait for an attack and switch over then (see Can I switch to Deflect during a DDoS attack?) but it is much more effective to switch in advance.
  • Can I use Deflect while my website is under construction?

    Yes you can. All you need to join Deflect is a registered domain name. 

    After that we can point to your dev environment or you can build your website in situ.

  • How much does it cost?
    • The Deflect service is free to any website or network of websites that represent human rights organizations, activists, dissident bloggers or independent media. There is no contract and you may use the service when you please.
    • Thankfully it costs us a remarkably small amount to maintain our network of edges.
  • I’m already paying for hosting, do I really need this?
    • Very likely. We provide our service on top of your hosting for free. It can reduce the cost of your hosting by greatly reducing the amount of traffic your host server has to deal with.
    • There are some dedicated hosts that advertise their DDoS preparedness but it can be an expensive and restrictive business.
    • If your website runs on WordPress, we can also offer you free and secure hosting with eQPress. Learn more about this option.
  • Do I need to move my website to your servers?
    • No. Deflect is a DDoS mitigation infrastructure, not a website host. To join Deflect you simply need to change your DNS records. Your website remains on its original hosting provider. We can advise you on more reasonably priced and reliable providers if you are unhappy with your current host.
    • If you need free secure hosting and your website is based on WordPress, we can offer you this option with eQPress.
  • Can attackers go around Deflect to DDoS my website?

    If attackers know your webserver’s IP address, they can.

    Deflect protects you from this by hiding the IP address of the server where your site is hosted. Once behind Deflect, your website’s name will resolve, with DNS, to Deflect’s IP addresses. Only Deflect then knows what the real IP address of your website’s server is, while public visitors will only see Deflect’s IP addresses associated to your website.

    Once you are behind Deflect, there are two ways attackers can locate your web server:

    • Through other services that aren’t behind Deflect, like an email server. It’s important to make sure other services have their own IP addresses.
    • Historical DNS records. We can advise you on whether your web server IP can be found on the internet, and how to get a new one - if you need it.
  • If I have a problem or a question how quickly will you respond?

    We treat all support requests with priority. Sometimes, a complicated network incident or a series of other support requests may make it difficult to process your request immediately. Our goal is for every request to be answered within six hours.

    Our team is distributed around different time zones. Someone is always online to process your request. This is why we always recommend that you use the Deflect Support system for creating incident or support tickets.

  • Who has control of my website?

    You do. We simply help deliver the content but we make no changes to it. You could say we control the backup, since switching your DNS to our servers means there is an automatic backup of your site every time you get a visitor.

  • Does my website qualify for protection?

    We evaluate websites by two key criteria:

    • Is your work not-for-profit and concerned with independent media and/or defending human rights?
    • Do you have reason to believe your website may be subject to a DDoS attack because of the work you undertake? Or have you already been targeted?

    Read more on the Eligibility page. 

  • Is there a contract?
    • No. You are free to join or leave the Deflect network any time.
    • When you subscribe, we ask you to agree to our Terms of Use and Privacy Notice.
  • Does it affect my ad revenue?

    Deflect won’t affect your ad revenue. We cache only the content hosted on the origin website, not external content (such as ads served by Google Ads). Your readers’ web browsers will still be able to retrieve unique ads, analytics hit links, or other content from these third-party services.

  • Can I switch to Deflect during a DDoS attack?

    Yes you can! However, the normal registration process may change depending on what exactly the attackers are targeting and how your current hosting set-up is responding to it. Get in touch with us if you have any questions.

  • Does it make my website slower?

    No, in fact it should make pages load faster for your readers. That’s the beauty of caching servers – they quickly reply with static content. Also, by absorbing the majority of traffic destined for your website, we reduce the strain on your server and allow it to process specific requests quicker. This is the case on a day-to-day basis, not just during a DDoS attack.

  • How do I change to Deflect?
    1. Check if you qualify for protection according to our eligibility criteria.
    2. Go to the sign-up form and follow these instructions.
    3. Change your DNS records to point to Deflect.

    All things being equal, that’s all it takes.

    We also recommend that websites change their server IP address after switching to Deflect: if no DNS records point directly to your server, your new IP will never be revealed and its true location can be hidden from the Internet and from potential attackers.

  • Which attacks does Deflect protect from?

    First and foremost, Deflect can protect your website from various denial of service attacks. Our defense-in-depth approach has ensured 10 years of successful operations and we proudly maintain a 99.99% network up-time. Read more about other types of attacks that Deflect can protect you from.

  • How does Deflect protect my website?

    All traffic bound for your website will go through Deflect’s distributed caching infrastructure first. It is our job to serve all legitimate requests and to protect your server from illegitimate requests and malicious hits. We have capacity to manage tens of thousands of requests per second and can deal with any size attack. Trust us, we’ve been tested through the years! Read more about our solutions here.

    An even better level of protection is to host your WordPress website with us on the managed eQPress platform.

  • If my website has never been attacked before, nor do I expect an attack in the future, do I really need Deflect?

    We think so, yes. Deflect is not only helpful for your web security needs. Our global caching infrastructure will mean that your readers receive content quicker than before, also improving the website’s SEO. With Deflect, you will have real-time visitor statistics, free TLS certificates (https://) and enterprise level support to answer all of your questions. In addition, your commercial contribution allows us to protect many human rights and independent media organizations around the world. Take a look at some of them.

  • Can attackers go around Deflect to damage my website?

    In theory, yes they can. However, if you follow our recommendations for a secure setup during Deflect registration and immediately thereafter, it will be difficult for attackers to target your website directly. Here are three important steps you can take to reduce the likelihood of this scenario:

    1. Change your server IP address after switching to Deflect: If an attacker knows your real IP address, they can target it directly, bypassing Deflect’s protection. Often these addresses can be found in historical DNS records. Other times, you may expose the server’s address by running mail services on the same machine or by pointing various sub-domains to it. DNS records are public and you should take care not to run any services other than your website on the primary IP address. Once your website is behind Deflect, only we should know the real location of your hosting server. We automatically hide these records from DNS, exposing our network edges instead.
    2. Disable pingbacks and trackbacks on your website: These services exist to automatically reply when a website has linked to yours. Whenever someone publishes an article (or pretends to), your pingback service will reply directly to them, revealing your website’s real IP address. You can disable these services manually. Here’s a guide for how to do this on WordPress websites.
    3. Even if an attacker does not know your real IP address, they can still send POST requests that reach it. These types of requests are not cached and it is Deflect’s job to pass them to your origin server. POST can include form submissions, mailing list sign-ups or search queries. Your web server should be able to handle most POST requests and Deflect’s mitigation system will notice and prevent malicious use of POST. However, consider whether your readers really need the search function on your website, as that is the most resource-intensive query for your webserver to process.

eQPress FAQ

  • What is eQPress?

    eQPress is a secure, stable and user-friendly hosting infrastructure based on the WordPress blogging platform and protected by Deflect.

  • Who can have their website hosted on eQPress?

    eQPress offers website hosting to anyone who already uses or wants to use WordPress for their website and qualifies for protection under the terms of Deflect’s eligibility criteria.

  • How can I create my site on eQPress?

    If your existing website or the new website you want to create is eligible under Deflect, you can ask Deflect’s team for an eQPress account.

    To do so, you first need to register a domain (if you don’t have one already) and then sign up with Deflect. When the registration is completed, you can ask Deflect’s team to create a new site for you or to migrate your site to eQPress.

  • How can I migrate my WordPress-based website to eQPress?

    After you have signed up with Deflect, you can migrate your site to eQPress by following these instructions, or we can do it for you. We will just need a MySQL database dump and the complete backup of all of your WordPress site files. This will allow us to do any tuning of the site that may be needed from the beginning.

  • Can I get my own IP?

    No. To mitigate the risk of DDoS attacks, eQPress has been created ad hoc to protect your WordPress-based website under the Deflect network, so you cannot get your own IP.

  • Is multisite supported?

    Yes it is. eQPress supports both subdomains (sub.example.com) and subdirectories (example.com/sub).

  • What do you mean by secure?

    Websites hosted by eQPress are secure because they are protected against DDoS by Deflect, which also protects from some malware attacks. Furthermore, the websites are hosted on hardened servers that are run by an experienced team. Please keep in mind that you are still responsible for keeping all your themes, plugins and WordPress version up to date!

  • Will my site be accessible on HTTPS?

    HTTPS certificates can be added via the Deflect Dashboard. By following the procedure to install your TLS certificate, your website will be accessible on HTTPS.

  • Will my site be protected from DDoS attacks?

    Yes, definitely! eQPress has been developed as a hosting platform protected by Deflect, a distributed denial-of-service (DDoS) mitigation service created to neutralize cyberattacks against independent media and human rights defenders.

  • What about other attacks?

    Deflect does not only reduce the risk of DDoS attacks; it also protects the backup copies from possible attacks. However, if you use pirated plugins and themes, or if you never update them, eQPress won't be able to magically protect your website.

  • How often is my site backed up?

    Websites hosted on eQPress are backed up every day, and the backup is encrypted and stored on Deflect’s servers. The system also has a mirror backup for failover. This gives our team the ability to switch to this mirror server if we have problems with the master eQPress server in the cluster.

  • What version of WordPress will my website run on?

    eQPress is based on the latest version of WordPress and updates are carried out regularly.

  • When will my WordPress core get updated?

    WordPress periodically releases maintenance updates. These are typically for significant bug fixes or security issues. Since these upgrades might have security implications, and because WordPress’ popularity makes it susceptible to an exploit being quickly released, we encourage you to apply these upgrades as quickly as possible. If your website has critical vulnerabilities that are already patched in the new version of WordPress core, themes or plugins, we may apply these updates for you to protect the website. If any functionality or design is broken after these updates are applied, it is your responsibility to fix these issues, disable plugins or change themes.

  • Can I install any theme I like?

    Yes, but if we find the theme to have a security vulnerability, we may decide to block it. Please do not use pirated themes and plugins. Make sure that your licences and subscriptions are active and that you are able to receive security updates and new versions!

  • Can I install any plugin I like?

    Yes, but if we find the plugin to have a security vulnerability or large performance flaw, we may decide to block it. Please, please do not use pirated themes and plugins. Make sure that your licences and subscriptions are active and that you are able to receive security updates and new versions!

  • How do I get support?

    The best way to submit a support issue is through the Deflect Dashboard. Do not use outreach emails or feedback forms to request support: support tickets created in the proper way are considered high-priority and we will try to start working on the issue as soon as possible, while feedback form results may only be evaluated occasionally. Use the right channel!

Technical FAQ

  • Is Deflect down or just me?

    ‘Is Deflect down?’ is a question we often hear from our users. Usually the answer is ‘no’ and the problem likely lies with your webserver not responding to our edges, or with your provider, who has automatically blocked some of our edges. You can always check if Deflect is really down by opening https://deflect.ca which is protected by the same infrastructure as your website. To get a list of our edge servers (so that your provider knows not to block them) please contact us through the Deflect Dashboard.

  • Do you support SSL or TLS?

    Yes we do! You can bring your own certificates to Deflect or have us generate new certificates for your website with Let’s Encrypt. You can choose in the control panel whether to force secure connections over TLS (https://) or to allow both insecure and secure connections.

  • What is a Let’s Encrypt SSL certificate?

    Let’s Encrypt is a free certificate authority. It allows users to automatically generate certificates for their web domains for free. The purpose is basically to make the process of setting up a secure website easier so that secure websites can become ubiquitous.

    Since the process of creating SSL certificates with Let’s Encrypt is pretty simple for anyone who can use a command line, many Deflect users may be interested in generating their SSL certificates in this way. If you are planning to join Deflect and want to generate SSL certificates with Let’s Encrypt beforehand, follow the instructions on the Let’s Encrypt website.

    If, on the other hand, your website is already under the Deflect network, and you want to generate new SSL certificates with Let’s Encrypt, there are some details you need to know for the certificates to work correctly.

    Let’s Encrypt tries to make configuration as easy as possible for users with its letsencrypt-auto tool, but unfortunately its automatic configuration won’t work for Deflect, and sites under Deflect protection fail to verify the certificate names when queried. In order to prevent this from being an issue, and also to ensure uptime, you can use the webroot option to write the required data directly to the server’s webroot. An example of a generation command for equalit.ie is:

    ./letsencrypt-auto certonly --webroot -d equalit.ie,www.equalit.ie --webroot-path /var/www/equalit.ie/

    Depending on how your webserver is set up, the path /var/www/equalit.ie/ should be replaced with the correct path for your site. If, for example, your domain is example.com and your CMS and content files are in the /wordpress folder, the path will be: /var/www/example.com/wordpress

    These certificates then need to be uploaded to the Dashboard as normal.
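
    A preflight check for the webroot method described above, as an added example (not part of Let’s Encrypt or Deflect tooling): ACME HTTP-01 validation fetches a file from /.well-known/acme-challenge/ on your domain, so the script writes a throwaway probe file there and confirms it can be fetched back through the public URL. The function name and the URL in the usage line are assumptions.

```python
import os
import secrets
import sys
import urllib.error
import urllib.request

# Directory (relative to the webroot) that ACME HTTP-01 validation reads from.
CHALLENGE_DIR = ".well-known/acme-challenge"


def webroot_serves_challenges(webroot, base_url, timeout=10):
    """Return True if a file written under <webroot>/.well-known/acme-challenge/
    can be fetched, byte for byte, from <base_url>/.well-known/acme-challenge/.

    webroot  -- the directory you intend to pass as --webroot-path
    base_url -- the public URL of the site, e.g. http://example.com (assumed)
    """
    token = "probe-" + secrets.token_hex(8)   # unique name, so no cache can answer
    body = secrets.token_hex(16)              # random content to compare against
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(body)
    try:
        url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode().strip() == body
    except (urllib.error.URLError, OSError):
        # 404, connection failure, TLS error: the CA would not get the file either.
        return False
    finally:
        os.remove(path)                        # never leave the probe behind


if __name__ == "__main__":
    # Usage: python3 preflight.py /var/www/example.com http://example.com
    ok = webroot_serves_challenges(sys.argv[1], sys.argv[2])
    print("webroot is reachable" if ok else "wrong webroot path or path is blocked")
    sys.exit(0 if ok else 1)
```

    A False result usually means the path given is not the directory the webserver actually serves, or that a rewrite rule is intercepting /.well-known/ before it reaches the filesystem.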

  • My SSL certificate is broken

    If your browser warns you that your website or SSL certificate is insecure after migrating to Deflect, this is normal: the site can be temporarily unavailable for 5 to 10 minutes due to the timing of Let’s Encrypt certificate generation. Therefore, it is best to switch DNS during low-traffic hours to minimize disruption.

  • How to secure my server behind Deflect?

    Change your webserver IP after switching to Deflect. This will make it harder for anyone to target your server with a direct attack. In an ideal scenario, all traffic destined for your website will go through Deflect. However, before you joined the service, it’s likely that your server’s IP address existed in public historical DNS records, e.g. https://viewdns.info/iphistory/

    Make sure account access at your domain registrar is secure – protected by a strong password, 2-factor authentication and complicated reset questions. We sometimes see attackers socially engineering the registrar to take control of your domain.
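
    One way to check your own zone for records that still give away the origin server, as discussed in this answer and in the earlier answers on going around Deflect (an added example, not Deflect’s own tooling): the script parses a zone export in "name ttl IN type rdata" form and lists every record that leads to the origin address directly, through a CNAME or MX target, or through an SPF ip4:/ip6: entry. The SPF check goes slightly beyond the cases named on this page; the zone contents, host names and addresses are constructed.

```python
import ipaddress
import re

# Constructed zone export for illustration. 198.51.100.10 stands in for a
# Deflect edge and 203.0.113.7 for the origin server (documentation ranges).
SAMPLE_ZONE = """\
example.org.        300 IN A     198.51.100.10
www.example.org.    300 IN CNAME example.org.
mail.example.org.   300 IN A     203.0.113.7
example.org.        300 IN MX    10 mail.example.org.
dev.example.org.    300 IN CNAME origin.example.org.
origin.example.org. 300 IN A     203.0.113.7
example.org.        300 IN TXT   "v=spf1 ip4:203.0.113.7 -all"
"""


def _norm(name):
    return name.rstrip(".").lower()


def parse_zone(text):
    """Return (name, type, rdata) tuples from 'name ttl IN type rdata' lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2].upper() == "IN":
            records.append((_norm(parts[0]), parts[3].upper(), parts[4].strip()))
    return records


def find_leaks(records, origin_ip):
    """List the records through which origin_ip can be learned from public DNS."""
    origin = ipaddress.ip_address(origin_ip)
    addrs, cnames = {}, {}
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(name, set()).add(ipaddress.ip_address(rdata))
        elif rtype == "CNAME":
            cnames[name] = _norm(rdata)

    def resolve(name, hops=0):
        # Follow CNAMEs inside the zone; the hop limit makes loops terminate.
        if hops > 8:
            return set()
        if name in cnames:
            return resolve(cnames[name], hops + 1)
        return addrs.get(name, set())

    leaks = []
    for name, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            hit = ipaddress.ip_address(rdata) == origin
        elif rtype == "CNAME":
            hit = origin in resolve(_norm(rdata))
        elif rtype == "MX":            # rdata is "<preference> <mail host>"
            hit = origin in resolve(_norm(rdata.split()[-1]))
        elif rtype == "TXT":           # SPF mechanisms naming an address or range
            nets = re.findall(r"\bip[46]:([0-9A-Fa-f:./]+)", rdata)
            hit = any(origin in ipaddress.ip_network(n, strict=False) for n in nets)
        else:
            hit = False
        if hit:
            leaks.append((name, rtype, rdata))
    return leaks


if __name__ == "__main__":
    for name, rtype, rdata in find_leaks(parse_zone(SAMPLE_ZONE), "203.0.113.7"):
        print("%-20s %-6s %s" % (name, rtype, rdata))
```

    The audit only sees the zone as it is today; an address that already appears in historical DNS records stays discoverable until the server IP is changed, as recommended above.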

  • Will people know my site is being protected?

    Operationally, we prioritize our clients' privacy by refraining from disclosing our relationship with them without their explicit consent, ensuring a high level of confidentiality. Technically, the Deflect protection service is not overtly visible to the general user, but individuals with specific knowledge may be able to identify it by closely examining the web page headers.

    When anyone tries to access your website editorial login page (e.g. /wp-admin) they may see the Deflect password protection page. Also, whenever our machine learning has initiated automatic mitigation measures, or when extra protection has been triggered either by you or our network operations, a challenger will appear before your website loads.

  • Why is Deflect Open Source?

    Because it’s part of eQualitie’s values. Also, Deflect has been built using open source software. We would like to honor that commitment and also contribute back to the community – opening our source code to the public. We share the fruits of our labour in the hope that others can learn from it, build on top of our code and continue this commitment to mutually beneficial software development. A security infrastructure should be built on good code and software development principles, not secrets. If we don’t have anything to hide, we are not vulnerable to the exposure of that secret. The onus of good coding is on us, and in practice, this usually makes the attacker’s mission more difficult.

  • Where are your servers?

    Our VPSs are spread across three continents in secure locations.