Preventing DDoS Attack on WordPress site

Posted on Mar 04, 2021
Preventing DDoS Attack on WordPress site

WordPress undoubtedly hosts most of the websites on the internet, making it prone to common malicious attacks.

Distributed Denial of Service attack, commonly known as DDoS attack, slows or even completely halts a website making it inaccessible to the people using the service.

Our topic of discussion today revolves around how we can prevent DDoS attacks on our WordPress sites.

What is a DDoS Attack?


Let us first comprehend what a DDoS is before we jump into ways of preventing a DDoS attack. A DDoS attack entails many interconnected devices used by hackers to send fake traffic to a website’s server to overwhelm it.

These connected devices launch the attack separately whilst remaining unnoticed for a while until they are noticed and blocked. Using DDoS intensifies the impact of an attack, slowing down a server and finally bringing it down.

One funny thing is that attackers launching a DDoS attack don’t try to gain control of your server directly. They instead aim at bringing it down for some time, not to gain access.

ALSO READ: Cybersecurity in the eCommerce Industry: Security Threats & Best Practices

Why do DDoS Attacks happen?

There are several driving forces behind the execution of this type of attack, and below are some of the most common ones:

  • Tech-savvy juniors trying to explore and adventuring hacking. Seems fun, right? But the dangers could be too severe.
  • Groups of people who want to prove a political point.
  • Groups of people who are targeting particular websites of a specific region or country.
  • Attacks that are targeted at specific business service providers to cause monetary harm.
  • They are blackmailing and collecting ransom money.

The Dangers of a DDoS Attack?

DDoS attacks can vastly reduce the performance of a website or make it completely inaccessible, causing poor user experience, business, and monetary loss because mitigating such attacks can be costly.

Here is a breakdown of these costs:

  1. Inaccessible websites lead to loss of business.
  2. The cost of customer support to handle queries related to disruption of service
  3. Cost of deploying countermeasures by hiring professional security support services
  4. The highest cost and loss is the terrible user experience that affects the brand’s reputation.

ALSO READ: 10 Security Tips To Protect Your Websites from Hackers

How to Avoid DDoS Attack on WordPress


Deploying a content delivery network

A content delivery network (CND) is a service that caches a copy of your site on their respective data centers. CDNs act like middlemen between yourself and the site’s visitors.

A CDN enhances website performance, reducing the strain on the server and reducing website loading time.

In terms of preventing DDoS attacks, a CDN will prevent traffic from exhausting your site. It detects unusual traffic patterns, and In case it scales faster than expected, acts to mitigate a DDoS attack.

ALSO READ: Cloud Computing Security Issues and Challenges

CDNs such as Cloudflare act as reverse proxies to further protect a website from DDoS related attacks. 

Who uses a CDN? Many websites running on the internet can enjoy the benefits of using a Content Delivery Network to boost performance. It should not be a surprise, though, that most of them come as premium services.

On the bright side, there are many awesome CDN options out there that can easily integrate with WordPress.

Blocking access to the wp-login.php

A commonly used path for carrying out a DDoS attack in WordPress is the wp-login.php file. Cloudflare services enable a user to check the number of trials to access their wp-login.php file, and you might be shocked if you see the numbers.

Blocking access to these files is a sure recommended way to stay safe from hackers.

Activating a web application firewall (WAF) 

Another way of preventing DDoS attacks is activating WAF.  Smart algorithms identify malicious traffic and block it, thus guarding your website against malicious traffic. This way only good traffic is allowed.

There are various WAF solutions you can select. You should make sure the preventive mode suits your site, the pricing, complexity before choosing a plan. From our experience, we recommend using Sucuri.

It comes with free plugins and premium plans starting at 200 USD a year for one site. Another excellent choice is Cloudflare. For 20 USD a month, it offers free plugins and a pro plan to mitigate DDoS attacks.

Who should use a WordPress firewall?

Some WordPress security plugins go overboard and make strictly unnecessary changes that impact performance. We recommend using a free CDN instead of looking for a cheap and easy-to-use WordPress DDoS prevention method.

Supervising web traffic

It is not every time that a considerable size of traffic is right. DDoS attacks, in most circumstances, come as enormous traffic. It can sometimes be thought to be new users.

In case you notice huge unknown traffic, always be on the lookout because it might be an attacker looking to bring your server to its knees.

A suitable option would be installing monitoring tools to verify your log records and immediately alert you when visitors abruptly increase. Using this, you will avoid a DDoS attack targeting your site.

How to differentiate genuine visitors and DDoS attack:

  • Source IP: If your target is local customers, for example, but you receive massive traffic from abroad, then it should bring you to worry. 
  • Visiting time: If you see substantial local traffic coming in at 3 AM, something malicious is going on.
  • Business characteristics: For example, if your business is about selling beachwear, a huge traffic during summer would be usual.

Another approach would be to blacklist malicious IP addresses. This method is a bit more hands-on than others. It involves IP address monitoring and blacklisting those that show suspicious activities such as:

  • Multiple failed attempt
  • Massive traffic that seems unreasonable
  • IP clusters that could be flooding your site with traffic

Restricting Access to the WP-admin

The wp-admin area is where the most critical activities occur on your site, and you should be the only one accessing this area.

Activating Country Blocking


A type of geographical blocking that works in the same way as a website firewall. It serves to reduce website attack risks.

Even though you might not completely keep out attackers by blocking countries’ features alone, leveling up protecting is typical. You could consider preventing countries with many reported cases of cyberattacks in recent years from accessing your site.

Sucuri is still a good choice to enable easier blocking of countries.

ALSO READ: What SSL Encryption is and how it Works in WooCommerce

Disabling DDoS attack API

The central concept here is disabling some APIs to prevent attackers from using them to carry out attacks through your WordPress site’s API.

It would be best if you considered disabling these two APIs:


It enables third-party mobile apps to access your website, making it a commonly used DDoS target. Therefore, you may have to disable this API if a large number of your users do not interact with WordPress using the mobile version.

Add the following piece of code to the .htaccess file of your website to disable all XML RPC API requests:

# blocking xmlrpcc.php requests

<Files xmlrpc.php>

Order deny, allow

Deny from all



This API allows third-party plugins and other tools to access, modify, and delete content on your WordPress.

To disable this API, download the Disable WP Rest API plugin, which is free. After download, activate the plugin, and you are raring to go. Without any further configurations, it will begin working immediately.

Consider Changing your Hosting Provider

Almost all web service hosts brag about offering the best website performance. But that is typically not the case. Some web servers drastically fall in performance even under moderate strain, making such providers even terrible options when facing a DDoS attack.

On the positive side, most popular and reputable web servers implement a protection level against traffic floods at the server level. For example, ‘SiteGround’ uses a hardware firewall and always looks for an unusual number of connections.

‘WP Engine’ is another perfect example. It integrates with Cloudflare out of the box to offer DDoS protection across all its plans. However, those two options are far from others as far as DDoS protection is concerned.

ALSO READ: Breathe New Life into WooCommerce with Managed Hosting by Cloudways

Keeping WordPress up to Date

Regularly updating WordPress is a good idea. Why? It not only prevents DDoS attacks but also protects your site from other everyday hacks and attacks.

You should regularly update the following components on your site:

  1. WordPress install, theme, plugins
  2. The PHP version you are using
  3. Apache server, MySQL
  4. Any other software and scripts

What should I do if I’m Attacked in WordPress using DDoS?

So, what happens when you are a victim of a DDoS attack? You might be in trouble if hackers successfully crashed your server. It might cost a lot to recover the system, and it will affect your sales results and spoil your reputation.

Below are the instant responses recommended in case someone crashed your server:

Let your team members know what has happened

In case you have been attacked by a DDoS, let all the team members know what has happened and support you in deploying necessary countermeasures. Working together during a crisis gives you the maximum power.

Send a notification to service users

If you are running an online store for selling products, inform customers of what has happened either through mails or other communication ways. During a DDOs attack, customers cannot access their accounts to purchase products.

You might end up damaging your reputation if you don’t inform your customers. We recommend letting them know that your site is undergoing maintenance issues and your services come back live in no time.

Contacting your host provider

You should contact your host provider right after alerting your team members and customers, who might instantly help handle the attack since the hackers are attacking their servers. It is also crucial to contact your security provider.

Your host may come up with a better and faster countermeasure since dealing with attacks is within their area of expertise.

Implementing responses

It would be the best time to deploy countermeasures if you had them ready. Usually, the countermeasures work outside the box in case an attack happens. Please have this ready in advance.

If you did not prepare any security solution in advance, it would be better to contact your security solution since they already have an emergency response.

Evaluating performance of countermeasures

Please take into account the performance of countermeasures as they happen. Are the countermeasures winning, or the attacks taking control? You can easily modify your responses in case any attacks happen.

Let us hope this won’t happen, but as always, to prevent is better than to cure.

Keeping your WordPress Website Secure

Nowadays, websites, whether big or small, face the risks of DDoS attacks. Furthermore, some groups carry out DDoS attacks as a form of blackmailing businesses.

Therefore, deploying WordPress DDoS preventive measures is inevitably a smart move ahead of the attacker.

You can use the following ways to protect yourself from DDoS attacks:

  1. Use a CDN
  2. Block access to wp-login.php
  3. Activating a web application firewall (WAF)
  4. Supervise web traffic
  5. Restricting access to the wp-admin area
  6. Activate country blocking
  7. Disabling DDoS attack API
  8. Change host provider
  9. Update WordPress

You should note that the more visitors accessing your website, the more lucrative it is to attackers.

Preparation and preventing those attacks should be at the back of your mind. The steps highlighted above will help you overcome a DDoS attack and keep your business safe from general attacks.

If you have been attacked, do not panic. Just do the actions recommended above to bring back your site as soon as possible.

Do you have any important tactics for mitigating DDoS attacks?

Please drop your comments in the section below!

Acowebs are developers of Woocommerce dynamic pricing that will help you add bulk discounts to products on your stores. It also developed the plugin for adding various extra product fields which is called Woocommerce custom fields, that are lightweight and fast. You can easily update your store with these add-ons and enjoy a hassle-free experience, check out the best options for additional Woocommerce custom product addons.

Jamsheer K

Jamsheer K, is the Tech Lead at Acowebs and it's parent company Acodez. He mostly writes about Wordpress, WooCommerce and other programming languages and his writing normally comes from rich and hands-on experience in these technologies.