How to Stop a DDoS Attack on WordPress Website

WordPress is the most used and popular Content Management System. The WordPress core system is very secure and reliable, and many popular websites are built on top of it. Its flexible plugin system can extend almost every possible feature to the core.

how to stop a ddos attack on wordpress website

But no matter how robust your structure is, there are intruders out there trying to attack your sites by starting DDoS Attacks.

Learn how to stop a DDOS attack from bringing down your website.

What are DDOS Attacks?

A distributed denial-of-service (DDoS) attack is a third party disrupting your site traffic by sending multiple superfluous requests

Back in 2017, even the big web hoster DreamHost faced a massive DDoS attack.

dreamhost ddos attack
Source: Wordfence

No matter who you are, DDoS attacks can be targeted anywhere if there’s a loophole in security.

Read a complete guide to secure your WordPress website from hackers with advanced options.

Here, we will guide you with the slightest details to keep all the threats from DDoS attacks away!

What is DDOS? 

DDoS, abbreviated for Distributed Denial of Service, is an attack on your site that sends multiple superfluous requests to your website from different sources to overload the system. Its goal is to slow down the response times of a website until it is not reachable anymore for legitimate requests from being fulfilled.

Once these attacks are successful, the intruders can inject a piece of code into your site and eventually hack it.

How to Stop a DDos Attack on WordPress Website

The requests are sent from other (WordPress) sites and hosts comprised of malware. These sites are used as a medium to attack.

It makes the server at your site busy with all these requests and eventually stops responding at a point, making it impossible for you to recover the site.

Attacks are targeted through different devices, making it go unnoticed, thus making it even easier to make the attack successful.

If you think your site is safe, think again since more prominent companies like Amazon, DreamHost, and PayPal have also been victims four years back.

Imagine the loss at their side. That’s why prevention is better than facing the circumstances.

What are the Reasons Behind the DDoS Attacks?

These are the multiple reasons why the attackers start DDOS attacks:

  • The Ransom: to collect money while keeping your site hostage is one of those reasons.
  • Attackers find pleasure and do it out of fun purposes.
  • People who like to attack a specific group of people.
  • Competition: The competitor wants to cause you monetary damage, can hire or attacks your site itself.

What is the BruteForce Attack?

Hackers try to login via guessing different combination of username and password. Once they have access, they can add malicious code to your site.

Remember, BruteForce and DDoS attacks are somehow different.

Types of DDoS Attacks

There are various types of DDoS attacks, but the widespread ones are as follow:

  1. Volumetric

That is the most common type of DDoS attack that means flooding the site with non-sense requests, which in return slow down the website or simultaneously results in a complete shutdown of the website.

  1. Resource Depletion

The attackers don’t take down the site entirely yet slow it down with constant attacks.

  1. Zero-Day

All these attacks require time and effort, but this one particularly asks for more than just attacks.

The intruders search thoroughly to find the weak points, and here’s where it all goes in vain from your side. Once the attackers find your weak spots, they plant their piece of code, which makes your site end up in worse conditions.

  1. Protocol

This one completely exploits the server and crashes the site, leaving it to be of no use.

What Particular Damages can be Caused by DDoS Attacks?

As explained above, the DDoS attacks end up slowing down your site, reducing the speed performance and the overall loading time. All damages caused by DDoS attacks belong to you ultimately, whether they are monetary or not. Below are certain damages that can be caused by DDoS attacks:

  • You may lose several orders on an eCommerce site.
  • The after-effects of not responding to customer queries, costing you all the hard work you’ve put into your site till yet
  • The burden of hiring security and hardware. While bringing up new people and explaining to them how to ensure the bandwagon is accurate will cost you lots of time and money for the recruits, whether people or devices.
  • In the end, user satisfaction is going to fail. Unexpected unavailability will end up losing your SEO (Search Engine Optimization) rankings, as well as the customers facing server or connection timed out error is the worst-case scenario. If your site is hitten by a large DDOS and it goes down, your users might get a message like this:

ddos attack on wordpress website

How to Stop a DDoS Attack on WordPress Website?

WordPress allows everyone to build websites without any technical knowledge, but this can result in losing the sites to these DDoS attacks.

As a beginner, it might be a lot to digest and understand what and how DDoS attacks work and how you can avoid them, but having a bit of knowledge to recognize the weak parts is always a good idea.

Tips and Steps to Prevent DDoS Attacks in WordPress

There are even easier ways no matter which rank of technicality you possess. All of these tips and steps will help you avoid the best of DDoS attacks.

Before doing anything, we recommend taking a backup of your website to revert in case of any mistake.

  1. Disable XML RPC

XML RPC allows third-party apps to interact with your site. Applications like WordPress for mobile use XML RPC to connect. So, if you are not using any of these applications, you can easily disable it to avoid any DDoS Attacks.

There are two ways to disable XML-RPC.

  • Via .htaccess Method

Disable xmlrpc.php using .htaccess:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


  • Via Plugin

If you want to disable XML RPC via a plugin, you can use one of these plugins to disable it:

Note: There are several other plugins available that can disable XML RPC.

  1. Disable REST API

The JSON Rest API is used to access, update, delete, etc. data from WordPress sites. To disable JSON Rest API, you can use Disable REST API.

  1. Activate WAF

Even though disabling the XML RPC and REST API makes your site protected on a limited level, so it’s better to install a WAF (Website Activation Firewall).

Website Activation Firewall acts as a proxy between your website and the traffic. It blocks all the unwanted data, malicious content, and fake Ids that try to interact, stopping even before reaching the site’s server.

Here is how WAF works on Sucuri!

Source: Sucuri

There are two types of WAF Implementation

  1. Cloud-based (implemented at hosting infrastructure)
  2. Hosted (usually, a plugin installed on WordPress)

Among the above two, I recommend cloud-based WAF as it stops attacks before reaching to your server.

Some of the WAF for WordPress

  1. Sucuri
  2. Wordfence
  3. Malcare
  4. Cloudflare
  5. StackPath
  6. Ninja Firewall
  7. Shield Security
  1. Constant Monitoring

Even installing all the firewalls in the world, or taking all the measures won’t help you sometimes.

You need to know how your site works to notice any slight changes in your website when DDoS attacks are being hurled over to your site.

  1. Updating WordPress

Make it a habit of constantly and promptly updating your WordPress and plugins. Most of the time, the WordPress core updates and plugins come with security enhancements that make your site safer than it used to be.

Before updating, make sure if the new update is working fine for other users. Sometimes new updates break some sites that are using either the old version of PHP or old version JQuery etc.

Things to update:

  • WordPress core
  • WordPress themes
  • WordPress plugins
  • PHP version
  • Apache server
  • Nginx server
  1. Taking Web Host Precautions

Contact your host and ask the recommended steps to avoid DDOS attacks. Usually, every host has some guidelines on how to prevent these types of attacks.

  1. Using Security Plugins

WordPress is a blessing when it comes to plugins, letting you do all the creativity with the plugins, but at the same, they can be a threat to your site.

Instead, with all those plugins running your site, having a security plugin can help with the security stuff. Some plugins keep the constant unknown logins out and hold the website safe.

Remember, security plugins are installed on WordPress, and requests are checked, blocked after reaching the webserver.

But the safe part is keeping knowledge of which plugin is genuinely authentic and recommended by the WordPress community.

Some recommended security plugins are:

Here is a glimpse of the Wordfence Dashboard and how it protects your site with:

  • Firewall
  • Scan
Source: Wordfence
  1. Use CDN

CDN (Content Delivery Network) is a group of servers distributed all around the world, and it can help you keep track and add extra security layers making it a secure path to flow.

Some of the CDN that prevent DDoS attacks are:

  1. Cloudflare
  2. Akamai
  3. StackPath

Cloudflare provides free protection against DDoS attacks.

how to stop a ddos attack on wordpress website

Even though these tips come handy every time, you need to be extra careful using any third party tool or plugin to keep your site safe.

The worst that happens after the DDoS attack is losing your site ranking and not being able to work at the same pace even after gaining access to the site after the attacks.