WordPress is one of the most popular website-building platforms, catering to most websites (around 30% of all websites). It is a secure platform, but that does not mean it is immune to DDOS attacks.

DDoS attacks or Distributed Denial of Service attacks are prevalent over the internet, slowing down websites and eventually making them inaccessible to users. The attacks can happen to both small and large businesses alike.

This tutorial will go through the steps to prevent any DDOS attacks on your WordPress website.

What is a DDoS Attack?

As mentioned earlier, a DDoS attack stands for Distributed Denial of Service and puts the victim’s web services out of order by sending many requests.

The DDoS attack is when an attacker sends traffic (called “requests”) through compromised networks and computers to the target to make the targeted system too busy to respond to any other requests from legitimate users.

It does this by overwhelming the target or its close infrastructure with a flood of traffic. The ultimate goal of the attacks is to slow down and eventually crash the targeted server.

Every server has a limit, and your WordPress site can only handle so many simultaneous visits before it begins to crumble under pressure. DDoS attacks evolved from DoS (Denial of Service) attacks. The difference is DDoS takes advantage of multiple machines or servers that are compromised across different regions.

The compromised machines form a network, often referred to as a botnet. Then, each affected machine acts as a bot and attacks the targeted server or system. This allows them to go unnoticed for some time and cause as much damage as possible before they’re blocked.

A key advantage for attackers to use distributed denial of service (DDoS) attacks, rather than a singular denial of service (DoS) attack, is that many machines located around the globe are being used to generate traffic and, as such, is it’s much harder for a website to track and thwart these attacks.

What will happen from a DDoS attack

If you fall victim to a DDoS attack, then a lot of negative things can happen, including but not limited to:

  1. The visitor’s experience will be negative. In the best-case scenario, the site will load slower than usual or, at worst, be shut down.
  2. If you have an eCommerce site, the site will lose sales, or if you provide content (like a blog site), visitors might go elsewhere for the information.
  3. Your site’s reputation will have a significant drop. This will affect your domain authority, relevance and trust, which are directly related to SEO.
  4. It will cost extra to repair the damages. The cost will depend on the duration of the attack, and it is hard to calculate because you must consider plenty of side effects like customer support and security experts to fix and repair the site.

Types of DDoS attacks

During a DDoS attack, a target server or network receives frequent requests from compromised systems, which makes the bandwidth limit of a network or resources of a server max out. This slows down the server response, and sometimes, the server becomes useless. There are various types of DDoS attacks. This article will explain the two most common DDoS attacks, Volumetric Attacks and Application Level Attacks.

Volumetric Attacks

A target site or a network receives traffic and requests from botnets and infected zombie systems in this type of attack. The examples of this attack category are connection floods, TCP SYN floods, and ICMP / UDP floods. This attack targets the third and fourth layers of the TCP / IP protocol called the Network Layer and Transport Layer. In these attacks, the attacker generates a high traffic bandwidth using infected systems.

Application Level Attacks

Application Level DDoS Attacks are called Layer-7 DDoS attacks. In these attacks, the actor sends traffic to specific website sections to target vulnerabilities in web applications. Application Level DDoS attacks do not make a website down but increase bandwidth consumption. It also slows the sites by a great deal. In these attacks, detection is hard since the traffic looks like it comes from real humans. The attacker in these attacks uses HTTP, DNS and SMTP requests.

How to Protect Your WordPress Website Against DDoS Attacks?

WordPress is one of the best CMS solutions, and a vast community of developers supports it. This cm is prone to vulnerabilities. Most users’ websites are being used as a zombie to attack other websites, and they are unaware of this. To reduce the threat of DDoS attacks, fix vulnerabilities in your WordPress sites. Steps to Protect Your WordPress Website Against DDoS Attacks are as below:

1.   Block XML-RPC functionality

XML-RPC functionality has been enabled by default since WordPress 3.5 and provides services like pingbacks and trackbacks. An attacker can exploit these functionalities to send HTTP requests to a target website. If thousands of compromised WordPress sites start to send requests to a target website simultaneously, a Large Application Layer DDoS attack can occur.

It is better to disable XML-RPC functionality on all of your WordPress websites, so they cannot be used to launch a DDoS attack using pingbacks and trackbacks. To do this, add the following code to your .htaccess file.


Order Deny, Allow 

Deny from all 


Notice: Alternatively, you can use a plugin like Disable XML-RPC Pingback to disable the pingback and trackback functionality and keep other functions of XML-RPC intact.

2.   Update your WordPress Version Regularly

Update the following options with your WordPress:

  1. WordPress installation
  2. WordPress themes
  3. Apache version
  4. WordPress plugins
  5. PHP version on the server
  6. Mysql version
  7. Contact your hosting company

You should contact the hosting company and discuss if the servers and network hardware are updated. Also, it would help if you asked them what security measures they provide.

3.   Use Security Plugins

You can add a layer of defence to your WordPress website by configuring a security plugin. There are multiple security plugins out in WordPress that you can add to your site. You can check the link here to see the complete list of DDOS plugins.

Here we will mention the top 5 plugins that you can use.

  • Cloudflare (recommended)
  • Disable XML-RPC Pingback
  • Protection Against DDoS
  • Stop XML-RPC Attack
  • Eazy XMLRPC Pingback Disable

What you should do during a DDoS attack

DDoS attacks can happen to anyone despite all the security measures in place. The top companies, like Cloudflare and Sucuri, always deal with them. So if your site is under attack, don’t worry: here are some things you can do to minimize the damage.

Inform the team

If you face a DDoS attack, you should first inform your teammates about the issue. This will help your team prepare to look out for potential issues and help with customer support queries.

Inform the customers

During a DDoS attack, the first line of attack will be on the site’s user experience. Therefore it’s best to let your clients know what is going on. You can announce that your website is having technical difficulties through your social media accounts, and everything will be back to normal soon.

If the attack is significant, you can also use your email marketing service to communicate with customers and follow your social media updates. Communication during these challenging times makes a huge difference in keeping your brand’s reputation strong.

Contact the hosting and security support.

Get in touch with your WordPress hosting provider. The attack you may witness could be part of a more significant attack targeting their systems. In that case, they will be able to provide you latest updates about the situation.

Contact your Firewall service and inform them that your website is under a DDoS attack. They may be able to mitigate the situation even faster and can provide you with more information.


WordPress is a very secure website builder, but hackers often target it due to its popularity. Luckily, you can follow many security practices to mitigate these security flaws. You have all the resources needed with the tap of a button to secure your WordPress site. If you haven’t done it already, take action and do something before it’s too late.

People also read: