All public websites are vulnerable to DDoS attacks, and WordPress sites are no exception. Fortunately, WordPress is a very flexible platform, so it supports effective defenses against attacks.

What is a DDoS attack?

A DDoS attack is a coordinated aggressive action carried out by a network of compromised computers or devices (botnet) that sends data en masse or requests data from a single server (target). The flow of requests exceeds the capacity of the server, slowing it down or causing it to fail due to insufficient resources.

Potential damage from a DDoS attack

A lot of bad things can happen to your site if it becomes the target of a DDoS attack.

For example:

  • This can negatively affect the perception of your visitors. At best, site responses can become slow; in the worst case, the entire site will be unavailable.
  • If your website is an online store, you could lose sales, and if it just serves content, your visitors could go to a competitor’s site.
  • Your website’s reputation can be severely damaged, both in terms of perceived brand reputation (i.e., your company is considered frivolous) and in terms of authority, relevance, and trust, which are the pillars of any SEO strategy.
  • The cost of restoring a site will depend on the duration of the attack and is difficult to quantify because there are many side effects to consider, such as the efforts of the support team to respond to user complaints about service disruptions, or hiring a security service to clean up your website.

Who are the victims of DDoS attacks?

Any website, regardless of its size and volume, can be the target of a DDoS attack.

Websites with discovered vulnerabilities are the simplest targets, but an attack can be deliberately targeted against any specific website. An attack can be carried out for ideological reasons, for example, to discredit a site that promotes certain political or religious ideas. It can also be a way of blackmailing the site owner and demanding a ransom, or it could just be the hobby of a group of tech-savvy people looking to showcase their skills.

You can also buy an attack (which is illegal): a company pays a group of hackers to attack its competitors. Whatever the reason, the bottom line is this: Any website owner must take steps to prevent a DDoS attack from harming the site.

How to protect your WordPress from DDoS attacks?

There are two necessary security measures to take to protect your WordPress site from DDoS attacks:

  • Get a good WordPress backup solution.
  • Get started with a cost-effective cloud-based DDoS protection solution.

A backup solution is what you need for many reasons, not just DDoS protection. There are many free and paid backup solutions in the WordPress plugin directory, so we won’t dive into this topic for now. If your website is damaged after an attack, restoring it with a safe backup is a quick way to get it back to normal.

When it comes to DDoS defense solutions, you have to ask yourself how much peace of mind you want and how much money you are willing to pay for it. If you don’t want to pay anything, you will have to take care of a lot yourself.

Do it yourself

One of the great things about WordPress is that it has an open architecture that allows third-party applications to integrate and interact with it. This is accomplished through several APIs (Application Programming Interfaces) available to programmers. The problem is that these APIs can be exploited in a DDoS attack to send a stream of requests. So the first thing to do is disable a vulnerable API called XML-RPC.

XML-RPC is only required if your WordPress website interacts with external third-party applications such as the WordPress mobile app. If you can do without them, then it is better to disable XML-RPC. This can be done simply by editing your website's .htaccess file to deny access to the xmlrpc.php program. Or, if you think it’s not safe to modify the internal files of the website yourself, you can download a plugin that will do the job for you.
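One way to write the .htaccess rule described above, covering both Apache 2.4 and Apache 2.2 syntax. This is an added example, not part of the original article or of any plugin's code; the address 203.0.113.10 is a placeholder from the documentation range.

```apache
# Added example: block every request to xmlrpc.php at the web-server level,
# so the request is rejected before PHP or WordPress is loaded.
# Place these lines in the .htaccess file in the WordPress root directory
# (the directory that contains xmlrpc.php), outside the
# "# BEGIN WordPress ... # END WordPress" block that WordPress rewrites.

<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
        # If one trusted client still needs XML-RPC, replace the line above with:
        # Require ip 203.0.113.10    (placeholder address, not a real client)
    </IfModule>

    # Apache 2.2 (no mod_authz_core; uses the older Order/Deny syntax)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        # To let one trusted client through, uncomment:
        # Allow from 203.0.113.10    (placeholder address, not a real client)
    </IfModule>
</Files>
```

The rule only takes effect if the server's AllowOverride setting permits these directives in .htaccess. Once it is active, any request to /xmlrpc.php should be answered with 403 Forbidden.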

Anti-DDoS plugins

There are several WordPress security plugins that fix other WordPress vulnerabilities.

Protection Against DDoS – This plugin solves performance issues caused by Brute Force and DDoS attacks. By performing all checks through the .htaccess file, it stops malicious requests at the web server level before they reach the WordPress site.

It also addresses an XML-RPC vulnerability, and its configuration options offer Cloudflare users the ability to deny access to visitors from specific countries.

Disable WP REST API – WordPress REST API is another popular CMS vulnerability that can be exploited. Fortunately, this vulnerability can be easily fixed with this ultra-light plugin. It uses just 22 lines of code – less than 2KB – and works by disabling the WP REST API for visitors not logged into WordPress. After installing and activating it, if logged-out visitors send JSON / REST requests to your site, they will receive a message that the REST API is limited to authenticated users.

Disable XML-RPC Pingback – over 80,000 installations and a 4.5 star rating; this plugin excludes all used methods from the XML-RPC interface. Additionally, it removes X-Pingback from HTTP headers, which prevents bots from reaching the xmlrpc.php file.

Security measures

If you want to completely forget about DDoS and other security issues in order to put all your efforts into your business, then you need a solution that covers all aspects.

Such a solution should include:

  • Web application firewall. A firewall stands between your site and the Internet, detecting and blocking hostile traffic.
  • Antivirus package for websites. It should periodically and automatically scan your website to detect any traces of malware and remove it.
  • Server scanning for non-infectious hacks, such as banner ads from unknown sites.
  • Audit / monitor the site to detect any suspicious activity such as file changes, new messages, new users, failed login attempts, and more.

Let’s take a look at the following solutions that provide comprehensive security for your WordPress site.

1. Sucuri

Sucuri is a well-known web security company with extensive experience with WordPress websites.

The moment you activate Sucuri on your site, they install a cloud proxy firewall between your site and the internet, filtering all traffic directed to your hosting server.

The firewall only allows legitimate visitors to enter your WordPress site. As a side effect, your website will have a faster response time thanks to the Sucuri cloud, and you can save hosting money by reducing the amount of traffic your server requires.

Sucuri’s pricing plans start at around $199 a year for a basic service, which isn’t all that basic, as it lacks just a couple of corporate benefits. The included features more than justify the price, but if that’s not enough to convince you, please note that they also offer a malware cleaning service along with blacklist removal.

2. Cloudflare

Cloudflare uses its huge CDN (Content Distribution Network) to protect your WordPress website from DDoS attacks, which, in addition to protecting it, makes your site faster. With more than 200 datacenters distributed around the world, the CDN is large enough to absorb and repel even the most powerful attacks, so you don’t have to worry about its mitigation capacity being overwhelmed.

The service is free for individuals and small (not business-critical) websites. The free plan includes DDoS protection, global CDN, and email support. Paid plans start at $20 per month, including web application firewall, caching analytics, mobile optimization, and more.

3. StackPath

A global network with a total bandwidth of 65 Tbps enables StackPath to resist the largest and most sophisticated DDoS attacks, covering the full range of attack methods, including HTTP, SYN and UDP floods. The StackPath platform collects and analyzes DDoS attack information across all of its edge to block all malicious attempts, no matter where they come from.

StackPath DDoS Protection is part of a package that starts at $20/month and includes CDN, Web Application Firewall (WAF), DNS, and monitoring services. These four services can be purchased individually for $10 per month each. Prices are scaled based on volume; for example, if you require a CDN of 100 TB/mo and WAF is requesting 50 MB/mo, you will have to pay $2,000 per month.


If your website crashes, gets blacklisted, or loses its reputation, don’t make excuses. You have all the resources at your fingertips to prevent disaster from destroying your favorite WordPress site. If you haven’t already, take action and do something before it’s too late.