WordPress is a popular Content Management System today. There are many possibilities on how far you can take your site with WordPress. However, such colossal fame also makes WordPress a hot target for various attacks and security issues. 

The DDoS (Distributed Denial of Service) attack is one of such vulnerabilities. DDoS attacks on WordPress are more common than you might anticipate and have been increasing rapidly. Unfortunately, they also open the gate for other types of attack. So, the best thing you can do is learn how to stop a DDoS attack to save your business from a major hit.

This guide will explain what a DDoS attack is and what type of damages it can cause. Also, we will walk you through various ways to stop a DDoS attack. 

Let’s begin: 

What is a DDoS Attack on WordPress?

A Distributed Denial of Service attack, aka DDoS attack, is a cyber-attack that attempts to disturb the average traffic rate of a network, service, or server. The prime objective of a DDoS attack is to send a flood of traffic to a targeted server to slow it down and ultimately crash it. 

Flowchart of a DDoS attack
  • The hacker (in this case, botmaster) uses compromised devices and computers to send HTTP requests to a WordPress server. Those compromised devices form a network known as a botnet. 
  • Botmaster initiates the launch command to the botnet. The botnet then requests the target server to fetch data. Botnets can be hundreds and thousands of hosts requesting the same data at the same time.
  • A single request consumes certain resources from the target server. The server only has limited resources and the capacity to handle normal traffic at a particular time. When there is a flood of malicious traffic, it overwhelms the server. As a result, it slows down and even crashes. If your site resides on this server, it too becomes unresponsive.

DDoS attacks are becoming more frequent nowadays. It is rising with the passing years. 

Even larger internet companies are not immune to DDoS attacks. Back in 2016, a popular DNS service provider – DYN, fell victim to a DDoS attack. This attack affected many powerful websites such as Netflix, Amazon, PayPal, Visa, Reddit, Airbnb, The New York Times, etc.

Later in 2018, GitHub (a popular code hosting platform) suffered a DDoS attack. That attack sent 1.3 TB per second traffic to the servers. 

So you see, it is essential to know how to stop DDoS attacks on WordPress. You will learn it here in the last segment of this guide. 

Why Do DDoS Attacks Occur?

There can be many reasons for DDoS attacks. It all depends on the motivation of the botmaster. Here are some of the common types of triggers: 

  • People with technical knowledge find it adventurous. They might even do it out of boredom.
  • There may be a political reason behind such attacks. Such motivation leads botmasters to attack a particular region or country.
  • Attacks on specific service providers or businesses cause monetary harm. One can also get motivated to take out competitors.
  • To blackmail someone or a particular organization for ransom.

Damages from a DDoS Attack 

This type of attack is intended to crash a server to make websites inaccessible or lower their performance. Here are the main damages from a DDoS attack: 

  • It lowers the site performance or makes it inaccessible. 
  • It results in a poor user experience. It leads to increased bounce rates and plummeting conversions. 
  • It can decrease your site’s SEO ranking. 
  • It causes a financial burden to solve the issue by hiring professionals. In fact, a report estimates a loss of up to $120,000 for small businesses and up to $2 million for enterprises. 

Difference Between a Brute-Force Attack and a DDoS Attack

You may have heard about a brute-force attack. It is another form of a cyber attack like a DDoS attack. However, these two attacks are different from each other.

A brute-force attack is a popular attack to hack into a website. In contrast, the DDoS attack wants to overflow traffic to a server. Thus, the key difference between a brute-force attack and a DDoS attack is the goal. 

A brute-force attack aims to obtain unauthorized admin access to a site by guessing passwords or trying out random combinations. After gaining access, the hacker intends to steal personal information from the site or install malicious software in it to infect the computer or data. 

On the contrary, a DDoS attack aims to overwhelm a server to degrade the site’s performance and even crash it.

How to Stop a DDoS Attack on Your Website?

DDoS may be difficult to deal with as botmasters can cleverly disguise it. But, with these practices, you can prevent and stop DDoS attacks on your WordPress: 

1. Disabling XML-RPC

XML-RPC is a remote method call that uses XML to encrypt HTTP and calls as a transport apparatus. In simple words, XML-RPC is a system that enables you to add posts on your WordPress blog using weblog clients such as Windows Live Writer

If you are using a WordPress mobile app and want to connect to the services such as IFTTT or want to post blogs remotely, you need to enable XML-RPC. However, hackers can impose a DDoS attack on your site via XML-RPC. So, if you don’t use the mobile WordPress app, it is better to disable XML-RPC. 

You can do it in two ways: 

#Using a plugin

You can install a plugin called Disable XML-RPC on your WordPress. This plugin automatically disables the XML-RPC once you activate it. 

#Using the .htaccess 

You can also add a code to your .htaccess file to disable XML-RPC: 

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


2. Disabling REST API

REST stands for Representational State Transfer. REST in WordPress uses HTTP requests to access data and use it. It relates to the reading, creating, updating, and even deleting of those data. 

Likewise, API (Application Programming Interface) is a code that enables two softwares to communicate with each other. The API paves a correct path for requesting services from the application or OS. 

REST API lets plugins access and even delete your WordPress data. Therefore, it may act as an enabling factor for DDoS attacks. Thus, disabling REST API may help prevent and even stop a DDoS attack. 

You can install the Disable WP REST API plugin for this. Once activated, the plugin makes the REST API of your site inaccessible to unauthenticated users. However, the plugin only offers limited protection against DDoS attacks. Your website will still be open to usual HTTP requests. Also, you may face API service disturbances on your WordPress. 

3. Activating WAF (Website Application Firewall)

A WAF (Website Application Firewall) is the first layer of protection to prevent DDoS bots and hackers from entering your site. WAF acts as a proxy between the site and incoming traffic. WAF uses an intelligent algorithm to block suspicious requests before reaching the server.

It performs virtual patching of plugins, WordPress core, and theme vulnerabilities. 

WAF is a feature associated with hosting providers. If the feature is not built-in on your hosting package, you can sign up for Sucuri. It is the best security plugin and website firewall plugin. Sucuri runs on a DNS level. It means they catch DoS volumetric attacks before they can send requests to your site. 

Its pricing is as follows: 

  • Basic: $199.99 per year per site 
  • Pro: $299.99 per year per site 
  • Business: $499.99 per year per site

Alternatively, you could also use Cloudflare. The pricing is as follows: 

  • Free version 
  • Pro: $20 per month 
  • Business: $200 per month 
  • Enterprise: custom-based.

However, the free version only offers limited DDoS protection. You need to sign up for business plans to get seven-layer DDoS protection.

Note: WAF functions at the application level are less effective during DDoS attacks. 

4. Using CDN 

A CDN (Content Delivery Network) is a group of servers that are distributed geographically that deliver content to users all over the world. These servers work together to deliver internet content at a faster pace. 

It reduces the physical distance between the users and the servers thus improving the web performance.

There are several benefits of using CDN, one of which is the improved web security. CDN providers dedicate their effort and time to prevent DDoS attacks, web exploitations, and other cyber threats. 

Most of the popular CDN providers offer sufficient security measures to prevent scammers, bots, and other threats. Plus, they also provide DRM (Digital Rights Management) licensing using Apple FairPlay, Microsoft PlayReady, and other content protection systems. 

Thus, using a CDN service can be an easy and effective way of stopping a DDoS attack on WordPress. If you are not sure which CDN is good for you, here are the 10 best CDN providers.

Check out their details along with pros and cons. You can then figure out which suits you the best. 

DoS Vs. DDoS: What’s the Difference? 

DDoS attacks evolved from DoS attacks. Thus, it is necessary to know the difference between them. 

A DoS attack is an online attack where the botmaster tries to make computers or other devices unavailable to the users. They do so by disrupting the normal functioning of the device. Its goal is to manipulate the server into denying user access and interfering with the normal system.

However, a DDoS attack sends a flood of requests to a particular server and takes it down.

Unlike DDoS attacks that involve multiple machines, a DoS attack occurs between a single site and a single target. 

How to know if it is DDoS or Brute-Force?

Both DDoS and Brute-Force attacks use server resources and decrease their performance. As a result, symptoms in both the attacks look quite similar. Your site gets slower and may even crash. 

You can certainly know whether it is a DDoS attack or a Brute-Force attack by using the Sucuri plugin. 

Install and activate the Sucuri plugin

  • Now, go to the “Sucuri Security” on the dashboard and click on the “Last Logins” option.
Last logins option in the Sucuri plugin

  • Go to the ‘Failed logins’ tab.
Failed logins tab on Sucuri

If you see multiple login requests here, it means your site is under Brute-Force attack.

What to do under a DDoS attack?

You can use the Web Application Firewall of companies such as CloudFlare and Sucuri to help prevent a DDoS attack. However, in case of exceptionally large attacks, it may impact your site. Thus, it is better to prepare for a scenario where your site may be under a DDoS attack. Here are some tips to follow when your site is under a DDoS attack: 

1. Alert team Members. 

If you work in a team, it is best to inform them the moment you figure out it is a DDoS attack. Doing so will prepare them for any queries and figure out possible solutions. 

2. Inform Your Customers. 

A DDoS attack can cause a great inconvenience to your customer as it impacts the user experience. Unfortunately, it is true, especially for online stores. Your customers may not be able to log in or place orders. Thus, you can convey to them that the site is under technical difficulty and will soon be standard. 

Such a message will let them know of the situation and follow up sometime later. After all, communication is what will keep your brand image strong. 

3. Contact Your Hosting and Security Support. 

Contact your hosting provider and firewall service to inform them about the trouble you are facing. This may sort out the issue faster, and they may even provide more updates on the attack.

If you use Sucuri, you can set it to Paranoid mode. It will block multiple requests on your site, thus making it accessible only for legitimate traffic.


You cannot predict if your site is vulnerable to a DDoS attack or not. So the best you can do is learn how to stop DDoS attacks on WordPress before you become the victim of it. 

You just learned multiple ways to stop and prevent a DDoS attack. If you liked it, comment below. 

You might also check: 

About the Author

Nabin Jaiswal

Nabin Jaiswal is the co-founder of CoachPodium, WP Delicious, and other WordPress products. With over six years of experience in WordPress, he is passionate about writing and sharing his insights with the community. Nabin is committed to contributing to the community through knowledge-sharing and innovation. He has also had the privilege of being a speaker at multiple WordCamps, sharing his expertise and experiences.

View All Posts

Leave a Reply

Your email address will not be published. Required fields are marked *