How to Stop a WordPress DDoS Attack

Repeated spikes in traffic are not always a good thing for WordPress sites. On the one hand, it could mean that new visitors are finding your site. However, it could well be more sinister, like an attack

Perhaps your site is getting an unprecedented amount of traffic, and your site is becoming sluggish in response. It may well be a sign of a WordPress DDoS attack or even a brute force attack. Either way, we’re here to help. 

In this article, we will talk about how to mitigate the fury of a WordPress DDoS attack and make sure your site doesn’t pay the price. 

TL;DR: The only way to stop a WordPress DDoS attack in its tracks is to install a robust firewall. A DDoS attack floods a server with requests, disrupting its functioning and slowing down a site to the point of crashing. MalCare has an advanced WordPress firewall, bot protection, and extensive activity logging, ideal for reducing the impact of attacks and protecting your site.

What is a DDoS attack on WordPress?

A distributed denial of service (DDoS) attack on a WordPress site is a form of cyberattack that aims to disrupt normal functioning. It floods a site’s server with so many requests that all the resources are consumed, and the site becomes sluggish to the point of crashing

A DDoS attack is a step up from a DoS attack, employing multiple servers distributed across various locations instead of just one. These servers collectively form what is known as a botnet.

Imagine your site receiving hundreds of requests per second, coming in from thousands of bots from all over the globe. These types of attacks can cripple a site for the duration of the attack.

Ironically, the primary objective of a DDoS attack is not to compromise the target system with malware or gain unauthorized access. Instead, it aims to disrupt and disorient. Sometimes this is a tactic to divert attention, but sometimes it can just be malicious behavior for its own sake.

While DDoS attacks specifically targeting WordPress sites are relatively uncommon in our extensive experience as security providers, the real vulnerability lies in potential site compromises. Once a WordPress site is compromised, it can be commandeered to participate in a botnet, contributing to attacks on other targets. Therefore, it is imperative to prioritize robust security measures to safeguard against both DDoS attacks and potential site breaches.

How to detect a DDoS attack

Being able to identify a DDoS attack promptly is crucial in mitigating its impact on your WordPress site. Some telltale signs to watch out for are:

Sluggish performance or unresponsiveness: If your website experiences a significant slowdown or becomes entirely unresponsive, it may indicate a DDoS attack. The influx of malicious traffic overwhelms the server’s capacity to handle legitimate requests.

Site crashes: If your website crashes without any apparent cause, such as scheduled maintenance or updates, or if your hosting provider reports no downtime on their end, it could very well be a sign of an attack.

Usage alert spikes: If you’ve configured resource usage alerts with your web host, keep an eye on them. Excessive traffic requests will consume bandwidth and CPU cycles, and your web host may send you a hefty bill as a result. 

Unusual traffic patterns: An unexpected surge in traffic, coupled with unusual engagement metrics like high bounce rates, can indicate a DDoS attack. This sort of traffic signifies a flood of bot traffic that lacks genuine user interaction.

Server response errors (e.g., 503 Service Unavailable): These HTTP status codes indicate that the server is unable to handle the request, and perhaps the reason is a massive surge in requests. 

Ordinarily, a good firewall will mitigate a DDoS attack to the point that you remain blissfully unaware of its occurrence. We strongly recommend installing MalCare’s firewall to prevent not only DDoS attacks but any others that may compromise your WordPress site. 

How to stop a DDoS attack

When faced with a potential DDoS attack, taking swift action is critical to keep your site up and running. 

Install a robust firewall

This is your first line of defense. A reliable firewall like MalCare acts as a shield, intercepting and neutralizing DDoS attacks even before they reach your server.

MalCare ensures seamless operations on your site during an attack because none of the malicious requests pass through. Similarly, it defends your site against other more pernicious threats like SQL injection and remote code execution attacks.

Protecting your site with MalCare is quite simple as it takes only a few steps.

Step 1: Go to your WordPress site’s dashboard, hover your pointer over Plugins to open a sub-menu, and click on Add New.

Step 2: Search for MalCare using the Search plugins… text box.

Step 3: Install and activate the plugin, and you are all done!

Enable bot protection

Most attacks are executed by bots, and DDoS attacks are no exception. You’ll want to choose an effective bot protection feature that can differentiate between friendly and malicious bots. Good protection will block malicious bots while allowing essential ones like uptime monitors and search engine crawlers to come through. If you install MalCare, its built-in firewall includes a fine-tuned bot protection feature that takes care of this.

Use a Content Delivery Network (CDN)

A DDoS attack capitalizes on multiple servers to overwhelm a single target site server. To counter this, you can use a CDN to cache copies of your site across numerous servers, dispersing the traffic load. This significantly mitigates the impact of a DDoS attack. You can select from some of the most popular CDNs like Akamai, Cloudflare, Fastly, etc. but ensure your chosen CDN has built-in DDoS mitigation capabilities.

Source: Explosionweb

Disable XML-RPC

This function in WordPress, while initially useful for mobile app connections and pingbacks, has become an avenue for potential attacks. Disabling XML-RPC is a prudent step in preventing overload via excessive pingback requests. In any case, the XML-RPC is used less and less, so you would be wise to disable it, even outside the scope of DDoS prevention.

Usually, your web host will provide the ability to do so on its dashboard. Check their documentation for ways to do it. For example, Cloudways does it in the form of a toggle button in the Application Settings, as shown below.

By incorporating these measures into your security arsenal, you significantly enhance your resilience against DDoS attacks. Remember, a multi-layered defense approach is the most effective in safeguarding your WordPress site.

How a DDoS attack works

A DDoS attack unfolds in several orchestrated steps:

Compromised sites and botnet creation: The attacker gains unauthorized access to numerous websites, essentially turning them into unwitting accomplices. These compromised sites, collectively known as a botnet, serve as the attacker’s network of obedient pawns.

Bot-driven request flood: The attacker then directs this botnet to overload a specific target server with a deluge of requests. The server sees a massive wave of traffic, far beyond what it is designed to handle, bombarding it all at once.

Overwhelm and consequent site crash: The sheer volume of incoming requests inundates the target server, consuming its resources and bandwidth. This overload leads to a significant degradation in performance, and in severe cases, results in the server becoming completely unresponsive or crashing.

In some DDoS attacks, a technique known as amplification is employed. This involves exploiting certain protocols or services to amplify the volume of traffic directed towards the target server. This means that for every request sent by the attacker, the server receives a disproportionately larger amount of data, further worsening the impact of the attack.

Types of DDoS attacks

DDoS attacks can be of various types. Here are some of the most common ones:

HTTP flood attacks: These assaults flood a website with an overwhelming number of HTTP requests, straining server resources and causing slowdowns or crashes.

XML-RPC pingback attacks: Exploiting the XML-RPC function in WordPress, attackers overload a site with pingback requests, leading to server strain or unresponsiveness.

Slowloris attacks: This stealthy attack technique involves sending partial HTTP requests, effectively keeping connections open for as long as possible, and depleting server resources.

Zero-day DDoS attacks: Leveraging previously unknown vulnerabilities, attackers launch swift and potent DDoS assaults, making them particularly challenging to defend against.

Botnet attacks: Using a network of compromised devices, known as a botnet, attackers coordinate a synchronized flood of traffic to overwhelm a target server, causing disruption or downtime.

Impact of a DDoS attack

The biggest impact of a DDoS attack is a crashed site. The server is overwhelmed by attack requests to the point that it cannot handle legitimate ones any longer. One user reported seeing 2.5 million attacks in an hour and experienced 17 minutes of downtime as a result. The site in question had the free version of Cloudflare installed, which mitigated some of the attack requests, but still passed a fair few through to the site.

Website downtime: The overwhelming volume of attack requests causes the server to become unresponsive, resulting in site crashes and extended downtime. Downtime is never ideal, but it can have significant second-order effects. 

Performance degradation: Even if the site doesn’t crash, its performance is significantly hampered. Sluggish loading times and reduced functionality can frustrate visitors and deter potential customers.

Revenue Loss: Downtime directly translates to potential revenue loss. E-commerce sites, for instance, will lose out on sales during unavailability. Many businesses rely on their websites as the sole means of getting customers. Downtime, even for a few minutes, could be devastating. 

Branding damage: A poor user experience due to downtime or performance issues can tarnish a brand’s reputation. Visitors may associate the brand with unreliability, affecting long-term customer trust.

Exceeding server limits: The server’s capacity may be exceeded during an attack, potentially resulting in substantial hosting bills as resources are rapidly consumed.

Opportunity cost: Beyond immediate financial losses, a DDoS attack can disrupt ongoing projects and business operations, diverting resources toward mitigation efforts and away from strategic initiatives.

SEO Rankings: Prolonged downtime or degraded performance can negatively impact search engine rankings. Search engines tend to favor accessible and fast-loading websites, so a DDoS attack can lead to a drop in search engine rankings, further compounding the impact.

Difference between a DDoS attack and a brute force attack

Brute force attacks are mistaken for DDoS attacks on WordPress sites, even though they are far more prevalent. 

DDoS attacks aim to put a website or online service out of action by burdening it with an excessive volume of requests. This overload leads to server strain and potential crashes. However, the goal of a DDoS attack is not necessarily to gain unauthorized access or compromise the system.

On the other hand, brute force attacks are focused on gaining unauthorized access to a system, typically by repeatedly attempting different combinations of usernames and passwords until the correct one is found. This is done to breach site security measures and gain access to sensitive information or resources.

Brute force attacks are a favored method for gaining unauthorized access due to the platform’s popularity and the potential vulnerabilities in login credentials.

Why hackers carry out DDoS attacks

DDoS attacks, despite being non-invasive in the traditional sense, serve several distinct purposes for hackers:

Ransom: Some attackers conduct DDoS attacks as a form of extortion, demanding payment to cease the attack. They threaten to continue flooding the target until their demands are met.

Political or geopolitical causes: DDoS attacks can be politically motivated, aimed at silencing or disrupting organizations, websites, or services associated with opposing viewpoints or governments.

Harm site owners: In certain cases, attackers may hold grudges against site owners or organizations and employ DDoS attacks as a means of causing financial or reputational damage.

Demonstrate coding prowess: Some hackers view DDoS attacks as a way to showcase their technical skills and capabilities, using them as a form of self-expression or demonstration.

Nuisance or disruption: DDoS attacks can be carried out simply to create chaos, inconvenience, and frustration for the targeted party. This can be motivated by a desire to disrupt normal operations.

Source: Cybernews

Many WordPress site owners who have experienced DDoS attacks see evidence of personal malice directed towards them. Random DDoS attacks on WordPress sites are few and far between. 

If none of these motivations align with your circumstances, it’s possible that your site is being unwittingly recruited into a botnet, being utilized as part of a larger network of compromised sites for coordinated attacks. Apart from outright malice and criminality, who knows what motivates hackers to be so wanton and destructive. 

More ways to secure your site

A firewall is the best defense for your site and will go a considerable way to keeping your site malware-free. However, to protect your site and visitors, you should opt for a multilayered approach to WordPress security. 

Security plugins: If you opt for MalCare’s excellent WordPress firewall, you’ll get malware scanning, vulnerability scanning, and malware removal features for good measure. MalCare also provides detailed traffic logs, activity logs, and uptime monitoring, all of which collectively enable you to stay ahead of a wide range of threats.

Regular updates: Ensure plugins, themes, and WordPress core are always kept up to date. Regular updates often include security patches that address known vulnerabilities, making your site less susceptible to attacks.

Prudent plugin and theme selection: Opt for plugins and themes from trustworthy sources. Avoid using nulled (illegally cracked) plugins or themes, as they often come riddled with backdoors. Stick to well-maintained, reputable options to reduce the likelihood of security issues.

By combining these measures with a robust firewall, you significantly enhance your website’s defenses against potential threats and vulnerabilities. Remember that securing your site is an ongoing process, and proactive maintenance is key.


Based on our extensive experience, WordPress sites are rarely targets of DDoS attacks. Instead, there are far more common and egregious threats unique to WordPress. Luckily for us all, an excellent WordPress firewall serves as a formidable barrier against these various types of attacks.

Well, the best WordPress firewall you can have is by MalCare. Beyond its firewall capabilities, MalCare also has a highly efficient malware scanner and a convenient one-click malware removal feature. This all-in-one solution is a great safeguard for your WordPress site. 


What is a DDoS attack in WordPress?

A DDoS (Distributed Denial of Service) attack in WordPress is a malicious attempt to overwhelm a website’s server with an exceptionally high volume of requests. This flood of traffic is generated by multiple sources, often from a network of compromised computers or servers, known as a botnet. The primary aim of a DDoS attack is to render the targeted website inaccessible by overloading its server resources. This type of attack does not aim to breach or compromise the site’s security, but rather to disrupt its normal operation, leading to downtime or severely impaired performance.

What is the best DDoS plugin for WordPress?

MalCare is the best DDoS plugin for WordPress. It offers not only DDoS protection but also a comprehensive suite of security features for WordPress sites. This includes a robust firewall, a hardened malware scanner, and one-click malware removal.

Does GoDaddy protect against DDoS?

Yes, GoDaddy offers DDoS protection for its hosting services. They employ a range of security measures, including firewalls, traffic monitoring, and DDoS mitigation strategies, to help safeguard websites hosted on their platform. Keep in mind that the level of protection may vary depending on the specific hosting plan you have with GoDaddy, so it’s a good idea to review their security features and consult their support resources for detailed information on DDoS protection for your particular hosting package.

Can you DDoS WordPress?

Yes, it is possible to launch a DDoS (Distributed Denial of Service) attack against a WordPress website, just as it is possible to target any other type of website or online service. If you have concerns about the security of your website, it’s best to implement proper security measures and seek professional advice from trusted sources.

What issues does a DDoS attack cause for a website?

A DDoS attack can lead to significant problems for a website. It can cause unavailability or slowdowns, resulting in a negative user experience and potential revenue loss for sites. Moreover, it can damage SEO rankings and the site’s overall reputation. It can also lead to increased hosting costs from exceeding resource limits.

How long does a DDoS attack last?

A DDoS attack can last for only a few minutes to hours or even days. It depends on factors such as the scale and complexity of the attack, the capabilities of the attacker, and the effectiveness of the target’s mitigation measures. Effective DDoS protection and response strategies can help minimize the impact and duration of such attacks.

How can I secure my website from DDoS?

To secure your website from DDoS attacks, start by investing in a reputable firewall and DDoS protection services or plugins. Utilize a Content Delivery Network (CDN) to distribute content across multiple servers, absorbing potential attack impact. Monitor traffic patterns for anomalies and implement load balancing to evenly distribute incoming traffic. Ensure sufficient bandwidth with your hosting provider and conduct regular security audits while keeping software up to date. Lastly, maintain regular backups for quick recovery in case of any damage caused by a DDoS attack.

Why does a DDoS attack happen?

DDoS attacks occur for various motives. Some attackers seek financial gain through extortion, while others aim for a competitive edge. Activists may deploy DDoS as a form of protest, and political motives can drive attacks against specific viewpoints or entities. Additionally, hackers might use DDoS to showcase their skills or simply to cause disruption. In some cases, websites are unwittingly recruited into botnets, contributing to coordinated attacks.

What do I do if someone keeps DDoS-attacking my WordPress website?

If your WordPress website is facing persistent DDoS attacks, alert your hosting provider about the attacks and explore DDoS protection services or plugins. Install a robust firewall and a Content Delivery Network (CDN) if you haven’t already. Monitor traffic patterns for anomalies and configure firewall rules to filter out suspicious traffic. Consider seeking professional assistance if the attacks persist, and report the incidents to law enforcement authorities.

How to see a DDoS attack on a WordPress site?

To spot a potential DDoS attack on your WordPress site, keep an eye out for sudden and abnormal spikes in traffic, especially if it’s significantly higher than usual. Monitor your server’s performance metrics for signs of high CPU usage, memory utilization, or network traffic. Watch for slow loading times or unresponsiveness on your website. Analyze the source and behavior of traffic, particularly if it’s originating from a single IP or a small set of IPs. Review access and error logs for repeated requests or error messages. Check your DDoS protection plugin or network monitoring tool for alerts or notifications indicating a potential attack. If you suspect an attack, take immediate action to mitigate its impact.

The post How to Stop a WordPress DDoS Attack appeared first on MalCare.

Posted in

About Us

I believe that everyone should have a mechanic that they can trust and after spending several years helping out various customers for large companies I've seen my fair share of issues.

Honesty, Integrity, and Compassion are what we share with everyone that we work with. Stop scouring the internet for help and see how we can help you today.

Our Services

Website Migrations

Plugin & Theme Updates

IDX Broker Customizations

Facebook Chatbots

DNS & Email Integrations