
How to Protect Your WordPress Website Against DDoS Attacks

May 3, 2021


You have most likely heard of DDoS attacks if you have been in the online business for a while. DDoS (Distributed Denial of Service) is not a new term: it has been known since the early 90s, and it describes putting web services out of order by sending loads of requests to the victim’s server.

The DDoS attack is a method in which an attacker sends traffic (in some cases, called “requests”) through compromised networks and computers to a single target, thus making the targeted system so busy that it stops responding to any other requests coming from legitimate users. These tactics are being used by attackers to target and blackmail specific sites and demand ransom.

How Does DDoS Work?

During a DDoS attack, a target server or network receives requests from compromised systems. The requests are so frequent that the bandwidth limit of the network or the resources of the server max out. This slows down the server's responses and, in severe cases, renders the server useless.

There are various types of DDoS attacks and you will need some time to understand each of them. In this blog post, I am going to briefly explain the two most common types of DDoS attacks: Volumetric Attacks and Application Level Attacks.

Volumetric Attacks

In this type of attack, a target site or a network is bombarded with traffic and requests from botnets and infected zombie systems. The attack types that fall under this category are connection floods, TCP SYN floods, and ICMP/UDP floods; they mainly target the third and fourth layers, namely the Network Layer and the Transport Layer respectively.

Seven Layers of OSI

These types of attacks utilize infected systems to generate a high bandwidth of traffic. The systems are distributed geographically with bandwidths exceeding well over 10 TBPS and these attacks are becoming even more sophisticated.

Application Level Attacks

Application Level DDoS attacks are also known as Layer-7 DDoS attacks. These attacks usually target vulnerabilities in web applications by sending traffic to particular sections of a website. This also increases bandwidth consumption, but Application Level DDoS attacks do not usually take down a website. They do, however, slow it down a great deal.

These attacks are much harder to detect as the traffic looks as if it is coming from real humans. These attacks usually utilize HTTP, DNS, and SMTP requests. Major types of Application Level DDoS attacks are:

1. Request Flooding Attacks

In this type of attack, the Application Layer receives a high volume of HTTP and DNS requests.

2. Asymmetric Attacks

In this type of attack, the Application Layer receives high-workload requests that consume server resources such as RAM and CPU.

3. Repeated One-Shot Attacks

These attacks target both Application and Network layers by sending high-workload requests on applications combined with TCP sessions.

4. Application Exploit Attacks

This kind of attack targets application vulnerabilities in order to take over or manipulate an application and cause a server or OS malfunction. The most common of them are SQL injection, cookie poisoning, and cross-site scripting.

Even the Mighty Fall Prey to DDoS Attacks

With so many complexities and kinds of DDoS attacks, it has become almost impossible to completely safeguard your servers and applications.

Just this July, I read that “DDoS Attacks Could Disrupt Brexit Negotiations”. Another kind of attack is disturbing because it shows that DDoS attacks have become a business.

DDoS Threat Email

Founder of Moz, Rand Fishkin had also tweeted about it to inform the community.


Protection against DDoS Attacks

There are precautionary steps and methods that lower the effects of DDoS attacks, and in many cases smaller DDoS attacks can be neutralized completely.

Some methods can be employed at the network level to detect and block illegitimate traffic. Most modern networking equipment combines specialized hardware with software that can detect and filter the traffic.

Switches and Routers

These days, intelligent routers and switches are equipped with software capable of rate-limiting. Through this, the network hardware can identify bogus IPs that are sending illegitimate requests and block them from further eating away system and network resources. SYN flood attacks and attacks from “dark addresses” can be easily blocked by them.

In most cases, you have no say over the networking hardware used by your hosting provider. Your best bet is to go with a managed WordPress web host that hosts at reputable data centers that are equipped with high-end networking hardware and provide an initial level of security against DDoS attacks.

One of the reasons why we, at Cloudways, have partnered up with DigitalOcean, Amazon, Vultr, Google, and Kyup is that their data centers are fully maintained and equipped with intelligent hardware running the latest software. At no additional cost to its clients, Cloudways provides DDoS prevention at its networking core.

Intrusion Prevention Systems (IPS)

There are systems that detect the behavior of DDoS attacks. They are offered by many security companies, which have developed systems that distinguish legitimate from illegitimate traffic patterns and filter them. These systems inspect packets of data on the network and block any malicious activity.

Scrubbing and Blackholing

All the incoming traffic is passed through a “scrubbing center” before it reaches a network or application. These centers are maintained by companies that provide DDoS mitigation services and therefore, they cost a lot. But, if you are a victim of large DDoS attacks affecting your business, then you have no choice other than to invest in a DDoS mitigation service.

Cloudways provides an initial level of security to its clients. They receive fully updated servers with application and server level firewalls that help in detecting the unusual behavior of traffic and halting hacking attempts at an application level.

Fix Vulnerabilities in WordPress

I must admit that it pains me when I hear news of DDoS attackers exploiting WordPress-powered websites to carry out large DDoS attacks.

I know WordPress is among the best CMS solutions out there and it is backed by a huge community of developers, designers, and bloggers.

However, the problem remains that WordPress is prone to vulnerabilities and some of the exploits are very easily utilized by DDoS attackers. One reason is that WordPress holds a 28 percent share of the entire web and therefore, it is an attractive target. However, a lot of the blame lies with WordPress website operators. Most users do not even know that their website is being used as a zombie to attack another website.

Securing your website against a DDoS attack is a tough job. But, they say it’s better to be safe than sorry. The best you can do to reduce the threat of DDoS attacks is by fixing vulnerabilities in your WordPress sites.


1. Block XML-RPC functionality on WordPress

This functionality is enabled by default since WordPress 3.5 and provides services like pingbacks and trackbacks among others. These can be easily exploited to send HTTP requests to a target website. If thousands of WordPress websites are compromised and they start sending requests to a target website in parallel, a large Application Layer DDoS attack can occur.

WordPress XML RPC Pingback

It is better to shut down the XML-RPC functionality on all of your WordPress websites, so they cannot be used to launch a DDoS attack that utilizes pingbacks and trackbacks.

Just add the following code into your .htaccess file.

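<Files xmlrpc.php>
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4, where "Require all denied" is the native form)
Order Deny,Allow
Deny from all
</Files>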

Alternatively, you can use a plugin like Disable XML-RPC Pingback to disable the pingback and trackback functionality and keep other functions of XML-RPC intact.
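To check that the rule above is taking effect, and to recognize a pingback flood when your own site is the one receiving it, the following added example (not part of the original article) scans Apache combined-format access log lines. It assumes the `WordPress/<version>; <site>; verifying pingback from <ip>` User-Agent that WordPress sends when it verifies a pingback; the `analyze` function and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# User-Agent sent by a WordPress site fetching a page to verify a pingback (assumed format).
PINGBACK_UA = re.compile(r'^WordPress/\S+; (?P<site>\S+); verifying pingback from ')

# Constructed sample lines (documentation IP ranges and .example hosts), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [03/May/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/May/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/May/2021:10:00:03 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "-" "WordPress/5.7; http://site-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.11 - - [03/May/2021:10:00:03 +0000] "GET /post-1/ HTTP/1.0" 200 5120 "-" "WordPress/5.7.1; http://site-b.example; verifying pingback from 198.51.100.7"',
    '192.0.2.10 - - [03/May/2021:10:00:04 +0000] "GET /post-1/ HTTP/1.1" 200 5120 "-" "WordPress/5.7; http://site-a.example; verifying pingback from 198.51.100.7"',
    '192.0.2.50 - - [03/May/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def analyze(lines):
    """Return (xmlrpc_served, xmlrpc_denied, pingback_sites) counters for an access log."""
    served, denied, sites = Counter(), Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            # A 403 means the deny rule answered; anything else reached WordPress.
            (denied if m["status"] == "403" else served)[m["ip"]] += 1
        ua = PINGBACK_UA.match(m["ua"])
        if ua:
            # Each hit is another WordPress site being used to send requests to us.
            sites[ua["site"]] += 1
    return served, denied, sites

if __name__ == "__main__":
    served, denied, sites = analyze(SAMPLE_LOG)
    print("xmlrpc.php still served to:", dict(served))
    print("xmlrpc.php denied (403) to:", dict(denied))
    print("sites sending pingback verifications:", dict(sites))
```

Any client listed under "still served" after the .htaccess change means the rule is not being applied to that request path, and a growing list of distinct sites in the pingback counter is the pattern of the pingback-based attack described above.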

2. Update Your WordPress Version Regularly

One thing that we get by using WordPress is that it is regularly updated with better security enhancements thanks to contributors and a vibrant community.

Things to update:

  1. WordPress installation
  2. WordPress themes
  3. WordPress plugins
  4. PHP version on the server
  5. Apache version
  6. MySQL version
  7. OS version
  8. Any other script or software that you use

Apart from updating your WordPress and its related elements, Cloudways maintains all the server side updates.

3. Get in Contact with Your Web Host

You should get in touch with your web host and discuss whether the servers and network hardware are updated with the latest versions of the software. Also, you should discuss what security measures your web host provides.

Cloudways provides many security features to its clients without any additional costs:

  1. SFTP & SSH Access
  2. Application Level Firewall
  3. Operating System Firewall
  4. Auto backups, Server Cloning, and Auto-Healing
  5. Dedicated IP on Cloud Server
  6. Auto updates and patches of OS and services
  7. Application updates and notifications

4. Using Security Plugins

Configuring a security plugin can add a layer of defense to your WordPress website. I prefer to use WordFence as they actively monitor and prevent DDoS attacks happening around the globe on WordPress websites.

WordPress security plugins do take a chunk out of your web server, as their scripts use a lot of resources to monitor the various security threats that your WordPress website is facing. A server maintained by Cloudways is fully capable of handling the resources needed by security plugins like WordFence.

5. Suggestions by Security Analyst on Quora

Meinton Navas, an information security analyst, had this to say when asked about how to protect WordPress websites against DDoS attacks. Read his thread, “How do I protect WordPress sites from DDoS attacks?” on Quora.

Hardening our websites’ security especially those that run WordPress should be our top priority now. It will help in lessening the DDoS threat level as it decreases the number of vulnerable WordPress resources available to the attacker.

Q. What Is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack is a coordinated, multi-node attack in which a server’s resources are overwhelmed or consumed so that legitimate requests and users cannot be served.

Q. Why Do DDoS Attacks Happen?

DDoS attacks happen because it is easy to mount them through malware. Hackers can set up a network of infected systems and use it to send a huge number of requests to the target server. Since the cost is low and the potential for damage is high, many hackers prefer DDoS as the first line of attack.

Q. How to Secure a Website from DDoS?

You can protect your servers by filtering out traffic that fits the known criteria of a DDoS attack. A Bot Protection feature is now a must-have for any hosting platform. In addition, you should consider building redundancies within your system so that the server does not go down completely.


Ahsan Parwez

Ahsan is the Community Team Manager at Cloudways - A Managed Cloud Hosting Platform. He loves to solve problems and help Cloudways' clients in any aspect he can. In his free time, you can find him playing RTS PC games.

