WordPress is one of the most popular website builder in the world because it offers powerful features and a secure codebase. However, that does not protect WordPress or any other software from malicious DDoS attacks, which are common on the internet.
DDoS attacks can slow down websites and eventually make them inaccessible to users. These attacks can be targeted towards both small and large websites.
Now, you may be wondering how can a small business website using WordPress prevent such DDoS attacks with limited resources?
In this guide, we will show you how to effectively stop and prevent a DDoS attack on WordPress. Our goal is to help you learn how to manage your website security against a DDoS attack like a total pro.
What is a DDoS Attack?
DDoS attack, short for Distributed Denial of Service attack, is a type of cyber attack that uses compromised computers and devices to send or request data from a WordPress hosting server. The purpose of these requests is to slow down and eventually crash the targeted server.
DDoS attacks are an evolved form of DoS (Denial of Service) attacks. Unlike a DoS attack, they take advantage of multiple compromised machines or servers spread across different regions.
These compromised machines form a network, which is sometimes called a botnet. Each affected machine acts as a bot and launches attacks on the targeted system or server.
This allows them to go unnoticed for a while and cause maximum damage before they are being blocked.
Even the largest internet companies are vulnerable to DDoS attacks.
In 2018, GitHub, a popular code hosting platform, witnessed a massive DDoS attack that sent 1.3 terabytes per second traffic to their servers.
You may also remember the notorious 2016 attack on DYN (a DNS service provider). This attack got worldwide news coverage as it affected many popular websites like Amazon, Netflix, PayPal, Visa, AirBnB, The New York Times, Reddit, and thousands of other websites.
Why DDoS Attacks Happen?
There are several motivations behind DDoS attacks. Below are some common ones:
- Technically savvy people who are just bored and find it adventurous
- People and groups trying to make a political point
- Groups targeting websites and services of a particular country or region
- Targeted attacks on a specific business or service provider to cause them monetary harm
- To blackmail and collect ransom money
What is the difference between a Brute Force Attack and a DDoS Attack?
Brute Force Attacks are usually trying to break into a system by guessing passwords or trying random combinations to gain unauthorized access to a system.
DDoS attacks are purely used to simply crash the targetted system making it inaccessible or slowing it down.
For details see our guide on how to block brute force attacks on WordPress with step by step instructions.
What damages can be caused by a DDoS attack?
DDoS attacks can make a website inaccessible or reduce performance. This may cause bad user experience, loss of business, and the costs of mitigating the attack can be in thousands of dollars.
Here is a breakdown of these costs:
- Loss of business due to inaccessibility of website
- Cost of customer support to answer service disruption related queries
- Cost of mitigating attack by hiring security services or support
- The biggest cost is the bad user experience and brand reputation
How to Stop and Prevent DDoS Attack on WordPress
DDoS attacks can be cleverly disguised and difficult to deal with. However, with some basic security best practices, you can prevent and easily stop DDoS attacks from affecting your WordPress website.
Here are the steps you need to take to prevent and stop DDoS attacks on your WordPress site.
Remove DDoS / Brute Force Attack Verticals
The best thing about WordPress is that it is highly flexible. WordPress allows third-party plugins and tools to integrate into your website and add new features.
To do that WordPress makes several APIs available to programmers. These APIs are methods in which third-party WordPress plugins and services can interact with WordPress.
However, some of these APIs can also be exploited during a DDoS attack by sending a ton of requests. You can safely disable them to reduce those requests.
Disable XML RPC in WordPress
XML-RPC allows third-party apps to interact with your WordPress website. For example, you need XML-RPC to use the WordPress app on your mobile device.
If you’re like a vast majority of users who don’t use the mobile app, then you can disable XML-RPC by simply adding the following code to your website’s .htaccess file.
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all </Files>
For alternate methods, see our guide on how to easily disable XML-RPC in WordPress.
Disable REST API in WordPress
The WordPress JSON REST API allow plugins and tools the ability to access WordPress data, update content, and/or even delete it. Here is how you can disable REST API in WordPress.
The plugin works out of the box, and it will simply disable the REST API for all non-logged in users.
Activate WAF (Website Application Firewall)
Disabling attack vectors like REST API and XML-RPC provides limited protection against DDoS attacks. Your website is still vulnerable to normal HTTP requests.
While you can mitigate a small DOS attack by trying to catch the bad machine IPs and blocking them manually, this approach is not very effective when dealing with a large DDoS attack.
The easiest way to block suspicious requests is by activating a website application firewall.
A website application firewall acts as a proxy between your website and all incoming traffic. It uses smart algorithm to catch all suspicious requests and block them before they reach your website server.
We recommend using Sucuri because it is the best WordPress security plugin and website firewall. It runs on a DNS level which means they can catch a DDoS attack before it can make a request to your website.
Pricing for Sucuri starts from $20 per month (paid yearly).
We use Sucuri on WPBeginner. See our case study on how they help block hundreds of thousands of attacks on our website.
Alternately, you can also use Cloudflare. However, Cloudflare’s free service only gives limited DDoS protection. You’ll need to signup for at least their business plan for layer 7 DDoS protection which costs around $200 per month.
See our article on Sucuri vs Cloudflare for a detailed side-by-side comparison.
Note: Website Application Firewalls (WAFs) that run on an application-level are less effective during a DDoS attack. They block the traffic once it has already reached your web server, so it still affects your overall website performance.
Finding Out Whether it’s Brute Force or DDoS Attack
Both brute force and DDoS attacks intensively use server resources, which means their symptoms look quite similar. Your website will get slower and may crash.
You can easily find out whether it is a brute force attack or a DDoS attack by simply looking at Sucuri plugin’s login reports.
Simply, install and activate the free Sucuri plugin and then go to Sucuri Security » Last Logins page.
If you are seeing a large number of random login requests, then this means your wp-admin is under a brute force attack. To mitigate it, you can see our guide on how to block brute force attacks in WordPress.
Things to Do During a DDoS Attack
DDoS attacks can happen even if you have a web application firewall and other protections in place. Companies like CloudFlare and Sucuri deal with these attacks on regular basis, and most of the time you will never hear about it since they can easily mitigate it.
However in some cases, when these attacks are large, it can still impact you. In that case, it’s best to be prepared to mitigate the problems that may arise during and after the DDoS attack.
Following are a few things you can do to minimize the impact of a DDoS attack.
1. Alert your team members
If you have a team, then you need to inform co-workers about the issue. This will help them prepare for customer support queries, look out for possible issues, and help out during or after the attack.
2. Inform customers about the inconvience
A DDoS attack can affect user experience on your website. If you run a WooCommerce store, then your customers may not be able to place an order or login to their account.
You can announce through your social media accounts that your website is having technical difficulties and everything will be back to normal soon.
If the attack is large, then you can also use your email marketing service to communicate with customers and ask them to follow your social media updates.
If you have VIP customers, then you might want to use your business phone service to make individual phone calls and let them know how you’re working to restore the services.
Communication during these tough times make a huge difference in keeping your brand’s reputation strong.
3. Contact Hosting and Security Support
Get in touch with your WordPress hosting provider. The attack you may be witnessing could be part of a larger attack targetting their systems. In that case, they will be able to provide you latest updates about the situation.
Contact your Firewall service and let them know that your website is under a DDoS attack. They may be able to mitigate the situation even faster and can provide you with more information.
In firewall providers like Sucuri, you can also set your settings to be in Paranoid mode which helps block a lot of requests and make your website accessible for normal users.
Keeping Your WordPress Website Secure
WordPress is quite secure out of the box. However, as the world’s most popular website builder it is often targeted by hackers.
Luckily, there are many security best practices that you can apply on your website to make it even more secure.
We have compiled a complete step by step WordPress security guide for beginners. It will walk you through the best WordPress security settings to protect your website, and its data against common threats.
We hope this article helped you learn how to block and prevent a DDoS attack on WordPress. You may also want to see our guide on the most common WordPress errors and how to fix them.