How to protect WordPress website against DDOS attacks


How to protect WordPress website against DDOS attacks - Most people already know about the DDOS attack if you were doing business online. DDOS is not a new term. The term DDOS has been known since the early 90s, it was used to get the web service out of order by sending countless requests to the victim's server.

DDOS attack is a method by which an attacker sends traffic through a compromised network or computer, thus keeping the targeted system so busy that it stops responding to any request. other come from legitimate users. This tactic is being used by attackers to target and blackmail specific websites for ransom.

How does DDOS work?

In a DDOS attack, the target server or network receives requests from the system being compromised continuously to the limit of network bandwidth or server resources to the maximum. This slows down server response, in severe cases, it becomes useless.

There are many different types of DDOS attacks, which will take some time to understand each. In this post, I will briefly explain the two most common types of DDOS attacks: Volume Attack and Application-Level Attack.

Attack volume

In this type of attack, the target website or network is bombarded with the required traffic from botnets and infected zombie systems. The type of attack included in this catalog is connectivity, TCP SYN or ICMP / UDP, which mainly targets third and fourth layers, namely, the etwork Layer and Transport Layer, respectively.


This attacker uses an infected system to create high bandwidth traffic. The system is geographically distributed with bandwidths in excess of 10 TBPS, making this attack even more sophisticated.

Application level attack

DDOS attack at the application level or DDOS attack of layer 7. This attack usually targets vulnerabilities in web applications by sending traffic to a specific part of the website. This also increases bandwidth consumption, but DDOS attacks at the application level often do not cause website loss. However, it slows down your website.

This attack is much harder to detect than it looks like a real person. This attack often uses HTTP, DNS, and SMTP requests. The main types of application-level DDOS attacks are:

  1. Request flood attack

In this type of attack, the Application Layer receives a high number of requests at HTTP, DNS.

  1. Asymmetric attack

In this type of attack, the Application Layer receives a high workload that consumes server resources: RAM, CPU.

  1. Attack once in a row

This attack targets both Application and Network layer by sending large workload requests to applications associated with TCP sessions.

  1. Application exploit attack

This type of application vulnerability attacks or hijacks an application that causes problems with the server or operating system. The most common is SQL, cookie poisoning or cross-page scripting.

See more: How to create a Landing Page

Even the strong stuff falls under DDOS attacks

With so many complexities and DDOS attacks, it's almost impossible to completely protect the server or application you own.

Only this July, I read the DDOS attack that broke the Brexit negotiations. In other words the attack is worrying because it shows that the DDoS attack has become a business.


Protection against DDOS attacks

There is a preventative step to reduce the impact of the DDOS attack, the smaller DDOS attack is completely overwritten.

There is a method of use at the network level to detect and block illegal traffic. Most modern network hardware has specialized hardware attached to traffic detection and filtering software.

Switches and routers

Today, smart routers and switches are equipped with speed limiting software. Through this, network hardware identifies bogus IPs that are sending illegal requests and then blocking them from eating up network and system resources. Attacks from obscure addresses are easily blocked by them.

In most cases, you do not have access to invest in network hardware used by the hosting provider. It is best to go with the managed WordPress web host hosted at a reputable datacenter equipped with advanced network hardware, providing an initial level of security against DDOS attacks.

We chose SocialSEO to partner with DigitalOcean, Amazon, Vultr, Google and Kyup, because their data center is fully maintained, equipped with the latest hardware and smart software running the software. No additional customer costs, SocialSEO provides DDOS prevention.

Intrusion Prevention System (IPS)

Systematically detect DDOS attack behavior. They are provided by many security companies out there that develop systems that detect legitimate, illegal traffic patterns, filtering them. This system detects data packets in the network and then blocks any malicious activity.

Scrubbing and Blackholing

All traffic is routed through the purification center directly before accessing the network or application. They are maintained by the DDOS mitigation service provider so they are very expensive. If you are a victim of a major DDOS attack affecting your business, then you have no choice but to invest in the DDOS mitigation service.

SocialSEO provides an initial level of security to customers. They get fully updated servers with application-level firewalls and servers that detect unusual behavior from traffic and halt application-level hacking attempts.

Fix holes in WordPress


It's sad to hear that the DDOS attacker exploited the website provided by WordPress to launch a major DDOS attack.

I know WordPress is the best CMS solution out there, it is supported by a large community of developers and designers.

However, the problem remains that WordPress is vulnerable to vulnerabilities and exploits that are easily used by DDOS attackers. The reason is that WordPress holds 28% of the entire web, which is an attractive target. However, countless blame is on the website operator WordPress. Most users do not even know their website is being used as a zombie to attack another website.

Protecting a website from a DDOS attack is not an easy task. The best thing you can do to reduce the risk of DDOS attacks is to fix the vulnerabilities in the WordPress website you manage.

  1. Block XML-RPC function on WordPress

This function is enabled by default since WordPress 3.5, providing services such as pingback or trackback. They are easily exploited to send HTTP requests to the target website. If thousands of WordPress websites are compromised, they start sending requests to the target target site in parallel, a large DDOS Layer application attack is likely to occur.


It is better to disable the XML-RPC function in every WordPress website you own, so they cannot be used to launch DDOS attacks using pingback, trackback.

Just add the following code to the .htaccess file.


Refuse to order, allow

From all play


Alternatively, you can use a plugin like Disable Ping -RPC Pingback to disable pingback, trackback and then keep other XML-RPC functions.

  1. Update your WordPress version regularly

What we get through the use of WordPress is that it is updated regularly with improved security thanks to contributors and vibrant communities.

Things to update:

  1. Install WordPress

  2. WordPress interface

  3. WordPress plugin

  4. Server PHP version

  5. Apache version

  6. MySQL version

  7. operating system version

  8. Any other scripts or software you use

In addition to updating WordPress with related factors, Cloudways also maintains all server-side updates.

  1. Contact your web host

You should contact the web server and discuss if the server, network hardware is updated with the latest software version. In addition, you should discuss the security measures provided by web hosts.

SocialSEO offers many security features to its customers at no additional cost:

  • Access SFTP & SSH

  • Application-level firewall

  • Firewall operating system

  • Auto Backup, Server Clone and Auto Healing

  • Dedicated IP on Cloud Server

  • Automatically update and patch operating systems and services

  • Application updates and notifications

  1. Use the security plugin


Configure the security plugin to add a layer of protection to the WordPress website. I like to use WordFence when they actively monitor and prevent DDOS attacks from happening globally at the WordPress website.

Security plugins have removed web servers, because scripts from them use countless resources to track the various security threats facing WordPress websites. The server maintained by SocialSEO is fully capable of handling the resources needed for security plugins like WordFence.

  1. Security Analyst's suggestion on Quora

Meinton Navas, an information security analyst: talked about this when she answered how to protect WordPress website against DDOS attacks.

Increasing website security, especially WordPress website, should be a top priority right now. Will reduce the DDOS threat level because it reduces the amount of vulnerable WordPress resources available to an attacker.