How to stop and prevent a DDoS attack on WordPress

WordPress offers powerful features and a secure codebase. So WordPress is one of popular the famous websites around the globe. Nowadays DDoS attacks are common on the internet. But sometimes these powerful features and secured codebase in the WordPress website are unsuccessful in protecting WordPress from DDoS attacks.

The WordPress website will slow down and unreachable for users due to DDoS attacks. The DDoS attacks target both large websites and small websites. This article describes you on how to stop and protect the WordPress website from DDoS attacks with limited resources. You can enhance the security of your website against DDoS attacks.

What is a DDoS attack?

DDoS stands for Distributed Denial of Service attack. This is a cyber-attack. DDoS attacks send requests asking data from WordPress hosting servers. It uses compromised computers and other devices to send those requests. The purpose of sending requests is to slow down the server and then crash it.

The DDoS attack is a developed form of DoS attacks which stands for Denial of Service. However DDoS attacks take the help of multiple compromised machines or servers to spread their attack rather than DoS attacks. A compromised machine network is referred to as a botnet and each compromised computer and device act as a bot. Each bot is launches attacks on servers. This is cause for large damage before they become noticeable.

Why do DDoS attacks happen?

• Tech-savvy people who are just bored and find it adventurous.
• People try to make a political point.
• Target websites of a particular country.
• To target particular businesses and service providers to make big losses to them.
• To blackmail and collect the ransom money.

What is the difference between a Brute force attack and a DDoS attack?

• Brute force attack – Guess password and try on random combinations to brake systems for the purpose obtain unauthorized access to those systems.
• DDoS attacks – Crash the targeted systems by making it slowdown and inaccessible.

You can refer more details by reading the article on how to block brute force attacks on WordPress.

What damages can be caused by a DDoS attack?

The website makes it inaccessible for users and slowdown. The companies have to face loss on their business due to customer dissatisfaction, loss of potential business opportunities, damage to the brand reputation, and reduce income. Therefore companies have to bear a huge amount of cost to mitigate this risk as a proactive action. The companies have to hire security services at a huge cost.

How to stop and prevent DDoS attacks on WordPress?

Normally, DDoS attacks are difficult to prevent. But you can manage it by applying basic security best practices for WordPress. So, you can stop DDoS attacks by performing below steps simply on your WordPress website.

The WordPress website is a very flexible website and it allows third-party plugins and tools to integrate into the website and also it allows you to add new features. For that WordPress makes some APIs available to programmers and though that your WordPress website can interact with the third party WordPress plugins and services.

1. Disable XML RPC in WordPress

XML-RPC allows the WordPress website to interact with third-party apps.  Then most of the users do not use the mobile app to interact with WordPress. Then you can disable it by following the below steps.

• Enter the below code in the .htaccess file in the website.
  • # Block WordPress xmlrpc.php requests
  • <files xmlrpc.php>
  • order deny, allow
  • deny from all
  • </files>

You can know more methods by referring to disable XML-RPC in WordPress.

2. Disable REST API in WordPress

REST API allows plugins and tools to access WordPress data, update content, and delete it. So you have to disable the REST API in WordPress. For that, you have to install and activate the Disable WP Rest API plugin. You can obtain step by step instruction to install and activate the Disable WP Reset API plugin by reading the article on how to install a WordPress plugin. This plugin will disable the REST API for all non-logged-in users as well.

Now you will have an idea bout disabling attack vectors such as XML-RPC and REST API. But it provides limited protection against DDoS attacks for the WordPress website. Hence the WordPress website is open to normal HTTP requests. Normally you will protect the website against small DOS attacks by tracking bad machine IPs and blocking those machines manually. However, this approach does not provide enough security to prevent large DDoS attacks as well.

However, it can activate a website application firewall and it will deal with large DDoS attacks effectively. The website application firewall is to act as a proxy between the WordPress website and incoming traffic. It tracks all distrustful requests and blocks those all requests before reaching them to the website server. The website application firewall uses an algorithm to do it.

The Sucuri is the one of best WordPress security plugin and a website firewall. The Sucuri WordPress security plugin can track a DDoS attack before it can make a request to the WordPress website. Because it runs on a DNS level. You can refer to how they help to block hundreds of thousands of attacks on the WordPress website by reading our case study.

You can also try on the Cloudflare website application firewall. However, this is given only limited DDoS protection as the free service. So you have to purchase their business plan for layer 7 DDoS protection at a cost per month.

You can get further details of Sucuri and Cloudflare as a comparison by reading on  Sucuri vs Cloudflare.

However, make sure that those website application firewalls are run on an application level. Because of that, those are acting less effectively during DDoS attacks. Those block the traffic after requests are reached to the website server. Somehow it already affects the website’s overall performance.

It shows very similar symptoms such as crash and slows down the website. Because both Brute and DDoS attacks use server resources.  However, you can search and find out whether it is a Brute or DDoS attacks by referring to Sucuri plugin’s login reports. Then you can perform below steps to know the type of attack which your website server has encountered.

• Install and activate the free Sucuri plugin.
• Go for Sucuri security and then for the Last logins page.

If it appears a huge amount of random login requests as failed logins, then your wp-admin is under a brute force attack. Then you have to find out a method to resolve it. You can simply refer to the guide on how to block brute force attacks in WordPress.  

Things to do during a DDoS attack

You may have a web application firewall and other protections already. However, DDoS attacks can happen even you have those security protections. But Sucuri and Cloudflare engage with DDoS attacks regularly and they have the ability to mitigate attacks.

1. Alert your team members

If you work with a team, you can simply inform your subordinates regarding this DDoS attack issue. Then advise and train them to ready for customer support queries, search for possible issues, and support during and after the attacks.

2. Inform customers about the inconvenience

Another good proactive step is to inform your customer base regarding the issue. Because DDoS attacks can impact user experience on the website. Hence your customers may not able to place their orders or even log in to their accounts. So you can simply give notice for your customers through social media accounts declaring that your website is facing technical difficulties currently and will be back to normal soon.

However, you can also use email marketing services to communicate with customers and forward them your social media informs. You can use your business phone services for VIP customers and inform them regarding technical difficulties having the website currently and let them know how your services are going to deliver until issues are fixed. You can avoid bad responses by effective communication with your customer base during a DDoS attack period.

3. Contract hosting and security support

Your hosting provider will be able to give their latest updates regarding this kind of situation. Firewall service will also provide more details to mitigate DDoS attacks. Especially the Sucuri firewall service allows you to settings to be in Paranoid mode which can block a huge amount of requests.

Keeping your WordPress website secure

The WordPress website often becomes a target of hackers around the globe. But you can implement security best practices to make your website more secure. If you are a beginner, please read the guide on step by step WordPress security guide, and further, you will obtain more details on how to block and mitigate DDoS attacks by reading this article.