How to Stop DDoS Attacks on WordPress With the Right Plugin
WordPress is a mature, widely used content management system, and millions of people trust it as their go-to website builder. That popularity also makes it a frequent target, so you shouldn’t ignore threats such as DDoS attacks if you want to keep your websites up and running.
A public website left unprepared for a DDoS attack can go offline within seconds, and a powerful attack can keep it unavailable for hours or days. If you depend on that website for a living and suddenly can’t reach it, the loss is immediate and real.
In this article, we show how to stop DDoS attacks on WordPress both manually and with a plugin. Before diving deeper, let’s look at what a DDoS attack actually is.
What Is a DDoS Attack?
DDoS stands for distributed denial of service. A DDoS attack uses a network of compromised computers (a botnet) that simultaneously send massive amounts of traffic or huge numbers of requests to a target server.
This sudden flood exceeds the capacity of the server or its network link, so the website slows down or stops responding. Attacks range from raw bandwidth floods that saturate the connection to application-layer floods of ordinary-looking HTTP requests that exhaust PHP workers and the database. The distinction matters for WordPress: a plugin running inside PHP can only help against the second kind, because it sees a request only after the server has already accepted it.
Here’s a real-life example: in 2016 a DDoS attack took down HSBC’s internet banking service (reported by The Guardian).
How Does DDoS Affect Your Website?
The effects of a DDoS attack depend on a few variables: how prepared you are, how much capacity your server and network have, and how powerful the attack is. Since server capacity varies so widely, there is no single formula for predicting how an attack will affect your site. Here’s a list of common problems caused by a DDoS attack.
Your Website May Shut Down
The most commonly reported outcome of a DDoS attack is a slow and unresponsive website. If the attack is too strong for your system to handle, the site goes down at the peak of the attack and stays down until the traffic subsides or is filtered out upstream.
It Becomes Easier to Hack
A DDoS attack does not by itself weaken your site’s security features, but it is often used as a distraction: while everyone is busy restoring availability, the same attacker may probe for weak passwords or vulnerable plugins, and alerts from those attempts are easy to miss in the noise. Keep your site’s other defenses (updates, strong passwords, login protection) in place so that the outage doesn’t turn into a compromise.
You Will Lose Time & Money
Suppose you have an online store. If it falls prey to a DDoS attack, you will face a substantial loss of money: new customers can’t place orders and existing customers can’t check their order status. You may also need to hire security professionals to mitigate the attack, and the website will remain down for as long as you can’t get it back online.
Your Brand’s Reputation Will Be at Stake
Visitors and online shoppers can’t reach or log in to your website during the attack. If you have a large customer base, your support team may receive hundreds of calls at once. This unavailability seriously hurts a brand’s reputation, and customers may lose confidence in shopping or getting information from your website.
The SEO Health Will Deteriorate
Googlebot regularly crawls websites to find and index new or updated content. If it arrives while your site is unavailable, you may lose rankings, and it can take days to recover once the site is back.
During the outage, the web server typically answers with an error such as 502 Bad Gateway or 503 Service Unavailable instead of your pages, which also hurts search rankings. Any link that points to your website fails as well. Combined, these effects worsen your website’s SEO health.
DDoS Attack Vs. Hacking- Are they Same?
Some people confuse hacking and brute-force attacks with DDoS attacks. Hacking and brute-force attacks are also forms of cyber attack, but they are different from DDoS.
Hacking refers to exploiting a weakness in security to gain access to, and take control of, a system or website. DDoS, on the other hand, refers to making a website slow or unavailable by flooding it with traffic.
A brute-force attack is one kind of hacking in which the attacker tries to obtain valid login credentials by trial and error, guessing username and password combinations until one works. (Note that a large brute-force attack against wp-login.php or xmlrpc.php can itself overload a site, so the two categories sometimes overlap in practice.)
A successful hack or brute-force attack is more serious for a business website: if an attacker misuses the data stored on your site, the loss can be irreparable, and you may even lose control of the website permanently.
You can use a Security Plugin to prevent hackers from getting easy access to your website.
Why You May Become a DDoS Target
You may wonder why would someone bother to launch a DDoS attack on your website. Some attackers have well-defined goals while some others do it just for fun. Let’s explore the possible reasons.
1. Attacks by Unethical Competitors: You can’t expect all your business competitors to play fair. Instead of outperforming you legitimately, some may pay for a DDoS attack to gain an advantage. What’s more disheartening is that you can rarely identify who is behind it, because the traffic comes from a botnet of compromised machines or from spoofed addresses rather than from the attacker’s own network.
2. Attacks by Followers of a Different Ideology: Suppose you run a website that promotes Black Lives Matter (BLM) movement, a motivated anti-BLM group may DDoS your website to hinder your regular activities. Or, imagine you are a supporter of Donald Trump, someone who is against him may run an attack to put your website out of action. When such attacks happen because of ideology or beliefs, it’s called “Hacktivism”.
Here’s an example of a hacktivist attack, carried out by Anonymous in protest at the death of George Floyd (reported by BBC.com).
3. Opportunistic Attacks on Weakly Protected Sites: People with the technical ability sometimes run DDoS attacks for fun or out of boredom, treating it as recreation rather than as a targeted campaign. Websites with little protection and known exposed weaknesses are the most likely to fall victim to such attacks.
4. Attacks for Monetary Gain: You become an easy DDoS target if downtime is very costly for your business. The attacker may run a planned attack and then demand ransom money to stop it.
How to Stop DDoS Attacks on WordPress
You can stop DDoS attacks both manually and with the help of plugins. The first method involves a small amount of server configuration; the second requires a capable, compatible plugin. Both methods are shown in the following sections.
Secure Your Website from DDoS Attack Manually
WordPress is a highly flexible platform that allows third-party integrations through its APIs (Application Programming Interfaces). DDoS attackers take advantage of these APIs to send overwhelming numbers of requests to the site. One of the most effective manual steps is to block access to the legacy XML-RPC API (xmlrpc.php). It is abused in two ways: its system.multicall method lets one HTTP request carry hundreds of method calls (and therefore hundreds of login guesses), multiplying the load per request, and its pingback.ping method can be used to make your site send requests to other sites, so it becomes part of an attack on someone else.
You only need this API to interact with certain third-party applications; for example, the WordPress mobile app and Jetpack use it. If you don’t need that functionality, you can disable it without hesitation.
Open your website’s .htaccess file and add the following block at the bottom. The first form is for Apache 2.4 and later; the second is the older Apache 2.2 syntax, which 2.4 accepts only if the mod_access_compat module is loaded, so keep both inside the IfModule checks shown:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4+: only the listed IP may reach xmlrpc.php.
    # Use "Require all denied" instead to block everyone.
    Require ip xxx.xxx.xxx.xxx
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
  </IfModule>
</Files>
This blocks XML-RPC for everyone except the address you whitelist. Replace xxx.xxx.xxx.xxx with the particular IP address you want to allow to use XML-RPC on your WordPress site. Two caveats: .htaccess files only work on Apache (and LiteSpeed); nginx ignores them, so on an nginx host the same rule has to go into the server configuration. And a web-server block still costs the server a connection per request; it removes the PHP and database work, but it cannot absorb a flood that saturates your bandwidth.
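To see the kind of traffic the sections above describe, here is an added example (not code from the original article or from any plugin it mentions) that reads web-server access log lines in the standard combined format, counts requests per client IP inside a sliding 60-second window, separately counts POSTs to xmlrpc.php, and turns the offending addresses into an Apache 2.4 deny block you could paste into .htaccess. The log lines are constructed for the example and the thresholds (100 requests per minute, 20 xmlrpc.php POSTs per minute) are assumptions; tune them to your own traffic.

```python
"""Flag request floods and xmlrpc.php abuse in an access log.

Added example for illustration (not from the article or Wordfence).
Assumptions: Apache/nginx "combined" log format; thresholds below.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# combined format: host ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def _slide(bucket, ts, window_sec):
    """Append ts to a per-IP deque and drop entries older than the window."""
    bucket.append(ts)
    while (ts - bucket[0]).total_seconds() > window_sec:
        bucket.popleft()


def find_flooders(lines, window_sec=60, max_requests=100, max_xmlrpc=20):
    """Return {ip: reason} for clients exceeding either threshold.

    max_requests: total requests allowed per IP in any window_sec span.
    max_xmlrpc:   POSTs to /xmlrpc.php allowed per IP in the same span.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])                  # logs are usually ordered, but be safe
    totals = defaultdict(deque)
    xmlrpc = defaultdict(deque)
    flagged = {}
    for ip, ts, method, path, _status in events:
        if ip in flagged:
            continue
        _slide(totals[ip], ts, window_sec)
        if len(totals[ip]) > max_requests:
            flagged[ip] = f"request flood ({len(totals[ip])} requests in {window_sec}s)"
            continue
        if method == "POST" and path.endswith("/xmlrpc.php"):
            _slide(xmlrpc[ip], ts, window_sec)
            if len(xmlrpc[ip]) > max_xmlrpc:
                flagged[ip] = f"xmlrpc.php POST flood ({len(xmlrpc[ip])} in {window_sec}s)"
    return flagged


def htaccess_rules(flagged):
    """Apache 2.4 snippet that denies every flagged IP; paste into .htaccess."""
    denies = "\n".join(f"    Require not ip {ip}" for ip in sorted(flagged))
    return "<RequireAll>\n    Require all granted\n" + denies + "\n</RequireAll>"


def sample_log():
    """Constructed sample log (not real traffic): a normal visitor, a client
    hammering xmlrpc.php, and a generic page-request flood."""
    fmt = ('{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] '
           '"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')
    lines = []
    for sec in range(0, 50, 10):                     # 5 page views in a minute
        lines.append(fmt.format(ip="203.0.113.10", sec=sec, method="GET", path="/", status=200))
    for i in range(25):                              # 25 xmlrpc POSTs in 25 seconds
        lines.append(fmt.format(ip="198.51.100.7", sec=i, method="POST", path="/xmlrpc.php", status=200))
    for i in range(120):                             # 120 GETs in 40 seconds
        lines.append(fmt.format(ip="192.0.2.99", sec=i // 3, method="GET", path=f"/?s={i}", status=200))
    return lines


if __name__ == "__main__":
    hits = find_flooders(sample_log())
    for ip, reason in hits.items():
        print(f"{ip}: {reason}")
    print(htaccess_rules(hits))
```

Run it against a real log with `find_flooders(open("/var/log/apache2/access.log"))`. The generated deny block cuts the PHP and database work those clients cause, but it does not stop their packets from reaching the server; for a flood large enough to saturate your bandwidth, the filtering has to happen upstream at a CDN or WAF.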
If you want to avoid the hassle of coding and use a plugin to secure your website, see the following section.
Use Plugins to Prevent DDoS Attacks
You can use a Web Application Firewall (WAF) to identify and block malicious traffic. Here we show how to stop DDoS attacks on WordPress using one of the most widely used security plugins, Wordfence Security. Keep in mind what a plugin-based WAF can and cannot do: it runs inside PHP, so it can drop abusive requests before they reach your theme, plugins and database, but the request has already consumed a server connection by the time it is inspected. Against an attack that saturates your bandwidth you still need filtering upstream (a CDN or network-level DDoS protection; see the tips at the end). Let’s explore how to activate and configure Wordfence for the best result.
Activate & Configure Wordfence Security
Wordfence combines a firewall with a malware scanner. The firewall includes rate limiting, which blocks clients that make too many requests in a short time, and brute-force protection, which limits login attempts and enforces strong passwords; the scanner separately checks your files for malicious code. Together these protect a WordPress website against application-layer floods and brute-force attacks. Learn how to set up Wordfence in the following section.
Step 1: Install & Activate Wordfence
Go to the Plugins menu from your WordPress sidebar menu. Click on the Add New button.
You will see a search bar on the redirected page. Type “wordfence security” inside the search bar. The search results will suggest you Wordfence plugin along with other related plugins.
Choose Wordfence Security – Firewall & Malware Scan, and click on the Install Now button. Activate the plugin upon successful installation. Wordfence will then show a welcome page where you need to enter your email address and press the Continue button to finish setting up the plugin.
Step 2: Configure the Settings
Now you’ll get a new menu named Wordfence on the left admin panel of your website. Click on the Dashboard menu.
You’ll be redirected to a new page. Now click on the Global Options tab to get access to the settings options.
Explore the options and choose the configuration that fits your site. For DDoS protection, the most relevant settings are under the firewall’s Rate Limiting section, where you can cap how many page views a single IP address may make per minute, treat clients that exceed the cap as bots, and choose how long an offending IP stays blocked.
Step 3: Explore the Firewall Option
Click on the Firewall option in the sidebar, right under the Wordfence menu, then click on the Manage Firewall button.
Then, click on the Optimize the Wordfence Firewall button. This lets the firewall load before WordPress itself, so blocked requests are rejected before any of your plugins run.
Download the backup copies of .htaccess (and .user.ini, if offered) that the popup suggests, so you can restore them if the change breaks your site, then press the Continue button to complete the optimization.
Step 4: Activate 2FA Security
You can enable two-factor authentication from the Login Security menu in the left sidebar. It doesn’t stop a flood, but it makes the brute-force attempts that often accompany one useless even if a password is guessed.
Step 5: Explore the All Options Menu
Wordfence Security has an All Options menu, equipped with all the settings options. You can access this page for an easier Wordfence setup process.
Alternative to Wordfence
While Wordfence has a big fan base, other security plugins also position themselves as high-performance security tools for WordPress. We’ve listed two of the most notable Wordfence alternatives here to help you choose the one that suits your needs.
1. MalCare
MalCare is an established security plugin with over 10,000 active installations and satisfactory user ratings.
MalCare features automated cleanups and a strong cloud-based firewall to protect the website from DDoS and other cyber attacks. You’ll get notified in real-time if the website goes down. You’ll get a malware scanner, malware remover, and website protector with this single plugin.
2. Security Ninja
Security Ninja has been serving the WordPress community for more than ten years. It runs over 50 security tests and reports issues instantly, and the setup process is simple.
The plugin warns you if you have installed plugins with known vulnerabilities, and it can block a blocklist of over 600 million malicious IPs with a single click. The Pro version adds a cloud firewall that bans attackers before they reach your website.
Bonus: Proven Tips to Stop DDoS Attack on WordPress
The methods above go a long way toward keeping DDoS attackers from taking your website down. You can follow the steps below to add an extra layer of protection.
- Back up your website’s data securely so you can recover even if an attack happens. You can use UpdraftPlus or BackupBuddy as a backup solution.
- Use a good CDN (Content Delivery Network) with DDoS protection, such as Cloudflare. The CDN’s edge network absorbs and filters the flood before it reaches your server. For this to work, your origin server must only accept traffic from the CDN’s IP ranges; otherwise an attacker who learns the origin address can bypass the CDN entirely.
- If you run your own servers, invest in network hardware and capacity that can withstand traffic spikes.
- Use the most recent version of WordPress, plugins and themes to ensure your website has the latest safeguards.
- Use the Protection Against DDoS plugin and restrict outside access to xmlrpc.php.
- Restrict the WordPress REST API, for example by limiting it to authenticated users if nothing on your site needs public access to it.
- Choose a hosting provider who regularly updates their security systems, firewall, and software.
- Buy additional internet bandwidth and increase your server’s capacity to handle more traffic.
With the right preparation and the right plugins installed, you can defend your WordPress website against most DDoS attacks. We suggest you back up all your data consistently so that you can recover it even if you fall victim to an attack.
DDoS attacks are not specific to WordPress, and a well-maintained site is no more exposed than any other. Still, it’s wise to prepare upfront against both DDoS and malware attacks, and the right plugin lets you put most of the protection in place within a few clicks.
Keep a close eye on your website and its traffic. Take prompt action if you notice unusual request volumes or any other suspicious activity.
Md. Tanvir Faisal is a Content Writer at WP Hive with more than four years of experience in content writing, copywriting, proofreading, and editing. He focuses on writing informative content that draws social media attention and enhances search engine visibility. To date, he has developed useful content for many websites across all formats.