WordPress DDoS Protection: How to Keep Your Site Online

A DDoS attack — a Distributed Denial of Service attack — does exactly what the name suggests: it denies service to your real visitors by overwhelming your site with fake traffic until it collapses under the load. For a business owner, the consequences are immediate and measurable. Your site goes offline, customers cannot reach you, transactions fail, and the longer the outage runs, the more damage it does to your search rankings and your reputation. This is not a theoretical risk. It is one of the most common threats facing websites right now, and WordPress sites are in the crosshairs more than most.

WordPress powers over 40% of the web, which makes it an extraordinarily attractive target. Attackers do not have to work hard to identify what software a site is running, and they do not have to guess where the weak points are. Predictable WordPress endpoints — including xmlrpc.php, wp-login.php, and admin-ajax.php — exist on nearly every WordPress installation, giving attackers known targets to aim at directly. Add to that the fact that the average WordPress site runs 20 or more plugins, each adding code and expanding the attack surface, and you start to understand why WordPress is disproportionately targeted. Scale and predictability are exactly what attackers look for.

The business consequences of a successful attack are serious. Downtime means lost revenue — whether you run an e-commerce site processing orders or a professional services site generating enquiries, every minute offline is a minute your competitors are still visible and you are not. Search engines measure site availability, and a prolonged outage can damage the rankings you have spent months or years building. Beyond that, visitors who encounter an error page do not assume a technical problem; they assume the business is unreliable. That erosion of trust is harder to recover than the rankings.

Recognising the Warning Signs and Understanding the Attack

The earlier you spot a DDoS attack, the more options you have. Warning signs include unusual slowness or unresponsiveness, 502 or 503 errors being reported by visitors, and server CPU, memory, or bandwidth usage spiking without a corresponding increase in real users. That last point is the key diagnostic: if your analytics show a normal number of genuine visitors but your server is behaving as though it is serving thousands, something is consuming resources that should not be there.

DDoS attacks fall into two broad categories, and understanding the difference matters when you are deciding what protection to put in place. Network-layer attacks — sometimes called volumetric attacks — aim to saturate your server’s bandwidth with raw traffic. They are blunt instruments, and they tend to be easier for hosting infrastructure to absorb or filter at scale. Application-layer attacks, known as Layer 7 attacks, are a more sophisticated and more common threat to WordPress specifically. Rather than flooding raw bandwidth, they target the application itself by sending requests that look like legitimate user behaviour. Because WordPress generates pages on demand by pulling from the database for every request, it is especially vulnerable to this kind of attack — even a few hundred requests per second can take a mid-sized WordPress site down. The attacker does not need a massive botnet; they just need to keep hitting the right endpoints at a sustained rate.

Layer 7 attacks are difficult to block at the server level precisely because the traffic mimics genuine user activity. Standard firewall rules that filter by IP or protocol are not built for this. By the time your server has worked out that a request is malicious, it has already spent the database queries and processing power to begin handling it. At scale, that consumption is enough to bring the site to its knees.

What Protection Looks Like in Practice

The good news is that the protective measures available are well-established, and framing them as business continuity decisions — rather than technical configurations — makes the investment straightforward to justify.

• A Web Application Firewall (WAF). A WAF sits between incoming traffic and your WordPress site, analysing requests before they reach your server. It can identify and discard the kind of high-volume, pattern-based requests that characterise Layer 7 attacks, whilst allowing genuine visitors through. Effective DDoS protection helps prevent downtime, protects hosting resources, and keeps real visitors from being blocked by malicious traffic, whilst helping maintain site speed during attacks by filtering fake traffic before it consumes server resources. A managed WAF does this automatically, which matters for businesses without in-house technical staff monitoring the site around the clock.
• CDN-based traffic filtering. A Content Delivery Network distributes your site across multiple servers in different locations, which means incoming traffic is spread across that network rather than hitting a single origin server. More importantly, the major CDN providers include DDoS mitigation as part of their infrastructure, absorbing and filtering attack traffic at the network edge before it ever reaches your site. For businesses with international audiences, this has the added benefit of improving load times for genuine visitors.
• Hosting environment. Not all hosting is equal when it comes to attack resilience. Shared hosting environments, where your site shares server resources with hundreds of others, offer very little capacity to absorb sudden traffic spikes. Managed WordPress hosting providers typically include server-level protections and have the infrastructure to respond quickly when an attack is detected. If your site is material to your business, the hosting environment is not a cost to minimise — it is a foundational decision.

None of these measures requires you to become a technical expert. They require you to make decisions about the level of risk your business can tolerate and to ensure whoever manages your WordPress site has implemented appropriate protections. If you are unsure whether your current setup would survive a sustained attack, that is worth finding out before you are forced to find out under pressure.

If you would like an honest assessment of where your WordPress site stands, get in touch with me at The WordPress Guy and I will tell you exactly what I find.