WordPress DDoS Protection

Every server has a limit, and your website can only handle so many simultaneous visits before its server begins to buckle under pressure. This, in a nutshell, is how a distributed denial of service (DDoS) attack works. Considering how common they are, setting up WordPress DDoS protection is a smart move.

There are a lot of ways you can mitigate the effects of DDoS attacks on your website. Blocking suspicious IPs is a great start, and so is investing DDoS protection services. Securing your website against DDoS attacks from the get-go can save you a lot of time and headaches down the road.

In this article, we’re going to go over the threat of DDoS attacks by the numbers. Then we’ll discuss five WordPress DDoS protection methods.

Let’s get to it!

Why your website might need DDoS protection

DDoS attacks are much more frequent than you might think. In the first half of 2019, DDoS attacks increased by 39 percent in comparison to 2018, which itself saw millions of attacks. Their potency is also increasing dramatically, with attacks of over 500 gigabytes per second (Gbps) becoming more and more common.

The targets for these attacks aren’t only large websites. Even smaller sites can be affected by attackers seeking to collect a ransom. This makes WordPress DDoS protection almost a necessity, more than a precaution.

Five methods to secure your WordPress site against DDoS attacks

DDoS attacks may be scary, but there are a lot of ways you can set up WordPress DDoS protection.

If you’re proactive, you may never find yourself in a position where a DDoS attack takes down your website. Let’s take a look at five different methods.

1. Use a content delivery network (CDN)

CDNs are services that cache copies of your website on their data centers. The most popular CDNs offer data centers around the world and they act as a middleman between you and your site’s visitors.

Whenever possible, your CDN will serve a cached copy of your site from its servers, which translates to less strain on yours. What’s more, CDNs can also help you decrease overall loading times because they’re built with performance in mind.

CDNs act as a sort of firebreak to DDoS attacks by preventing the resultant traffic from overwhelming your website. They can detect anomalous patterns in traffic, and if things are scaling too fast, can act to mitigate the attack.

Some CDNs, like Cloudflare, also act as a reverse proxy which can further protect your WordPress site from DDoS attacks.

Who should consider using a CDN:

Most websites can benefit from integrating a CDN to improve their performance. It shouldn’t come as a surprise many of them are premium services, though. The good news is there are several great free CDN options, and most of them integrate easily with WordPress.

2. Sign up for a dedicated DDoS protection service

While most CDNs offer DDoS protection as a sort of extra, there are other services with entire businesses built around the functionality.

For example, Google offers a service called Project Shield, which is made available via invitation:

WordPress DDoS Protection with Project Shield.

Other DDoS protection services tend to be on the high-end when it comes to prices. This is the kind of service that only enterprises usually pay for. To give you an idea, AWS offers a Shield service for DDoS protection, and charges $3,000 per month for its Advanced tier.

Who should consider dedicated DDoS protection:

Unless you run a major eCommerce operation that can’t afford to be offline for even an hour, dedicated DDoS protection might be overkill. This type of service comes with an expensive price tag, so you’ll need a big budget.

3. Switch to a new hosting provider

Most web hosts rave about their performance. However, it’s obvious that not all of them are at the same level performance-wise. Some web hosting servers slow down dramatically even under a moderate strain, which makes those providers terrible options if you face a DDoS attack.

The good news is, most reputable web hosting providers implement some level of protection against traffic floods at the server level. SiteGround, for example, uses a hardware firewall and looks out for unusual numbers of connections.

Another example is WP Engine, which integrates with Cloudflare out of the box to provide DDoS protection for all its plans. Those are two of our favorite WordPress web hosts, but they’re far from the only options that offer DDoS protection.

Who should consider switching to a new hosting provider:

If you think your web host is handicapping your website’s performance, it’s in your best interest to switch providers as soon as possible.

4. Set up a firewall

You’re probably already familiar with the concept of firewalls. A firewall is a piece of software that protects your computer from unauthorized access using its own set of pre-programmed rules.

You can configure your firewall to help you limit the number of users accessing your website during a specific period and filter out visitors that are likely to be bots. If you set the number to something reasonable, this can be enough to stop most DDoS attacks without impacting the user experience.

Using Wordfence's rate limiting feature.

One way to do this in WordPress is through plugins. For example, Wordfence includes a Rate Limiting feature you can use to limit how many users and automatic crawlers can access your website.

Who should consider using a WordPress firewall:

We’ve shared our feelings about WordPress security plugins in the past. A lot of them go overboard and make more changes to your website than strictly necessary, which can impact performance.

If you’re looking for a cheap and easy-to-implement WordPress DDoS protection method, we recommend using a free CDN instead.

5. Blacklist suspicious IP addresses

This method is a bit more hands-on than other approaches for WordPress DDoS protection. It involves monitoring which IP addresses are trying to access your website, and blacklisting those that show suspicious activity, such as:

  • Repeated login attempts
  • An unreasonably high number of visits
  • IP clusters flooding your website with traffic

WordPress enables you to blacklist IP addresses at the server level by tweaking your .htaccess file:

WordPress DDoS protection with .htaccess rules

You can also use plugins such as All In One WP Security & Firewall to achieve the same goal:

However, you’ll need a way to monitor suspicious IP activity, and this method can’t help you prevent DDoS attacks. Even so, if you’re quick you can mitigate them – and it’s free.

Who should consider blacklisting IP addresses:

If you’re more concerned with brute force rather than DDoS attacks, IP blacklisting can be a great way to protect your website. It’s also a viable option if you don’t want to use any plugins or third-party services for your website.

Conclusion

These days, even small websites can fall prey to DDoS attacks. In addition, some groups use them as a form of blackmail against businesses, which means setting up WordPress DDoS protection can be a smart move.

There are five ways you can protect your WordPress website from DDoS attacks:

  1. Use a CDN.
  2. Sign up for a dedicated DDoS protection service.
  3. Upgrade your hosting plan or switch to a new provider.
  4. Set up a firewall.
  5. Blacklist suspicious IP addresses.

Of course, malicious actors can target your WordPress site with a lot more than DDoS attacks. To fully protect your WordPress site, check out our top 10 WordPress security tips and four ways to tighten WordPress security.

Do you have any questions about WordPress DDoS protection? Let’s go over them in the comments section below!

Free guide

5 Essential Tips to Speed Up
Your WordPress Site

Reduce your loading time by even 50-80%
just by following simple tips.

Download free guide