DDoS Attacks on WordPress: How to Keep Your Site Online Under Attack

Distributed Denial of Service attacks can take your WordPress site offline by overwhelming it with traffic. Learn how they work and how to protect against them.

WPSentry Team · March 8, 2026 · 3 min read

What is a DDoS Attack?

A Distributed Denial of Service (DDoS) attack aims to make your WordPress site unavailable by flooding it with more traffic than it can handle. Unlike other attacks that try to break in, DDoS attacks try to shut you out.

These attacks use networks of compromised devices (botnets) to generate massive amounts of traffic from thousands of different IP addresses, making it difficult to distinguish legitimate visitors from attack traffic.

Types of DDoS Attacks Against WordPress

Application Layer Attacks (Layer 7)

These attacks target WordPress specifically, sending requests that are expensive for the server to process:

  • WordPress login floods — Thousands of simultaneous login attempts to /wp-login.php
  • XML-RPC pingback attacks — Abusing the pingback feature to amplify requests
  • Search query floods — Sending complex search queries that trigger expensive database operations
  • WP-Cron abuse — Triggering wp-cron.php thousands of times simultaneously
  • Comment spam floods — Overwhelming the comment processing system

Network Layer Attacks (Layer 3/4)

These overwhelm the server's network connection regardless of the application:

  • SYN floods — Exhausting server connection tables
  • UDP floods — Overwhelming bandwidth with UDP packets
  • DNS amplification — Using DNS servers to multiply attack traffic

WordPress-Specific DDoS Vectors

The XML-RPC Pingback Amplification

WordPress sites can be used as amplifiers in DDoS attacks. An attacker sends pingback requests to thousands of WordPress sites, all pointing to the victim's server. Each WordPress site then sends a verification request to the victim, multiplying the attacker's traffic.

The wp-cron.php Problem

By default, WordPress loads wp-cron.php on every page view. Under heavy traffic (legitimate or attack), this creates additional server load. Disabling this and using a real cron job is recommended.

Mitigation Strategies

  1. Use a CDN with DDoS protection — Cloudflare, Sucuri, or AWS CloudFront can absorb attack traffic before it reaches your server
  2. Disable XML-RPC — Return false from the xmlrpc_enabled filter, or block access to xmlrpc.php via .htaccess
  3. Use server-side cron — Disable WP-Cron by adding define('DISABLE_WP_CRON', true); to wp-config.php, then set up a real cron job that requests wp-cron.php on a fixed schedule
  4. Implement rate limiting — Limit requests per IP at the server level (nginx/Apache)
  5. Enable caching — Serve cached pages to reduce server load. Tools: WP Super Cache, W3 Total Cache, or server-level caching
  6. Choose quality hosting — Managed WordPress hosts often include DDoS protection and automatic scaling
  7. Block known bad IPs — Use services that maintain real-time threat intelligence databases

During an Active Attack

  1. Enable "Under Attack" mode in your CDN (Cloudflare has this built in)
  2. Contact your hosting provider — they may be able to null-route attack traffic
  3. Enable maintenance mode to reduce server processing
  4. Check logs to identify the attack pattern and targeted endpoints
  5. Block the most aggressive IP ranges at the firewall level
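Step 4 above (check the logs to find the attack pattern and the targeted endpoints) can be done with a short script. The following is an added example and not part of the original article: it parses constructed nginx/Apache combined-format log lines, counts hits per endpoint, and aggregates hits on the Layer 7 targets this article names (wp-login.php, xmlrpc.php, wp-cron.php, search) by source range so the noisiest ranges can be reviewed before step 5. The sample log lines, the /24 and /64 aggregation and the min_hits threshold are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the nginx/Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [08/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.12 - - [08/Mar/2026:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
198.51.100.7 - - [08/Mar/2026:10:00:03 +0000] "GET /?s=a+b+c+d HTTP/1.1" 200 18233 "-" "curl/8.0"
192.0.2.5 - - [08/Mar/2026:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 9211 "https://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints the article lists as Layer 7 targets; "?s=" on the front page is WordPress search.
EXPENSIVE = {"/wp-login.php", "/xmlrpc.php", "/wp-cron.php"}

def parse(log_text):
    """Yield one dict per well-formed access-log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def source_range(ip):
    """Aggregate a client address into its /24 (IPv4) or /64 (IPv6) block (assumed granularity)."""
    prefix = 24 if ip_address(ip).version == 4 else 64
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def triage(log_text, min_hits=2):
    """Return (hits per endpoint, hits per source range on expensive endpoints, ranges at or above min_hits)."""
    by_endpoint = Counter()
    by_range = Counter()
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]
        is_search = rec["path"].startswith("/?s=")
        by_endpoint["/?s= (search)" if is_search else path] += 1
        if is_search or path in EXPENSIVE:
            by_range[source_range(rec["ip"])] += 1
    hot_ranges = {rng for rng, n in by_range.items() if n >= min_hits}
    return by_endpoint, by_range, hot_ranges

if __name__ == "__main__":
    endpoints, ranges, hot = triage(SAMPLE_LOG)
    print(endpoints.most_common())
    print("source ranges to review at the firewall:", sorted(hot))
```

The returned hot_ranges set is a review list for a human, not an automatic blocklist; shared proxies and CDN egress ranges can land in it alongside attack sources.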

Frequently Asked Questions

A Distributed Denial of Service (DDoS) attack aims to make your WordPress site unavailable by flooding it with more traffic than it can handle. Unlike other attacks that try to break in, DDoS attacks use botnets (networks of compromised devices) to overwhelm your server.

Application layer (Layer 7) attacks target WordPress-specific endpoints with expensive requests: login page floods to /wp-login.php, XML-RPC pingback abuse, complex search query floods, wp-cron.php abuse, and comment spam floods.

Use a CDN with DDoS protection (Cloudflare, Sucuri), disable XML-RPC, replace WP-Cron with a server-side cron job, implement rate limiting, enable page caching, choose quality hosting with DDoS protection, and maintain blocklists of known bad IPs.

Enable 'Under Attack' mode in your CDN, contact your hosting provider for traffic null-routing, enable maintenance mode to reduce processing, analyze logs to identify the attack pattern, and block the most aggressive IP ranges at the firewall level.

Attackers send pingback requests to thousands of WordPress sites pointing to a victim's server. Each WordPress site then sends a verification request to the victim, multiplying the attacker's traffic. This makes even small botnets capable of generating massive attack volumes.
