DDoS Protection for WordPress: Keeping Your Site Online
Protect your WordPress site from DDoS attacks with CDN services, rate limiting, and traffic filtering strategies.
Distributed Denial of Service attacks overwhelm your server with traffic, making your site unavailable. Protection requires a multi-layered approach combining CDN, server, and application defenses.
Understanding DDoS Attacks
Attack Types
- Volumetric - Flood bandwidth (UDP floods, ICMP floods)
- Protocol - Exploit network protocols (SYN floods)
- Application Layer - Target WordPress specifically (HTTP floods)
WordPress-Specific Attacks
- XML-RPC pingback attacks
- wp-login.php brute force floods
- Search query floods
- Comment spam floods
- REST API abuse
CDN-Based Protection
Benefits of CDN
- Absorb volumetric attacks at edge
- Filter malicious traffic before server
- Geographic distribution of load
- Always-on DDoS protection
Cloudflare Configuration
- Enable "Under Attack" mode during incidents
- Set security level to High
- Enable Bot Fight Mode
- Configure rate limiting rules
- Block known bad countries if appropriate
WordPress Application Protection
Disable XML-RPC
<?php
// The xmlrpc_enabled filter only disables XML-RPC methods that require
// authentication; pingback.ping still answers, so on its own it does not
// stop pingback floods.
add_filter('xmlrpc_enabled', '__return_false');
// Remove the pingback method itself, which is the one abused in floods.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    return $methods;
});
// Or block the file at the web server via .htaccess so the request never
// reaches PHP (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
Rate Limit Login
<?php
// Limit failed logins per client IP using transients. Behind a CDN or
// reverse proxy REMOTE_ADDR is the proxy's address, so resolve the real
// client IP from the proxy's header first or all visitors share one counter.
function wpfs_ddos_login_key() {
    return 'login_attempts_' . md5($_SERVER['REMOTE_ADDR'] ?? '');
}

// Count real failures only. wp_login_failed is not fired for the
// empty-credential errors WordPress raises when wp-login.php is merely
// loaded; counting every WP_Error seen by the authenticate filter would
// lock out visitors who never submitted a password.
add_action('wp_login_failed', 'wpfs_ddos_count_failure');
function wpfs_ddos_count_failure($username) {
    $attempts = (int) get_transient(wpfs_ddos_login_key());
    set_transient(wpfs_ddos_login_key(), $attempts + 1, HOUR_IN_SECONDS);
}

// Priority 30 runs after core's username/password check (priority 20).
add_filter('authenticate', 'wpfs_ddos_login_limit', 30, 3);
function wpfs_ddos_login_limit($user, $username, $password) {
    if ($username !== '' && (int) get_transient(wpfs_ddos_login_key()) >= 5) {
        return new WP_Error('too_many_attempts',
            'Too many login attempts. Try again later.');
    }
    return $user;
}

// Clear the counter once a login succeeds.
add_action('wp_login', function () { delete_transient(wpfs_ddos_login_key()); });
Block Aggressive Bots
<?php
// Block known bad bots by User-Agent substring. Cheap, but the header is
// attacker-controlled, so treat this as noise reduction, not protection.
add_action('init', 'wpfs_block_bad_bots');
function wpfs_block_bad_bots() {
    // 'python-requests' and 'curl' also match uptime monitors and your own
    // scripts; drop them from the list if those must reach the site.
    $bad_bots = array(
        'masscan', 'nikto', 'sqlmap',
        'nmap', 'python-requests', 'curl'
    );
    // WP-CLI runs have no User-Agent; the null coalesce keeps them out of the match.
    $user_agent = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
    foreach ($bad_bots as $bot) {
        if (strpos($user_agent, $bot) !== false) {
            http_response_code(403);
            exit('Forbidden');
        }
    }
}
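The login limiter above covers one endpoint, but the search, comment and REST API floods listed under WordPress-Specific Attacks bypass page caches in the same way and need the same treatment. The following is an added example (not WP Folder Shield's code) of a generic per-IP limiter for those three paths. It also shows the CDN caveat in code: the proxy's client-IP header (Cloudflare's CF-Connecting-IP here) is trusted only when the connection itself came from a trusted proxy range. The 203.0.113.0/24 range, the wpfs_* function names and the per-minute limits are assumptions; replace the range with the CDN provider's published list. On a busy site back transients with a persistent object cache, since with the options table alone every counted request becomes a database write.

```php
<?php
// Documentation range standing in for your CDN's published ranges (assumption).
const WPFS_TRUSTED_PROXY_CIDRS = ['203.0.113.0/24'];

// True when $ip falls inside $cidr (IPv4 or IPv6, compared on packed bytes).
function wpfs_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr);
    $ipBin  = inet_pton($ip);
    $subBin = inet_pton($subnet);
    if ($ipBin === false || $subBin === false || strlen($ipBin) !== strlen($subBin)) {
        return false;
    }
    $bytes = intdiv((int) $bits, 8);
    $rem   = (int) $bits % 8;
    if (substr($ipBin, 0, $bytes) !== substr($subBin, 0, $bytes)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$bytes]) ^ ord($subBin[$bytes])) & $mask) === 0;
}

// Trust the proxy's client-IP header only when the connection came from the
// proxy; otherwise anyone could send the header and dodge the limiter.
function wpfs_client_ip(): string {
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    foreach (WPFS_TRUSTED_PROXY_CIDRS as $cidr) {
        if (wpfs_ip_in_cidr($remote, $cidr)) {
            $hdr = $_SERVER['HTTP_CF_CONNECTING_IP'] ?? '';   // Cloudflare's header
            if (filter_var($hdr, FILTER_VALIDATE_IP)) return $hdr;
        }
    }
    return $remote;
}

// Fixed one-minute window per (bucket, client IP). Returns true once the
// request that is being counted exceeds $limit.
function wpfs_rate_limited(string $bucket, int $limit, int $window = 60): bool {
    $key   = 'wpfs_rl_' . md5($bucket . '|' . wpfs_client_ip() . '|' . intdiv(time(), $window));
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, $window);
    return $count > $limit;
}

function wpfs_reject(string $what): void {
    header('Retry-After: 60');
    wp_die('Too many ' . esc_html($what) . ' requests. Try again in a minute.',
           'Rate limited', ['response' => 429]);
}

// Search query floods: every ?s= hit skips the page cache and runs a LIKE query.
add_action('template_redirect', function () {
    if (is_search() && wpfs_rate_limited('search', 10)) wpfs_reject('search');
});

// Comment spam floods: stop before WordPress touches the database.
add_action('pre_comment_on_post', function () {
    if (wpfs_rate_limited('comment', 5)) wpfs_reject('comment');
});

// REST API abuse: limit anonymous REST calls; authenticated users are exempt.
add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    if (!is_user_logged_in() && wpfs_rate_limited('rest', 60)) {
        return new WP_Error('rest_rate_limited', 'Too many requests.', ['status' => 429]);
    }
    return $result;
}, 10, 3);
```

The fixed window is deliberately simple: two transient operations per counted request and no per-request timestamps to store. Its weakness is the window edge (a client can spend one limit at the end of a minute and another at the start of the next), which is acceptable for flood control but not for strict quotas.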
Server-Level Protection
Nginx Rate Limiting
# Nginx rate limiting configuration
http {
    # Per-client-IP zones: 10 MB of state each, 1 request/second allowed
    limit_req_zone  $binary_remote_addr zone=one:10m  rate=1r/s;
    limit_conn_zone $binary_remote_addr zone=addr:10m;

    server {
        # Limit concurrent connections per IP for all requests. Set at server
        # level: a "location /" block does not apply to PHP requests, which
        # the regex location below handles.
        limit_conn addr 20;

        # Use an exact-match location: a plain "location /wp-login.php" loses
        # to "location ~ \.php$", so the limit would never apply. Because this
        # block now handles the request it must also pass it to PHP-FPM, or
        # nginx serves wp-login.php as a static file. The socket path is an
        # assumption; reuse the one from your existing PHP location.
        location = /wp-login.php {
            limit_req  zone=one burst=5 nodelay;
            limit_conn addr 10;
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/run/php/php-fpm.sock;
        }

        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/run/php/php-fpm.sock;
        }
    }
}
Apache mod_evasive
# Enable mod_evasive (the module is named mod_evasive20 on Apache 2.x)
<IfModule mod_evasive20.c>
    DOSHashTableSize  3097
    # Same page requested more than 5 times within 1 second from one IP
    DOSPageCount      5
    DOSPageInterval   1
    # More than 100 requests to the site within 1 second from one IP
    DOSSiteCount      100
    DOSSiteInterval   1
    # Offending IP gets 403 for 60 seconds
    DOSBlockingPeriod 60
    # mod_evasive counts per connecting IP. Behind a CDN every connection
    # arrives from the CDN's edge addresses, so add its published ranges
    # here or the module will block the CDN itself.
    DOSWhitelist      127.0.0.1
</IfModule>
Caching as Defense
Page Caching Benefits
- Reduces PHP processing per request
- Serves static HTML during attacks
- Lowers database load
- Enables CDN edge caching
Aggressive Caching During Attack
<?php
// wp-config.php: switch emergency caching on during an attack
define('WPFS_EMERGENCY_CACHE', true);

// Plugin or mu-plugin: while the flag is set, have the CDN and any reverse
// proxy cache every anonymous page for an hour, refresh it in the background,
// and keep serving the stale copy if the origin errors or times out.
add_action('send_headers', function () {
    if (!defined('WPFS_EMERGENCY_CACHE') || !WPFS_EMERGENCY_CACHE || is_user_logged_in()) {
        return;
    }
    header('Cache-Control: public, max-age=3600, stale-while-revalidate=300, stale-if-error=86400');
});
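Cache headers only help when a CDN or proxy sits in front of the site. To serve stale HTML from the origin itself, the cache has to answer before WordPress loads its plugins, theme and database connection. The following is an added example (not the project's code) of a wp-content/advanced-cache.php drop-in that does exactly that: it stores anonymous page views as files, serves fresh copies directly, and while WPFS_EMERGENCY_CACHE is set serves stale copies of any age. It assumes define('WP_CACHE', true) in wp-config.php (which makes WordPress include the drop-in early), a writable wp-content/cache/wpfs directory, and PHP 7.4 or later; only plain PHP is used because the WordPress API is not loaded yet.

```php
<?php
// wp-content/advanced-cache.php (added example; directory and TTLs are assumptions)
$wpfs_emergency = defined('WPFS_EMERGENCY_CACHE') && WPFS_EMERGENCY_CACHE;
$wpfs_ttl       = $wpfs_emergency ? 3600 : 300;    // seconds a stored copy counts as fresh
$wpfs_dir       = WP_CONTENT_DIR . '/cache/wpfs';  // WP_CONTENT_DIR is defined before this include

// Only anonymous, query-less GETs for front-end pages are safe to cache.
function wpfs_cacheable_request(): bool {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'GET') return false;
    if (!empty($_SERVER['QUERY_STRING'])) return false;     // searches, previews, tracking params
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
    if (preg_match('#^/(wp-admin|wp-login\.php|xmlrpc\.php|wp-json)#', $path)) return false;
    foreach (array_keys($_COOKIE) as $name) {                // logged in, commenter, password-protected post
        if (preg_match('/^(wordpress_logged_in_|comment_author_|wp-postpass_)/', $name)) return false;
    }
    return true;
}

function wpfs_cache_file(string $dir): string {
    return $dir . '/' . md5(($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['REQUEST_URI'] ?? '/')) . '.html';
}

if (wpfs_cacheable_request()) {
    $file = wpfs_cache_file($wpfs_dir);
    if (is_file($file)) {
        $age = time() - filemtime($file);
        // Fresh copies are always served; stale ones only in emergency mode, which
        // keeps the site answering even when PHP-FPM or the database is saturated.
        if ($age < $wpfs_ttl || $wpfs_emergency) {
            header('Content-Type: text/html; charset=UTF-8');
            header('X-WPFS-Cache: ' . ($age < $wpfs_ttl ? 'HIT' : 'STALE'));
            header('Cache-Control: public, max-age=' . max(0, $wpfs_ttl - $age) . ', stale-if-error=86400');
            readfile($file);
            exit;
        }
    }
    // Miss: let WordPress render normally and store the result on the way out.
    ob_start(function (string $html) use ($file, $wpfs_dir) {
        if (http_response_code() === 200 && stripos($html, '</html>') !== false) {
            if (!is_dir($wpfs_dir)) mkdir($wpfs_dir, 0755, true);
            $tmp = $file . '.' . getmypid() . '.tmp';
            file_put_contents($tmp, $html);
            rename($tmp, $file);   // atomic swap so a reader never sees a partial file
        }
        return $html;
    });
}
```

Two details matter operationally: the X-WPFS-Cache header lets you confirm from the outside that stale copies are actually being served during an incident, and the temporary-file-plus-rename write avoids serving half-written pages when many PHP workers regenerate the same URL at once. Purging is simply deleting files from the cache directory.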
Monitoring and Response
Attack Indicators
- Sudden traffic spike
- High server load
- Slow page responses
- Connection timeouts
- Unusual geographic traffic patterns
Response Checklist
- Enable CDN "Under Attack" mode
- Activate emergency caching
- Block attacking IP ranges
- Contact hosting provider
- Document attack for analysis
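The indicators above are easiest to confirm from the web server access log, and "document attack for analysis" is quickest when a script produces the record. The following is an added example (not from the original article) of a small CLI script that parses combined-format log lines, reports the busiest source IPs per minute and the WordPress endpoints they hit, and prints a JSON summary suitable for incident notes or a hosting-provider ticket. The log lines embedded in it are constructed, the wpfs_* names are assumptions, and the per-IP threshold should be set from your own baseline; it needs PHP 8.0 or later.

```php
<?php
// Constructed sample log (combined format) so the script runs without a real file.
const WPFS_SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/May/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.7 - - [12/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2024:10:00:03 +0000] "GET /?s=zxqv HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2024:10:00:04 +0000] "GET /?s=qwer HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.45 - - [12/May/2024:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 7800 "-" "Mozilla/5.0"
LOG;

// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
const WPFS_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';

function wpfs_parse_line(string $line): ?array {
    if (!preg_match(WPFS_LOG_RE, $line, $m)) return null;
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) return null;
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Map a request onto the WordPress-specific attack types from the article.
function wpfs_classify(array $r): ?string {
    $p = $r['path'];
    if (str_starts_with($p, '/xmlrpc.php')) return 'xmlrpc';
    if (str_starts_with($p, '/wp-login.php') && $r['method'] === 'POST') return 'login_post';
    if (preg_match('#^/\?s=|[?&]s=#', $p)) return 'search';
    if (str_starts_with($p, '/wp-json/')) return 'rest';
    if (str_starts_with($p, '/wp-comments-post.php')) return 'comment';
    return null;
}

// $perIpThreshold: requests per minute from one IP that count as a flood indicator.
function wpfs_summarise(string $log, int $perIpThreshold = 60): array {
    $perIpMinute = $byCategory = $byUa = [];
    $total = 0; $first = PHP_INT_MAX; $last = 0;
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = wpfs_parse_line($line);
        if ($r === null) continue;
        $total++;
        $first = min($first, $r['ts']); $last = max($last, $r['ts']);
        $minute = intdiv($r['ts'], 60) * 60;
        $perIpMinute[$r['ip']][$minute] = ($perIpMinute[$r['ip']][$minute] ?? 0) + 1;
        if (($c = wpfs_classify($r)) !== null) {
            $byCategory[$c][$r['ip']] = ($byCategory[$c][$r['ip']] ?? 0) + 1;
        }
        $byUa[$r['ua']] = ($byUa[$r['ua']] ?? 0) + 1;
    }
    if ($total === 0) return ['requests' => 0];
    $flooders = [];
    foreach ($perIpMinute as $ip => $minutes) {
        $peak = max($minutes);                 // busiest single minute for this IP
        if ($peak >= $perIpThreshold) $flooders[$ip] = $peak;
    }
    arsort($flooders); arsort($byUa);
    foreach ($byCategory as &$ips) arsort($ips);
    unset($ips);
    return [
        'window'          => [gmdate('c', $first), gmdate('c', $last)],
        'requests'        => $total,
        'rps'             => $total / max(1, $last - $first + 1),
        'flooders'        => $flooders,           // ip => peak requests in one minute
        'wp_targets'      => $byCategory,         // attack type => ip => hits
        'top_user_agents' => array_slice($byUa, 0, 5, true),
    ];
}

// Pipe a real log in on stdin; with no pipe, the constructed sample is analysed.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $input = stream_isatty(STDIN) ? WPFS_SAMPLE_LOG : stream_get_contents(STDIN);
    echo json_encode(wpfs_summarise($input, 3), JSON_PRETTY_PRINT), "\n";
}
```

Run it as `php wpfs-log-summary.php < /var/log/nginx/access.log` during an incident and keep the JSON with the incident notes; the flooders list feeds the "block attacking IP ranges" step, and the wp_targets breakdown tells you which of the application-level mitigations above to tighten first. Remember that behind a CDN the logged IP is the edge address unless the server has been configured to log the forwarded client address.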
Prevention Best Practices
- Use a CDN with DDoS protection
- Keep WordPress and plugins updated
- Implement rate limiting everywhere
- Disable unnecessary services (XML-RPC)
- Have an incident response plan ready
Conclusion
DDoS protection requires preparation before attacks occur. Implement CDN protection, rate limiting, and caching now. Have response procedures documented and tested.
Written by Sarah Chen
WP Folder Shield Team