How to Prevent DDoS Attacks in WordPress

With the pandemic in full swing in many countries and the explosion of online businesses, digital attacks are becoming more frequent and threatening. Some of the most common and dangerous ones are DDoS attacks. In this guide, we’ll show you how to prevent DDoS attacks on your WordPress site.

What are DDoS Attacks?

Before jumping into how to prevent DDoS (Distributed Denial of Service) attacks, let’s first understand what they are. Simply put, a DDoS attack is a denial-of-service (DoS) attack in which a large number of internet-connected devices, usually compromised machines under an attacker’s control (a botnet), flood a website’s servers with junk traffic.

In a DDoS attack the traffic arrives from thousands of machines at once rather than from a single source, so no individual IP address stands out and blocking addresses one by one achieves little; the flood often goes unrecognized for a while before it is mitigated. The combined load is what does the damage: it slows the targeted server down and finally makes it stop responding altogether.

One interesting thing about DDoS attacks is that they don’t try to breach your server directly. Instead, they aim to knock the website offline for a period of time so that users can’t reach it. That said, a DDoS attack is sometimes used as a smokescreen: while your team is busy keeping the site up, the attacker attempts a break-in elsewhere.

So what happens if you are the victim of a DDoS attack? If the attackers have managed to crash your server, you’re in trouble. Recovery may cost thousands of dollars, not to mention extra expenses such as bandwidth overage. More importantly, the attack will take a toll on your traffic, reputation, and sales.

Are DDoS attacks common?

Yes, they are. In fact, DDoS attacks are becoming more and more common. According to recent studies, there are currently 16 DDoS attacks every 60 seconds! And in 2019 alone, there were more than 8.4 million DDoS attacks around the world.

To avoid all these issues, it is of utmost importance to prevent DDoS attacks on your WordPress site. In this guide, we’ll show you what to do to avoid them and keep your website safe.

How to Prevent DDoS Attacks in WordPress

These are some ideas to prevent DDoS attacks in WordPress and avoid hackers affecting your site.

  1. Block access to wp-login.php
  2. Activate a WAF
  3. Supervise website traffic
  4. Restrict access to the wp-admin area
  5. Activate country blocking
  6. Disable the APIs attackers abuse
    1. XML-RPC API
    2. REST API
  7. Update WordPress regularly

1. Block access to wp-login.php

The wp-login.php file is one of the most common targets for DDoS attacks in WordPress. Every request to it loads WordPress, and every POST runs a password check against the database, so a flood of login attempts (usually a brute-force or credential-stuffing campaign at the same time) consumes far more server resources than a flood of plain page views. For example, at QuadLayers, we block access to the wp-login.php file more than 250 times per day!

If you use a service like Cloudflare, you can check in its firewall events how many times someone has tried to reach your wp-login.php file. You’ll be surprised at how high that number is. Blocking those requests at the edge, before they ever reach your server, is one of the best ways to prevent DDoS attacks in WordPress.

Most security services offer different options to block access to wp-login.php. We use Cloudflare so we’ll show you how to block attacks to the wp-login.php files with this service. Cloudflare’s free plan allows you to set up to 5 rules so you can do this without spending any money.

In the dashboard, go to Firewall > Firewall Rules > Create a Firewall rule (in newer Cloudflare dashboards the same feature lives under Security > WAF > Custom rules). Give the rule a name, set the action to Block, and fill in the fields with the following information:


  • Field: URI Path
  • Operator: contains
  • Value: /wp-login.php

Alternatively, you can copy and paste the following code in the Expression Preview section:

(http.request.uri.path contains "/wp-login.php")

Click the Save button and you are all set. Keep in mind that this rule blocks you too: either add an exception for your own IP address, as the wp-admin rule in step 4 does, or choose Managed Challenge instead of Block so that real browsers (including yours) can still get through while bots are stopped. Test the rule from a second connection, such as your phone’s mobile data, before relying on it.


2. Activate a WAF

WAF is short for Web Application Firewall, and it adds another layer of protection for your website. It inspects incoming HTTP requests against rule sets and heuristics (known attack signatures, rate limits, bot reputation) and drops the ones that look malicious before they reach WordPress, so that only legitimate traffic gets through.

There are many WAF solutions to choose from. Before deciding which one to use, check that the protection suits your site, as well as price and ease of use. Having used a couple of these over the years, we highly recommend Sucuri. It has a free plugin and a couple of pro plans that start at 199 USD per year for a single site. Cloudflare is also an excellent choice: its free plan already includes basic DDoS mitigation and the firewall rules used in this guide, and the Pro plan at 20 USD per month adds the managed WAF rule sets.

Additionally, we recommend following some general security tips to improve your site’s overall protection against all kinds of threats, not just DDoS.

3. Supervise Website Traffic

A great surge in traffic isn’t necessarily good news. Volumetric DDoS attacks saturate your network link and can only be stopped upstream, by your host or CDN, but application-layer floods (a script requesting the same URL thousands of times) show up in your analytics looking like a crowd of new visitors. If you see tons of new visitors arriving, check whether they behave like people (several pages per visit, images and scripts loaded, plausible referrers) or like a bot (one URL hammered at a constant rate).

The best solution is to install monitoring tools that watch your logs and alert you when the number of requests or visitors jumps suddenly. Monitoring doesn’t prevent a DDoS attack by itself, but it lets you react within minutes instead of finding out from your customers.

To differentiate between new visitors and DDoS attacks, you may want to pay attention to:

  • Source of traffic: Does your traffic come from the region you target? If you target local customers, for example, but receive huge traffic from overseas, then there’s something weird going on.
  • Time of traffic: If you witness a surge of visits at 3:00 AM local time, then it might be the attacks as well.
  • Your business’s characteristics: Take into account your business type as well. If you sell swimwear and beachwear, for instance, a surge of visitors during the summer is normal.

Please note that Googlebot and other search engine crawlers can generate bursts of requests that look suspicious. Verify a crawler before you block it: Google’s documented check is a reverse DNS lookup of the IP (the hostname should end in googlebot.com or google.com) followed by a forward lookup of that hostname that returns the same IP. The User-Agent string alone proves nothing, since attackers spoof it freely.
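Here is what such a check looks like in practice. The following PHP command-line script is an added example for this guide, not code from the original article or from any monitoring product: it parses Apache/Nginx combined-format access log lines, counts requests per source IP per minute, reports the sources that exceed a threshold together with the URL they hit most, and includes Google’s reverse-then-forward DNS check for telling a real Googlebot from a spoofed one. The threshold, the log lines and the IP addresses are constructed for the example.

```php
<?php
// analyze-access-log.php: flag per-IP request bursts in an Apache/Nginx combined-format
// access log. Usage: php analyze-access-log.php /var/log/apache2/access.log
// Without an argument it analyses the constructed sample lines at the bottom.

const BURST_THRESHOLD = 60; // requests per IP per minute treated as a burst (assumed value)

// Parse one combined-log-format line into ip, minute bucket, path and user agent.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null; // not a line we understand; skip rather than guess
    }
    // "10/Oct/2023:13:55:36 +0000" -> "10/Oct/2023:13:55": bucket requests by minute
    return ['ip' => $m[1], 'minute' => substr($m[2], 0, 17), 'path' => $m[3], 'ua' => $m[4]];
}

// Count requests per (ip, minute); return the buckets at or above the threshold,
// each with the path that source hit most (an HTTP flood usually hammers one URL).
function find_bursts(array $lines, int $threshold = BURST_THRESHOLD): array
{
    $counts = [];
    $paths  = [];
    foreach ($lines as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $key = $r['ip'] . ' @ ' . $r['minute'];
        $counts[$key] = ($counts[$key] ?? 0) + 1;
        $paths[$key][$r['path']] = ($paths[$key][$r['path']] ?? 0) + 1;
    }
    $bursts = [];
    foreach ($counts as $key => $n) {
        if ($n >= $threshold) {
            arsort($paths[$key]);
            $bursts[$key] = ['requests' => $n, 'top_path' => array_key_first($paths[$key])];
        }
    }
    return $bursts;
}

// Google's documented crawler check: the IP must reverse-resolve to a googlebot.com or
// google.com host AND that host must resolve forward to the same IP. A User-Agent string
// alone proves nothing. This needs DNS, so it is not run on the offline sample below.
function is_verified_googlebot(string $ip): bool
{
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return false; // no PTR record
    }
    if (!preg_match('/\.(googlebot|google)\.com$/', $host)) {
        return false;
    }
    return gethostbyname($host) === $ip;
}

// Constructed sample: one visitor, one crawler, and one source hitting wp-login.php 80 times
// within a single minute, which is what a scripted login flood looks like in the log.
$sample = [
    '198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /blog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [10/Oct/2023:13:55:02 +0000] "GET /sitemap.xml HTTP/1.1" 200 811 "-" "Googlebot/2.1"',
];
for ($i = 0; $i < 80; $i++) {
    $sec = str_pad((string) ($i % 60), 2, '0', STR_PAD_LEFT);
    $sample[] = "203.0.113.5 - - [10/Oct/2023:13:55:$sec +0000] \"POST /wp-login.php HTTP/1.1\" 200 2310 \"-\" \"python-requests/2.31\"";
}

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
foreach (find_bursts($lines) as $key => $b) {
    printf("%s: %d requests/min, mostly %s\n", $key, $b['requests'], $b['top_path']);
}
```

Run it against a real log by passing the log path as the first argument; on the constructed sample it reports 203.0.113.5 hitting /wp-login.php 80 times in one minute, which is exactly the pattern the wp-login.php rule in step 1 is meant to stop. For production use, run it from cron over the last few minutes of the log and feed the flagged IPs to your firewall, and treat a Googlebot user agent as unverified until is_verified_googlebot returns true for its IP.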

4. Restrict access to the wp-admin area

Only you (and your fellow administrators) should be able to reach the wp-admin area, since that is where every important WordPress setting lives. When you restrict it, however, leave /wp-admin/admin-ajax.php reachable: themes and plugins call it from the public front end (search suggestions, contact forms, add-to-cart buttons), so blocking it breaks those features for ordinary visitors. The rule below also excludes /wp-admin/theme-editor.php; note that this file is the built-in code editor, which only logged-in administrators use, so you can drop that exception (many hardening guides disable the editor altogether). Finally, you can add exceptions for your own IP address and for requests whose referrer is your own site. Keep in mind that the Referer header is sent by the client and can be forged, so the referrer exception is a usability convenience, not a security control: anyone can send a Referer header containing your domain and pass the rule. The IP exception is the one that actually keeps you in while keeping others out.

If you’re using a security service, this shouldn’t be hard to configure. In our case, this is how we did it using Cloudflare:

In the dashboard, go to Firewall > Firewall Rules > Create a Firewall rule (or Security > WAF > Custom rules in newer Cloudflare dashboards). After naming the rule and setting the action to Block, fill in the fields with the following information:


  • Field: URI Path
  • Operator: contains
  • Value: /wp-admin/

[AND]

  • Field: URI Path
  • Operator: does not contain
  • Value: /wp-admin/admin-ajax.php

[AND]

  • Field: URI Path
  • Operator: does not contain
  • Value: /wp-admin/theme-editor.php

[AND]

  • Field: Referrer
  • Operator: does not contain
  • Value: quadlayers.com

[AND]

  • Field: IP Address
  • Operator: does not equal
  • Value: 182.189.59.210

Otherwise, you can just click Edit expression and paste the following expression:

(http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php" and not http.referer contains "quadlayers.com" and ip.src ne 182.189.59.210)

Replace quadlayers.com and 182.189.59.210 with your own domain and your own static IP address. If your IP changes (home connections usually do), you will lock yourself out of the admin area until you update the rule from another network, so either use a fixed address such as a VPN exit or choose the Managed Challenge action instead of Block.

5. Activate Country Blocking

Country blocking (a form of geo-blocking) reduces the traffic your site will accept at all. It cannot stop a DDoS attack on its own, because botnets are spread across the globe and an attacker can route through whatever country you allow, but it is a common way to cut the attack surface when your customers are all in one region, and it may be required by your organization’s policies. Weigh the cost: legitimate visitors who are travelling or using a VPN will be blocked as well.

Cloudflare firewall rules can match on the visitor’s country in the same way as the path rules above, and Sucuri’s firewall (part of its paid service rather than the free plugin) offers country blocking as a simple toggle, which makes it an excellent choice for this.

6. Disable the APIs attackers abuse

The principle of this method is to disable several APIs so that hackers can’t use them to launch attacks on your WordPress site. Normally, these APIs are the gateways for third-party plugins and services to integrate into a website. However, hackers often exploit them to launch DDoS or brute force attacks.

There are two APIs you should consider disabling:

6.1) XML-RPC API

This API lets third-party applications talk to your site; the WordPress mobile apps and Jetpack are its best-known users. The bad news is that it is one of the most common attack targets: its pingback.ping method can be abused to make your server send requests to a third party (a reflection attack in which your site becomes part of someone else’s DDoS), and its system.multicall method lets an attacker bundle hundreds of login guesses into a single HTTP request. So, if you and your users don’t rely on the mobile app or Jetpack, consider disabling this API.

To block all XML-RPC requests on an Apache server, add the following to your site’s .htaccess file. Nginx ignores .htaccess, so there you need an equivalent location rule in the server configuration, or a Cloudflare firewall rule like the wp-login.php one in step 1 pointed at /xmlrpc.php, which has the added benefit of keeping the requests off your server entirely.

# Block all requests to xmlrpc.php (Apache 2.4 syntax, with a 2.2 fallback)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>

6.2) REST API

Another API that can be restricted to prevent DDoS attacks in WordPress is the REST API. It lets third-party plugins and tools read WordPress data and, with the right permissions, create, modify and delete content. The easiest way to restrict it is to install the free Disable WP Rest API plugin.

After installing and activating it, you are all set: the plugin immediately disables the REST API for all visitors who are not logged in, with no further configuration. Test your public pages afterwards, because some front-end features (contact forms, store checkout, embeds) call the REST API without a login and will stop working unless you exempt their routes. Keep in mind, too, that this is an application-level measure: blocked requests still reach PHP and WordPress, so it limits what an attacker can do rather than reducing the load; use an edge rule like the ones above to keep the traffic off your server.
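Both of the steps above can be done without a plugin, and doing so shows what actually has to be switched off. The must-use plugin below is an added example written for this guide, not code from the original article or from the Disable WP Rest API plugin; it uses the WordPress core filters xmlrpc_enabled, xmlrpc_methods, wp_headers and rest_authentication_errors. The plugin name and the list of REST namespaces left public are assumptions that you should adjust to your own site.

```php
<?php
/**
 * Plugin Name: Harden Remote APIs (example)
 * Description: Disables XML-RPC and limits the REST API to logged-in users.
 * Save as wp-content/mu-plugins/harden-remote-apis.php (must-use plugins need no activation).
 */

// 1. Refuse every XML-RPC method that requires a login. NOTE: this filter is only
//    consulted inside wp_xmlrpc_server::login(), so methods that need no login,
//    pingback.ping above all, are still reachable. Step 2 removes those explicitly.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the methods attackers actually use: pingback.ping makes your server fetch an
//    attacker-chosen URL (reflection against a third party), and system.multicall packs
//    hundreds of login guesses into one HTTP request.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Require a logged-in user for the REST API, except for namespaces your front end needs
//    anonymously. The two entries below are assumptions for this example; add or remove
//    namespaces (e.g. wc/store/v1 for WooCommerce guest checkout) to match your plugins.
const HARDEN_REST_PUBLIC_NAMESPACES = [ 'contact-form-7/v1', 'oembed/1.0' ];

function harden_rest_current_route(): string {
    // Set by WordPress for both /wp-json/... and ?rest_route=... requests.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    return '/' . ltrim( (string) $route, '/' );
}

add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result; // another callback already allowed or rejected the request
    }
    if ( is_user_logged_in() ) {
        return $result; // cookie + nonce authenticated editors keep full access
    }
    $route = harden_rest_current_route();
    foreach ( HARDEN_REST_PUBLIC_NAMESPACES as $ns ) {
        if ( 0 === strpos( $route, '/' . $ns . '/' ) ) {
            return $result; // allowlisted public namespace
        }
    }
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API on this site.',
        [ 'status' => rest_authorization_required_code() ]
    );
} );
```

A detail worth knowing: the xmlrpc_enabled filter is only checked for XML-RPC methods that require a login, so on its own it leaves pingback.ping (which needs no login) reachable; that is why the example removes it explicitly. After installing, confirm the effect with a POST to /xmlrpc.php calling pingback.ping (the response should say the method does not exist) and an anonymous GET to /wp-json/wp/v2/users (it should return 401). Like the plugin approach, this is application-level: the request still reaches PHP, so keep the edge rules above for the traffic itself.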

7. Update WordPress Regularly

Keeping WordPress up to date doesn’t prevent DDoS attacks by itself, but it closes the vulnerabilities (including resource-exhaustion bugs in core, themes and plugins) that attackers combine with floods, and it guards your website against many other kinds of attacks and hacks. That’s why you should regularly update:

  1. WordPress installation, themes, and plugins
  2. PHP version on the server
  3. Apache, MySQL, and OS
  4. Any other scripts and software

What to do if you’re under a DDoS Attack in WordPress? 

Even though you can prepare in advance and try to prevent DDoS attacks in WordPress, what should you do if you’re under attack? These are the immediate responses you should carry out during a DDoS attack:

1. Inform your team

A crisis is easier to handle as a team. When you are under a DDoS attack, alert your team members right away so they know what is happening and can help with countermeasures.

2. Notify your customers

This is especially important if the website under attack is a WooCommerce store since customers won’t be able to log into their account or purchase products during that time. Giving no announcement and explanation at such a critical moment could damage your reputation. So we recommend you let them know via emails or social media that your site is undergoing technical errors and will be back online soon.

3. Contact your hosting and security provider

After alerting co-workers and customers, contact your WordPress hosting provider too. As attackers could be targeting their systems, it is better that they know about it and they may even help you with the situation. On top of that, getting in touch with your security provider at this point is crucial. As dealing with attacks is within their profession, they can help you formulate better and faster countermeasures.

4. Implement responses

If you have countermeasures ready to deploy, this is when they pay off. Ideally they are already in place and kick in automatically when an attack starts (an edge firewall or DDoS mitigation service, the rules described above), which is why it pays to prepare in advance. If you haven’t set up any specialized protection, ask your security provider or host: most of them offer emergency mitigation.

5. Evaluate countermeasure performance

Don’t forget to evaluate the countermeasure performance as they are taking place as well! Are they effective? Or are the attackers winning? That way, you can adjust your responses should any other attack come your way. Let’s hope it won’t be the case, but prevention is better than cure.

Conclusion

All in all, DDoS attacks are very frequent nowadays. The more your WordPress website grows, the more attractive it becomes to hackers. However, you can prevent and prepare for those attacks by implementing preemptive measures. The steps mentioned above will not only help you prevent DDoS attacks in WordPress but also help to keep your website safe from attacks in general.

But what if you’re already under attack? Don’t panic. Follow the recommendations mentioned above to try to reduce the issues and get your site up and running as soon as possible. Want to further enhance your site’s security? Check out our security tips!

Have you got any other useful tactics to prevent DDoS attacks? Please share it with us in the comment section below!