WordPress powers over 40% of the web, which makes it one of the most attractive targets for Distributed Denial of Service (DDoS) attacks. If your site goes down for an hour, you lose revenue, search rankings, and visitor trust. If it goes down repeatedly, you lose much more.

A DDoS attack floods your website with fake traffic until it slows to a crawl or crashes entirely. Unlike hacks that steal data, DDoS attacks are about disruption. For a deeper look at how these attacks work, see our guide to DDoS attacks. This article focuses on what WordPress site owners and administrators can do to prevent, detect, and survive them.

Why WordPress sites are prime DDoS targets

WordPress’s popularity is also its biggest security liability. Attackers know most sites run it, they know which endpoints exist by default, and they know which plugins tend to be outdated. A few reasons WordPress sites are frequently targeted:

• Predictable endpoints: Files like xmlrpc.php, wp-login.php, and admin-ajax.php exist on nearly every install. Attackers can aim directly at them.
• Plugin sprawl: The average WordPress site runs 20+ plugins. Each one adds code, and potential vulnerabilities, to your attack surface.
• Shared hosting. Many WordPress sites run on shared or low-tier VPS hosting that cannot absorb sudden traffic spikes.
• Dynamic content: WordPress generates pages on demand, pulling from the database for every request. This makes it especially vulnerable to Layer 7 attacks that mimic real users.
• Search and filter features: Search boxes, category filters, and REST API endpoints can be expensive to process, giving attackers cheap amplification.

Put simply, even a small botnet can bring down an unprotected WordPress site.

Signs your WordPress site is under a DDoS attack

DDoS attacks do not always announce themselves. Sometimes your site just feels slow. The common signs that traffic is malicious rather than organic include:

• The site is unusually slow or unresponsive, with no obvious cause.
• Visitors report timeouts or 502/503 errors.
• Server CPU, memory, or bandwidth usage spikes without a matching increase in real users.
• Analytics show normal or even low visitor counts while the server logs show a flood of requests.
• Repeated hits to a single endpoint, such as wp-login.php, xmlrpc.php, or a specific search URL, coming from many different IPs.

See what a DDoS attack looks like in real time:

If you have never watched a DDoS attack unfold, it can be hard to tell one apart from a legitimate traffic spike. We have captured a short video of a live website being DDoSed. You will see how quickly server resources deplete and how the telltale signs show up in the logs.

How DDoS attacks hit WordPress

DDoS attacks generally fall into two categories that matter for WordPress owners.

Network-layer attacks (Layer 3 and 4) flood your server’s connection with raw packets, such as UDP floods, SYN floods, and ICMP floods. These are usually stopped upstream by your host or a cloud-based firewall before they ever reach WordPress.

Application-layer attacks (Layer 7) are the real problem for WordPress. Instead of flooding the network, they send HTTP requests that look like real visitor traffic: page loads, searches, login attempts, XML-RPC calls. WordPress has to process each one, hitting the database, loading plugins, and rendering pages. Even a few hundred requests per second can take a mid-sized WordPress site down.

In short, if your site is being DDoSed, it is almost certainly at Layer 7.

WordPress DDoS protection best practices

You cannot prevent attackers from trying. You can make your site hard enough to take down that they move on. The following are the most effective steps for WordPress owners and admins.

Put a WAF and CDN in front of your site

A cloud-based Web Application Firewall (WAF) sits between your visitors and your server, filtering out malicious traffic before it reaches WordPress. Combined with a Content Delivery Network (CDN), it absorbs traffic spikes and serves cached content from edge locations worldwide.

This is the single most effective defense. Hardening WordPress itself only goes so far if every request still has to hit your origin server.

Disable or restrict XML-RPC

xmlrpc.php is a legacy feature used for remote publishing and pingbacks. It is also one of the most abused DDoS amplification vectors in WordPress, because a single request can trigger hundreds of internal operations.

If you do not need it, disable it. If you need it for a specific plugin such as Jetpack, restrict access by IP or use a plugin that limits which methods are exposed.

Turn off pingbacks and trackbacks

Pingbacks let one WordPress site notify another when it links to it. Attackers use pingback floods to coordinate Layer 7 attacks across thousands of compromised WordPress sites. Disable pingbacks under Settings → Discussion, and make sure your own site cannot be used as part of someone else’s botnet.

Rate-limit wp-login.php and admin-ajax.php

wp-login.php is the standard brute force target. admin-ajax.php handles all sorts of dynamic requests and is often hammered in Layer 7 floods. Through your WAF, your host, or a plugin, put rate limits on both. Legitimate users almost never hit these endpoints ten or more times per second.

Keep WordPress core, plugins, and themes updated

DDoS attackers often chain their floods against known vulnerabilities. An outdated plugin with a resource-intensive endpoint is a gift. Enable automatic updates for minor versions, and review plugins quarterly. Remove what you do not use.

Hide your origin IP

If an attacker can bypass your WAF by hitting your server directly, everything upstream becomes useless. Once you are behind a WAF, configure your host to only accept traffic from the firewall’s IP range. Never publish your origin IP in DNS records, email headers, or error pages.

Harden your hosting

Not all hosts are equal. Look for one that offers:

• Automatic scaling or burst capacity for traffic spikes.
• Network-level DDoS filtering (most hosts handle Layer 3 and 4 well).
• Isolated resources rather than oversold shared environments.

If you are on shared hosting and take traffic seriously, upgrading is often the cheapest security improvement you can make.

Monitor and log traffic

You cannot respond to what you cannot see. Use a monitoring tool or your WAF dashboard to watch for traffic anomalies: sudden spikes, unusual geographic patterns, repeated hits to the same endpoint. Alerts give you minutes of warning, which is often the difference between a blip and an outage.

What to do if your WordPress site is already under attack

If your site is down or crawling right now, the priority shifts from prevention to mitigation. In order:

1. Confirm it is a DDoS: Check server logs and traffic patterns, not just “the site is slow.”
2. Route traffic through a WAF if you are not already. Most providers, including Sucuri, offer emergency onboarding.
3. Block obvious patterns such as known-bad IP ranges, user agents, or request paths.
4. Contact your host: They may be able to null-route attack traffic at the network level.
5. Preserve evidence (logs, timestamps, and request samples) for post-incident review.

The full walkthrough is here: How to Stop a DDoS Attack in 5 Steps.

Choosing DDoS protection for WordPress

Not every DDoS service is built for WordPress. When evaluating a provider, look for:

• Layer 7 specialization: Network-layer protection is table stakes. Layer 7 is where WordPress lives.
• Emergency onboarding: Some providers take hours to activate. If you are already under attack, that is too slow.
• CDN and caching built in, so protection also improves normal-day performance.
• WordPress-aware rules that understand wp-admin, xmlrpc.php, and the REST API.
• Virtual patching for plugin vulnerabilities you cannot immediately update.

Sucuri’s Website Firewall is designed for exactly this. It blocks Layer 3, 4, and 7 DDoS attacks, specializes in application-layer mitigation, and includes a global Anycast CDN, all without installing anything on your WordPress server.

Learn more about our DDoS Protection.

FAQ

Can WordPress handle a DDoS attack on its own?

No. WordPress is a publishing platform, not a security layer. Even well-configured WordPress sites need upstream filtering (a WAF, a CDN, or both) to survive a serious DDoS attack.

Is a WordPress security plugin enough to stop DDoS?

Plugins can help with hardening, such as disabling XML-RPC, limiting login attempts, or blocking bad IPs, but they cannot stop traffic from reaching your server, because they run on your server. By the time a plugin sees a DDoS request, it is already consuming resources. A cloud-based WAF is the only reliable way to block attack traffic before it arrives.

Will DDoS protection slow my WordPress site down?

A properly configured WAF and CDN usually make WordPress faster, not slower. Cached pages are served from edge locations closer to your visitors, and filtering happens in milliseconds.

Does Sucuri protect WordPress from DDoS attacks?

Yes. Sucuri’s Website Firewall is built to defend WordPress sites specifically, with Layer 7 specialization, plugin-aware filtering, and emergency mitigation for sites that are already under attack.

How fast can I enable DDoS protection if my site is already being attacked?

With Sucuri, activation is a DNS change. Traffic starts routing through the firewall as soon as your DNS record propagates, typically within minutes. Emergency mitigation can begin immediately after signup.

DDoS attacks against WordPress aren’t going away, but they don’t have to take your site with them. A hardened configuration plus a cloud-based WAF turns most attacks into background noise rather than outages.