What is 🐱‍💻 Denial-of-Service attack and How to protect WordPress from DDoS attacks

🐱‍💻 Denial-of-Service, or DoS for short: a DoS attack generates fake traffic to overload your WordPress website, so much so that it becomes unavailable because hosting/server limits are exceeded. An extension of DoS is the DDoS attack, which stands for Distributed Denial of Service. This one originates from multiple IP addresses at once.

  • TCP-state exhaustion attack: millions of TCP connections are opened that overwhelm the state tables, causing the website to go down or its performance to drop.
  • Volumetric attacks: a huge volume of ICMP echo request/reply packets is sent to flood network devices such as hubs or switches and consume the entire bandwidth of the network. During the attack no other clients are able to connect to the target website.
  • Fragmentation attacks: millions of fragmented packets are sent to the website, making it difficult for the server to reassemble them, which denies access to valid users.
  • Application layer attacks: numerous application requests (XML-RPC or WP REST API) are sent to the target, exhausting hosting resources so it can no longer serve valid clients.
  • SYN flooding: attackers use compromised devices (zombies) to simultaneously flood the website with SYN packets. The website is overwhelmed by the number of SYN requests and either goes down or its performance drops.
  • Phlashing: fraudulent updates are sent to the hardware, causing permanent damage and making it unusable. The only solution is to re-install the hardware.

What damage can be done with DDoS attacks:

  • Website response will be slow for legitimate visitors, or the site will be inaccessible altogether.
  • You can lose sales or AdSense earnings.
  • Your website ranking on Google will slowly drop.

Here is what you, as a WordPress website owner, can do to protect your WordPress website from DDoS attacks:

The WordPress REST API provides an interface for applications to interact with your WordPress site by sending and receiving data as JSON (JavaScript Object Notation) objects. It is the foundation of the WordPress Block Editor, and can likewise enable your theme, plugin or custom application to present new, powerful interfaces for managing and publishing your site content.

To disable the WP REST API on your WordPress website, add the following to your .htaccess file:

# WP REST API: block JSON requests to /wp-json/wp/
# Requires mod_rewrite; the default WordPress .htaccess already enables it.
RewriteEngine On
# WP REST API request methods: GET, POST, PUT, PATCH, DELETE
RewriteCond %{REQUEST_METHOD} ^(GET|POST|PUT|PATCH|DELETE) [NC]
RewriteCond %{REQUEST_URI} ^.*wp-json/wp/ [NC]
RewriteRule ^(.*)$ - [F]
# Note: this only matches pretty-permalink URLs; requests using the
# ?rest_route=/wp/... query form are not covered by this rule.

NOTE: You should not disable the REST API; doing so will break WordPress Admin functionality that depends on the API being active.

To limit WP REST API usage to logged-in users only, without any plugin, add the following code to your active theme's functions.php file:

add_filter( 'rest_authentication_errors', function( $result ) {
    // If a previous authentication check was applied,
    // pass that result along without modification.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }

    // No authentication has been performed yet.
    // Return an error if user is not logged in.
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You are not currently logged in.' ),
            array( 'status' => 401 )
        );
    }

    // Our custom authentication check should have no effect
    // on logged-in requests
    return $result;
});

Or, to limit the WP REST API to localhost only:

function restrict_rest_api_to_localhost() {
    $whitelist = array( '127.0.0.1', '::1' );

    // REMOTE_ADDR is the TCP peer address; behind a reverse proxy or CDN
    // it is the proxy's address, so this check must be adjusted in that setup.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

    if ( ! in_array( $remote, $whitelist, true ) ) {
        // Send a real 403 instead of a bare die(), which would answer with HTTP 200.
        wp_die( 'REST API is disabled.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'rest_api_init', 'restrict_rest_api_to_localhost', 0 );

XML-RPC, a feature intended for pingbacks and trackbacks, was introduced in WordPress 3.5 and has been enabled by default in every WordPress version since. Although WordPress now has its own REST API, the xmlrpc.php file is still present in core and can be misused for various cyber-attacks.

Hackers use the pingback feature of WordPress, exposed through the xmlrpc.php file, to execute DDoS attacks. They target an endpoint or page that can be hit repeatedly and takes a long time to respond, so that a single hit has the maximum impact on server resources; in our case, XML-RPC serves the attacker well by exposing exactly such an endpoint.

The overwhelming number of HTTP GET and POST requests jams the regular traffic and eventually crashes the server.

To disable WordPress XML-RPC, simply add the following to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.2 syntax (works on Apache 2.4 only with mod_access_compat loaded)
order allow,deny
deny from all
# On Apache 2.4 use this single line instead:  Require all denied
</Files>

You can whitelist certain IP addresses if you still wish to access your WordPress site via XML-RPC. For that, use the following block instead (Apache 2.4 syntax):

<Files xmlrpc.php>
<RequireAny>
Require ip 1.1.1.2
Require ip 2001:db8::/32
</RequireAny>
</Files>

NOTE: When XML-RPC is disabled, Jetpack, the WP mobile app, or any other solution that connects to your WordPress site via XML-RPC can no longer connect to your site.
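If you need to keep xmlrpc.php reachable for Jetpack or the mobile app, a narrower option is to remove only the pingback methods that the attack described above relies on, and to stop advertising the pingback URL. This is an added example, not code from the original post; it uses core WordPress filters (xmlrpc_methods, wp_headers, bloginfo_url), and the mu-plugin file path is an assumption.

```php
<?php
/**
 * Added example: keep XML-RPC available for legitimate clients, but strip
 * the pingback methods and stop advertising the pingback endpoint.
 * Assumed location: wp-content/mu-plugins/harden-xmlrpc.php (any mu-plugin
 * or the active theme's functions.php works equally well).
 */

// 1. Remove the pingback methods from the XML-RPC method table.
//    'xmlrpc_methods' is a core filter; these two method names are the ones
//    core registers in wp-includes/class-wp-xmlrpc-server.php. Calls to them
//    now return the standard "requested method does not exist" fault.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the endpoint: core adds an X-Pingback response header
//    pointing at xmlrpc.php, which is how pingback senders discover the URL.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Blank the pingback URL that themes print via bloginfo( 'pingback_url' ).
//    This empties the href; a theme that hardcodes the <link rel="pingback">
//    tag itself still needs that line removed from the theme.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );
```

After activating, a pingback.ping call to xmlrpc.php should return a method-not-found fault while Jetpack and app logins continue to work.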


Web Application Firewalls (WAFs) play a critical role in protecting WordPress websites on any hosting server. They form the backbone of the defense against web-based exploits that compromise security or harm the availability of the website and its data.

Here are some of the best open source WAFs to secure your WordPress website:

And some paid WAFs:
