How to Prevent DDoS Attacks on WordPress (for Free)

How to prevent DDoS attacks on WordPress? An upgrade from a simpler DoS (Denial of Service), DDoS attacks leverage multiple botnets to send fake targeted traffic to a domain in order to overwhelm its servers. Basically, there is so much fake traffic, that real traffic can’t get through.

As Cloudflare puts it, think of DDoS attacks as traffic jams on your freeways, so much so, that the regular traffic can’t reach its destination. DDoS attacks are designed to clog your servers with phony requests, to overload them, and in return, it incapacitates them to serve real site users.

The damage of a DDoS attack haunts everyone, and typically, we hear about it when it happens to big organizations. However, the threat of one happening to you is not that far fetched.

To protect your WordPress site from a potential DDoS attack, you do not necessarily have to spend a fortune. What follows, discusses four for free, and easy solutions you can implement.

Solution 1: Put Your WordPress Site on Cloudflare

A renowned company focused on “building a better internet,” Cloudflare goes above and beyond on its promise, especially for WordPress site owners.

According to the company itself, all free plans come with limited DDoS protection, and SSL certificate support. And while limited might discourage you, you’d be glad to know that it actually defends your site against the most common types of DDoS attacks — that is, the ones that happen at layers 3, 4, and 7 of the OSI model. In fact, layer 7 attacks are more deadly, so the fact that Cloudflare is even offering safeguards against it — for free, is pretty big of them, in my opinion.

Setting your WP site on Cloudflare is not hard at all! You can learn how to do so, in my previously written post. And although, my focus was on getting a free CDN (hey another Cloudflare benefit), simply by being on Cloudflare grants you automatic DDoS protection.

Plus, technically, having a CDN can fortify your site further against an attack because resources are pulled from a CDN rather than your site (thus limiting server load). An additional kick you can get out of this is that CDN providers have their own DDoS insulation measures in place, so you’re double protected — so to speak.

Bonus Cloudflare Feature: Enable “I’m Under Attack” Mode

God forbid, but let’s say you think you’ve been a victim of a DDoS attack, Cloudflare lets you enable I’m Under Attack mode whereby all site visitors will face an interstitial challenge before accessing the site.

Doing this will buy you time, and limit your server load, while you figure out how to fix the issue. And even before, Cloudflare lets you set various levels of “site security” for a better peace of mind.

cloudflare security settings for your site
Cloudflare already provides pretty strong security features, even on free plans.

If none of these free features sounds enticing to you, Cloudflare does have paid plans for additional benefits. However, I’d advise that you check out the solutions of the free plan first. It’s highly customizable!

Solution 2: Disable XMLRPC

Very recently, I had a brute force login attack on my site. After preventing it further, I wrote a post about it, where I discuss what XMLRPC is. As a matter of fact, most of my login attacks were attempted this way.

Long story short, XMLRPC allows for remote access and remote functionalities, and by default, it’s enabled on WordPress sites.

And granted that it may be a great handy feature for those who really need it, it makes your site extremely vulnerable to security risks. I personally believe that no one should have XMLRPC turned on. You’re just asking for trouble!

To disable XMLRPC, check out my post.

Solution 3: Disable WordPress Rest API for Non-Logged-In Users

Similar to XMLRPC, the WordPress Rest API allows for extra endpoints to your WordPress site. Mostly reserved for developers and technical reasons to make updates, tweaks, and fixes, it does open up your site for attacks.

The actual concept of REST API is beyond my grasp at the moment (and not the primer of this post), know that it’s a security risk. The WP REST API can be accessed in two ways:

  1. While being logged in to your WP site.
  2. While not being logged in.

A simple way to check if you can access REST API is by going to You’ll see a bunch of code.

As a cautionary measure, if you’re not super heavy on Dev work, and you’re not a big company that mints millions of dollars a day — in a manner of speaking (while being on WP), in my opinion, you should disable REST API for users who aren’t logged in.

To do so, install this plugin (It’s extremely light, so it won’t really affect your site speed), and you’d be all set. To verify if it is indeed disabled, try visiting after being logged out. You shouldn’t be able to access it, and the HTTP response code should be 401/a.k.a, forbidden.

disabling wp rest api for non logged in users
If disabled correctly, REST API won’t be accessible to users who are not logged in.

You May Also Want to Check Out:

Solution 4: Blacklist Suspicious IP Addresses

I’ve discussed the Limit Login Attempts Reloaded Plugin, in my post about brute force. There are similar ones out there. Essentially, a feature you’re looking for is an ability to blacklist an IP Address, or an IP Address range from your WordPress site.

There is a way for you to directly tweak your .htaccess file, if you’re more comfortable in that manner; however, if you don’t want to risk breaking your site, or aren’t 100% aware of what you’re getting yourself into, use the plugin I am recommending. It also comes with other free handy functionalities as well.

blacklisting ip addresses in wordpress
With this plugin, you can blacklist IP addresses and usernames.


In the ever-expanding world of the Internet, and our constant need to stay ever-so-connected all the time, realize that you’re also inviting a lot of malicious behavior. There are always going to be bad actors who’d try to take advantage of people who do not know better. As you guys read, I clearly didn’t, and ended up being a victim of a brute force login attack.

The responsibility to look after your own interests online — when it comes to your business, blog, an eCommerce store, or whatever you may have, falls on you. Luckily, there are tons of resources available out there written by good actors, to help you in your journey of securing your site as much as you can.

And hopefully, with this post, you can stop being utterly clueless on how to prevent DDoS attacks on WordPress. Stay vigilant; stay alert. Hackers don’t rest, so neither should you!