Array / 8 min read

WordPress denial-of-service (DoS) attacks: how to protect your website.

WordPress denial-of-service attacks (DoS) are among the oldest and most persistent security threats website admins deal with. And with WordPress’s market share being so large, it’s no surprise that so many of these attacks target sites built with this CMS.

This article will explore the following:

  • What DoS attacks are, how they work, and their types.
  • What attackers can gain from DoS attacks.
  • The signs that will help you identify a DoS attack.
  • How to protect your website from it.

Keep reading to learn how to avoid one of the most common ways to shut down a WordPress website.

What are denial-of-service attacks?

1 and 0 coding

Denial-of-service (DoS) attacks are cyberattacks designed to shut down a service, network, or website by disrupting it so that legitimate visitors cannot use it. Attackers overwhelm the victim’s systems with excessive traffic requests, exceeding their capabilities to the point of rendering it inaccessible.

The information systems affected by DoS attacks include email, WordPress sites, online banking, and more. DoS attacks often aim at large or high-profile organizations such as government institutions, eCommerce platforms, and banks.

How do WordPress denial-of-service attacks work?

In legitimate user-server interactions, users send authorization requests to servers. When the server replies, the users can access the server. They can now navigate the web pages, use its services, etc.

In malicious interactions that lead to a DoS, attackers send multiple requests with fake (“spoofed”) return IP addresses, so the server cannot establish a legitimate connection with them. When the server doesn’t receive confirmation from the user (because the return address is fake), it will keep trying to establish a connection for a brief period, then abandon it after the period passes.

But after that, the attackers send a new batch of requests with fake return addresses, and the process restarts. If the server receives an amount of traffic that exceeds its capabilities, it’ll eventually stop functioning properly. Like a restaurant flooded with more customers than it can serve.

When the attackers want monetary gain, they often direct their efforts to financial companies or any other organization whose revenue depends on staying online 24/7. The attackers ask for a ransom: a sum of money in exchange for recovering control of the system.

Types of WordPress denial-of-service attacks

A magnifying glass on a keyboard

Unintended DoS attack

It is a non-malicious type of DoS. It happens when a sudden but legitimate flood of visitors crashes a server’s capabilities to handle traffic. Two websites known for directing massive amounts of traffic to external sites are Slashdot (a tech news site) and Reddit (a website that houses thousands of diverse communities).

If a post containing a link to an external site becomes extremely popular, thousands or millions of users may follow it and unintentionally participate in a temporary DoS attack.

Application-layer floods

Application-layer floods are the typical DoS attack: a bad actor sends many requests from fake return addresses and overwhelms the victim’s systems until the service is interrupted due to excessive traffic.

The attacker can send thousands or even millions of requests every second, denying service to all legitimate users in the process.

Distributed DoS attacks (DDoS)

This type of attack is fundamentally the same as application-layer floods but involves multiple devices sending excessive traffic to the victim rather than a single one. Most of the devices participating in the attack have been compromised by some malicious tactic, such as malware installations.

Having multiple devices gives attackers more computing power to perform the attack, makes it easier to hide their origin and identity, and makes it harder for the victim to stop the attack.

In the late 90s and early 2000s, it was easier for attackers to install malware into unsuspecting users who had vulnerable operating systems. This malware would manipulate hundreds or thousands of computers to join in sending traffic to the victim of the DoS attack. OS security has improved, making this method harder to pull off, but it’s still possible.

What do attackers gain from WordPress denial-of-service attacks?

DoS attacks have various motivations. The attacker(s) could be trying to make a political point by disrupting a governmental system, being malicious for pleasure, or (most commonly) trying to profit by holding a website hostage until the owners pay them to restore control.

DoS doesn’t often result in data loss or theft, but they still disrupt the victim’s operations, costing them time and money to restore normalcy. The most common reasons why attackers perform DoS include the following:

  • Making a profit from blackmailing victims into paying for ransom (as mentioned above).
  • Getting hired to perform industrial or business sabotage. Many “DoS-for-hire” groups commit cybercrimes for a fee. Often, they’re hired to sabotage one of the client’s business competitors.
  • Selling or renting access to compromised computers under the attacker’s control, which the client can use to perform their own DDoS attacks.
  • Stealing credit card information, social security numbers, and other personally identifiable information (PII) during the attack, which they can later use or sell.
  • Causing financial loss to the victim by interrupting revenue streams and generating post-attack costs.

Signs of a WordPress denial-of-service attack

The common signs of a DoS attack are:

  • Unusually slow servers and poor network performance due to the spike in traffic.
  • An unusually slow computer if the attack targets a specific device on the network.
  • Extremely high email traffic. Attackers may send a stream of spam emails to disable a server.
  • Unusual traffic patterns, like spikes during otherwise low-traffic hours.
  • Getting a “503 Service Unavailable” error response from the server, meaning it is not ready to handle a request.
  • A single IP address or a small cluster of them makes many requests in a limited period.
  • The inability to access a specific website or any website.
  • Sudden loss of connectivity for devices on the same network.

How to protect your WordPress site from denial-of-service attacks?

A man typing and holding a lock

Network monitoring is the best way to identify a DoS attack. The network admins will recognize the unusual traffic patterns and take action to minimize the damage. Note that for a large enough attack (one that transmits massive amounts of data per second, like several gigabytes or more), it’s unlikely that any countermeasure will be effective.

But that doesn’t mean there are no methods to prevent DoS attacks. The following are what experts agree are the best ways to protect your site from them.

Disable XML-RPC in WordPress

XML-RPC is a protocol that allows the WordPress core installation to communicate with other systems. It uses HTTP as the transport mechanism and XML for encoding. XML-RPC is necessary to use the WordPress app from your Android or iOS smartphone, which allows you to manage your website on the go. 

While useful, this protocol may open your website to receiving unwanted traffic during a DoS attack. So, if you’re willing to sacrifice managing your website from your phone, you can protect it a bit more by disabling the XML-RPC feature.

The easiest way to disable it is by using the “Disable XML-RPC-API” plugin, which will immediately block it. After that, you’ll be unable to use the WordPress mobile app with the email addresses associated to your website.

Other methods don’t involve a plugin but require modifying your website’s or server’s code. If you have no experience coding, using the plugin may be the best. Otherwise, learn to introduce short code snippets into your site or hire a developer.

Use a CDN

Content Delivery Networks (CDNs) are networks of geographically separated servers that work together to increase network performance. When your server is part of a CDN, other servers in the network store parts of your website’s data and provide it to worldwide users in a way that reduces the load your server has to bear.

Many CDNs offer security services, such as detecting suspicious traffic and protecting your server from receiving it.

Use a web application firewall (WAF)

WAFs are firewall software that helps protect websites by filtering, blocking, and monitoring HTTP traffic that enters and leaves the web app. It’s a great way to prevent common cyber threats like SQL injections, cross-site scripting (XSS), and DoS attacks.

As explained above, network monitoring is the best way to detect and identify the kind of unusual traffic associated with DoS attacks. Depending on the configuration, WAFs can protect your site by rejecting packets from illegitimate users or preventing more than a specified amount of requests within a specific period. 

There are dozens of WAFs available for WordPress websites. Explore them and determine which works best for your needs, keeping in mind that many are premium.

Invest in a web hosting service with protections against denial-of-service attacks

Many web hosting providers offer plans with built-in DoS protection similar to WAFs, such as dropping suspicious traffic and keeping your server’s IP address private to protect it from being targeted.

Explore web hosting plans to determine which one offers DoS protection.

Get a dedicated denial-of-service protection service

This option is not viable or even necessary for most businesses, given its price. Still, large financial services companies or eCommerce platforms that can’t afford to stay offline for long should consider specialized DoS protection services.

Costs can rise to thousands of dollars a month for these services, but they can save businesses much more than that when they prevent even a single attack.

Prevent denial-of-service attacks to your WordPress site

DoS attacks are a common way to shut down a WordPress website’s services by overloading their servers with malicious traffic requests. They’ve been used for decades and continue to be a prevalent security issue.

With the information in this article, you’re now aware of the most common types of DoS attacks and the best ways to protect your site from them. Use this knowledge and take the necessary steps to prevent future DoS attacks, saving you a lot of time, headaches, and resources in the process.

If you found this post useful, read our blog for more WordPress insights, guides, and tips.