WordPress DDoS Attack Site Down Fix
What Is Actually Breaking When Your WordPress Site is Under DDoS Attack
When your WordPress site becomes unresponsive due to a Distributed Denial of Service (DDoS) attack or overwhelming bot traffic, it’s not just “too much traffic.” It’s a specific technical component of your hosting stack failing under pressure. Understanding this mechanism is crucial for an effective fix.
CAUSE 01
Web Server (Apache/Nginx) Connection Exhaustion
Bots flood your server with requests, quickly consuming all available worker processes or connections. Apache’s MaxRequestWorkers (or MaxClients) or Nginx’s worker_connections limits are hit, preventing legitimate users from establishing a connection. New requests are queued indefinitely or simply dropped, leading to 503 Service Unavailable or connection timeout errors.
CAUSE 02
PHP-FPM Process Pool Depletion
Each WordPress request typically requires a PHP process to execute. A high volume of concurrent bot requests exhausts your PHP-FPM (FastCGI Process Manager) process pool. When all pm.max_children are busy, new PHP requests wait or fail, manifesting as slow page loads, blank pages, or gateway timeouts (504 errors) from the web server.
CAUSE 03
Database Server Overload (MySQL/MariaDB)
Even if PHP processes are available, they often bottleneck at the database. Excessive concurrent PHP requests translate into too many database connections, hitting max_connections. Furthermore, many bot requests (especially those targeting search, comments, or login) trigger complex or unoptimized queries, leading to slow query execution and high CPU/I/O on the database server, causing the entire site to grind to a halt.
CAUSE 04
wp-cron.php Being Abused by Bots
By default, WordPress triggers wp-cron.php on every page load for visitors. While normally benign, under a DDoS attack, bots repeatedly hitting your site can cause wp-cron.php to execute thousands of times per minute. This effectively turns the attack into a self-DDoS, consuming PHP processes, database connections, and server resources needlessly, making your wordpress site unresponsive due to bot traffic.
How To Confirm Your WordPress Site is Under DDoS Attack
Before diving into fixes, it’s critical to confirm that your site is genuinely under a DDoS attack or experiencing severe bot traffic, rather than just poor performance from unoptimized code or a resource-starved host. Look for these specific indicators:
Symptom: Site is completely down or returns 503/504 errors intermittently.
Technical Indicator: Server logs show a massive spike in requests from diverse (or sometimes a few concentrated) IP addresses, often with unusual user agents. High CPU/RAM usage on the server, even for simple requests.
Symptom: Pages load extremely slowly, especially backend or dynamic content.
Technical Indicator: PHP-FPM status shows all processes are busy. MySQL/MariaDB SHOW STATUS LIKE 'Threads_connected'; reveals connection counts at or near max_connections. Slow query logs are filling up.
Symptom: Hosting provider suspends your account or sends excessive resource usage warnings.
Technical Indicator: This is a strong sign of resource exhaustion, often from a DDoS or WordPress brute force attack suspended hosting or using excessive bandwidth. Check their provided resource usage graphs.
Symptom: Your site’s backend (wp-admin) is also slow or inaccessible.
Technical Indicator: Direct hits to wp-login.php, xmlrpc.php, or REST API endpoints are flooding your access logs. This often points to a WordPress brute force attack on login page or WordPress XMLRPC and application password brute force attack, which can escalate into a DDoS-like scenario.
Specific Indicator of Compromise (IOC)
While a DDoS is about traffic volume, sometimes attackers inject code to assist their efforts or maintain access. Check your wp-config.php file for unusual entries, especially at the very top or bottom, or within the database connection block. Look for lines that attempt to disable security features, modify headers, or connect to external resources. Additionally, examine the wp-content/mu-plugins/ directory for any unexpected files (e.g., .php files you didn't install) as these execute automatically and can be used to maintain persistence or launch further attacks.
Immediate Fix Steps for WordPress Under DDoS Attack
These steps are ordered for immediate impact and assume you have SSH/cPanel/hosting panel access. Act quickly; every minute counts.
Activate Cloudflare "Under Attack Mode" or Similar WAF
If your site is behind Cloudflare or another Web Application Firewall (WAF) like Sucuri, activate their "Under Attack Mode" or equivalent feature immediately. This will present a JavaScript challenge to visitors, effectively filtering out most bot traffic before it reaches your server. If you don't have one, consider temporarily changing your DNS to point to a free Cloudflare account or similar service to get immediate protection.
✓ 5-10 minutes. Essential first step if a WAF is available.
Analyze Access Logs & Block Malicious IPs/User Agents
SSH into your server and examine your web server access logs (e.g., /var/log/apache2/access.log or /var/log/nginx/access.log). Look for common IP addresses making an unusually high number of requests, or specific user agents that don't belong (e.g., empty, suspicious strings, or known botnets). You can use commands like awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -n 20 to find top IPs.
Block these IPs using your server's firewall (ufw, iptables, or CSF/LFD if installed) or via .htaccess for Apache, or Nginx configuration. For Apache, you can also block specific user agents.
# Example .htaccess block for specific IPs
<Limit GET POST>
Order Allow,Deny
Allow from All
Deny from 192.168.1.100
Deny from 10.0.0.0/8
</Limit>
# Example .htaccess block for User-Agent
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "badbot|anotherbadbot" [NC]
RewriteRule ^(.*)$ - [F,L]✓ 15-30 minutes. Requires SSH access and familiarity with server logs.
Disable wp-cron.php & Set Up System Cron
To prevent wordpress wp-cron being abused by bots, disable the default WordPress cron behavior. This stops wp-cron.php from firing on every page load. You'll then need to set up a proper system-level cron job to ensure scheduled tasks still run.
Add the following line to your wp-config.php file, ideally just above /* That's all, stop editing! Happy publishing. */:
define('DISABLE_WP_CRON', true);Then, create a system cron job (via cPanel cron jobs or SSH crontab -e) to run wp-cron.php every 5-15 minutes:
*/5 * * * * wget -q -O - https://yourdomain.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
✓ 10-15 minutes. Crucial for mitigating self-DDoS from bot traffic.
Limit Access to xmlrpc.php and wp-login.php
These files are frequent targets for brute-force and DDoS attempts. If you don't use XML-RPC (e.g., for Jetpack, mobile apps, or remote publishing), disable it. For wp-login.php, you can restrict access to known IP addresses if your team works from static IPs.
Add this to your .htaccess file (for Apache) or Nginx config:
# Block XML-RPC access <Files xmlrpc.php> Order Deny,Allow Deny from All </Files> # Restrict wp-login.php to specific IPs (replace with your IPs) <Files wp-login.php> Order Deny,Allow Deny from All Allow from 192.168.1.1 Allow from 172.16.0.0/16 </Files>
✓ 5-10 minutes. Significantly reduces attack surface. See also: WordPress Brute Force Attack on Login Page and WordPress XMLRPC and Application Password Brute Force Attack Fix.
Review & Disable Unnecessary Plugins/Themes
Sometimes, a vulnerable or poorly coded plugin/theme can be exploited, or simply consume excessive resources under load, exacerbating a DDoS. If you can access wp-admin, deactivate plugins one by one to see if performance improves. If not, you can rename the wp-content/plugins directory via FTP/SSH to disable all plugins at once. Similarly, switch to a default theme (e.g., Twenty Twenty-Four) by renaming your active theme's directory.
✓ 10-20 minutes. Helps identify resource hogs or exploited components.
Contact Your Hosting Provider
Even with the above steps, a severe DDoS can overwhelm shared hosting environments. Inform your hosting provider immediately. They have server-level tools and network-level protections that you don't. They can often implement null-routing for malicious IPs, increase resource limits temporarily, or advise on specific server-side configurations. Provide them with details from your log analysis.
✓ 5 minutes. Essential for large-scale attacks.
Our Process: How WebFixHQ Resolves WordPress DDoS Attacks
When your business is losing money, you need more than generic advice. Our senior WordPress engineers don't just apply a checklist; we dig deep to understand and eliminate the root cause of your wordpress ddos attack site down situation.
- Real-time Server Health & Log Analysis: We gain immediate SSH access to your server to monitor CPU, RAM, I/O, and network connections in real-time using tools like
htop,netstat, andlsof. Concurrently, we perform deep dives into Apache/Nginx access logs, error logs, PHP-FPM logs, and MySQL slow query logs to identify attack vectors, bot signatures, and resource bottlenecks. - Advanced Traffic Filtering & Blocking: Beyond basic IP blocking, we implement sophisticated rules at the web server (
mod_rewrite, Nginxgeomodule) or firewall level to block specific user agents, referrer spam, request patterns, and geographical regions known for malicious activity. If a WAF is present, we optimize its ruleset. - WordPress Core & Database Integrity Check: We verify the integrity of your WordPress core files against official checksums to detect any hidden backdoors or injected code that might be assisting the attack or maintaining persistence. We also scrutinize your database for suspicious tables, user accounts, or options that could be contributing to the resource drain.
wp-cron& Endpoint Hardening: We ensurewp-cronis properly disabled and configured as a system cron. We harden critical endpoints likexmlrpc.php,wp-login.php, and the REST API, applying precise access controls or disabling them if not essential for your site's functionality.- Performance Optimization & Resource Allocation: Post-mitigation, we analyze your site's performance profile to ensure it can handle legitimate traffic efficiently. This includes reviewing PHP memory limits, database query optimization, and caching strategies to prevent future resource exhaustion.
- Comprehensive Security Audit: Our fix includes a full security audit to identify and patch any underlying vulnerabilities that might have been exploited or could lead to future attacks, providing you with a hardened, resilient WordPress installation.
Site Down? Every Minute Costs You.
Our senior engineers will diagnose and fix your WordPress DDoS attack fast, getting your site back online and secure.
Get Your Site Fixed Now →Frequently Asked Questions About WordPress DDoS Attacks
Why is my WordPress site slow and unresponsive due to bot traffic?
Your site is likely experiencing resource exhaustion. Bots are flooding your server, consuming all available web server connections, PHP processes, or overwhelming your database with too many queries. This prevents legitimate users from accessing your site, making it appear slow or completely down.
How quickly can WebFixHQ fix a WordPress site under DDoS attack?
For immediate mitigation and restoration of service, our engineers can often get your site back online within a few hours of gaining access. A full, comprehensive fix including hardening and a security audit typically takes longer, but our priority is always to restore functionality as fast as possible.
Can I fix a WordPress DDoS attack myself?
Yes, if you have advanced technical knowledge of server administration, access to server logs, and experience with firewalls and web server configurations. However, it's a complex and time-sensitive issue. Incorrect changes can worsen the problem or leave your site vulnerable. Many users find professional help more efficient and reliable.
What does it cost to fix a WordPress site under DDoS attack?
Our initial website audit is a fixed, transparent price of $80. After the audit, we provide a precise quote for the full fix, which varies based on the attack's complexity and the extent of damage. We ensure you know the full cost upfront before any work begins.
What if my site is slow but it's not a true DDoS attack?
Our diagnostic process will differentiate. Sometimes, a poorly optimized theme, plugin, or misconfigured server can cause resource exhaustion that mimics a DDoS. We'll identify the actual bottleneck, whether it's a genuine attack or a performance issue, and apply the correct fix to get your site running optimally.
FAQ