How do you stop a distributed denial-of-service (DDoS) attack? Through a mix of proactive prevention and a solid plan for the worst-case scenario.
DDoS attacks are a growing problem in their frequency, size, and sophistication. According to Statista, the worldwide number of attacks almost doubled from early 2023 to late 2024, peaking at more than half a million in a quarter — that's almost 5,600 attacks per day.
Source: statista.com
These attacks don't just hit government sites or major corporations — even small websites can be targeted. That's why, as a professional in charge of maintaining a website's uptime and performance, understanding how to prevent and stop a DDoS attack is critical.
This article covers how DDoS attacks work, how to recognize them, and what to do before, during, and after an attack.
What is a DDoS attack and how does it work?
A DDoS attack against a website or internet service sends overwhelming amounts of traffic to the underlying server or network to make it slow or unavailable. The "distributed" part of DDoS refers to the fact that the attack is carried out by multiple devices at once, usually from different areas of the world.
The devices employed in a DDoS attack are often part of a botnet — a network of machines infected with malware that allow them to be controlled remotely. They can include anything from routers and laptops to home appliances with online capabilities. In 2025, researchers discovered a botnet made of an estimated 30,000 webcams and video recorders.
The spread-out nature of DDoS attacks makes them difficult to trace and fight. The source of the malicious traffic is harder to identify, and distributed attacks can send more requests than single-source assaults. Carrying out such attacks is also increasingly easy with DDoS tools and botnets-for-hire available on the dark web.
The good news is that, due to the effort and cost involved with a DDoS attack, most of them don't last long. According to Netscout, about 70% of DDoS attacks don't exceed 15 minutes, and 90% are shorter than an hour.
Types of DDoS attacks
There are three broad types of DDoS attacks that each target different parts of a website's infrastructure:
- Volumetric attacks: This is the most common type. It aims to consume all available bandwidth by flooding the network with massive amounts of traffic.
- Application layer attacks: A type of attack that overwhelms your website's server and network with repeated HTTP or database requests.
- Protocol attacks: Also called state-exhaustion attacks, they target network equipment and infrastructure like load balancers and firewalls.
Attackers may also combine several types to make fighting off the attack more difficult.
Why do websites become targets?
Common reasons for being on the receiving end of a DDoS attack are:
- Ideological reasons: Some attacks are politically motivated and target government websites or institutions aligned with causes that the perpetrators don't agree with.
- Hacktivism: Hacktivist groups have been known to use DDoS attacks to protest war, censorship, or foreign policy decisions.
- Extortion: Criminals may launch attacks to extort money in exchange for stopping the disruption.
- Cyberwarfare: Attacks also happen between countries to disrupt each other's essential services during a conflict.
- Business competition: Competitors may try to knock rival businesses offline during a key sale or launch.
- Experimentation: Inexperienced hackers might carry out DDoS attacks "for fun" or to test their skills.
- Opportunity: Many attacks are automated and simply happen because a website is vulnerable. It's random and can even happen to a personal website.
Potential consequences of being attacked
When your website becomes suddenly unavailable to visitors, it can have many negative effects:
- Loss of sales, leads, ad revenue, and other sources of income
- Damaged customer trust, loyalty, and confidence in your product
- Lowered rankings in search results
- Expensive post-attack cleanup and hosting bandwidth fees
Some attackers use DDoS as a smokescreen for other malicious activity, like hacking your site.
A real-world DDoS example
To give you a better idea of what these types of attacks look like, let's look at some examples.
The largest attack ever reported was a 5.6-Tbps DDoS attack in 2024. At its peak, it was sending 666 million packets per second and lasted 80 seconds. The attack happened as part of a larger campaign of cyber attacks occurring during that period.
How to detect a DDoS attack
The first step in fighting a DDoS attack on your website is spotting it. Here are some telltale signs to watch for:
- Your website or parts of it become extremely slow to load or stop responding altogether, accompanied by error messages and timeouts
- A sudden and sustained spike in traffic, especially from unusual locations and IP addresses
- Server resource usage suddenly maxes out without a corresponding increase in legitimate visitors
- Your hosting provider, monitoring tools, and other parts of your DDoS prevention setup alert you to unusual activity or downtime
Effective DDoS prevention strategies
Stopping a DDoS attack on your website requires a two-pronged approach: setting up a multi-layered defense system that makes these types of assaults difficult and preparing a response plan.
1. Use a hosting provider equipped to deal with DDoS attacks
Your hosting provider is your website's first line of defense. It's in charge of the architecture targeted by DDoS attacks. If your host crumbles, your site goes down with it.
The right type of web hosting plays an important role. Unlike traditional, single-server hosting, cloud hosting like WP Cloud can dynamically add computing resources, helping to mitigate DDoS traffic.
In addition, look for hosting features that actively help prevent a DDoS attack. For example, all WordPress.com plans come with built-in DDoS mitigation. They don't have traffic or visitor limits, so you don't have to worry about extra costs in the aftermath of a DDoS attack.
2. Invest in website security
Keeping your website secure helps protect against a DDoS attack, as well as being a best practice.
To secure your site, do the following:
These options are all available with a managed hosting provider like WordPress.com. Best of all, if your site still ends up hacked, cleanup is free.
3. Optimize website performance
Another factor in DDoS mitigation is site performance. A well-optimized site can better withstand unexpected traffic surges. While that won't stop the attack itself, it can help your site remain partially usable and responsive.
A helpful first step is to test your website with something like WordPress.com's Website Speed Test Tool and follow the recommendations to improve your site's performance.
Common ways to make your website more optimized are:
Hosting is also a performance factor. On WordPress.com, performance features include servers with high-frequency CPUs and a global edge cache and CDN with 28+ locations, as well as high burst capacity. On Commerce and Business plans, you can activate the Site Accelerator CDN to deliver images and static files more quickly. More information is available in the site performance docs.
4. Monitor network traffic and uptime
You can only identify a DDoS attack when you have the data to spot the signs of one.
An uptime monitoring service sends you alerts via email, SMS, or push notification when your site becomes unresponsive or goes offline. In addition, connecting your site to Google Analytics or a similar solution will help you understand traffic patterns and notice sudden spikes from single countries, IP ranges, or unknown referral sources.
If possible, you may also monitor server performance metrics like CPU load, memory usage, and bandwidth consumption for warning signs.
5. Use a CDN
A CDN is not just a great tool for improving website performance, but also a good countermeasure to DDoS attacks. It's able to absorb some of the malicious traffic and continue serving site visitors even when another region or the main server is under attack. Cybersecurity experts on Reddit agree that it's one of the most effective methods.
Look for a provider with an anycast network. This is a setup with one IP address shared across servers in different locations, which allows malicious traffic to be spread out (or diffused) throughout it. This greatly reduces the risk of downtime because no single machine bears the full brunt of the attack.
Cloudflare is a popular CDN provider and it helped stop the record-breaking DDoS attack mentioned earlier in this article. Sites hosted on WordPress.com benefit from integrated Cloudflare features that don't require extra setup.
6. Set up a web application firewall
A web application firewall (WAF) acts as a gatekeeper between your website and incoming traffic. It can filter requests before they reach your site and thus block common DDoS vectors and diffuse attacks early.
Firewall plugins are one way of adding a WAF to your site. Many security plugins and CDNsinclude a WAF as part of their service.
Finally, your hosting provider can also set up a firewall for you. For example, WordPress.com includes a powerful firewall in every plan, which it manages and updates for you.
7. Apply rate limiting
Rate limiting controls the number of requests a single user or IP address can make to your server in a given time. During a DDoS attack, it acts as a throttle to reduce the impact of malicious traffic without completely blocking legitimate users. This buys time for other defenses to respond and is often part of a firewall.
Rate limiting can apply to login attempts (such as those covered by brute-force protection on WordPress.com), API requests, visits to specific URLs, or other levels of the network.
Use allowlists to exclude known legitimate IP numbers from rate limiting to allow yourself and other website users to continue taking action against an ongoing attack. Use blocklists to keep away repeat offenders or known botnets.
8. Develop a response plan
Even with solid defenses in place, no site is fully immune to DDoS attacks. Creating a clear plan for the worst-case scenario will help you quickly identify, mitigate, and recover from an attack. Do the following:
- Define team roles and responsibilities, for example, who is responsible for monitoring your alarm systems so you can discover attacks quickly.
- Document key contacts, communication channels, and login credentials, like your hosting provider's emergency support.
- Create a checklist of steps to follow when you suspect a DDoS attack is happening, including how to enable emergency WAF/CDN settings.
- Plan out your customer communication strategy in case your site becomes unavailable.
- Practice the response plan with your team along with training for general security practices.
How to deal with a DDoS attack in progress
These steps will help you weather a DDoS attack:
1. Stay calm
Remember, a DDoS attack is more of an inconvenience than it is a real danger to your site. In most cases, your data is safe. Plus, DDoS attacks are usually short-lived and survivable with proper action.
So, take a deep breath, avoid rushed decisions, and start implementing your response plan.
2. Confirm you're actually dealing with an attack
Not every site slowdown or outage is caused by a DDoS attack. There are other possible reasons, like plugin errors, server misconfiguration, a hosting outage, or sudden traffic increases due to a blog post going viral.
Confirm the cause so you can respond appropriately. Look for warning signs such as:
- Sudden and unusual spikes in visits or requests in traffic logs or analytics
- Repeated requests to the same page or endpoint, like "wp-login.php"
- A flood of requests from a small number of IP ranges or geographic regions
- Messages or alerts from your WAF or CDN provider
3. Contact your hosting provider
Your hosting provider can and should be your strongest ally to stop a DDoS attack. They have the tools, infrastructure, and expertise to help mitigate the impact.
Reach out to your provider's support team as soon as you suspect a DDoS attack. They can check whether they see the same thing on their end, and may already be taking action behind the scenes.
4. Set your WAF and CDN to emergency mode
Most firewalls and CDNs offer special settings for high-threat situations to keep your site online. For example, on WordPress.com you can enable defensive mode to activate an automated browser challenge for visitors in order to filter out automatic bot traffic.
5. Keep website visitors informed
During a DDoS attack, communication is key to maintaining customer and visitor trust. Use your social media profiles or a status page hosted on another service to share updates and reassure your audience.
Inform users that you're aware of the issue and are actively working to resolve it. Let customers know which services are affected, especially if you run an e-commerce or membership site. Provide estimated timelines if possible, but avoid making promises you can't keep.
6. Be patient
DDoS attacks are scary but mostly short-lived. Once your mitigation measures are in place, the best course of action is to simply wait it out.
Focus on monitoring your systems and adjusting filters rather than overreacting or making major changes. Keep an eye on traffic patterns so you know when the attack ends. Then, slowly go back to business as usual but stay vigilant for other threats, like a compromised site or a second wave of attacks.
7. Conduct a post-mortem
After the attack, evaluate its impact and how well your defenses worked. Check which assets were targeted, as well as which parts of your strategy worked and which didn't. Use the knowledge you gather to improve existing systems and strengthen your site fortifications.
Equip yourself against DDoS attacks on your website
The defense against DDoS attacks starts long before one hits your site. By combining smart infrastructure choices, proactive security practices, and a clear response plan, you can dramatically reduce the risk and impact of an attack.
Looking for hosting with built-in DDoS protection and expert support? Choose WordPress.com and focus on growing your site, not defending it.
