- DDoS attacks aim to overwhelm your server resources with junk traffic.
- WordPress is vulnerable because every uncached request triggers PHP execution.
- XML-RPC is a common vector for amplification attacks.
- Effective filtering must happen in front of the site, not on the server.
What Is a DDoS Attack?
A Distributed Denial of Service (DDoS) attack floods your server with so much traffic that it can't serve legitimate visitors. Attacks range from simple volumetric floods to application-layer attacks that mimic real user behaviour.
WordPress sites are particularly vulnerable because each uncached page request triggers PHP execution and database queries. Even a moderate flood can overwhelm a WordPress server that handles legitimate traffic just fine.
Why WordPress Is a Target
WordPress powers over 40% of all websites (per W3Techs' long-running survey), making it the most popular target for automated attacks. Attackers know the default URLs (wp-login.php, xmlrpc.php, wp-admin), the common plugin vulnerabilities, and the typical server configurations.
The XML-RPC interface is a particularly common attack vector. It allows multiple WordPress API calls in a single HTTP request, amplifying the impact of each malicious request.
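The amplification described above comes from XML-RPC's batching method, system.multicall, and a filter in front of PHP can measure it per request. The following is an added example, not G7Cloud's or ScaleShield's code; the function names and both thresholds are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024  # assumed cap; tune to legitimate XML-RPC use
MAX_SUBCALLS = 5            # assumed cap on calls bundled into one request

def count_subcalls(body: bytes) -> int:
    """Return how many API calls one XML-RPC request body carries.

    1 for an ordinary call, N for a system.multicall batch.
    Raises ValueError for bodies a filter should reject outright.
    """
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large")
    # XML-RPC needs no DTD; refusing one avoids entity-expansion parsing cost.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("DTD not allowed")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC call")
    name = (root.findtext("methodName") or "").strip()
    if name != "system.multicall":
        return 1
    # A batch is one array parameter holding one <value> per bundled call.
    return len(root.findall("./params/param/value/array/data/value"))

def verdict(body: bytes) -> str:
    """Decide 'allow' or 'block' before the request is handed to PHP."""
    try:
        calls = count_subcalls(body)
    except ValueError:
        return "block"
    return "allow" if calls <= MAX_SUBCALLS else "block"

def sample_batch(n: int) -> bytes:
    """Constructed sample input: n harmless system.listMethods calls."""
    call = ("<value><struct><member><name>methodName</name>"
            "<value><string>system.listMethods</string></value></member>"
            "<member><name>params</name>"
            "<value><array><data/></array></value></member></struct></value>")
    return ("<?xml version='1.0'?><methodCall>"
            "<methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + call * n +
            "</data></array></value></param></params></methodCall>").encode()

if __name__ == "__main__":
    for n in (1, 3, 50):
        print(n, "bundled calls ->", verdict(sample_batch(n)))
```

A single HTTP request that an access log records as one POST to xmlrpc.php can carry dozens of calls, which is why request counts alone understate the load.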
Filtering Attack Traffic Before It Reaches You
Effective protection must operate in front of WordPress, not within it. By the time a malicious request reaches PHP, the damage is already done — server resources are consumed regardless of whether WordPress ultimately rejects the request.
On G7Cloud, every site sits behind ScaleShield, our web application firewall and bot protection layer. Known exploit patterns, credential-stuffing attempts and automated junk traffic are filtered at the edge, before they reach your container — so attack traffic is dropped without consuming the resources that serve your real visitors.
You'll also know quickly if something does get through: per-minute uptime monitoring with email, webhook and Slack alerts is built into the platform, so an availability problem pages you rather than waiting for a customer to mention it.
Building a DDoS-Resilient WordPress Site
Beyond a protective layer in front of the site, there are steps you can take to improve your WordPress site's resilience: disable XML-RPC if you don't need it, limit login attempts, use strong passwords and 2FA, and keep WordPress and plugins updated.
But the most important step is choosing a hosting setup where filtering happens before your server and your site has dedicated resources of its own. No amount of WordPress-level hardening can compensate for a hosting environment that crumbles the moment traffic gets hostile.
About G7Cloud Engineering
Articles written by the engineers who build and run G7Cloud — UK managed hosting and the AI Website Builder. We write about what we operate every day: containers, backups, databases, and the small-business websites that run on them.