
If your website slows to a crawl, pages time out, or customers can’t log in, you may be facing a Denial-of-Service (DoS) attack. These attacks don’t need clever hacks — they overwhelm your site with traffic or expensive requests so genuine visitors can’t get through. For a business, that means lost sales, more support calls and shaken trust.
What’s going on
A DoS attack aims to saturate a bottleneck — CPU, memory, bandwidth, database connections or application workers — so your website can’t respond normally. Unlike its bigger cousin, the distributed DoS (DDoS), a plain DoS typically comes from a single source (one computer or a small set). DDoS attacks use many sources at once, often a botnet, making filtering much harder.
How attacks create disruption (in plain English)
- Floods of traffic: More packets or page requests than your site can handle.
- Resource exhaustion: Forcing heavy searches or dynamic pages repeatedly until servers run out of capacity.
- Legacy tricks: Older methods like Ping Flood, “Ping of Death” and Smurf still appear where networks are misconfigured.
Why this matters to your business
- Revenue & conversions: Slow or unavailable pages stop enquiries and checkouts.
- Reputation & trust: Visitors who see errors may not return.
- SEO impact: Prolonged 5xx errors can hurt crawl rates and search visibility.
- Operational drain: Firefighting pulls your team away from growth work.
Warning signs you’re under attack
- Sudden, widespread slowness or timeouts across your site.
- Specific pages (logins, search, reports) fail while static assets still load.
- Spikes in one route’s requests, higher 5xx/429 errors, growing queues or cache-miss storms.
- Edge/network anomalies: connection backlogs, unusual ICMP/UDP activity.
Immediate steps (calm and practical)
- Shield traffic with a WAF: Put the site behind a reputable web application firewall to filter obvious abuse and provide virtual patching while you work.
- Rate-limit hotspots: Add per-IP and per-endpoint limits to logins, search and other heavy routes.
- Make pages cheaper to serve: Increase caching on static and semi-static content; cap expensive query parameters.
- Scale or shed load safely: Use temporary 429/503 responses and circuit breakers to protect back-end services.
- Monitor the right signals: Requests per second by route, error rates, worker utilisation, cache hit ratio and edge counters.
- After the storm: Review what saturated first, turn ad-hoc fixes into permanent rules, and update runbooks.
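To make the warning signs and the "monitor the right signals" step concrete, here is an added example (not from the original article or from Sucuri) that scans web server access-log lines for a route with a request spike, a high share of 429/5xx responses, or one client IP dominating the traffic. The log layout (combined log format), the thresholds and the sample lines are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format prefix: client IP, timestamp, method, path, status.
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_hotspots(lines, min_requests=30, max_error_rate=0.2, max_ip_share=0.5):
    """Flag (minute, route) buckets matching the warning signs; thresholds are assumed."""
    hits = defaultdict(Counter)   # (minute, route) -> requests per client IP
    errors = Counter()            # (minute, route) -> count of 429/5xx responses
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing mid-incident
        ip, ts, _method, path, status = m.groups()
        key = (ts[:17], path.split("?", 1)[0])  # minute bucket, route without query
        hits[key][ip] += 1
        if status == "429" or status.startswith("5"):
            errors[key] += 1
    findings = []
    for key, per_ip in sorted(hits.items()):
        total = sum(per_ip.values())
        if total < min_requests:
            continue  # too quiet to count as a spike
        top_ip, top_count = per_ip.most_common(1)[0]
        error_rate, ip_share = errors[key] / total, top_count / total
        if error_rate >= max_error_rate or ip_share >= max_ip_share:
            findings.append({"minute": key[0], "route": key[1], "requests": total,
                             "error_rate": round(error_rate, 2),
                             "top_ip": top_ip, "top_ip_share": round(ip_share, 2)})
    return findings

def constructed_sample():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '{ip} - - [12/Mar/2025:10:15:{s:02d} +0000] "{req} HTTP/1.1" {st} 512'
    lines = [fmt.format(ip="203.0.113.7", s=i, req="POST /wp-login.php",
                        st=429 if i >= 20 else 200) for i in range(40)]
    lines += [fmt.format(ip=f"198.51.100.{i}", s=i, req="GET /style.css?ver=6", st=200)
              for i in range(1, 6)]
    lines += [fmt.format(ip="198.51.100.9", s=30, req="POST /wp-login.php", st=200),
              "garbage line that does not parse"]
    return lines

if __name__ == "__main__":
    for finding in find_hotspots(constructed_sample()):
        print(finding)
```

A single dominant IP on one route points at a per-IP limit for that endpoint; a spike spread across many IPs is the harder DDoS case where a WAF has to do the filtering.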
Prevention and ongoing protection
- Managed updates & maintenance: Keep WordPress core, plugins and themes current.
- Security monitoring: Continuous alerts for unusual traffic and performance anomalies.
- WAF in front of WordPress: Block malicious requests and apply layered malware protection and malware removal workflows if needed.
- Backups: Off-site, automated backups for fast recovery.
- Good hygiene: Least-privilege access, strong passwords and 2FA for all admins.
How matm can help
- Managed WordPress, plugin & theme updates
- Security monitoring and WAF setup
- Regular backups & fast site recovery
- Malware removal and emergency response
Want calm, effective defence against DoS and DDoS without the jargon? We can help you harden WordPress security and keep customers online. Email [email protected] or call 01952 883 526.
Based on research by Sucuri — read the original analysis.


