DDOS protection is not working properly

Hello guys. I’ve been under DDOS attacks many times in the last year, and it’s really bothering me as my website is on a shared hosting account.

Whenever it happens, the hosting company shuts my website down. Then I enable under attack mode in Cloudflare, then the hosting company brings the website back live. However, keeping my website in the “under attack mode” decreases my traffic a lot.

Today I was hit by another DDOS attack. This time I enabled under attack mode again. But it did not help. The hosting company says there is still a very high number of requests on my website. So I had to block those IP addresses which made the most requests manually in Cloudflare.

I also have the Wordfence plugin on my website for additional protection against DDoS attacks. But I just cannot get rid of them. Could you please let me know how can I protect myself agains DDOS attacks forever? Is there a way at all?

Thanks in advance

May I ask what is your domain name?
Sounds to me like they are hitting directly to the IP address.
Furthermore, if a shared account, maybe the server is busy due to other hosting accounts, and not just, or so, only by your hosting account / website / domain.

May I also ask what security options have you tried to enable and setup at Cloudflare dashboard?
Are the DNS records :orange: cloud? (being proxied via Cloudflare)

Are you sure the IP addresses are not the Cloudflare one’s?
Has the hosting enabled Cloudflare to connect to their server using below article?:

May I also ask who is your hosting company?

Regarding Wordfence, you are using WordPress, but do you also use some caching plugin too to spare some traffic and high load usage for your hosting account?
Nevertheless, is Wordfence setup good to detect Cloudflare? (there is an option regarding the Visitor IP address if using Cloudflare)

Also, to which URLs are the attacks comming?
If using WordPress, think about protecting your xmlrpc.php as a common way for an attack, or wp-login.php bruteforce, etc. - see below the links.

There is a way to protect temporarly. There are also great suggestions for a DDoS attack, see below:

Here are the Cloudflare security options available to you, for example using Bot Management Tool, Access Rules, Firewall Rules, Security Level, etc.:

Regarding Cloudflare Firewall, here are really good tips to check out:

Some suggestions regarding WordPress and Cloudflare Firewall rules can be found here too:

2 Likes