Under attack Bandwidth Limit Exceeded

I have a WordPress blog and now I cannot access it due to

509 Bandwidth Limit Exceeded
The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later

I have never exceeded the 2% server limit in 10 years.

My hosting service does not help me even offering me an upgrade (for a fee) to unlimited space.

My stats show repeated attack attempts.

I have now enabled the DDoS protection on my free Cloudflare account, but being offline I think until the end of the month I cannot do anything.

I am desperate, I have read that for a protection I would have to spend another 200 dollars a year for the plus plan with firewall which for me, as I have a small blog, would be really too much added to plugins and hosting.

I noticed a peak of usage in January but it hadn’t reached the maximum 250GB and I didn’t agree on anything. In January nothing and in March this attack that made me exceed and block from my hosting service

I am thinking of closing the site after 13 years and I am really very sad.

I’ve blocked some IPs via my cPanel block service but there are many addresses that point to my wp-login and other pages.

Do you have any solution to propose to me?

That in my eyes would not help, as you do not run out of space, but out of bandwidth.

As this Error is not getting triggered and shown at Cloudflare it most probably was triggered by your hoster and is not related to Cloudflare.

To solve your problem on long term you just should switch to a hoster which offers you something like “unlimited bandwidth” which never gets shut down, but maybe limited, which is ok if you exceed the amount you pay for.

So this is easy. Go backup your site on your origin server, move to another provider and be happy.

On long term you can maybe focus on these things:

  1. caching more at Cloudflare as you just have 2GB cached at Cloudflare, which means a lot of traffic has to be served by your origin server
  2. if possible optimize your files even on the origin server, especially if you serve big pictures as you can save a lot of data and therefore traffic by this.
  3. cache things longer (if it makes sense) on the visitors' browsers so they will not have to request these files too often.

Thank you for your answer

I looked at the visitors. There are attempts to access the WordPress login page and hundreds of suspicious attempts. I have a small blog and I don’t even get to 2% of the maximum 250 GB per month. In the last few days before the block, amount of absurd bandwidth.

If I move to an unlimited bandwidth plan and these attacks continue my site will still be slowed down and it wouldn’t have served any purpose I think.

My hosting already has an unlimited plan that would cost you about $40 more a year than currently

That's wrong. If you cache your static sites statically and maybe even cache them at Cloudflare (with Cache Everything) you can make sure these sites even do get served if you remove the origin server, so serving statically cached content is mostly not getting bottlenecked by an overloaded server.

As you run WordPress I would recommend any good Application WAF and maybe in future even the new coming BOT-Fight methods they will roll out, so also Cloudflare can help you there.
Setting up “Under Attack mode” for those spammed URLs might help a little bit.

I already thought $40 more a month than currently… but frankly $40 more a year are ($40/12) $3.4 a month more than currently. That's actually really not much. Or are you expecting to get a perfect unlimited solution for free?

You definitely can set up a good solution which will solve your problem for free, if you do have the knowledge, but I actually find it very strange that people are complaining about things are “really very sad” and thinking about shutting down a beloved 13 years old project which isn't even worth them $40 more a year. I do not know what you pay a year now and how much “$40 more a year” would be but if you are looking for a cheap and still reliable VPS Server I would think about $40-$60 (monthly!) is a reasonable price. If you cannot afford this you may be better off going with a WebHost-Package which are very cheap but mostly not performing good at all.

As $40 more a year seems not to be in your budget I guess you will have to try to configure Firewalls and PageRules which are applying additional checks for the spammed URLs, but apparently even here on Cloudflare you do not get the very best solution for something like free or $3.4 a month.

Anyway I would recommend you testing the new BotFight mode and playing around with it, to maybe block off some of the unwanted traffic by following this tutorial:


Sorry. Yesterday I was really down. 40 dollars a year certainly does not make a difference.

My hosting already offers me Cloudflare & Railgun.
I’ve now enabled Always Online, Under Attack mode and Bot Fight mode on Cloudflare Firewall (free plan).

I am considering some WAF including Wordfence Central, I'm also watching Sucuri (but I think that it does not work with Cloudflare).

I am inquiring about the switch to the premium plan, which I hope will also have the immediate effect of having my band reset and still be online immediately.

ok I have now uploaded with unlimited space, I have subtracted the remaining months of the old plan from the price. With 15 dollars I go until full to the end of July.

Installed Wordfence and found that most attackers point to the /wp-xmlrpc.php page.
My WordPress installation was very old.
I found a lot of information on the danger of leaving active the no longer used wp-xmlrpc.php.
I removed access to wp-xmlrpc.php with a specific plugin.
A scan allowed me to delete many outdated plugins.

I have removed under attack mode from Cloudflare and set a high security level.

WordPress now seems even faster.
I already use WP-speed of light for caching.

I am very satisfied.

Thanks for the great support
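The check that answers "which URLs and clients used up the bandwidth", as an added example that is not part of the original thread: it sums response bytes per path from an access log and counts POSTs per client to the WordPress login and XML-RPC endpoints discussed above. It assumes the host provides raw logs in Apache/nginx "combined" format; the sample lines, IP addresses and the `post_threshold` value are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Suffix match covers both xmlrpc.php and the /wp-xmlrpc.php spelling used in the thread.
AUTH_SUFFIXES = ("wp-login.php", "xmlrpc.php")

def summarize(lines, post_threshold=3):
    """Return (bytes per path, total bytes, {ip: auth-endpoint POSTs} at/over threshold)."""
    bytes_by_path = defaultdict(int)
    auth_posts = defaultdict(int)
    total = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing on hostile input
        path = m["path"].split("?", 1)[0]  # ignore query strings when grouping
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        bytes_by_path[path] += size
        total += size
        if m["method"] == "POST" and path.endswith(AUTH_SUFFIXES):
            auth_posts[m["ip"]] += 1
    suspects = {ip: n for ip, n in auth_posts.items() if n >= post_threshold}
    return dict(bytes_by_path), total, suspects

def top_paths(bytes_by_path, total, n=3):
    """Paths ranked by bytes served, with their percentage share of all traffic."""
    ranked = sorted(bytes_by_path.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(p, b, round(100 * b / total, 1) if total else 0.0) for p, b in ranked]

# Constructed sample log using documentation IP ranges; not data from the thread.
FMT = '%s - - [01/Jan/2000:10:00:%02d +0000] "%s %s HTTP/1.1" 200 %d "-" "-"'
SAMPLE = (
    [FMT % ("203.0.113.7", i, "POST", "/xmlrpc.php", 4200) for i in range(20)]
    + [FMT % ("198.51.100.9", i, "POST", "/wp-login.php", 3000) for i in range(2)]
    + [FMT % ("192.0.2.10", 30, "GET", "/", 15000),
       FMT % ("192.0.2.10", 31, "GET", "/wp-content/uploads/photo.jpg", 80000),
       "truncated or malformed line"]
)

if __name__ == "__main__":
    by_path, total, suspects = summarize(SAMPLE)
    for path, size, share in top_paths(by_path, total):
        print(f"{share:5.1f}%  {size:>8}  {path}")
    print("clients hammering login/XML-RPC:", suspects)
```

Clients that appear in the last line are candidates for a firewall rule or rate limit on those two paths, which keeps the requests from reaching the origin and counting against its bandwidth quota.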

Hi kraestal
Sorry to say that this is not a server or hosting issue but a security issue. If your server and website do not have the proper security you will always be under attack. As for the hosting, a good decent hosting will take a look and lead you to the right direction but unfortunately a cheap hosting is not the answer. Also after you check your security and head then to Cloudflare, set it up and use Cloudflare DNS and you should be fine. If you need hosting recommendations go ahead and PM. Hope that helps.

1 Like

I installed WordPress manually in 2009 (not from my hosting's automated services); maybe that old setting remains activated.

I can't send a PM here now, but I’m interested in knowing about more secure hostings and in an opinion about mine.