DDoS Attack Mitigation: Real-World NZ Case Studies

DDoS Mitigation Strategies

What is a DDoS Attack?

DDoS attacks on your website are invariably crafted to damage your online business in some way. This may be done by overloading your website so it becomes painfully slow to load, unreliable in operation, or offline for lengthy periods during peak visitor times. This can be done via DoS (denial of service) or DDoS (distributed denial of service) attacks and/or prolonged BFL (Brute Force Login) attacks. These attacks are no longer costly if outsourced on the Dark Web; estimates range from US$5 to US$7 per hour.

DDoS attacks are sometimes a premeditated campaign by a business competitor eager to harm your business, or perhaps by an ex-member of your staff or a disgruntled customer. They are often generated by criminals for extortion (ransomware attacks), data theft for sale, or commercial espionage to determine your wholesale rates or steal proprietary information.

Ready to DIY? See my Step-by-Step Guide to Cloudflare Security Rules for WordPress.

I offer specialised protection against botnet attacks and traffic spikes as part of my comprehensive WordPress security services & site hardening designed for NZ businesses. What knowledge I have has been earned the hard way – at the bleeding edge of customer support, trying to protect my own VPS and the client sites it contains, plus client sites on other hosting providers’ servers…

Several years ago, my VPS came under a sustained and severe attack that rendered it unusable for hours on end. At the time, I was surprised by the lack of (non-technical) guidelines available online to help me find ways to reduce the impact of what was being done to my server. Since then, I’ve also assisted a number of clients to extricate their website from DDoS attacks by a combination of both network DDoS protection AND migration to premium hosting with both server-level DDoS protection and enhanced security.

I deal with these “digital neighbourhoods” daily. For someone managing 60+ clients, understanding the distinction between “background radiation” and an “active siege” is critical for your sanity and their security.

“Normal” Activity vs. Screening

On a typical small business website, 40% to 55% of all traffic is automated.

  • The Breakdown: About 15% is “Good Bots” (Google, Bing, site monitors), and 25-40% is “Bad Bots.”
  • Apparently, Cloudflare filters out upwards of 80% of the background “static” through its worldwide threat mitigation network. Most of what your clients see in their analytics is the “clean” human traffic, while the “Firewall Events” log in Cloudflare shows the graveyard of blocked attempts.

The “Active Threat” Threshold

Background noise becomes an active threat when it shifts from probing to persistent exploitation.

  • The Numbers: For a small site, more than 500-1,000 blocked events in a 24-hour period from a single IP or a specific ASN (network provider) is a red flag.
  • Target Points in Logs:
    • 404 Spikes: A bot looking for /admin, /.env, or /wp-content/plugins/old-plugin/.
    • Login Failures: A surge in POST requests to your login URL.
    • High Request-Per-IP: A single user agent requesting 50+ pages in one minute.

Low and Slow: The Silent Threat

Yes indeed… Sophisticated botnets – especially those targeting financial data – really do use “Low and Slow” tactics.

Instead of 10,000 requests in 1 minute (which triggers rate limiting), they might do 1 request every 5 minutes from 1,000 different “clean” residential IP addresses. This mimics a human user perfectly and is designed specifically to bypass traditional firewall rules. Some of these guys are real sneaky…

This is why botnet management analysis using behavioural pattern recognition is now as important as, if not more important than, traditional IP blocking.
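The thresholds listed under “The Active Threat Threshold” and the “Low and Slow” pattern described above, as an added Python example that is not part of the original post and not Cloudflare’s code: it scans a constructed access log for the per-IP request rate, 404 probing and login-POST signals, and also flags the distributed low-rate login pattern that a per-IP limit alone would miss. The log format, the probe paths, the wp-login.php URL and every threshold value are assumptions to be tuned per site.

```python
import re
from collections import Counter
# Combined-log-format line (Apache/Nginx); only the fields the checks need are captured.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
PROBE_PATHS = ("/.env", "/admin", "/wp-content/plugins/")   # scanner targets named in the post
LOGIN_PATH = "/wp-login.php"                                 # assumed WordPress login URL

def parse(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["minute"] = rec["ts"][:17]   # "10/Mar/2026:09:00" -> one-minute bucket
            yield rec

def classify(log_text, per_minute=50, probe_hits=5, login_fails=20, slow_min_ips=30, slow_max_per_ip=3):
    """Return a list of (finding, detail) tuples; all thresholds are assumed values."""
    req_per_ip_minute, probes, fails, login_ips = Counter(), Counter(), Counter(), Counter()
    for r in parse(log_text):
        req_per_ip_minute[(r["ip"], r["minute"])] += 1
        if r["status"] == "404" and r["path"].startswith(PROBE_PATHS):
            probes[r["ip"]] += 1
        if r["method"] == "POST" and r["path"] == LOGIN_PATH:
            login_ips[r["ip"]] += 1
            if r["status"] != "302":           # WordPress answers a good login with a redirect
                fails[r["ip"]] += 1
    findings = []
    for (ip, minute), n in req_per_ip_minute.items():
        if n >= per_minute:
            findings.append(("high-request-rate", f"{ip} {n} req in {minute}"))
    findings += [("404-probing", ip) for ip, n in probes.items() if n >= probe_hits]
    findings += [("login-bruteforce", ip) for ip, n in fails.items() if n >= login_fails]
    # Low and slow: many distinct IPs, each below any per-IP limit, all hitting the login URL.
    if len(login_ips) >= slow_min_ips and max(login_ips.values(), default=0) <= slow_max_per_ip:
        findings.append(("low-and-slow-login", f"{len(login_ips)} IPs, <= {slow_max_per_ip} POSTs each"))
    return findings

def _line(ip, method, path, status, minute="10/Mar/2026:09:00", sec=0):
    return f'{ip} - - [{minute}:{sec:02d} +1300] "{method} {path} HTTP/1.1" {status} 512'
# Constructed sample traffic (documentation-range IPs, not real visitors).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "GET", p, 404, sec=i) for i, p in enumerate(3 * ["/.env", "/admin/", "/wp-content/plugins/old-plugin/"])]
    + [_line("203.0.113.9", "GET", f"/page-{i}/", 200, sec=i) for i in range(60)]
    + [_line(f"198.51.100.{i}", "POST", LOGIN_PATH, 200, minute=f"10/Mar/2026:09:{i:02d}") for i in range(1, 41)]
)

if __name__ == "__main__":
    for kind, detail in classify(SAMPLE_LOG):
        print(kind, detail)
```

Feed a real log to classify() and feed the flagged IPs into your firewall rules; the low-and-slow finding is the one to act on at the path or ASN level rather than per IP.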

Ransomware: Volume vs. Stealth

Ransomware attackers generally avoid high-volume attacks initially.

  • The Breach: They prefer stealth and subterfuge. They want to creep in via a single compromised credential or an itty-bitty unpatched vulnerability (Layer 7).
  • High Volume Attacks: High-volume DDoS is often used as a diversion. They flood and drown your server with traffic so your IT team is so damned busy just trying to keep the site up. While you’re not looking, the sneaky bastards are deftly moving sideways through your network to encrypt your database!
  • The “triple threat extortion”: In 2026, some groups will 1. encrypt your data, 2. steal it and offer it for dispersal, and then 3. launch a DDoS attack to pressure you into paying.

Full list of known/named botnets and DDoS operators targeting Australia and New Zealand.

How to prevent a DDoS Attack?

You can’t prevent a DDoS attack because the decision just isn’t yours to make. Botnets are forever searching for new victims, and DDoS operators are hunting 24x7x365. That said, you definitely CAN take prophylactic measures to ensure your website is well protected and hardened against attacks at multiple levels. Pre-emptive DDoS protection services are an important step in ensuring that a DDoS attack doesn’t take your website down when it occurs. DDoS attack mitigation is about steps you can take in the event of an attack while it is in progress… This is a technically challenging scenario.

If your website is on a normal Shared Hosting plan, you probably don’t have a Cloudflare plan either. And even if you do, there are hours of work in customising your Security Rules to defend against the specific type of attack you are facing. By the time that starts to take effect, your attacker has probably already figured out what your IP Address is from the historical records at somewhere like SecurityTrails.com.

When the attacker knows your IP address, they can potentially bypass the Cloudflare firewall altogether. Unless you know how to block that by adding a custom mod_rewrite block to your website’s .htaccess, you are defenceless.

There’s a 2-step dance needed to get out of the line of fire:

  • Get the site onto Cloudflare first. That gets your IP address “proxied,” so it’s not readily exposed and can’t be recorded.
  • Now you can apply a set of Security Rules to slow the attacker down while you determine exactly what type of attack it is, and what the optimal Security Rules are to defend against it.
  • As soon as you are on Cloudflare, you may then need to get your website IP address changed. Do that while you are behind the screen that Cloudflare provides! Either your hosting provider can shift you to a new server, issue a static IP Address OR you can quickly change to a premium shared hosting plan. Providers like A2 Hosting or Fastcomet have high-end shared hosting options with more resilience than a “cheap and cheerful” hosting plan.
  • Pray that you have a good backup…

Once you have a new hosting plan, the hardest part can be getting a working version of your website loaded up on it and tested.

I’ve had a few experiences like this before… any attack, and I’m getting the client onto Cloudflare ASAP, AND insisting on an IP Address change, one way or another.

DoS Attack Examples & Experiences

2026 DDoS Attack

In late February, I was flattered to discover that my own business was the subject of a Layer 7 Post Bomb attack. I didn’t realise that I was that important… But perhaps a direct competitor providing website maintenance services felt threatened by my long-overdue revamp of my website, and that I was making rapid search engine ranking gains. My website was looking much more attractive to potential new customers, and I had expanded my maintenance plan offerings…

This attack was a much bigger and far more sophisticated challenge than I’ve ever dealt with before. A couple of database tables got corrupted, and the website server almost melted from the 6Gb of swap files thrashing the NVMe drives… It took some getting under control because the bombardment of POST requests with 800kb attachments overwhelmed the server’s ability to process requests. The attacks were being launched at multiple points on the website architecture and were coming in microbursts from multiple data centres in multiple countries.

2025 DDoS Attack

In late 2025, an Auckland client (TopTeachingTasksMembers.com) was being harassed by a series of DDoS attacks, we assume by an unscrupulous competitor. By attacking during peak membership access times, this was severely impacting the website’s performance and usability. My solution was to relocate the site from A2Hosting to a new hosting provider, under the cover of a Cloudflare account with DDoS protection. This prevented the attacker from discovering the site’s new IP Address. We implemented Cloudflare Security Rules. Problem solved…

2022 DDoS Attack & DDoS Mitigation Example:

I provide SEO consultancy to a Wellington retailer. Their e-commerce website was subjected to thousands of Brute Force Login attacks over many months throughout 2022. These were repelled via a web application firewall and tight brute-force login protection. We are convinced that this was a deliberate campaign by an aggressive wholesale business owner who was furious at having his product supply overtures declined. When the hacking attacks failed to crack the site’s security, the attack profile shifted to DDoS attacks at peak times.

A DDoS attack at peak times is very effective at stopping business transactions. Both the front end and back end of the website are unusable. These attacks were sustained for a few minutes and came at 10 to 15-minute intervals. Basically, the site is crippled for the duration of the attacks. When the attack eases off, you can log in and/or commence a purchase – but the attack resumes before you can complete your task. The site times out, or gives server errors etc.

The attack can target either the Domain Name or the IP Address…

What We Did to Mitigate Attacks

The first step in DDoS mitigation services was to shift the site to Cloudflare – they provide free network-level DDoS services along with other layers of security. There are two challenges to resolve:

  • An E-commerce site needs a means to ensure the cart and account pages etc are not indexed by Cloudflare. The fastest and most cost-effective way to do this is to use Cloudflare’s WordPress APO service which costs US$5 per month.
  • At this point, the Domain is shielded from DDoS attacks, but not the IP address. Cloudflare proxies the IP address, which makes it slightly more difficult for an attacker, but some online research on historical IP Addresses for the domain will quickly reveal the last known IP the site used. So, now that Cloudflare was operational, we then changed the Hosting Plan so the site now operated on a new IP Address on a completely different server. The IP Address is never revealed so the site is now completely shielded from DDoS attacks by Cloudflare.

In mitigating this attack, we also made a second hosting switch to A2Hosting’s premium Turbo Hosting. This provided server-level DDoS protection, enhanced security tools, plus exceptional performance via LiteSpeed server, NVMe drives, HTTP/3 etc. I used this plan myself and I was happy to recommend A2Hosting!

We also implemented Cloudflare Firewall Rules to block all countries EXCEPT New Zealand and known good bots such as approved search engines etc.

DDoS traffic may come from genuine IP Addresses or from spoofed ones. Either way, it stands to reason that if you restrict the pool of IP Addresses that can access the site to New Zealand addresses only, you minimise the resources that can be arrayed against the target.

How well did that DDoS mitigation succeed?

Basically, the problem ended abruptly. No further disruptions to the website have occurred since the above process was completed.

Other Security Topics

Does VPS Resilience mitigate DDoS Attacks?

When the DDoS attacks and BFL attacks on my own server first began (a Monday), the server load jumped from the usual 3 – 4 to a massive 239, and the disruption was sustained for almost an hour. All sites were inaccessible, as were WHM and cPanel. The Exim stats database was corrupted and required repair.

Attacks continued daily throughout the week, with the impact declining with each step taken… On Tuesday the server load hit 170, but on Wednesday, after adding SYN flood protection and starting the installation of firewall software on the sites that were being hit hardest, the load peaked at 49 but everything kept running.

By Friday, all sites had firewall software installed, and the peak server load during the daily attack reached 9 – things slowed down but nothing broke. It was also possible to monitor what was happening on WHM – to see which sites were being targeted, and what was consuming server resources.

DDoS Mitigation

At that point, I began a DDoS mitigation process by targeting resource-intensive plugins and their settings, completed the installation of a caching plugin on all sites, and added Heartbeat Control on all sites. Backups on all sites were set to off-peak hours. Cloudflare was added to the busiest sites…

Since all of that effort was completed, the server load has not exceeded 5, and for much of the time runs at 0.85 to 1.5 with occasional spikes to 4. Overall, things are in much better shape than before!

Because I had to make up the game plan day by day, it took longer than it needed to, due to the research required at each stage.

This article was produced in the hope that it might help someone else confronted by similar circumstances. If that’s your situation, I wish you good luck – and if you need help, feel free to ask.

“Ready to stop worrying about downtime? Learn more about my managed WordPress security services and get protected today.”
