Distributed Denial of Service (DDoS) attacks remain one of the most disruptive threats facing websites today. Unlike malware or data breaches that target your data, DDoS attacks target your availability — they flood your server with so much traffic that legitimate visitors cannot access your site. For businesses that depend on their website for revenue, even an hour of downtime can mean significant financial losses.
If you host your website on shared hosting, you might assume DDoS protection is someone else's problem. It is not. Understanding how DDoS attacks work and what protections are in place will help you prepare for and survive an attack.
How DDoS Attacks Work
A DDoS attack uses hundreds or thousands of compromised computers (a "botnet") to send traffic to a target simultaneously. The goal is to overwhelm the target's resources — bandwidth, CPU, memory, or connection capacity — so that it cannot serve legitimate requests.
There are three main categories of DDoS attacks:
Volumetric Attacks
Volumetric attacks flood the target with massive amounts of traffic to saturate the network bandwidth. Common techniques include UDP floods, ICMP floods, and DNS amplification attacks. These attacks are measured in gigabits per second (Gbps) and can reach hundreds of Gbps or even terabits per second in the largest attacks.
DNS amplification is particularly dangerous: the attacker sends small DNS queries to open DNS resolvers with the source IP spoofed to the target's address. The DNS resolvers send their responses (which are much larger than the queries) to the target, amplifying the attack by a factor of 50x or more.
Protocol Attacks
Protocol attacks exploit weaknesses in network protocols, particularly TCP. The most common is the SYN flood, where the attacker sends a flood of TCP SYN packets (connection requests) without completing the three-way handshake. The server allocates resources for each half-open connection until it runs out of capacity.
Other protocol attacks include Ping of Death, Smurf attacks, and fragmented packet attacks. These are measured in packets per second (pps) and target the server's connection handling capacity rather than bandwidth.
Application-Layer Attacks
Application-layer (Layer 7) attacks are the most sophisticated and hardest to detect. They target specific web application functions with requests that look legitimate but are designed to consume disproportionate server resources. Examples include:
- HTTP floods — sending thousands of seemingly legitimate HTTP GET or POST requests
- Slowloris — opening many connections and sending HTTP headers very slowly, keeping connections open indefinitely
- WordPress XML-RPC floods — exploiting WordPress's XML-RPC endpoint to amplify requests
- Search query floods — sending complex search queries that force expensive database operations
Application-layer attacks are measured in requests per second (rps) and are difficult to distinguish from legitimate traffic because each individual request looks normal.
How DDoS Attacks Affect Shared Hosting
On shared hosting, your website shares server resources with many other accounts. This creates a unique challenge during DDoS attacks:
- Collateral damage — a DDoS attack targeting any site on the server can affect all sites on that server
- Limited resources — shared servers have finite CPU, memory, and bandwidth that are exhausted faster than dedicated servers
- IP-based blocking — if your shared server's IP is the target, the hosting provider may null-route the IP, taking all sites on that IP offline
- Account suspension — some hosts suspend the targeted account to protect other customers, which means your site goes down either way
This is why choosing a hosting provider with robust DDoS protection infrastructure matters. Providers like MassiveGRID implement network-level DDoS mitigation that filters attack traffic before it reaches the shared server, protecting all accounts without requiring individual account suspension.
Layers of DDoS Protection
Effective DDoS protection requires multiple layers, each handling a different type of attack:
Network-Level Mitigation
The first line of defense is at the network level, upstream of the hosting server. This is where volumetric and protocol attacks are filtered. Enterprise hosting providers connect to DDoS scrubbing services that can absorb terabits of attack traffic, filter out the malicious packets, and forward only legitimate traffic to the server.
Network-level mitigation uses techniques like:
- BGP blackholing — routing attack traffic to a null route (last resort, drops all traffic including legitimate)
- Traffic scrubbing — passing traffic through cleaning centers that filter malicious packets
- Anycast routing — distributing traffic across multiple data centers to absorb attacks
- Rate limiting — capping the number of packets per second from individual sources
MassiveGRID operates in Tier III+ data centers with enterprise DDoS mitigation capabilities that can absorb large-scale attacks without affecting hosted websites.
Server-Level Protection
At the server level, DDoS protection focuses on application-layer attacks that pass through network-level filters. Tools include:
- Connection limits — restricting the number of simultaneous connections from a single IP
- Request rate limiting — capping requests per second from individual sources
- Web Application Firewall (WAF) — identifying and blocking malicious HTTP requests
- fail2ban — automatically banning IPs that show attack patterns
- SYN cookies — kernel-level protection against SYN flood attacks
Application-Level Defenses
Website owners can implement additional defenses at the application level:
- CAPTCHA on forms — prevents automated form submissions
- Login rate limiting — limits login attempts per IP per time period
- Caching — serving cached pages reduces the server resources needed per request
- CDN usage — distributing content across a CDN absorbs traffic and reduces origin server load
What You Can Do to Protect Your Site
While your hosting provider handles network and server-level DDoS protection, there are practical steps you can take to improve your site's resilience:
1. Use a CDN with DDoS Protection
Services like Cloudflare (even the free tier) proxy your traffic through their global network, which can absorb DDoS attacks before they reach your hosting server. Enable the proxy (orange cloud icon) for all DNS records to benefit from their DDoS protection.
2. Disable XML-RPC in WordPress
WordPress's XML-RPC interface (xmlrpc.php) is frequently exploited for amplification attacks. If you do not use the WordPress mobile app or XML-RPC-based plugins, disable it by adding to your .htaccess:
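```apache
# Block WordPress xmlrpc.php requests (Apache 2.4 syntax, with a 2.2 fallback)
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
```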
3. Implement Caching
A well-configured caching plugin (WP Super Cache, W3 Total Cache, LiteSpeed Cache) reduces the server resources needed for each page request. During a DDoS attack, cached pages can be served with minimal CPU and database load, allowing your site to survive longer under attack.
4. Monitor Your Traffic
Use your cPanel's AWStats or Webalizer to establish baseline traffic patterns. When a DDoS attack occurs, you will notice a sudden spike in traffic from unusual geographic locations or a surge in requests to specific URLs. Early detection allows you to take action faster.
5. Have a Response Plan
Know your hosting provider's DDoS response process before you need it. Find out:
- How to contact emergency support during an attack
- Whether they offer DDoS mitigation or simply null-route attacked IPs
- Whether you can temporarily enable additional protection during an attack
- What their SLA says about DDoS-related downtime
DDoS Protection Comparison: Hosting Provider Features
| Protection Level | Budget Shared Hosting | Premium Shared Hosting | HA Hosting (MassiveGRID) |
|---|---|---|---|
| Network DDoS mitigation | Basic or none | Moderate (1-10 Gbps) | Enterprise (multi-Tbps) |
| Application-layer protection | Basic ModSecurity | ModSecurity + rate limiting | Imunify360 + WAF + IPS |
| Response to attack | Null-route or suspend | Basic filtering | Traffic scrubbing + filtering |
| Impact on other accounts | High (shared IP) | Moderate | Minimal (isolated infrastructure) |
| SLA during attack | Usually excluded | Limited guarantees | Uptime SLA maintained |
| Cost of DDoS protection | Not included | Basic included | Included at all tiers |
MassiveGRID's high-availability cPanel hosting is built on infrastructure designed to maintain availability during attacks, with an architecture that eliminates single points of failure.
What to Do During an Active DDoS Attack
If you suspect your site is under DDoS attack, take these steps:
- Confirm it is a DDoS attack — check your cPanel resource usage and error logs. A genuine DDoS will show a massive spike in connections or requests from many different IPs.
- Contact your hosting provider — they have the tools to implement network-level filtering. Do this immediately.
- Enable Cloudflare "Under Attack" mode — if you use Cloudflare, this mode adds a JavaScript challenge that blocks most bot traffic.
- Block attacking IPs — if the attack comes from a limited number of IPs, use cPanel's IP Blocker or your .htaccess file to block them.
- Enable maintenance mode — if your site is struggling, a lightweight maintenance page consumes far fewer resources than your full application.
- Document everything — note the attack start time, traffic patterns, and any actions taken. This helps with post-incident analysis and insurance claims.
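The traffic monitoring and "confirm it is a DDoS attack" steps above both come down to comparing the access log with your normal request rate. The script below is an added example, not part of the original article. It finds the busiest minute in an Apache combined-format log and reports whether the spike comes from few enough sources to block by IP or is distributed. The `baseline_rpm`, `spike_factor` and `few_sources` thresholds and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/LiteSpeed "combined" access-log line: IP, timestamp, request, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse(lines):
    """Yield (ip, minute, "METHOD /path") for each well-formed line."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip truncated or malformed lines
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        yield ip, when.replace(second=0), f"{method} {path.split('?')[0]}"

def analyse(lines, baseline_rpm, spike_factor=10, few_sources=20):
    """Summarise the busiest minute and compare it with the baseline rate."""
    per_minute = defaultdict(list)
    for ip, minute, target in parse(lines):
        per_minute[minute].append((ip, target))
    if not per_minute:
        return None
    minute, hits = max(per_minute.items(), key=lambda kv: len(kv[1]))
    ips = Counter(ip for ip, _ in hits)
    targets = Counter(target for _, target in hits)
    if len(hits) < baseline_rpm * spike_factor:
        verdict = "normal"
    elif len(ips) <= few_sources:
        verdict = "few-sources"   # small enough to block by IP
    else:
        verdict = "distributed"   # needs filtering upstream of the server
    return {"minute": minute.isoformat(), "requests": len(hits),
            "unique_ips": len(ips), "top_target": targets.most_common(1)[0],
            "top_ips": [ip for ip, _ in ips.most_common(5)], "verdict": verdict}

def sample_log():
    """Constructed sample: 3 ordinary hits, then 600 POSTs from 200 addresses."""
    row = '{} - - [10/Mar/2025:14:{:02d}:{:02d} +0000] "{} HTTP/1.1" 200 512 "-" "-"'
    log = [row.format("192.0.2.10", m, 7, "GET /") for m in (1, 2, 3)]
    log += [row.format(f"198.51.100.{i % 200 + 1}", 5, i % 60, "POST /xmlrpc.php")
            for i in range(600)]
    return log

if __name__ == "__main__":
    print(analyse(sample_log(), baseline_rpm=5))
```

To use it on a real log, pass the open file object as `lines` and set `baseline_rpm` from the requests-per-minute figure your statistics show for a normal day.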
Preventing Future Attacks
After surviving a DDoS attack, take steps to improve your defenses:
- Set up a CDN with DDoS protection if you have not already
- Review and harden your WordPress installation
- Ensure your hosting provider offers adequate DDoS mitigation for your needs
- Consider upgrading to a hosting plan with dedicated resources and better isolation
- Implement all items on your hosting security checklist
Frequently Asked Questions
Can shared hosting survive a DDoS attack?
It depends on the attack size and your provider's infrastructure. Small application-layer attacks can often be absorbed by server-level protections like ModSecurity and Imunify360. Large volumetric attacks require network-level mitigation that only enterprise hosting providers offer. Budget shared hosting with no DDoS protection will go offline during even a modest attack.
Will my hosting provider tell me if I am being DDoS attacked?
Policies vary. Some providers proactively notify customers during attacks and work with them to mitigate the issue. Others simply null-route the attacked IP or suspend the account without notice. Before choosing a host, ask about their DDoS notification and response procedures.
Is Cloudflare enough to protect against DDoS attacks?
Cloudflare's free tier provides solid protection against most DDoS attacks, especially volumetric attacks against HTTP/HTTPS traffic. However, if your server's actual IP address is known, attackers can bypass Cloudflare by targeting the IP directly. To maximize Cloudflare's protection, keep your origin IP address secret and ensure all traffic routes through Cloudflare's proxy.
How long do DDoS attacks typically last?
Most DDoS attacks are short, lasting from a few minutes to a few hours. Attackers typically move on when they see their attack is being mitigated or when they achieve their goal (extortion payment, competitor disruption, etc.). However, persistent attackers may launch repeated attacks over days or weeks, especially if the motivation is personal or competitive.
Can I be held responsible if my hosting account is used in a DDoS attack?
If your website or hosting account is compromised and used as part of a botnet to attack other targets, you could face account suspension and potentially legal liability. This is why keeping your site secure — with malware scanning, CageFS isolation, strong passwords, and regular updates — is essential. A compromised WordPress site can be turned into a DDoS attack tool without your knowledge.