Website slow? Could be a DDoS attack — how to protect your site.
March 26, 2026
The internet is under attack.
Your website probably isn’t the target, but it’s in the crossfire.
On March 19, 2026 (like, this month) the U.S. Department of Justice announced it had just taken down the world’s largest botnet operation. Four coordinated botnets. Over 3 million hijacked devices worldwide. Hundreds of thousands of them right here in the US. Record-breaking attacks hitting 30+ Tbps (that’s terabits per second, not tablespoons, though honestly both would be a lot). Imagine 30,000 streaming movies downloading simultaneously, all aimed at one target.
The suspects? Allegedly a 23-year-old in Ottawa and a 15-year-old in Germany.
We’re not making this up.
Here at MayeCreate, we’ve been watching this play out in real time, and this March has been unlike anything we’ve seen since 2019. More attacks. More frequency. More clients seeing weird activity on their sites. The internet is genuinely under siege right now, and the ripple effects are reaching well beyond the targets these botnets were aiming at.
If you run a small business or nonprofit, you’ve probably thought “nobody would bother hacking my little website.” Fair. You’re not a bank. You’re not a government agency. You’re not exactly a prime target for cyber warfare.
Here’s the thing: it doesn’t matter.
DDoS attacks, the kind the DOJ just disrupted, aren’t surgical strikes aimed at specific victims. They’re more like flooding an entire city block to get to one building. Your site just happens to be on the block.
The good news? You’re not helpless. But first, let’s make sure we’re all speaking the same language.
What the heck is a DDoS attack anyway?
DDoS stands for Distributed Denial of Service. Which sounds very technical and important, but the concept is pretty simple.
Imagine your website is a coffee shop. On a normal day, customers trickle in, order their drinks, and leave happy. A DDoS attack is like someone hiring thousands of people to crowd into your shop all at once, not to buy anything, just to stand there. Real customers can’t get in. Your staff is overwhelmed. The shop grinds to a halt.
Now imagine those thousands of people are actually infected computers, security cameras, Wi-Fi routers, and (this is not a joke) off-brand Android TV boxes sitting in people’s living rooms. All hijacked without their owners knowing, weaponized into what’s called a botnet. One signal from the attacker and they all flood your digital door at the same time.
That’s a DDoS attack. And your website going down isn’t even necessarily the point. Sometimes it’s just a distraction while something sneakier is happening in the background.
Why are they doing this? And why now?
Two reasons: it’s never been cheaper or easier to launch an attack — anyone with a grudge and a credit card can literally rent a botnet for a few hours. And increasingly, DDoS is a weapon of choice for geopolitical actors using the internet as a battlefield, with everyday businesses caught in the crossfire.
Your website doesn’t have to be on anyone’s hit list to end up offline. Sometimes you’re just on the same hosting server as someone who is.
So what can you do about it?
Here’s where it gets practical. There are two layers of protection and they work very differently. The simplest way to think about it:
Layer 1: Stop attackers before they ever reach your site.
Layer 2: Lock everything down so it’s harder to get in.
Layer 1 is more powerful. We’re going to start there.
Layer 1: Stop them before they reach your door (off-site protection).
The most effective protection against DDoS attacks doesn’t live on your website at all. It lives between your website and the rest of the internet.
A Content Delivery Network (CDN) is your best friend here.
A CDN acts as a buffer. It sits in front of your site, absorbs traffic, filters out the bad stuff, and only lets legitimate visitors through. If a flood of malicious traffic comes rushing in, it gets stopped at the CDN level before it ever hits your actual server. The attackers are essentially punching a wall that isn’t even you.
Cloudflare offers a free CDN that provides meaningful protection for most small business websites. For a low monthly fee you can upgrade to their full firewall option, which adds significantly more control and filtering.
“But wait – doesn’t setting up a CDN require black magic and a computer science degree?”
Not really. Most hosting companies have made CDN setup pretty streamlined at this point. There may be a small bit of DNS configuration involved, especially if your website and your domain registrar are in different places, but it genuinely sounds scarier than it is. If you can follow step-by-step instructions, you can do this. And if you can’t be bothered, your webmaster can handle it for you. And it’s way cheaper than paying them to unhack your site later.
This is the single highest-impact thing you can do for your site’s security. Everything else on this list matters, but nothing comes close to keeping attackers from reaching your door in the first place.
Layer 2: Lock down the house (on-site protection).
Once you’ve got off-site protection in place, it’s time to make sure your actual website is as difficult to crack as possible. Think of this as your deadbolt, alarm system, and motion-sensor lights. Multiple layers that make a bad actor decide your site is too much trouble.
The stuff your webmaster should handle:
1. Install a solid security plugin.
We use Defender Pro, which handles a lot of the items on this list automatically. It limits failed login attempts, monitors for suspicious activity, blocks known malicious IPs, and sends alerts when something’s off. Set it up, configure your alerts, and let it do its job.
2. Change your login URL.
Every WordPress site defaults to /wp-admin as the login page. Hackers know this. Changing it to something non-obvious is a simple move that cuts down a huge amount of automated attack traffic. Most bots are just hitting the default address and moving on.
3. Block bad IPs proactively.
If your business doesn’t serve international customers, consider locking down traffic to US-based IPs only. Less riffraff knocking on the door means less noise to sort through. Defender Pro does an OK job of this, but when we want to get more specific (and right now we do), we use Advanced IP Blocker to exclude whole countries, connect to databases of known malicious IPs, and block them outright.
4. Use SFTP for site emails.
The technical version: configure your site to send emails through SFTP rather than the default mail server. The plain English version: it makes your contact forms and notification emails significantly harder to spoof or exploit for spam attacks.
5. Keep PHP up to date.
PHP is the engine running under your WordPress site. Outdated PHP versions have known security vulnerabilities. It’s like leaving a window cracked in a not-great neighborhood. Keeping it current closes those gaps.
6. Set up alerts and monitor them.
You want to know about a flood of failed login attempts before it becomes a problem, not after. Configure your security plugin to send daily or weekly reports. Weird email form activity, slow load times, strange entries in Google Search Console. These are your early warning system. Use them.
The stuff you can do yourself:
1. Audit your user accounts. Do it right now.
Log into your WordPress dashboard and look at your user list. Any account with “admin” in the username needs to go. That is the first thing automated attacks look for. Remove those accounts or change the usernames immediately. People who don’t work for you anymore – delete them. Any rando accounts with names like “Joe Blow” – also on the chopping block.
2. Use strong passwords. Actually strong ones.
Not your dog’s name with a 1 at the end. We’re talking long, random, and unique. A password manager makes this painless.
3. Turn on two-factor authentication.
Even if someone somehow gets your password, 2FA means they still can’t get in without your phone or access to your email. This is one of the easiest and most effective security steps you can take.
4. Set up alerts and monitor them.
You want to know about a flood of failed login attempts before it becomes a problem, not after. Configure your security plugin to send daily or weekly reports. Weird email form activity, slow load times, strange entries in Google Search Console. These are your early warning system. Use them.
5. Keep your site and plugins updated.
Every outdated plugin is a potential door. Hackers actively scan for sites running old versions of popular plugins with known exploits. Updated = significantly harder target.
6. Remove unused plugins.
If you installed something two years ago and haven’t used it since, get rid of it. Abandoned plugins don’t get security updates and become vulnerabilities over time.
MayeCreate Client?
If you’re on Safe Site or Safe Site Plus – here’s where you stand.
The good news is we’ve handled most of this for you: security plugins, IP blocking, regular updates, monitoring, the works.
That said, the level of what we can do, including CDN coverage, varies depending on your site’s age, setup, and hosting configuration. Not every Safe Site client has a full CDN in place yet. If you’re not sure where your site stands, reach out and we’ll take a look at your current setup and talk through options.
One thing that’s always on you regardless of your plan: your user accounts.
Review them. Remove anything with “admin” in the username. Make sure everyone with access has a strong password and 2FA enabled. We can lock the doors all day, but if someone on your team is using “admin / password123” to log in, you’ve got a problem.
If something looks weird – contact your webmaster immediately.
Here’s the thing about your webmaster: they’re managing a lot of websites, and while they’re checking in regularly and get notified when a site goes completely down, they can’t watch every site in real time. By the time an automated alert fires, something has already gone wrong.
You are your website’s best first line of defense, because you know what normal looks like.
Set up monitoring alerts in your security plugin (Defender Pro makes this pretty easy) so you get a daily or weekly summary of what’s happening on your site. Then actually read it. If something looks off, that’s your cue to pick up the phone.
Weird signs to watch for:
- Your site is suddenly loading very slowly or not at all
- You’re getting a flood of spam from your contact forms
- Strange words or links showing up in your Google listing
- New users being added to your Google Search Console that you didn’t add
- A ton of failed login attempt notifications
The earlier you flag something, the easier it is to fix. A small problem ignored for a week becomes a much bigger problem. If something feels off, call your webmaster now. Not eventually.
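The "flood of failed login attempts" that the alerts and warning signs above are meant to catch can also be spotted directly in the web server's access log. The script below is an added example, not code from MayeCreate or Defender Pro; the log lines are constructed, and it assumes stock WordPress behaviour, where a failed POST to /wp-login.php is answered with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
_LINE = '{ip} - - [26/Mar/2026:10:{mmss} +0000] "{req} HTTP/1.1" {status} 4521 "-" "-"'
SAMPLE_LOG = "\n".join(
    # One address failing to log in every 5 seconds: 8 attempts in 35 seconds.
    [_LINE.format(ip="203.0.113.7", mmss=f"00:{s:02d}", req="POST /wp-login.php", status=200)
     for s in range(0, 40, 5)]
    + [
        # A person who mistypes once, then logs in (302 redirect).
        _LINE.format(ip="198.51.100.20", mmss="01:10", req="POST /wp-login.php", status=200),
        _LINE.format(ip="198.51.100.20", mmss="01:25", req="POST /wp-login.php", status=302),
        # Just loading the login page is not an attempt.
        _LINE.format(ip="192.0.2.44", mmss="02:00", req="GET /wp-login.php", status=200),
    ]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_login_floods(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed logins inside one window}; lines must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the sliding window
    peaks = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        # Assumption: stock WordPress re-renders the form (200) on a failed login
        # and redirects (302) on success, so only POST + 200 counts as a failure.
        if m["method"] != "POST" or path != "/wp-login.php" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    print(failed_login_floods(SAMPLE_LOG))
```

If the login URL has been changed as suggested earlier, the path check needs to match the new address instead.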
This isn’t slowing down. But you can be ready.
Your website doesn’t have to be a casualty. The steps above aren’t glamorous, and most of them aren’t expensive, but they make a real difference between a site that weathers the storm and one that ends up collateral damage in someone else’s fight. If you want to know where your site stands, we’re happy to take a look.
Who Manifested This Madness?
This fabulous human, that's who.
Monica Maye Pitts
Monica is the creative force and founder of MayeCreate. She has a Bachelor of Science in Agriculture with an emphasis in Economics, Education and Plant Science from the University of Missouri. Monica possesses a rare combination of design savvy and technological know-how. Her clients know this quite well. Her passion for making friends and helping businesses grow gives her the skills she needs to make sure that each client, or friend, gets the attention and service he or she deserves.

