Maxinames
Back to Security
SecurityUpdated

DDoS Protection Explained

What we mitigate automatically, when to add a CDN/WAF like Cloudflare, and what to do if your site is under active attack.

A Distributed Denial of Service (DDoS) attack tries to take your site offline by flooding it with traffic from many sources at once. Maxinames includes baseline DDoS protection on all plans; this article explains what is automatic and what you should add yourself.

What we do automatically

  • Network-level filtering — our upstream provider absorbs and filters volumetric attacks (typical L3/L4 floods) before they reach the server.
  • Rate limiting — abusive request patterns from individual IPs are throttled at the web server level.
  • Connection caps — too many simultaneous connections from one source are dropped.

For most sites this is enough — sustained large-scale attacks against small websites are uncommon.

When you should add more protection

  • You run a high-traffic e-commerce site or membership platform.
  • Your business is in a sector frequently targeted (gaming, crypto, controversial publishing, financial services).
  • You have been attacked before.
  • You handle login pages or APIs that get bot traffic.

Add a CDN with WAF

The simplest, most effective extra layer is a CDN with Web Application Firewall capabilities. Recommended:

  • Cloudflare — free plan covers most attacks; paid plans add advanced WAF rules and DDoS analytics.
  • BunnyCDN Shield — affordable WAF + CDN combo.
  • Sucuri — security-focused CDN aimed at WordPress.

Setup takes about 15 minutes — point your nameservers (or specific records) at the CDN, and it absorbs attacks before they reach the Maxinames network.

If you are under active attack

  1. Do not panic. Most attacks subside within hours.
  2. Open a support ticket immediately so we can apply server-side mitigations.
  3. If you are not on a CDN, sign up for Cloudflare and switch your nameservers to it. Their free plan absorbs most attacks within minutes of activation.
  4. Save the attack timeline (start, peak, end) and any IP ranges you can identify — useful for post-mortem.

Application-layer attacks

L7 attacks target specific endpoints (login forms, search, checkout). For these, add:

  • CAPTCHA on login and form pages (Cloudflare Turnstile, hCaptcha).
  • Rate limiting on login attempts (most CMSes have a plugin for this).
  • Caching on dynamic pages so traffic spikes do not hammer your database.

Still need help?

Our support team replies to tickets around the clock.

Contact supportBrowse all articles

Related articles

Security

Malware Scanning and Removal

Confirm an infection, restore from a clean backup, manual cleanup with Imunify, and how to prevent reinfection.

Security

Account Security Best Practices

Strong passwords, 2FA, software updates, limited access, regular backups, and a workable incident plan — the security checklist.

Technical Troubleshooting

Diagnosing Slow Site Performance

Find the cause of a slow site: images, caching, plugins, database. PageSpeed-grade improvements you can make this week.