Spam bots and denial-of-service attacks are a reality for many website owners. Depending on timing and scale, they can be an annoyance or a detriment to your business's bottom line. Services like Cloudflare, Fastly, and Vercel are popular choices for mitigating these attacks with sophisticated techniques beyond the firewall rules many hosts (WordPress.com included) employ to examine and potentially block incoming traffic.
WordPress.com’s defensive mode introduces similar, sophisticated DDoS protection that further enhances your site's security. It works by issuing proof-of-work challenges to browsers visiting the site. Legitimate users will briefly see a challenge page while their browser completes the work before accessing the site. The feature is powered by our global edge network, but it can still be enabled independently of our global edge cache feature.
What is defensive mode?
If you notice an inordinate amount of traffic to your website that is slowing it down, this setting filters spam traffic by requiring each visiting browser to complete a proof-of-work challenge. When visitors come to your website for the first time, they will briefly see a challenge screen.
This proof-of-work challenge page has a unique random puzzle embedded in it, along with JavaScript that can solve the puzzle. The puzzles are designed to take a typical CPU a few seconds to solve, and they deter botnets, which are not able to run the scripts to solve the puzzles.
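A hashcash-style version of such a challenge, added here as an illustration and not WordPress.com's code. The puzzle format, the SHA-256 leading-zero-bits rule, the HMAC tag, and every function name are assumptions, and Node's crypto module stands in for both the edge and the browser:

```javascript
// Added illustration: hashcash-style proof of work. The puzzle format, field
// names and difficulty rule are assumptions, not WordPress.com's implementation.
const { createHash, createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SERVER_KEY = randomBytes(32); // edge-side secret, never sent to clients

// Count the leading zero bits of a digest buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses 8
    break;
  }
  return bits;
}

// Edge: issue a unique random puzzle, MAC'd so it can be checked statelessly.
function issueChallenge(difficultyBits, now = Date.now()) {
  const puzzle = `${randomBytes(16).toString('hex')}.${difficultyBits}.${now + 60000}`;
  const tag = createHmac('sha256', SERVER_KEY).update(puzzle).digest('hex');
  return { puzzle, tag };
}

// Browser: brute-force a counter until SHA-256(puzzle:counter) meets the difficulty.
function solve(puzzle) {
  const difficulty = Number(puzzle.split('.')[1]);
  for (let counter = 0; ; counter++) {
    const digest = createHash('sha256').update(`${puzzle}:${counter}`).digest();
    if (leadingZeroBits(digest) >= difficulty) return counter;
  }
}

// Edge: one HMAC plus one hash verifies work that cost the client many hashes.
function verify({ puzzle, tag }, counter, now = Date.now()) {
  const expected = createHmac('sha256', SERVER_KEY).update(puzzle).digest();
  const given = Buffer.from(String(tag), 'hex');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  const [, difficulty, expires] = puzzle.split('.');
  if (now > Number(expires) || !Number.isSafeInteger(counter)) return false;
  const digest = createHash('sha256').update(`${puzzle}:${counter}`).digest();
  return leadingZeroBits(digest) >= Number(difficulty);
}
```

Each extra difficulty bit doubles the expected number of hashes the client must compute, while verification stays at a single hash.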
How to enable it
This system protects all sites hosted on WordPress.com. Sites on Free, Personal, and Premium hosting plans are managed for you. For sites on Business or Commerce hosting plans, this setting can also be managed manually from your site's Hosting Dashboard.
Here’s how to enable it:
- Visit your Sites page by clicking on the WordPress logo in the upper left corner of your dashboard.
- Click on your site title.
- Click on the “Server Settings” tab on the site overview page.
- Scroll down to the Defensive mode section.
- Select a duration and click the “Enable defensive mode” button.
Note that WordPress.com staff may proactively enable defensive mode on your behalf, regardless of what hosting plan you have, if your site is attacked.
Get it all on WordPress.com
Many hosts charge extra for capabilities like this, or they require integration with a third-party provider. On WordPress.com, defensive mode is included on every plan and can be managed manually on Business and Commerce plans.
This is just one more reason why WordPress.com stands out as the premier managed host for WordPress sites. With staging sites, SSH and WP-CLI access, or GitHub deployments, we’re always working on new tools to make WordPress.com an essential component of your development workflow.
What other features would you like to see on WordPress.com? How can we make WordPress.com an even more powerful place to build a website? Let us know in the comments below.