When a WordPress or WooCommerce site feels suddenly slow, the first question many owners ask is simple:
Am I being DDoSed?
It is a reasonable question, but also an easy one to answer badly. A real attack, bad bot traffic, a broken plugin, and an overloaded origin can all create similar symptoms at first glance.
The right move is not to panic. It is to diagnose the slowdown in the right order.
What a DDoS Usually Looks Like
On WordPress, attack pressure often appears as:
- sudden traffic spikes
- repeated hits on the same expensive paths
- slow or inconsistent checkout
- admin lag
- 502/503 errors during bursts
- rising origin load without real-user growth
That still does not prove DDoS by itself. It only tells you the site is under unusual pressure.
Rule Out the Boring Failures First
Before you call it an attack, check the simpler explanations:
- recent plugin or theme update
- database slowdown
- cache issue
- failing external API dependency
- hosting incident
- cron or background job backlog
A self-inflicted performance failure can look a lot like attack traffic if you only watch the top-line symptoms.
Look at the Traffic Shape
The next question is whether the traffic pattern is normal.
Things that increase suspicion:
- bursts on login, XML-RPC, search, cart, or checkout
- repeated requests from many IPs hitting the same dynamic routes
- user agents that look automated or low-quality
- origin load that rises without a matching conversion or engagement lift
That combination usually points more toward abusive traffic than ordinary growth.
Watch the Dynamic Routes, Not Just the Homepage
A site can be “up” while the most valuable routes are under pressure.
Pay attention to:
- login
- search and filters
- account pages
- cart
- checkout
- admin
These routes tell you more about whether the slowdown is security-related than the homepage alone.
What to Do in the First 15 Minutes
If the site is actively degrading:
- confirm whether the issue is site-wide or route-specific
- check current origin load and error rate
- inspect request patterns on the most expensive paths
- reduce or challenge obvious junk traffic at the edge if possible
- avoid random plugin installs or broad server changes while you are still diagnosing
The goal is to stabilize first and explain second.
Why Manual IP Blocking Usually Fails
During real attack pressure, manual blocking rarely scales well enough.
Modern abusive traffic is often distributed, rotated, or mixed into otherwise normal-looking request volume. Blocking one or two IPs may help briefly, but it rarely changes the economics of the incident.
That is why the better question is not “which IP do I block?” but “which requests should never reach origin at all?”
The More Useful Conclusion
Sometimes the answer is yes, you are being DDoSed. Sometimes the better diagnosis is:
- you are under Layer 7 bot pressure
- your origin is overloaded by expensive junk traffic
- your site is misconfigured and looks like an attack victim
From an operations perspective, those differences matter. But they all lead toward the same practical lesson:
the more expensive the route, the earlier bad traffic needs to be filtered.
Diagnose Before You Guess
“Am I being DDoSed?” is the right starting question, but not the right final answer.
What matters is determining whether the slowdown is caused by:
- normal growth
- self-inflicted application problems
- distributed junk traffic
- a real attack
The better your diagnosis, the less likely you are to waste time on the wrong fix while the site continues to suffer.