A distributed denial-of-service attack sounds like something that only happens to major banks and government websites. And while the largest attacks do target those kinds of infrastructure, DDoS attacks come in a wide range of sizes and motivations - and smaller websites are not immune.
Understanding how these attacks work, and what protection shared hosting actually provides, helps you make sensible decisions about your site's security posture.
How DDoS Attacks Work
The core principle is simple: flood a target with more traffic than it can handle until legitimate users cannot reach it. "Distributed" means the traffic comes from many sources simultaneously - typically a botnet of thousands of compromised devices - making it much harder to block than traffic from a single IP address.
There are two main categories:
Volumetric attacks overwhelm bandwidth. These send massive amounts of raw data - gigabits per second in large attacks - with the goal of saturating the network connection between the server and the internet. A small website on shared hosting generates a fraction of a gigabit of legitimate traffic in a day; a volumetric attack might throw hundreds of gigabits at the network in minutes.
Application-layer attacks (Layer 7) are more surgical. Instead of flooding the network, they send legitimate-looking HTTP requests - page loads, form submissions, search queries - at rates far beyond what the server's software can process. A site that handles 100 visitors per minute might receive 10,000 requests per minute from an application-layer attack, each one requiring PHP execution, database queries, and full page rendering.
How Shared Hosting Protects You (and Where It Doesn't)
Shared hosting provides meaningful protection against volumetric attacks through infrastructure that no small website owner could afford independently. Your hosting provider's upstream network handles traffic at scale, and large volumetric attacks get mitigated at the network level - traffic is filtered or null-routed before it reaches the servers running your website.
The honest caveat: very large volumetric attacks can affect entire server clusters, which can impact all accounts on a shared server. This is rare, but shared hosting is not impervious.
Where you remain more exposed is application-layer attacks. These requests look like normal web traffic at the network level - they are legitimate HTTP requests. Your PHP code still executes, your database still queries, your server still works to generate responses. Enough of this traffic can exhaust server resources allocated to your account even without overwhelming the network itself.
What You Can Do to Mitigate the Risk
Cloudflare free tier is the most accessible and effective mitigation tool available to small website owners. When you put Cloudflare in front of your site, all traffic passes through Cloudflare's network before reaching your server. Cloudflare's system identifies and absorbs volumetric attack traffic. For application-layer attacks, Cloudflare can issue browser challenges or block suspicious IPs before requests ever reach your hosting server.
Enabling Cloudflare involves pointing your domain's nameservers to Cloudflare and enabling their proxy (the orange cloud icon) on your DNS records. Your server's real IP is then hidden from public view, which prevents attackers from bypassing Cloudflare by targeting your IP directly.
Rate limiting restricts how many requests a single IP can make in a given time window. WordPress sites can implement this at the application level using security plugins like Wordfence, which includes rate limiting for login attempts and general traffic. For more granular control, rate limiting rules can be added via .htaccess on Apache servers.
A web application firewall (WAF) inspects incoming requests and blocks patterns associated with malicious traffic. Cloudflare's free tier includes basic WAF features. Wordfence includes a WAF tuned specifically for WordPress.
What dotCanada Does for Shared Hosting Customers
Our network infrastructure includes upstream DDoS mitigation that absorbs volumetric attacks at the provider level. For application-layer concerns, we encourage all customers to use Cloudflare in front of their sites and to keep their WordPress installations and plugins updated - outdated software is the most common vector for the kind of application-layer abuse that affects shared hosting accounts.
If your site comes under sustained attack, contact our support team. We can work with you on IP-level blocks, rate limiting configurations, and in severe cases, temporary traffic filtering while the attack is mitigated.
