“We would get a lot of feed attacks, which is aggressive DDoS-style attacks where bots would hit our feed.”

www.wpbeginner.com | @wpbeginner | performance, firewall, web services, wordpress

Website Security

Why Sucuri

  • Reliable Network
  • WordPress Security
  • Proven Website Solution
  • Peace of Mind

Favorite Features

  • Web Application Firewall
  • Site Monitoring
  • Improved Performance (CDN)
  • Daily/Monthly Reports

The Story of WPBeginner

Beginning with WordPress

WPBeginner was founded by Syed Balkhi as an effort to educate anyone who is new to the WordPress platform. The site focuses on the “how” and “why” of using the WordPress content management system. Powering more than 25% of all websites worldwide, WordPress has quickly become the world’s most popular CMS. The far reaching appeal of WordPress likely stems from the platform’s flexibility and accessibility for beginners. Anyone can find free themes that span from photography to eCommerce. The dashboard is easy to use, and SEO friendliness is built in.

These features work in concert to provide high value along with low barriers to entry for sole proprietors and small, medium, and large scale business ventures alike. Similarly, WPBeginner derives its purpose from helping a wide range of people and businesses succeed online. The organization works to minimize entry level confusion and truly empower visitors to take advantage of the WordPress open source community. By offering tips, tricks, warnings, widgets, plugins, reviews and how-to’s, WPBeginner illuminates the path to a functional WordPress-based web presence. In 2013, WPBeginner put out a review of Sucuri detailing the benefits of our WordPress plugin. Though the statistics are difficult to track, it could easily be stated that WPBeginner has helped launch and or save thousands of websites and businesses

Give a Little, Gain a Lot

Having assisted so many, it is no surprise WPBeginner has grown to its current vast reach. As one of the most popular sites online, understandably it receives a high volume of daily traffic. The site currently serves more than 300,000 page views daily (on average) and a monthly total exceeding 9 million. It is no simple task to build an infrastructure able to sustain a site as popular as WPBeginner. Maintaining functionality, speed and availability in the face of attacks is a separate set of hurdles altogether.
WPBeginner.com was no exception to the rule. Over time, the site’s traffic began to present its own share of challenges. Serious challenges.

We would get a lot of feed attacks, which is aggressive DDoS-style attacks where bots would hit our feed and scrape it. We would try to block the caches, but there were times we would get tens of thousands of people with requests coming from just one IP address trying to get feed access, trying to bust the cache. Anytime they were able to bust the cache, they could DDoS the site.

In addition to suffering DDoS attacks, there was the issue of brute force attempts. The issue is so prevalent among the WordPress community that WPBeginner published a blog post about the malicious attempts years ago. To offer perspective, during one month (from August 2015 to September 2015) Sucuri tracked more than 1 billion brute force attempts on WordPress websites. The increased server load and consistent attacks weighed heavily on the site and caused performance problems that required the attention of a specialist and a large amount of Syed’s valuable time in direct management. When presented with this problem, Syed turned to a recommendation.

A Proven Solution

The young entrepreneur, Syed (who is also the founder of OptinMoster and List25) always had both an appreciation for and an understanding of website security. However, a few years ago, Syed entrusted his personal website security with Sucuri in a move to maximize his time. The experience was greatly successful. Following several challenges with his other venture, Syed moved List25.com behind Sucuri’s Web Application Firewall (WAF) in early 2015. In the first few months after the move, he took note of a few important facts. The site had logged nearly 180,000 blocked malicious attempts.

From May 2015 to Mid-August, the top 5 blocked occurrences were: Spam Comments, ~70,986 (39%); DDOS attempts, ~27,907 (15%); Bad Bot access, ~18,565 (10%); Brute Force attempts, ~15,047 (8%); Evasion attempts ~10,575 (5.8%). All attempts were successfully thwarted, yet none of these attempts required Syed’s direct input, management or any significant involvement from his team. This consistent result lead Syed to include WPBeginner.com in his Sucuri account.

The issues we’ve experienced in the past motivated this move. After I tested the Sucuri service on List25 and my personal site, I just committed to getting additional sites added to my account.

High Expectations

Drawing from previous experience, Syed established high expectations from Sucuri security services, in particular the Web Application Firewall. To be advantageous, the firewall needed to successfully mitigate potential attacks (regardless of size or complexity) and reduce the amount of time Syed and his team spent engaging in security space for WPBeginner. Within weeks, the statistics showed that the expectation had both been met and exceeded.


Within the first three months, WPBeginner.com saw more than 450,000 blocked attacks. That is more than double the number of blocked attacks List25 saw in its first 3 months on the firewall.

The top 11 frequent types of blocked attacks were:

TypeBlocked Attempts
1. Exploit blocked by virtual patching84,011
2. Blocklisted IP address72,495
3. Bad bot access denied72,495
4. Backdoor location denied29,690
5. DDOS attempt blocked29,676
6. Fake bot access29,571
7. Evasion attempt denied21,887
8. Exploit blocked by virtual patching17,078
9. Exploit blocked by virtual patching14,857
10. Spam request blocked14,857
11. Scanning tool blocked13,842

Though definitely a positive result, there was yet another equally intriguing fact. An often overlooked benefit of Sucuri’s WAF became blatantly obvious in the months following WPBeginner’s move onto CloudProxy. Syed states, plainly:

Our server load has come down on WPBeginner – insanely! Security is a big thing and is the primary reason we use Sucuri, but the added benefit is the speed aspect – because everything goes through the WAF and it’s that much faster.

Managing more than 9 million site visits per month is not a simple task. Maintaining site availability, especially at WPBeginner’s level of popularity, requires ingenuity and attention in many different areas. Still, page load time and overall server load can easily become impactful issues. In this instance, WPBeginner’s server core use had previously peaked north of 3 cores and could quickly become overwhelmed in the event of a DDOS or Brute Force attempt was made. After taking advantage of Sucuri’s Web Application Firewall, the situation was remedied.

For me, the biggest advantage of using Sucuri is that I don’t have to get a server admin anymore. I don’t need a 5th admin, because before, the 5th admin’s job was to monitor the server and recognize and mitigate any attacks. I had a 5th admin, part-time and I was paying $2,500/month to keep him on retainer.

Note: Many of our loyal customers are part of our referral program and earn money by referring new customers to Sucuri. It is our goal to provide such excellent service that you want to share it with others. Learn more about our referral program or contact us if you wish to be featured in a case study!

The communication was perfect and I have a strong confidence that should something happen in the future I have a team in place to protect me.

Steve Woody, CEO at Academy of Online Mastery

Start Protecting Your Sites Today

Gain peace of mind by securing all your websites. We fix hacks and prevent future attacks. A cloud-based platform for every site.