Spam requests and ddosing

My multiple sites keep getting ddosed by somebody who is just holding down the refresh button all the time, the guy is in my school and I cant just block his ip because nobody will be able to go on my site in school. I have been looking for a wordpress plugin but I cant find any that will stop floods and I have no idea how to code in html or php or how to put php in my site. If anybody knows any plugins that are FREE then please tell me. I found one called Project SECURITY from codecanyon and it says it stops all sorts of attacks and flood attacks too. But I can afford 35$ cause im doing my GCSE’s now and I dont get much money. I could pay like maybe 10$ max. So if anybody has any code and tell me how to put it in my site or any plugins I would be very grateful.
I use wordpress with a free hosting plan which has limited amount you can refresh it. And please dont tell me to make my site more lightweight cause its a game site which I cant really make any smaller. I tries using cloudflare but it dosent help, even if I turn it to under attack mode :frowning:

Well, if someone is sending excessive requests to your site, no Wordpress plugin can stop it. After all, for the plugin to take effect, the page request needs to be processed first, which means Wordpress must be loaded up, the plugin infrastructure need to be looked up and prepared and only then can the plugin do anything.

If you’re using your own domain name, you could try to enable Cloudflare. Cloudflare might cache some of the requests making sure your account doesn’t have to serve all of them or even block the person specifically.

I tried turning on all types of caching but it still takes my site down

Im just wondering if this is possible:

When somebody makes a request for my website, the count goes up by 1. And if the person makes more than 30 in a minute or something, then they get blacklisted for an hour or get redirected to a different website because that would solve people who just get macros and leave them on. Is anything like that possible? Could it be integrated in something other than wordpress?

Log ip’s with a wordpress plugin or just check your cpanel for the ip ddossing you and block it with a .htaccess file

Order Deny,Allow
Deny from

of course you have to change to the actual ip.

But what if the person uses a school wifi, nobody at school can play it and I can’t even get on the website then

then you use cloudflare and enable them ‘im under attack’ feature which makes users have a 5sec redirect thus making it hard for ddossers to still continue.

ya but what you do is just wait through the 5 seconds and then start refreshing

Unfortunately, there is just no way to truly prevent this from happening if you’re not willing to block the IP on the network level, since there is no fool proof way to differentiate between a legitimate user and a malicious user on the same IP, or at least not as early as you need to.

I guess the only thing I can do it buy some premium hosting, but I only did the website for fun, not anything serious anyway.