My multiple sites keep getting ddosed by somebody who is just holding down the refresh button all the time, the guy is in my school and I cant just block his ip because nobody will be able to go on my site in school. I have been looking for a wordpress plugin but I cant find any that will stop floods and I have no idea how to code in html or php or how to put php in my site. If anybody knows any plugins that are FREE then please tell me. I found one called Project SECURITY from codecanyon and it says it stops all sorts of attacks and flood attacks too. But I can afford 35$ cause im doing my GCSE’s now and I dont get much money. I could pay like maybe 10$ max. So if anybody has any code and tell me how to put it in my site or any plugins I would be very grateful.
I use wordpress with a free hosting plan which has limited amount you can refresh it. And please dont tell me to make my site more lightweight cause its a game site which I cant really make any smaller. I tries using cloudflare but it dosent help, even if I turn it to under attack mode 
Well, if someone is sending excessive requests to your site, no Wordpress plugin can stop it. After all, for the plugin to take effect, the page request needs to be processed first, which means Wordpress must be loaded up, the plugin infrastructure need to be looked up and prepared and only then can the plugin do anything.
If you’re using your own domain name, you could try to enable Cloudflare. Cloudflare might cache some of the requests making sure your account doesn’t have to serve all of them or even block the person specifically.
I tried turning on all types of caching but it still takes my site down
Im just wondering if this is possible:
When somebody makes a request for my website, the count goes up by 1. And if the person makes more than 30 in a minute or something, then they get blacklisted for an hour or get redirected to a different website because that would solve people who just get macros and leave them on. Is anything like that possible? Could it be integrated in something other than wordpress?
Log ip’s with a wordpress plugin or just check your cpanel for the ip ddossing you and block it with a .htaccess file
Order Deny,Allow
Deny from 127.0.0.1
of course you have to change 127.0.0.1 to the actual ip.
But what if the person uses a school wifi, nobody at school can play it and I can’t even get on the website then
then you use cloudflare and enable them ‘im under attack’ feature which makes users have a 5sec redirect thus making it hard for ddossers to still continue.
ya but what you do is just wait through the 5 seconds and then start refreshing
Unfortunately, there is just no way to truly prevent this from happening if you’re not willing to block the IP on the network level, since there is no fool proof way to differentiate between a legitimate user and a malicious user on the same IP, or at least not as early as you need to.
I guess the only thing I can do it buy some premium hosting, but I only did the website for fun, not anything serious anyway.