AC Agency
SEO, SEM & More Solutions

AC Agency
SEO, SEM, Web Marketing & Automation

Protecting WordPress from DDoS Attacks: securing load-scripts.php and load-styles.php files

I typically use the Wordfence plugin to enhance security and mitigate attacks on WordPress, which often lacks robust out-of-the-box protection. While Wordfence is a powerful tool, it doesn’t cover everything—specifically, it doesn’t provide an option to block DDoS attacks targeting two common WordPress files: load-scripts.php and load-styles.php.

These files are responsible for concatenating scripts and CSS styles in WordPress. Unfortunately, they don’t require authentication or special privileges, meaning any IP can request them thousands of times per second, potentially overwhelming your server and causing it to crash due to resource exhaustion.

You can mitigate this risk by enabling Wordfence’s WAF (Web Application Firewall), which can apply rate limiting and block suspicious IPs. However, if you prefer a more manual approach, here are some steps you can take:

1. edit your "wp-config.php" file

Add the following line to your wp-config.php file to disable script concatenation if it’s not essential for your site:

				
					define('CONCATENATE_SCRIPTS', false);
				
			

2. edit your ".htaccess" file

To block requests to load-scripts.php and load-styles.php, add the following code to your .htaccess file, before the WordPress rules:

				
					<FilesMatch "^(load-scripts\.php|load-styles\.php)$">
Order Deny,Allow
Deny from all
#Allow from 123.456.789.000
</FilesMatch>
				
			

This will block all requests to these files by default. If needed, you can allow specific IPs by uncommenting and adjusting the Allow from line.

3. edit the "functions.php" file (of your child theme)

For additional protection, you can add the following code to your child theme’s functions.php file or a custom plugin:

				
					<FilesMatch "^(load-scripts\.php|load-styles\.php)$">
Order Deny,Allow
Deny from all
#Allow from 123.456.789.000
</FilesMatch>
				
			

This ensures that these files aren’t loaded at all, providing another layer of protection against potential attacks.

By following these steps, you can better safeguard your WordPress site from DDoS attacks targeting load-scripts.php and load-styles.php.

Have a safer day!

Do you really think this is worth sharing?
Well, it’s up to you...

Related Posts