Title: ddosNull Shield — DDoS & Bot Protection
Author: ddosnull
Published: July 2, 2026
Last modified: July 2, 2026

---


# ddosNull Shield — DDoS & Bot Protection

 By [ddosnull](https://profiles.wordpress.org/ddosnull/)

[Download](https://downloads.wordpress.org/plugin/ddosnull-shield.1.1.26.zip)


## Description

**Stop bots and DDoS attacks before they reach your WordPress site — without touching
your DNS, hiring a developer, or slowing down your pages.**

ddosNull Shield silently monitors your WordPress traffic in the background. Only
visitors identified as malicious are intercepted. Real customers never notice it’s
there.

#### Up and Running in Under 60 Seconds

No server access, no terminal, no config files.

 1. Install the plugin from your WordPress admin
 2. Click **Connect to ddosNull** and sign in (or create a free account)
 3. Protection activates immediately

#### Why WordPress Stores Get Attacked

Modern attackers don’t try to flood your “pipe” anymore. They send requests that
look exactly like real browsers — thousands of them — forcing your server to work
100x harder. Your pages slow down, customers abandon their carts, and your checkout
stops processing. It’s called a **Layer 7 attack**, and standard firewalls let them
straight through.

ddosNull’s AI is specifically trained to spot these invisible patterns and stop 
them before they impact your store.

#### What ddosNull Shield Protects You From

**DDoS & Bot Traffic**

The ddosNull cloud analyzes your traffic patterns continuously. Malicious IPs are
pushed to your site automatically — blocked the moment they show up, with zero
performance impact on normal page loads. All analysis runs on ddosNull’s servers,
not yours.

**Carding Attacks (WooCommerce) — [ddosNull Shield Pro](https://ddosnull.com/pro/)**

Carding bots probe thousands of stolen credit cards on your checkout page, racking
up chargeback fees and putting your payment gateway account at risk. ddosNull evaluates
each checkout submission against multiple behavioral signals — and blocks bots before
any order is ever created. Legitimate shoppers check out without any interruption.
Checkout protection is available with [ddosNull Shield Pro](https://ddosnull.com/pro/).

**Smart Challenges, Not Hard Blocks**

Not every suspicious request is an attack. Sometimes it’s a real customer on a slow
VPN. ddosNull uses a proof-of-work challenge (ALTCHA) that resolves silently in the
background for most real visitors. Only confirmed bots are hard-blocked. Google
reCAPTCHA v2 is also supported as an alternative.

#### Zero Risk — Try It in Dry Run Mode

Install ddosNull Shield and enable **Dry Run Mode** from your dashboard. Every request
is scored, but 100% of traffic is allowed through. You’ll see a detailed log of 
exactly which IPs would have been blocked — and why. When you’re confident, activate
protection with one click.

#### Works Everywhere WordPress Works

No DNS changes. No proxy. No re-routing your traffic through a third-party network.
ddosNull Shield works directly inside WordPress at the PHP layer — compatible with
any host, including WP Engine, Kinsta, SiteGround, shared cPanel and Plesk hosting,
and Cloudflare.

#### What Our Customers Say

_“DDoSNull saved us during our peak holiday sales season. We were hit by a massive
Layer 7 attack and didn’t even notice until we got the notification that it had
been mitigated. It’s set-and-forget protection. I sleep better at night.”_
— Sarah J., CTO of an E-commerce Store

_“As a DevOps consultant, I recommend DDoSNull to all my clients running WordPress.
The one-click setup is a dream, and it provides enterprise-grade protection without
the enterprise-grade price tag or complexity. It just works.”_
— Mike C., DevOps Consultant

#### Features

 * AI-driven Layer 7 DDoS protection with automatic IP blocking
 * ALTCHA proof-of-work challenge (resolves silently for most real visitors)
 * Google reCAPTCHA v2 support as an alternative challenge
 * Checkout / carding bot protection for WooCommerce — [ddosNull Shield Pro](https://ddosnull.com/pro/)
   (premium)
 * Hard-block mode for confirmed malicious IPs (403 response)
 * IPv4 and IPv6 CIDR range support
 * URL whitelisting with regex support
 * User-agent blacklisting and whitelisting
 * IP whitelisting
 * Dry Run Mode for zero-risk evaluation
 * Cloudflare compatible (reads CF-Connecting-IP header)
 * Optional early loading for better performance (opt-in)
 * Compatible with any WordPress host — no server access required
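
The Cloudflare and CIDR items in the list above, as an added example (not the plugin's code, and the page does not say how the plugin decides when to honour the header): a forwarded-IP header such as `CF-Connecting-IP` or `X-Real-IP` is only meaningful when the connecting peer is itself a known proxy, because any client can send the header. The function names are hypothetical and the proxy ranges are constructed documentation ranges standing in for the CDN's published list.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical.

/** True when $ip lies inside $cidr (IPv4 or IPv6); a bare address means /32 or /128. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input, or IPv4 compared against IPv6
    }
    $max  = strlen($ipBin) * 8;
    $bits = $max;
    if (isset($parts[1])) {
        if (!preg_match('/^\d{1,3}$/D', $parts[1]) || (int) $parts[1] > $max) {
            return false; // malformed prefix length
        }
        $bits = (int) $parts[1];
    }
    $whole = intdiv($bits, 8); // number of bytes that must match exactly
    if (substr($ipBin, 0, $whole) !== substr($netBin, 0, $whole)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // top $rest bits of the next byte
    return (ord($ipBin[$whole]) & $mask) === (ord($netBin[$whole]) & $mask);
}

/** Client IP for blocking decisions: forwarded headers count only behind a trusted proxy. */
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach ($trustedProxies as $cidr) {
        if (!ip_in_cidr($peer, $cidr)) {
            continue;
        }
        foreach (['HTTP_CF_CONNECTING_IP', 'HTTP_X_REAL_IP'] as $key) {
            $candidate = trim($server[$key] ?? '');
            if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
                return $candidate; // well-formed address supplied by the trusted proxy
            }
        }
        break; // trusted peer but no usable header: fall back to the peer address
    }
    return $peer;
}

// Constructed sample requests: trusted peer, untrusted peer sending the same header,
// and a trusted IPv6 peer sending a malformed header value.
$trusted  = ['192.0.2.0/24', '2001:db8:ffff::/48'];
$requests = [
    ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],
    ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_CF_CONNECTING_IP' => '203.0.113.7'],
    ['REMOTE_ADDR' => '2001:db8:ffff::1', 'HTTP_X_REAL_IP' => 'not-an-ip'],
];
foreach ($requests as $r) {
    echo client_ip($r, $trusted), PHP_EOL;
}
```

Only the first request resolves to the header value; the other two fall back to `REMOTE_ADDR`, so a block list keyed on the result cannot be steered by a header sent directly to the origin.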

**A free ddosNull account is required.** Sign up and connect your site directly 
from the plugin settings page.

### Pricing

ddosNull Shield is free to install and use. Connecting your site requires a free
ddosNull account. All paid plans come with a **30-day money-back guarantee** and
no long-term contracts.

**Free — $0/month**

 * 1 WordPress site
 * 15,000 protected requests/month
 * Layer-7 DDoS mitigation

Paid plans are available with higher request limits and support for multiple sites.
[ddosNull Shield Pro](https://ddosnull.com/pro/) adds WooCommerce checkout protection.
See [https://ddosnull.com/#pricing](https://ddosnull.com/#pricing) for details.

### External Services

This plugin connects to the following external services to provide its protection
features.

**ddosNull** (https://app.ddosnull.com)

This is the core service that powers the plugin. It provides AI-driven DDoS and 
bot traffic analysis, maintains a global IP reputation database, and coordinates
automatic blocking across protected sites.

Data sent:

 * Server load averages (1 min, 5 min, 15 min)
 * Anonymized access-log lines (visitor IP addresses, request paths, HTTP status
   codes, timestamps)
 * ALTCHA proof-of-work tokens submitted by visitors, for server-side verification

Data received: blocked IP lists, whitelisted IPs, protected URL patterns,
blacklisted/whitelisted user-agents, DDoS mode flag, scan results.

[Privacy Policy](https://ddosnull.com/privacy/) · [Terms of Use](https://ddosnull.com/terms/)

**Google reCAPTCHA** (https://www.google.com/recaptcha/)

Only used when you choose reCAPTCHA v2 as the challenge type in settings (the default
is ALTCHA, which does not involve Google). When active:

 * The reCAPTCHA JavaScript library is loaded from `https://www.google.com/recaptcha/api.js`
   and shown to visitors who need to be challenged. Google may collect device
   and browser signals as part of this interaction.
 * When a visitor submits the reCAPTCHA, their response token is sent from your 
   server to `https://www.google.com/recaptcha/api/siteverify` to verify it.

[Privacy Policy](https://policies.google.com/privacy) · [Terms of Service](https://policies.google.com/terms)

**ipify** (https://api.ipify.org)

Used once at plugin startup to detect the server’s own public IP address when it
is not available in the PHP server environment. The result is cached locally for
12 hours. No personal data is transmitted.

[Terms of Service](https://www.ipify.org/) · [Privacy Policy](https://www.ipify.org/)

### Source Code

The `assets/admin.js` file is a compiled and minified JavaScript bundle built from
React/TypeScript source. The human-readable source code is publicly available at:

https://github.com/disprozzy/ddosnull-shield-js-source

Build tools: Node.js, Vite, React, TypeScript. To rebuild:
`npm install && npm run build:admin`.

## Screenshots

Plugin dashboard showing connection status, server load, banned IP statistics, and
recent scans.

Settings panel with shield toggle, challenge type selector, and early loading option.

ALTCHA proof-of-work challenge page shown to suspicious visitors.

## Installation

 1. Upload the `ddosnull-shield` folder to `/wp-content/plugins/`, or install it directly
    from the WordPress plugin directory.
 2. Activate the plugin through the **Plugins** menu in WordPress.
 3. Go to **ddosNull Shield** in the admin sidebar.
 4. Click **Connect to ddosNull** and sign in or create a free account.
 5. Protection activates immediately after connecting.

## FAQ

### Will this slow down my WordPress site?

No. The plugin intercepts requests before WordPress loads the full page, and all
traffic analysis happens on ddosNull’s servers — not yours. There is zero performance
impact on normal page loads.

### Do I need to change my DNS or use a proxy?

No DNS changes, no proxy, no re-routing your traffic. ddosNull Shield works directly
inside WordPress. Your DNS, CDN, and existing Cloudflare setup stay exactly as they
are.

### What if I accidentally block a real customer?

Use Dry Run Mode first. You’ll see a report of exactly who would have been blocked
before any blocking occurs. ddosNull also uses smart challenges (not hard blocks)
for suspicious-but-not-confirmed traffic, so edge cases like VPN users get a quick
verification step instead of a flat rejection.

### Does this work on shared hosting?

Yes. Because ddosNull Shield works at the PHP/WordPress layer, it runs on any host
that supports WordPress plugins — including shared cPanel and Plesk hosting. No 
server-level access is required.

### What happens if ddosNull goes down?

Your WordPress site keeps running normally. The plugin stores the last known block
list locally and continues enforcing those rules if the ddosNull cloud is temporarily
unreachable. Nothing breaks.

### How does the carding protection work?

Checkout / carding protection is available with [ddosNull Shield Pro](https://ddosnull.com/pro/),
distributed from ddosnull.com. When active, it collects lightweight browser signals
on the checkout page — things like screen dimensions, JavaScript environment, and
session timing. Orders that arrive too fast, without a real browser, or from known
automation tools are blocked before the order is created. Legitimate shoppers experience
no friction.

### What is the ALTCHA challenge?

ALTCHA is a privacy-friendly proof-of-work challenge that runs silently in the browser.
Most real visitors pass it automatically without clicking anything. It requires 
no Google account and collects no personal data.

### Can I use Google reCAPTCHA instead?

Yes. Switch the challenge type to reCAPTCHA v2 in the plugin settings and enter 
your site key and secret key from Google.

### What is Early Loading?

When early loading is enabled, the plugin installs a small must-use plugin file 
so the intercept runs before regular plugins load — giving better performance under
heavy traffic. The setting is opt-in and can be toggled on or off at any time from
the plugin settings page.

### Is there a free trial or money-back guarantee?

Yes. All paid plans include a 30-day money-back guarantee — no questions asked. 
You can also start on the Free plan (15,000 requests/month) before upgrading. There
are no long-term contracts; you can cancel at any time and protection remains active
through the end of your current billing period.

### Is my customer data private?

Your traffic never passes through ddosNull’s servers. The plugin only shares anonymized
metadata — IP addresses, request counts, and access log lines — to power threat 
detection. ddosNull never sees your customers’ personal data, payment information,
or page content.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“ddosNull Shield — DDoS & Bot Protection” is open source software. The following
people have contributed to this plugin.

Contributors

 *   [ ddosnull ](https://profiles.wordpress.org/ddosnull/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/ddosnull-shield/), 
check out the [SVN repository](https://plugins.svn.wordpress.org/ddosnull-shield/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/ddosnull-shield/)
by [RSS](https://plugins.trac.wordpress.org/log/ddosnull-shield/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.1.26

 * Block IPs reported in the fake_ua_ips list with a 403, even when their request
   presents a whitelisted user-agent string (this list is for IPs caught by the 
   backend spoofing a whitelisted UA to evade blocking).

#### 1.1.25

 * Fix challenge redirect dropping query-string parameters when the destination 
   URL contains unencoded ampersands (e.g. filter parameters). The full URL is now
   preserved through the challenge form using a hidden field populated from the 
   raw query string.

#### 1.1.24

 * Remove WordPress.org directory assets (banners, icons, screenshots) from plugin
   zip; these are uploaded separately via SVN.
 * Remove branding footer from 403 block page to comply with WordPress.org guidelines.
 * Fix Early Loading (MU Plugin) state detection in Pro plugin reading wrong MU 
   file name.

#### 1.1.23

 * WordPress.org submission: add icon, banner, and screenshot assets.
 * Add == Pricing == section and money-back guarantee info to readme.
 * Internationalize all user-facing strings in challenge and block pages with load_plugin_textdomain
   and generate .pot file.
 * Add source reference comment to admin.js.
 * Redirect to plugin dashboard on first activation.
 * Expand External Services section: document data transmitted to each service and
   add Terms of Use / Privacy Policy links for all three external endpoints (ddosNull,
   Google reCAPTCHA, ipify).
 * Split plugin into free (Layer-7 DDoS/bot protection) and Pro (adds WooCommerce
   checkout protection) tiers to comply with WordPress.org remote-feature-gating
   guidelines.

#### 1.1.22

 * Fix early loading toggle always showing as off: detect MU plugin state from file
   existence rather than the stored setting, which could be missing if the file 
   was installed via a different code path.

#### 1.1.21

 * Add protected_urls support: URL patterns (nginx-style regex or plain prefix)
   that force visitors through the verification challenge unless their IP or
   user-agent is whitelisted.

#### 1.1.20

 * Fix fatal error on sites using early loading: new option-key constants were not
   defined in the MU plugin loader before intercept.php ran.
 * Rebuild admin JS.

#### 1.1.19

 * Store ip_list, block_with_403, and whitelisted_ips in separate wp_options entries
   with a 24-hour object-cache layer; cache is invalidated on each update.
 * Store ip_list as a PHP array instead of a newline-delimited string, removing 
   per-request parsing overhead.
 * Clear the dynamic block list and disable DDoS mode when the ddosNull backend 
   is unreachable, preventing the ALTCHA challenge from looping indefinitely.

#### 1.1.18

 * Improved checkout fraud detection.

#### 1.1.17

 * WordPress coding standards: replace parse_url with wp_parse_url, fopen/fclose
   with WP_Filesystem, unlink with wp_delete_file, rmdir with WP_Filesystem.
 * Sanitize and unslash all superglobal reads ($_SERVER, $_COOKIE, $_POST).
 * Add nonce verification to altcha and reCAPTCHA challenge form submissions.
 * Prefix global variables in uninstall.php and remove unprefixed helper variable
   in main plugin file.
 * Update tested-up-to to WordPress 7.0; align plugin name across header and readme.

#### 1.1.16

 * Serve 403 block page from a bundled local template with no external CDN dependencies.
 * Fix cron schedule recovery for existing installs affected by the identifier rename
   in 1.1.15.

#### 1.1.15

 * Vendor ALTCHA JS locally, removing cdn.jsdelivr.net dependency.
 * Use local plugin icon in admin menu and challenge page instead of remote URL.
 * Add GPL-2.0+ license header to plugin file.
 * Prefix all identifiers (cookie, transient, cron schedule) to avoid conflicts 
   with other plugins.
 * Use WP Filesystem API for must-use plugin file installation.
 * Add uninstall.php to clean up settings, transients, and log files on deletion.
 * Add opt-in early loading via must-use plugin dropper (toggle in Settings).
 * Add readme.txt for WordPress.org submission.

#### 1.1.14

 * Add hard block (403) support for blacklisted user agents.

#### 1.1.13

 * Revert block_with_403 ordering change from 1.1.12.

#### 1.1.12

 * Fix: hard-blocked IPs could bypass the block via whitelisted URLs.

#### 1.1.11

 * Checkout protection now gated on a server-signed flag to prevent client-side 
   tampering.

#### 1.1.10

 * Add regex support for whitelisted URLs (prefix with `~` for case-sensitive,
   `~*` for case-insensitive).
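
The URL rule syntax described in 1.1.21 (nginx-style regex or plain prefix) and 1.1.10 (`~` and `~*` prefixes), as an added example that is not the plugin's code. Function names and sample rules are hypothetical; matching on the path only and the handling of an invalid rule (never whitelists, always challenges) are design assumptions of this sketch, not documented plugin behaviour.

```php
<?php
// Added example, not the plugin's code. Rule syntax follows the changelog:
// "~" = case-sensitive regex, "~*" = case-insensitive regex, anything else = plain prefix.

/** true/false for a usable rule, null when the rule itself is invalid. */
function url_rule_matches(string $rule, string $requestUri): ?bool
{
    // Match the path only, so a query string can never satisfy a rule (assumption).
    $path = (string) parse_url($requestUri, PHP_URL_PATH);
    $rule = trim($rule);
    if ($rule === '') {
        return null;
    }
    if ($rule[0] !== '~') {
        return strncmp($path, $rule, strlen($rule)) === 0; // plain prefix
    }
    $flags = '';
    $expr  = (string) substr($rule, 1);
    if ($expr !== '' && $expr[0] === '*') {
        $flags = 'i';
        $expr  = (string) substr($expr, 1);
    }
    $expr = trim($expr);
    $d    = "\x01"; // delimiter that cannot collide with characters in a URL pattern
    if ($expr === '' || strpos($expr, $d) !== false) {
        return null;
    }
    $result = @preg_match($d . $expr . $d . $flags, $path);
    return $result === false ? null : $result === 1; // false = pattern failed to compile or run
}

/** Whitelist lookup: an invalid rule never exempts a request from checks. */
function is_whitelisted_url(array $rules, string $uri): bool
{
    foreach ($rules as $rule) {
        if (url_rule_matches($rule, $uri) === true) {
            return true;
        }
    }
    return false;
}

/** Protected-URL lookup: an invalid rule forces the challenge rather than silently protecting nothing. */
function is_protected_url(array $rules, string $uri): bool
{
    foreach ($rules as $rule) {
        if (url_rule_matches($rule, $uri) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed sample rules and requests.
$whitelist = ['/wp-json/', '~* \.(css|js|png)$', '~ ^/feed(/|$', '~ ^/feed(/|$)'];
$protected = ['/wp-login.php', '~* ^/checkout'];
var_dump(is_whitelisted_url($whitelist, '/assets/Site.CSS?v=3'));           // regex, case-insensitive
var_dump(is_whitelisted_url($whitelist, '/wp-login.php?next=/wp-json/'));   // prefix only in the query
var_dump(is_whitelisted_url(['~ ^/feed(/|$'], '/feed/'));                   // unbalanced regex
var_dump(is_protected_url($protected, '/Checkout/pay'));
```

Returning `null` for a rule that fails to compile lets each caller pick its own safe default instead of treating a typo in a pattern as "no match".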

#### 1.1.9

 * Challenge and block pages now set no-cache headers to prevent caching plugins
   from storing them.

#### 1.1.8

 * Add optional early loading via must-use plugin (opt-in from settings).

#### 1.1.7

 * Admin: protection suspended banner with link to dashboard; stats hidden when 
   account limit is reached.

#### 1.1.6

 * Full IPv4 and IPv6 CIDR range support for blocked and whitelisted IP lists.

#### 1.1.4

 * Add CIDR range support for IP lists.

#### 1.1.3

 * Log challenge page hits with HTTP 429 status for accurate scan analysis.

#### 1.1.2

 * Fix IP detection to read X-Real-IP header for nginx reverse proxy setups.

#### 1.1.0

 * Enable Shield protection by default on fresh installs.

## Meta

 * Version **1.1.26**
 * Last updated **11 hours ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.5 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [bot protection](https://wordpress.org/plugins/tags/bot-protection/),
   [DDOS Protection](https://wordpress.org/plugins/tags/ddos-protection/),
   [firewall](https://wordpress.org/plugins/tags/firewall/),
   [security](https://wordpress.org/plugins/tags/security/),
   [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
