DDoS Attack and Ajax
Since Saturday there has been a massive denial of service attack on my site. Apparently, at least according to my excellent and ever-watchful ISP, the weakness has been plugins that use Ajax. So much so that I’ve had to deactivate a number of plugins that use Ajax, which is a real drag.
This from my ISP:
Someone’s been using a botnet of some sort to try and brute force the password on your wp-login.php url. I’ve put Apache authentication in front of this now and you should be able to get in with the password you use for the /awstats url. Let us know if this creates any problems.
And then this:
They are going after this url as well.
“POST /wp-admin/admin-ajax.php HTTP/1.1”
I’ve put the second auth in front of /wp-admin/ as well now.
And then this:
To stop the attack from causing trouble, one of the things we blocked was the ajax call mechanism, that allows for interactive calls to the site. If the related post plugins work by making internal http requests to the site, asking for that content, that could well be the cause.
Am I alone in this?
Bill
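One way to check an Apache access log for the traffic the ISP describes, counting POSTs to the two URLs and how many distinct clients send them. This is an added example, not part of the original post or the ISP's tooling. It assumes the common/combined log format; the log lines are constructed and the function names and threshold are hypothetical.

```python
import re
from collections import Counter, defaultdict

# The two endpoints named in the ISP's messages.
WATCHED = ("/wp-login.php", "/wp-admin/admin-ajax.php")

# Prefix of Apache common/combined log format: client ident user [time] "METHOD path ..."
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def tally_posts(lines):
    """Count POSTs to the watched endpoints, keyed by client address."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # drop any query string
        if path in WATCHED:
            per_client[m["ip"]][path] += 1
    return per_client

def summarize(lines, threshold=3):
    """Per endpoint: total POSTs, distinct clients, and clients at or over the threshold.

    A botnet spreads requests over many addresses, so the distinct-client
    count matters as much as any single client's rate.
    """
    per_client = tally_posts(lines)
    report = {}
    for path in WATCHED:
        hits = {ip: c[path] for ip, c in per_client.items() if c[path]}
        report[path] = {
            "posts": sum(hits.values()),
            "clients": len(hits),
            "over_threshold": sorted(ip for ip, n in hits.items() if n >= threshold),
        }
    return report

def _line(ip, method, path):
    # Constructed sample entry; addresses are from documentation ranges.
    return f'{ip} - - [01/Jan/2000:00:00:00 +0000] "{method} {path} HTTP/1.1" 200 512'

SAMPLE = [_line("203.0.113.5", "POST", "/wp-login.php")] * 3 + [
    _line("198.51.100.7", "POST", "/wp-login.php"),
    _line("198.51.100.7", "POST", "/wp-admin/admin-ajax.php"),
    _line("192.0.2.10", "POST", "/wp-admin/admin-ajax.php?action=x"),
    _line("192.0.2.10", "GET", "/"),
    _line("192.0.2.11", "GET", "/wp-login.php"),
]

if __name__ == "__main__":
    for path, stats in summarize(SAMPLE).items():
        print(path, stats)
```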