In contact with

How to protect yourself from a DDOS attack by requesting al_profileEdit.php on a WordPress site?

Good afternoon, colleagues. I need your help.
There is a site on shared hosting and CMS WordPress.
If I understand correctly, then a DDOS attack is underway on the site - every day, several dozen similar requests per minute appear in the logs, which heavily load the server.
The first one looks like this:
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&al=-1&al_id=vk HTTP/1.0" 403 2862 " mysite.ru/ category/post.html " "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
The second one has a slightly different tail after al_profileEdit.php and looks like this:
178.129.92.121 - - [02/Apr/2016:18:40:52 +0300] "GET /al_profileEdit.php?__query=edit&act=contacts&al=-1&al_id=vk HTTP/1.0" 403 2862 " mysite.ru/category/ post.html " "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.110 Safari/537.36"
Where:
— mysite.ru/category/post.html is my URL convention 'a accessed by the attacker. Most likely, just the most “heavy” was chosen as the victim article;
- instead of 403 there is also 404;
- instead of 2862, there are other values, for example, 2892 or 30392.
There is no al_profileEdit.php on my site. In the results of search engines, this file is associated with the social network VKontakte.
The attack is conducted every day from different IP addresses, here are some of them :
109.187.175.241
109.187.180.170
178.129.26.148
178.129.92.121 Maybe add some code to .htaccess to disable this kind of requests? Or are there other ways? PS There is another thought that this is not an attack, but an attempt by some parser or spammer bot to somehow interact with the VKontakte widget located on the site. Or still an attack, but somehow related to this widget.