WordPress hit by 'extremely large' DDoS attack

Blog host WordPress is the target of a distributed denial-of-service attack today that the company says is the largest in its six-year history.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.
Josh Lowensohn
2 min read

Blog host WordPress.com was the target of a distributed denial-of-service (DDoS) attack earlier today described by the company as the largest in its history.

As a result, a number of blogs--including those that are a part of WordPress' VIP service--suffered connectivity issues. That includes the Financial Post, the National Post, TechCrunch, along with the service's nearly 18 million hosted blogs.

According to a post by Automattic employee Sara Rosso on the company's VIP Lobby (which had been down at the time of the attacks, though was archived by Graham Cluley over at Naked Security), the size of the attack reached "multiple Gigabits per second and tens of millions of packets per second." Rosso had also said putting a stop to the attack was "proving rather difficult."

Rosso had also said the company would be handling its VIP sites ahead of general users.

Denial-of-service attacks are designed to overwhelm Web sites with requests, effectively shutting them down. The ones that are distributed present a much larger challenge to combat, since they can come from a wider variety of networks and hosts.

Update at 10:35 a.m. PT: In an e-mail to CNET, WordPress founder Matt Mullenweg said the attack had affected three of the company's data centers, and was the largest its seen in the company's six-year history. Mullenweg also said that the attack "may have been politically motivated against one of our non-English blogs," but that that detail had not been confirmed. Full e-mail below:

There's an ongoing DDoS attack that was large enough to impact all three of our data centers in Chicago, San Antonio, and Dallas--it's currently been neutralized but it's possible it could flare up again later, which we're taking proactive steps to implement.

This is the largest and most sustained attack we've seen in our six-year history. We suspect it may have been politically motivated against one of our non-English blogs but we're still investigating and have no definitive evidence yet.

The company has also posted a notice on its product uptime status blog:

WordPress' uptime notice.
WordPress' uptime notice. CNET

Update at 11:47 a.m. PT: WordPress now says the problem's been fixed. "Our systems are back to normal. We'll continue to monitor them and post updates here if needed," the company said on its status page. No word yet on if the company had gotten to the bottom of which of its blogs had been the target of the attack.