WordPress taken down in mystery DDoS attack

Popular blogging site WordPress has suffered a severe distributed denial-of-service (DDoS) attack that took servers offline for several hours.

WordPress, which hosts over 25 million blogs, posted a statement at 3:30pm GMT saying that the site had come under an "extremely large" DDoS attack, involving many gigabits and tens of millions of packets a second being fired at its servers.

"DDoS attacks typically involve botnets of compromised computers around the world bombarding a site with traffic, effectively clogging it up and preventing legitimate users from accessing its content," said Sophos senior technology consultant Graham Cluley in a blog post.

"In the past I've described a DDoS attack as being like 15 fat men trying to get through a revolving door at the same time."

WordPress founder Matt Mullenweg told V3.co.uk that the attack had taken down the site's datacentres in Chicago, San Antonio and Dallas, and was the most sustained and serious in the organisation's history.

The motive behind the attacks seems to be political, and appeared to revolve around a foreign-language blog the site was hosting, but there is no hard proof as yet.

WordPress is now back online after around six hours of downtime.

"Businesses in a similar predicament should get in touch with their upstream bandwidth providers as soon as possible to work on technical mitigation, and communicate frequently and transparently with their customers," said Mullenweg.

The popularity of WordPress has made it a frequent target for attackers seeking to inject exploit code. This outage is the worst since network problems last year caused by an unscheduled change to a core router.