WordPress.com targeted by DDoS attack

WordpressWordPress.com, home to many millions of blogs around the world, is currently being hit by an “extremely large” distributed denial-of-service (DDoS) attack.

According to the company, some users may experience performance and connectivity problems as a result.

Here’s part of the statement we received from Sara Rosso of Automattic, the owners of WordPress.com:

WordPress.com is currently being targeted by a extremely large Distributed Denial of Service attack which is affecting connectivity in some cases. The size of the attack is multiple Gigabits per second and tens of millions of packets per second.

We are working to mitigate the attack, but because of the extreme size, it is proving rather difficult. At this time, everything should be back to normal as the attack has subsided, but we are actively working with our upstream providers on measures to prevent such attacks from affecting connectivity going forward.

WordPress DDoS statement

You can see a better quality screenshot of this statement here via TwitPic.

DDoS attacks typically involve botnets of compromised computers around the world, bombarding a site with traffic – effectively “clogging it up” and preventing legitimate users from accessing its content.

Sign up to our free newsletter.
Security news, advice, and tips.

In the past I’ve described a DDoS attack as being like 15 fat men trying to get through a revolving door at the same time.

Sophos’s Naked Security site runs on the VIP version of the WordPress.com platform, and our writers have had some difficulties posting today because of this disruption. However, Sophos customers should have had no problems accessing the main Sophos website or receiving updates to their security products – which do not rely on the WordPress.com infrastructure.

It’s unclear what has motivated the DDoS attack, but hopefully normal service will be resumed as soon as possible.

Update: Automattic and WordPress.com founder Matt Mullenweg shared some more information with TechCrunch:

“There’s an ongoing DDoS attack that was large enough to impact all three of our datacenters in Chicago, San Antonio, and Dallas – it’s currently been neutralized but it’s possible it could flare up again later, which we’re taking proactive steps to implement.”

“This is the largest and most sustained attack we’ve seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.”

Update 2: WordPress has just notified me that their systems are back to normal.

WordPress statement


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.