This post is also available in:
Français (French)
Distributed denial of service (DDoS) attacks are reaching record levels in 2025, and a worrying trend is emerging: cybercriminals are massively exploiting unpatched vulnerabilities, particularly in connected devices and poorly secured infrastructures. Here’s a look at the numbers, methods, and best practices to protect your WordPress site.
An unprecedented wave of DDoS attacks
According to NetScout, more than 27,000 botnet-orchestrated DDoS attacks were recorded in March 2025 alone. Service providers were targeted on average every two minutes, with peaks of more than 1,600 attacks per day. Attacks lasted an average of 18 minutes, longer than the global average, reflecting a shift toward more persistent and targeted campaigns.
Source : ITPro, NetScout
Why are unpatched vulnerabilities targeted?
IoT devices and networking equipment, often chosen for their low cost, are rarely updated or patched. This leaves the door open to known vulnerabilities, sometimes several years old, such as CVE-2017-16894 or CVE-2021-27162. Attackers leverage these weaknesses to build massive botnets capable of launching large-scale, coordinated attacks.
Ports 80 and 443 (web and HTTPS) are the most frequently targeted, and multi-vector attacks (e.g., SYN Flood, DNS Flooding) are increasing, making defense more complex.
Organized and motivated groups
Groups like NoName057(16) claim hundreds of attacks each month, often politically motivated, against governments, infrastructure, or strategic companies. More than 500 IP addresses and 575 different domains were targeted in March, demonstrating the scale and sophistication of the campaigns.
Attacks originate from multiple countries, with Mongolia leading the way in IoT infections, but Germany and the United States are also among the main sources, particularly through the exploitation of cloud resources or poorly protected companies.
WordPress: a prime target
WordPress, which powers over 40% of the world’s websites, is not immune. Outdated plugins and themes account for 97% of the security vulnerabilities recorded on the platform. In May 2025, the OttoKit plugin (over 100,000 active installations) was the target of massive exploitation of two critical flaws, allowing attackers to take control of vulnerable sites.
Sources : The Hacker News, Wordfence
How to protect yourself effectively?
- Update WordPress, your plugins, and themes as soon as a fix is available. Enable automatic updates if possible.
- Disable or remove unused extensions: Every outdated plugin is a potential target.
- Use a web application firewall (WAF) to filter malicious traffic before it reaches your site.
- Protect your administrator access with strong passwords and two-factor authentication.
- Monitor activity logs and set alerts for suspicious behavior.
- Choose a secure web host that offers anti-DDoS solutions and regular backups.
In summary
DDoS attacks exploiting unpatched vulnerabilities are on the rise in 2025. Neglectful patching and plugin management expose WordPress sites to major risks. With cybercriminals becoming increasingly organized and well-equipped, regular updates and vigilance remain your best allies for protecting your site and your visitors.
Sources : ITPro, NetScout, The Hacker News, Wordfence, Patchstack