Ten and a half hours of being beaten upon is no way to live. Unfortunately, there’s not a whole lot that could have been done about it short of fleeing, and I don’t flee well:
Our admin team is continuing to roll out the fix and monitoring where needed. They are confident the source of the connectivity issues are due to large-scale brute force attacks to wp-login pages. These attacks are overloading affected servers and the fix being applied will limit the rate these attacks are hitting wp-login pages. In addition to the fix that’s being applied everywhere, we’re also mitigating the attack by blocking IP addresses all around our data centers.
While they didn’t get too specific, it was most likely something like this that brought us down, and there’s a practical limit to how much you can harden something like WordPress without killing its usability.
It’s still slow around here, but it’s not dead, and there’s a lot to be said for not being dead — though it was two hours before I was actually able to log in.