Wednesday, May 01, 2013

Millions of WordPress sites exploitable for DDoS Attacks using Pingback mechanism

http://thehackernews.com/2013/05/millions-of-wordpress-sites-exploitable.html

Over the weekend, Incapsula mitigated a unique DDoS attack against a large gaming website and discovered that it was carried out using thousands of legitimate WordPress blogs, without the need for them to be compromised.

This article also mentions another recent report released by them (The Hacker News) on a different DDoS method: DNS amplification.

I've been testing out WordPress on my 1and1.com virtual server and it is pretty locked down... I've still had at least one compromise (someone uploaded PHP-based exploit code onto the server via a plugin, which I've since removed). WordPress constantly gets attacked and even though I'm running extra layers of security, it's taking 100% of my attention to ensure that nothing is amiss... it takes the fun out of administrating a CMS, IMO. :/