Ok, things almost taken care of. Site is back up, with better protection this time. Secure SSL connections are not available yet,  so you won't be able to log in just yet. We'll get this sorted in a bit.

The DDoS attack was performed by DD4BC, a group of bored underprivileged children, I assume.  They take advantage of the fact that most websites use cloudflare for convenience and they manage to find the direct server IP address, which they then attack.
We have switched to incapsula, who emphasize ddos mitigation and protection much more than cloudflare.

So be careful anyone using cloudflare. Not really much protection if your server's ip can be found so easily.