There’s been a major botnet attack on WordPress (and Joomla) logins worldwide. When I last read about it, over 150 000 IP addresses were involved in the botnet.
My (fantastic) service provider, Site5, with whom I host all of my customers’ sites as well as my own, mitigated the attack over the course of a few days.
However, this is yet another reminder that a username and password on their own, as the only factor, are a miserable failure.
ADN user @zero posted a link to the Google Authenticator for WordPress yesterday, and after using it for a short time, I have to recommend it for all WordPress users.
There are some caveats though:
- Don’t put spaces in your Description field when generating the QR Code. Some Google Authenticator client apps don’t handle them.
- Generate an application password if you use WordPress from a mobile app. Copy it somewhere safe before pressing “save”, because only a hash is stored and it can’t be shown again afterwards.
- If your server and your mobile device are out of sync by a few minutes, there’s a setting called “relaxed mode” which allows up to 4 minutes of clock drift either way. Bear in mind that a wider window means more codes are valid at any moment, so fixing the server clock is the better long-term answer.
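To make the “relaxed mode” caveat concrete, here is a small TOTP verifier, added as an illustration rather than code from the plugin or this post. It implements standard RFC 4226/6238 codes (HMAC-SHA1, 30-second steps, 6 digits) and accepts a code from neighbouring time steps; treating “relaxed mode” as a window of ±8 steps (4 minutes) is my assumption, and the base32 secret is the RFC 6238 test secret, constructed for the demo, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30      # TOTP time step used by Google Authenticator
DIGITS = 6             # code length shown by the app

# Constructed example secret (the RFC 6238 test secret "12345678901234567890"),
# base32-encoded the way a QR code would carry it. Not a real key.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Assumption: "relaxed mode" = up to 4 minutes of drift either way = 8 steps.
RELAXED_WINDOW_STEPS = (4 * 60) // STEP_SECONDS


def decode_base32(secret: str) -> bytes:
    """Decode a base32 shared secret, tolerating spaces, lowercase and missing padding."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, window_steps: int = 0,
                step: int = STEP_SECONDS) -> bool:
    """Accept `code` if it matches the current step or any step within +/-window_steps.

    window_steps=0 is strict; RELAXED_WINDOW_STEPS (8) models the 4-minute tolerance.
    Every extra step is one more code an attacker could guess at this instant.
    """
    counter = int(at // step)
    for delta in range(-window_steps, window_steps + 1):
        # compare_digest keeps the string comparison constant-time
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def demo() -> dict:
    """Strict vs. relaxed verification when the phone's clock is 2 minutes fast."""
    key = decode_base32(EXAMPLE_SECRET_B32)
    server_now = 1111111111               # fixed timestamp so the demo is reproducible
    phone_now = server_now + 120          # the phone's clock is 2 minutes ahead
    code_on_phone = totp(key, phone_now)
    return {
        "code_on_phone": code_on_phone,
        "strict_accepts": verify_totp(key, code_on_phone, server_now, 0),
        "relaxed_accepts": verify_totp(key, code_on_phone, server_now, RELAXED_WINDOW_STEPS),
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the strict check rejects the phone’s code while the relaxed check accepts it; narrow the window back to 0 or 1 once the server clock is synced with NTP.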
That’s pretty much it! As for 1Password (which I use), I have to recommend disabling auto-submit, since otherwise the login form is submitted before you can enter the one-time code. That said, I’ve heard a rumour that they’re building in two-factor authentication at a later stage.
Even so, with 1Password and the Google Authenticator mobile application, this is a fairly simple solution to a massive security risk, and I recommend it.
One thing I’d also recommend is renaming the default “admin” account if your WordPress site still has one: the botnet is specifically targeting that username, so renaming it takes away the attacker’s first guess, though it is no substitute for a strong password and the second factor.