There’s been a major attack on WordPress (and Joomla) sites worldwide: a botnet brute-forcing logins. When I last read about it, over 150 000 IP addresses were involved.

My (fantastic) service provider, Site5, with whom I host all of my customers’ sites as well as my own, mitigated the attack over the course of a few days.

However, this is yet another reminder that relying on a username and password alone is a miserable failure.

ADN user @zero posted a link to the Google Authenticator plugin for WordPress yesterday, and after using it for a short time, I have to recommend it to all WordPress users.

There are some caveats though:

  • Don’t put spaces in the Description field when generating the QR code; some Google Authenticator implementations don’t handle them.
  • Generate an application password if you use WordPress from a mobile app. Write it down before pressing “Save”, because it is hashed once saved and cannot be shown to you again.
  • If the clocks on your server and your mobile device are out of sync by a few minutes, the codes won’t match. The plugin has a setting called “relaxed mode” which allows for up to 4 minutes of drift either way.
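
To make the clock-drift caveat concrete, here is an added illustration of how a TOTP code is computed and verified and what a “relaxed” window does. This is example code written for this page, not the plugin’s own code: the demo secret (the RFC 4226/6238 test key), the timestamps, and the choice to implement drift as a sweep over adjacent counters are assumptions for illustration. The provisioning URI follows the otpauth scheme that Google Authenticator reads from the QR code, with the label percent-encoded so a description never puts a raw space into the URI.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30  # time step used by Google Authenticator (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret as Google Authenticator shows it; spaces, case and padding are cosmetic."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(label: str, secret_b32: str) -> str:
    """Build the otpauth:// URI that gets encoded into the enrolment QR code.

    The label is percent-encoded so a description such as "My Blog" never
    places a literal space in the URI.
    """
    return "otpauth://totp/%s?secret=%s" % (quote(label, safe=""), secret_b32)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift_seconds: int = 0) -> bool:
    """Accept `submitted` if it matches the current step or any step within +/- drift_seconds.

    drift_seconds=0 is the strict check. drift_seconds=240 models a four-minute
    "relaxed" window either way; implementing it as a sweep over adjacent
    counters is an assumption for illustration, not a description of the plugin.
    """
    steps = drift_seconds // STEP_SECONDS
    now = unix_time // STEP_SECONDS
    candidate = submitted.strip().replace(" ", "").encode()
    for counter in range(max(0, now - steps), now + steps + 1):
        # constant-time comparison so a wrong code does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter).encode(), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890" in base32.
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(provisioning_uri("My Blog", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))

    # Constructed clocks: server at 210 s past the epoch, phone three minutes behind.
    server_time, phone_time = 210, 30
    code_from_phone = totp(secret, phone_time)
    print("strict :", verify_totp(secret, code_from_phone, server_time))       # False
    print("relaxed:", verify_totp(secret, code_from_phone, server_time, 240))  # True
```

Run as a script, the strict check rejects the code from a phone running three minutes slow while the four-minute window accepts it. Note the trade-off: every 30 seconds of extra window is one more code an attacker’s guess can match, so keep the window as small as your clocks allow (fixing NTP on the server is the better cure).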

That’s pretty much it! As for 1Password (which I use), I have to recommend disabling auto-submit, because otherwise the login form is submitted as soon as the password is filled in, before you can enter the one-time code. That said, I’ve heard a rumour that they’re building in two-factor authentication at a later stage.

Even so, with 1Password and the Google Authenticator mobile application, this is a fairly simple solution to a massive security risk, and I recommend it.

One Reply to “Two-Factor Authentication for WordPress”

  1. One thing I’d also recommend is to rename your admin account, if you have it on WordPress. The botnet is specifically targeting that username.
