There’s been a major attack on all WordPress (and Joomla) websites worldwide. When I last read about it, over 150 000 IP addresses were involved in the botnet.

My (fantastic) service provider, Site5, with whom I host all of my customers’ sites as well as my own, mitigated the attack through the course of a few days.

However, this is yet another reminder that standard username and password security is a miserable failure.

ADN user @zero posted a link to the Google Authenticator for WordPress yesterday, and after using it for a short time, I have to recommend it for all WordPress users.

There are some caveats though:

  • Don’t put spaces in your Description field when generating the QR code. Some Google Authenticator implementations don’t handle them.
  • Generate an application password if you use WordPress on a mobile device. Write it down before pressing “save”, because it is hashed when saved.
  • If your server and your mobile device are out of sync by a few minutes, there’s a setting called “relaxed mode” that allows for a 4-minute drift either way.

That’s pretty much it! As for 1Password (which I use), I have to recommend disabling auto-submit, for obvious reasons. That said, I’ve heard a rumour that they’re building in two-factor authentication at a later stage.

Even so, with 1Password and the Google Authenticator mobile application, this is a fairly simple solution to a massive security risk, and I recommend it.

One Reply to “Two-Factor Authentication for WordPress”

  1. One thing I’d also recommend is to rename your admin account, if you have it on WordPress. The botnet is specifically targeting that username.
