There’s been a lot of press recently about increased attacks on WordPress sites, and I run WordPress. At first I considered it BS since it seemed ike a standard brute force attack. Not that I didn’t think attacks were going on, a view of logs on my own small servers shows attacks all the time. But Brian Krebs published an article about it and I figure he has a better BS detector than me in these matters. So maybe there has been an increase. I figure I’m pretty safe, I don’t use the default accounts and I do use long, complex unique random passwords.
Some reading I did also indicated that the volume of logon attempts could cause resource problems on the server, so I decided I would try to specifically block them. After a few other attempts I decided to go the plugin route and used the plugin Limit Login Attempts. It’s a nice simple plugin that does what its name says. I dislike adding plugins to WordPress but I made a exception in this case. Eventually I hope to figure out a way to block this at the server level. But this will give me some protection and any easy way to get stats on whether or not my site is actually being attacked this way.
I’ve always been good about keeping WordPress and my web server updated with the latest patches, but I decided to reboot it this past Friday to make sure all those updates were really in the running software. Maybe it’s because I come from the windows world where patch reboots are a monthly reboot, but I figured it would be a good thing after having the server online for 220 days. So apologies to anyone trying to access the site this past Friday during a certain 9 minutes (I decided to do a full backup with everything shutdown for good measure).
It’s only been a day, but so far the only lookout has been from my testing
Apple (and other) 2-Step Verification
Apple added 2-step verification to their iCloud and iTunes accounts. I have to admit I like it. I especially like that they turn off any sort of password recovery that could be socially engineered. If I lose all the registered devices and the emergency recovery key then I’m screwed. But I’ve always wanted the option to tell these high-value vendors to disable password resets based on those stupid “pet name” security questions. I usually answer them with garbage, but the fact they exist worries me. Not necessarily for every little account, but for any that protects something of value.
I’ve also been going through and adding two-step verification to my other accounts that support it. Some places have apps that generate a token, or use the Google Authenticator App, but codes sent via SMS seem to be the most common. I guess SMS can be spoofed, but I suspect that doing so would have to be highly targeted and take more effort than I’d be worth.