The only thing I'd perhaps add to that excellent article is to set up Google
Authenticator using the Google Authenticator plugin and enable it on at
least all your administrator-level accounts, so that weak/compromised
passwords or passwords shared with other sites become far less of a problem.
While it's called Google Authenticator it has no tie-in to Google's
services. It's an open algorithm that generates a 6-digit code based on a
shared secret and the time. Clients are available for all the major
smartphone platforms. The Wordpress plugin adds a third box to the login
page and validates that the 6-digit number is correct, as well as your username
and password, such that just knowing a valid username and password for an
account with Google Authenticator enabled isn't sufficient to get access to
Wordpress.

There's been lots of discussion on OATH HOTP (of which Google Authenticator
is an implementation) on the excellent Security Now podcast. Well worth a
listen if you're interested in these things. Because it's an open standard,
it's beginning to be adopted for other services too (Dropbox, Amazon,
Facebook, LastPass, Evernote, to name a few).

Fail2Ban has been invaluable today. My VPS ended up blocking over 600
separate hosts all trying to log in to one of our installs in the space of
an hour!
Alex