Security for WordPress

Recently someone turned on a big, bad botnet and has been attempting to brute-force the admin accounts of WordPress installs across the internet. This event is yet another reminder that passwords are passé, and that a lone password can be the weak point in many systems worldwide.

Here are a few things you can do to help protect yourself from this kind of attack:

1) Multi-factor Authentication

If you already use multi-factor authentication for your DreamHost panel login, you’re well acquainted with the way it works. You may even have read our previous blog post about multi-factor authentication here. What you may not know is that you can add the same extra layer of security to your WordPress installs as well. For example, this plugin lets you use Google Authenticator to protect your WordPress login: a guessed or brute-forced password is no longer enough on its own, because the attacker also needs the one-time code from your phone. This is a great way to enhance the security of your WordPress-powered website.

2) Use Strong Passwords

Whether multi-factor authentication is available or not, you can add an extra layer of protection by having a strong password. One way to create a strong password is to use a passphrase: several words chosen at random from a large word list. Password strength is illustrated rather well in this xkcd comic. (It’s important to note that since “correct horse battery staple” is now a known value, it does not make for a good passphrase; the strength comes from the words being picked at random, not from the particular words in the comic.)
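How much a randomly chosen passphrase is actually worth, and why the comic's own phrase is worth nothing, as an added example that is not part of the original post: the word list below is a short constructed stand-in (a real diceware list such as the EFF long list has 7776 words, so the entropy functions take the list size as a parameter), the 64-bit target is an assumption, and the small blocklist of known phrases is illustrative.

```python
"""Passphrase generation and strength accounting.
Added example; not DreamHost's or the xkcd comic's code."""
import math
import secrets

# Constructed stand-in word list: far too short for real use, where a
# diceware-style list of 7776 words (about 12.9 bits per word) is typical.
WORDS = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "fjord", "garnet",
    "harbor", "iodine", "juniper", "kestrel", "lantern", "marble", "nettle",
    "oriole", "pewter", "quartz", "raven", "saffron", "thistle", "umber",
    "velvet", "walnut", "yarrow", "zephyr",
]

# Phrases that appear in print or in cracking wordlists are "known values":
# an attacker tries them first, so they carry no entropy at all.
KNOWN_PHRASES = {"correct horse battery staple", "password", "letmein"}


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly, with replacement, from a list."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float = 64.0) -> int:
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list, n_words: int, sep: str = " ") -> str:
    """Draw words with the OS CSPRNG (secrets), never random.random()."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def normalize(phrase: str) -> str:
    """Fold case and separators so 'Correct-Horse_Battery Staple' still
    matches the known value instead of slipping past the blocklist."""
    return " ".join(phrase.lower().replace("-", " ").replace("_", " ").split())


def is_acceptable(phrase: str, list_size: int, min_bits: float = 64.0) -> bool:
    """Reject known phrases, then require enough words to reach min_bits
    assuming each word was a random pick from a list of list_size."""
    canon = normalize(phrase)
    if canon in KNOWN_PHRASES:
        return False
    return entropy_bits(list_size, len(canon.split())) >= min_bits


if __name__ == "__main__":
    n = words_needed(7776)          # 5 words for 64 bits from a 7776-word list
    print(n, generate_passphrase(WORDS, n))
```

The check is deliberately blind to how "memorable" or "clever" a phrase looks; the only thing it credits is the number of random draws and the size of the pool they came from.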

3) Don’t Reuse Passwords/Passphrases

Avoid the temptation of having a single password that Sauron would be proud of (one password to rule them all). Instead, use a password manager such as KeePass, LastPass, or 1Password to keep you from reusing passwords, no matter how tempting it might be. By not reusing passwords or passphrases, you can make sure that even if one of your passwords is compromised, your other passwords remain isolated from that breach. This way the compromise doesn’t spread throughout the rest of your online life.

In addition to all of these steps, checking the “Extra Web Security” box in your DreamHost panel allows us to help you mitigate these kinds of attacks. As soon as we noticed that these recent attacks were happening, we updated our Web Application Firewall to block the vast majority of these brute-force attempts. We’ve seen and blocked attempts like this tens of millions of times since we updated our Web Application Firewall!
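What a firewall rule for this kind of attack keys on, as an added example that is not DreamHost's WAF code: count failed POSTs to /wp-login.php per source IP over a sliding window and flag sources that exceed a threshold. The log lines are constructed Apache combined-format samples, the threshold and window are assumptions, and the heuristic that a failed WordPress login answers with HTTP 200 (the form re-rendered with an error) while a successful one answers with a 302 redirect is what the sample relies on.

```python
"""Brute-force detection over web-server access logs.
Added example, not DreamHost's WAF code; sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format log (not real traffic). 203.0.113.7
# hammers the login form; 198.51.100.4 mistypes once and then succeeds
# (302); 203.0.113.9 is slow and low; one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3401 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:11 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2013:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.29.0"
this line is not in combined log format and must be skipped
203.0.113.9 - - [12/Apr/2013:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.29.0"
203.0.113.9 - - [12/Apr/2013:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.29.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_login(method, path, status):
    """Heuristic: WordPress answers a bad password by re-rendering the
    login form (200) and a good one with a redirect to wp-admin (302)."""
    return method == "POST" and path == "/wp-login.php" and status == 200


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per IP (log assumed in time
    order). Returns {ip: peak failures seen inside one window} for every
    IP whose peak reached threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(window))
    return flagged


def block_commands(flagged):
    """One iptables drop rule per flagged source (the kind of action a
    WAF takes for you automatically)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    for cmd in block_commands(brute_force_sources(SAMPLE_LOG)):
        print(cmd)
```

Two things to keep in mind when tuning this against real logs: a legitimate user who mistypes a password a couple of times must stay under the threshold, and a distributed botnet spreads its attempts across many source addresses, so a per-IP rate limit catches the noisy nodes but needs to be paired with the stronger measures above (multi-factor authentication and a password that cannot be guessed in a handful of tries per node).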