One of the sites I administer was recently attacked to the point that the security module triggered an alert.
I know there are many amateur bloggers and web developers out there who use WordPress.
There are some pretty simple steps to raising the level of security on your site, and this simple presentation takes you through them.
2. http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
Purpose-built password-cracking machine cluster.
Capable of 350 billion password guesses per second.
95^8 (6.6 thousand trillion) combinations in 5.5 hours
http://passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf
Dec 14, 2009 – Rockyou data breach exposes
32 MILLION user accounts and passwords
April 2013 – “Yahoo email accounts have
been hacked for the fourth time in as
many months”
http://siliconangle.com/blog/2013/04/30/yahoo-mail-hacked-again-serious-questions-raised-about-its-ability-to-protect-users/
These, and many more examples like them, mean you need to begin using a higher level of security for everyday tasks.
3. What would you do if you received this email
from your WordPress site's security plug-in?
What prompted me to create this document?
I have recently been helping a customer recover from a public domain email hack
- See my article LINK: “2 Factor Authentication – why everyone needs it.” for more information
I received the pasted email from a security plug-in of one of the sites I administer
which shows that attempts were made from a Russian Federation IP address to
compromise the site administration console.
4. As described in the article:
LINK: "Anatomy of a hack"
Your bare minimum defence is a STRONG password:
● Minimum of 11 characters
● Upper- and lower-case letters, numbers, and symbols.
● No pattern-based passwords, e.g. qwerty12345, P@as$w0rd4321, lastnamefirstname etc.
So what can you do? Part 1
5. ● Utilise a password manager.
● Some good considerations and examples are given here:
LINK "Which Password Manager"
● A very comprehensive comparison of 25 popular password managers here:
LINK "Password managers"
● Secure the password manager
● “Do what cryptographers do: use a passphrase.”
● Go to LINK "diceware" and follow the instructions there for generating a near* foolproof passphrase.
● *Nothing is ever absolutely secure
So what can you do? Part 2
6. ● Those takeaways again:
● Don't try to be password clever - the only thing that works is random
● Use a computer to achieve a truly random password
● Use a secure password manager to manage your passwords.
● Secure your password manager with the cryptographer-approved method of generating the only passphrase that you will actually need to remember
So what can you do?
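As an added illustration that is not part of the presentation: the arithmetic behind the 350 billion guesses-per-second figure and the 11-character minimum, a check for the pattern-based passwords slide 4 warns against, and a Diceware-style picker that takes its randomness from the operating system. The word list, keyboard-run list and common-word list are constructed stand-ins, not the real Diceware list.

```python
import math
import secrets

# Figures quoted in the presentation: the Gosney cluster's 350 billion guesses
# per second, and the 95 printable ASCII characters a password can draw from.
GUESSES_PER_SECOND = 350e9
PRINTABLE_ASCII = 95
DICEWARE_LIST_SIZE = 7776  # a real Diceware list has 6**5 entries

def keyspace(charset_size: int, length: int) -> int:
    """All passwords of exactly `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length

def hours_to_exhaust(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours for an attacker at `rate` guesses/s to try the whole keyspace."""
    return keyspace(charset_size, length) / rate / 3600

def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy in `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)

# The "clever" patterns the slide warns against: keyboard runs, digit sequences,
# and dictionary words hidden behind common leet substitutions (constructed lists).
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1234", "4321")
COMMON_WORDS = ("password", "admin", "welcome", "letmein")
UNLEET = str.maketrans("@$0134!", "asoleai")  # @->a $->s 0->o 1->l 3->e 4->a !->i

def looks_patterned(password: str) -> bool:
    """True if the password contains a keyboard run or a leet-disguised common word."""
    lowered = password.lower()
    if any(run in lowered for run in KEYBOARD_RUNS):
        return True
    return any(word in lowered.translate(UNLEET) for word in COMMON_WORDS)

# Constructed stand-in for the 7776-word Diceware list; only the list size matters
# for the entropy figure, so substitute the real list in practice.
SAMPLE_WORDS = ["cliff", "mango", "quartz", "ember", "lotus", "raven", "tundra", "violet"]

def diceware_passphrase(wordlist=SAMPLE_WORDS, n_words: int = 6) -> str:
    """Pick words with the OS CSPRNG via `secrets`, not `random`: the slide's
    'use a computer to achieve a truly random password' in practice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

if __name__ == "__main__":
    print(f"95^8 at 350e9/s: {hours_to_exhaust(PRINTABLE_ASCII, 8):.1f} hours")
    print(f"95^11 at 350e9/s: {hours_to_exhaust(PRINTABLE_ASCII, 11) / 8766:.0f} years")
    print(f"6 Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
```

Going from 8 to 11 characters turns roughly five hours of worst-case cracking into several centuries at the same rate, and six Diceware words carry more entropy than an 11-character random password.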
7. AND! Utilise the growing number of freely available 2-factor authentication devices
The remainder of this presentation will guide you, step-by-step through
configuring 2 factor authentication in your WORDPRESS site(s).
In this example, I use:
The WordPress plugin – Google Authenticator
&
The Android app – Google Authenticator.
These are, by no means, the be-all and end-all components to use, but they are easy, which is always a big advantage.
1st - let's set up WordPress!