Belts ‘n’ braces
Do you mandate two-factor authentication (2FA) on the systems you manage? It’s ever easier to do, and thus there are ever fewer excuses not to.
Take WordPress, for example: a very popular, flexible CMS used by some big businesses as well as smaller ones and individuals, and thus a popular target for crackers. Two simple actions make it significantly harder to compromise: remove or rename the “admin” user, and mandate 2FA for all admin logins.
There are a number of 2FA plugins for WordPress: we use ‘Two-Factor’ by George Stephanis, an open source implementation that’s hosted on GitHub (no connection, just satisfied users).
It supports 2FA using one-time passwords, such as the (excellent) “Authy” (Android, iOS) and – arguably even better – Universal 2nd Factor, such as the YubiKey. There are other options too, including emailing a one-time password.
If you’re responsible for a WordPress site, you can set this up, for free, easily. Just be aware that user configuration of two-factor is done from the WordPress “Users” admin pages, not the plugin pages.
Look – you have 2FA on your website! Mandating 2FA for all SSH logins is a little more involved, but you’re already on the way.