Securing WordPress websites with YubiKey
Some reports suggest 25-30% of websites on the internet are built on WordPress, so there is plenty of interest from attackers in breaking into them and using them for purposes other than the ones they were intended for. Having a website hacked or otherwise compromised can be very serious: it starts with a downgrade in Google search results, may lead to the site being blacklisted altogether, and can end with the site being used for criminal activity. Most attacks are automated scripts guessing the administrative passwords of the hosting account and of the WordPress installation itself.
In terms of the website hosting, it is worth disabling plain FTP access altogether, since it sends credentials in cleartext, and using SFTP only if file transfer is needed at all. The SFTP password should be long and unique; it is the SFTP session, not the password, that is encrypted, so a weak password still lets an attacker modify files on the hosting server. To keep scripts away from the WordPress login, it is advisable to protect the admin directory with a Captcha (or an additional authentication prompt in front of it).
Chances are that FTP access and access to the WordPress admin directory are out of your control, depending very much on the hosting provider's configuration. There are still a couple of things that can be done to make scripted access to admin accounts less likely: firstly, install a plugin to limit failed login attempts, and secondly, make use of two-factor authentication with a YubiKey.
An effective plugin for slowing scripted attempts at working through a password list is 'Limit Login Attempts' version 1.7.1 by Johan Eenfeldt, available from within the WordPress admin console. The default settings do a good job of throttling repeated attempts, and it is worth checking regularly that the plugin is still enabled by attempting to log in with wrong credentials and confirming that the lockout message appears.
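To make the throttling concrete, here is an added example (not the plugin's PHP code) that models an escalating lockout policy in Python and simulates a scripted attacker trying one password per second for 24 hours. The constants are the plugin's defaults as I remember them (4 retries, 20 minute lockout, 4 lockouts before a 24 hour lockout, 12 hour retry window); treat them as assumptions and check the plugin's settings page. The IP address and the fake clock are constructed for the simulation.

```python
import time

# Assumed defaults of Limit Login Attempts 1.7.1; verify against the plugin's settings page.
ALLOWED_RETRIES = 4            # failures before a lockout
LOCKOUT_SECONDS = 20 * 60      # length of a normal lockout
ALLOWED_LOCKOUTS = 4           # lockouts before the long lockout kicks in
LONG_LOCKOUT_SECONDS = 24 * 3600
RETRY_WINDOW_SECONDS = 12 * 3600  # failures older than this no longer count


class LoginLimiter:
    """Per-IP failure counter with escalating lockouts (approximation of the plugin)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.retries = {}       # ip -> (failure count, timestamp when the count expires)
        self.locked_until = {}  # ip -> timestamp until which logins are refused

    def is_locked(self, ip):
        return self.locked_until.get(ip, 0) > self.clock()

    def record_failure(self, ip):
        now = self.clock()
        count, valid_until = self.retries.get(ip, (0, 0))
        if valid_until < now:
            count = 0  # old failures have aged out of the window
        count += 1
        self.retries[ip] = (count, now + RETRY_WINDOW_SECONDS)
        if count % ALLOWED_RETRIES != 0:
            return
        # Every ALLOWED_RETRIES failures triggers a lockout; after
        # ALLOWED_RETRIES * ALLOWED_LOCKOUTS failures the lockout becomes a long one.
        if count >= ALLOWED_RETRIES * ALLOWED_LOCKOUTS:
            self.locked_until[ip] = now + LONG_LOCKOUT_SECONDS
        else:
            self.locked_until[ip] = now + LOCKOUT_SECONDS

    def record_success(self, ip):
        self.retries.pop(ip, None)
        self.locked_until.pop(ip, None)

    def attempt(self, ip, credentials_ok):
        """Returns 'locked', 'ok' or 'fail'. Locked attempts never reach the password check."""
        if self.is_locked(ip):
            return "locked"
        if credentials_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "fail"


class FakeClock:
    """Constructed clock so the 24 hour simulation runs instantly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


def simulate_bruteforce(seconds=24 * 3600, attempts_per_second=1.0):
    """Count how many password guesses a scripted attacker actually gets evaluated."""
    clock = FakeClock()
    limiter = LoginLimiter(clock.now)
    attacker_ip = "203.0.113.7"  # constructed, documentation range
    guesses = 0
    while clock.t < seconds:
        if limiter.attempt(attacker_ip, credentials_ok=False) == "fail":
            guesses += 1
        clock.t += 1.0 / attempts_per_second
    return guesses


if __name__ == "__main__":
    print("guesses evaluated in 24h with lockouts:", simulate_bruteforce())
    print("guesses without any limiter:", 24 * 3600)
```

With these settings the attacker gets 4 guesses, waits 20 minutes, and after the fourth lockout is shut out for a day: 16 evaluated guesses in 24 hours instead of 86,400. The limiter keys on the client IP, so a botnet spread over many addresses still gets 16 guesses per address, which is why the YubiKey second factor below matters as well.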
The plugin for enabling two-factor authentication with a YubiKey is available from the WordPress plugin directory at http://wordpress.org/extend/plugins/yubikey-plugin/, version 0.96. Configuration starts by requesting a Yubico API ID and Yubico API key from the Yubico website, which asks you to press the YubiKey once to prove you hold one; enter both values in Settings / YubiKey from the Dashboard. For each admin user account that should use a YubiKey, select the "Use Yubico server for the Yubikey authentication" option, then enter Key ID 1 (the first 12 characters of your key's output; just press the YubiKey button in this field and delete the rest) and Key ID 2 if a second key is registered. Note that only those first 12 characters are fixed; the remaining 32 characters change on every press, so never paste a whole one-time password as the Key ID. Keep the API key private: it is what lets the plugin verify that validation responses really came from the Yubico server.
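The following is an added example, written in Python rather than taken from the plugin's PHP source, of the two checks the plugin has to perform: matching the fixed 12-character public ID of a pressed OTP against the registered Key IDs, and signing a request to the Yubico validation server and verifying the signature on its reply. The request and response signing follow the published YubiCloud validation protocol (HMAC-SHA1 over the alphabetically sorted parameters, keyed with the base64-decoded API key). The client ID, API key, OTP and server response below are constructed for the example; no network call is made.

```python
import base64
import hashlib
import hmac
import secrets

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # YubiKey OTPs use this 16-character alphabet
TOKEN_LEN = 32       # the encrypted, per-press part of the OTP is always 32 modhex chars
PUBLIC_ID_LEN = 12   # a stock YubiKey prefixes a 12-char public identity ("Key ID 1")


def parse_otp(otp):
    """Split an OTP into (public_id, token). Raises ValueError on malformed input."""
    otp = otp.strip().lower()
    if not (TOKEN_LEN <= len(otp) <= TOKEN_LEN + 16):
        raise ValueError("bad OTP length")
    if any(c not in MODHEX_ALPHABET for c in otp):
        raise ValueError("OTP is not modhex")
    return otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]


def public_id_matches(otp, registered_ids):
    """What the plugin checks locally: does the fixed prefix belong to this user?"""
    public_id, _token = parse_otp(otp)
    return any(hmac.compare_digest(public_id, rid.strip().lower()) for rid in registered_ids)


def sign_params(params, api_key_b64):
    """HMAC-SHA1 over 'k=v&k=v' of the sorted parameters, excluding h, base64 encoded."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(client_id, api_key_b64, otp, nonce=None):
    """Query parameters for the Yubico verify endpoint, signed with the API key."""
    parse_otp(otp)  # reject garbage before it is sent anywhere
    nonce = nonce or secrets.token_hex(16)  # unpredictable, 16-40 chars
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign_params(params, api_key_b64)
    return params


def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """True only if the reply is signed with our API key, echoes our OTP and nonce, and says OK."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    if "h" not in fields:
        return False
    if not hmac.compare_digest(sign_params(fields, api_key_b64), fields["h"]):
        return False  # forged or tampered reply
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False  # reply to some other request (replay)
    return fields.get("status") == "OK"


def make_response(fields, api_key_b64):
    """Constructed stand-in for the Yubico server: signs a reply the same way."""
    fields = dict(fields)
    fields["h"] = sign_params(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


# Constructed sample data (not real credentials or a real key's output).
SAMPLE_CLIENT_ID = "12345"
SAMPLE_API_KEY = base64.b64encode(b"constructed-api-key!").decode()
SAMPLE_OTP = "cccccccfhcbe" + "cbdefghijklnrtuvcbdefghijklnrtuv"


def demo():
    req = build_verify_request(SAMPLE_CLIENT_ID, SAMPLE_API_KEY, SAMPLE_OTP)
    reply = make_response({"t": "2013-01-01T00:00:00Z0000", "otp": SAMPLE_OTP,
                           "nonce": req["nonce"], "sl": "100", "status": "OK"}, SAMPLE_API_KEY)
    return public_id_matches(SAMPLE_OTP, ["cccccccfhcbe"]), verify_response(
        reply, SAMPLE_API_KEY, SAMPLE_OTP, req["nonce"])


if __name__ == "__main__":
    print(demo())
```

The two things worth taking from this: the Key ID check only proves that a specific YubiKey's prefix was typed, so the server-side validation (which proves the 32-character token was freshly generated by that key and not replayed) must also pass; and a reply whose status, OTP or nonce has been altered fails the signature check, which is why the API key entered in Settings / YubiKey must be kept secret.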