The Guru College
Two Factor Authentication
In the wake of the massive attack on the WordPress infrastructure, it makes sense to take a moment and talk about security. First and foremost, if you run a copy of WordPress yourself, you must apply updates rigorously. Most of the updates that come out have some form of security patches included in them, and these are important. Second, make sure you aren’t using an account named “admin”, “root”, “administrator” or the like. These are the easiest for the kiddies to target. Third, run something like the Login Security Solution plugin. This prevents brute-force password-guessing attacks by disabling logins from IPs that try lots of passwords against the same username over and over again. It’s not perfect, but it won’t harm legitimate users badly and it will cut down on the number of attacks the botnets can try against your sites.
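The per-IP, per-username lockout that Login Security Solution applies, sketched as an added Python example (this is not the plugin's code; the threshold, time window, lockout length and log-line format are all assumptions, and the log is constructed):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Policy assumed here: MAX_FAILURES failures from one IP against one username within WINDOW locks that pair out for LOCKOUT.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=10)
LOCKOUT = timedelta(minutes=30)

class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)  # (ip, user) -> recent failure timestamps
        self.locked_until = {}              # (ip, user) -> when the lockout expires
    def allowed(self, ip, user, ts):
        until = self.locked_until.get((ip, user))
        return until is None or ts >= until

    def record_failure(self, ip, user, ts):
        q = self.failures[ip, user]
        q.append(ts)
        while ts - q[0] > WINDOW:           # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.locked_until[ip, user] = ts + LOCKOUT
            q.clear()

def parse_line(line):                       # constructed 'ts ip=.. user=.. result=..' format
    ts, *kv = line.split()
    fields = dict(f.split("=", 1) for f in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields

def process(log_lines):
    """Replay the log through the throttle; return (ip, user, decision) per line."""
    throttle, decisions = LoginThrottle(), []
    for line in log_lines:
        ts, f = parse_line(line)
        ok = throttle.allowed(f["ip"], f["user"], ts)
        decisions.append((f["ip"], f["user"], "allowed" if ok else "blocked"))
        if ok and f["result"] == "fail":
            throttle.record_failure(f["ip"], f["user"], ts)
    return decisions
# Constructed sample log (not real traffic): 203.0.113.5 hammers "admin",
# while 198.51.100.7 is a legitimate user who mistypes once, then logs in.
SAMPLE_LOG = [
    "2013-04-15T10:00:01Z ip=203.0.113.5 user=admin result=fail",
    "2013-04-15T10:00:02Z ip=203.0.113.5 user=admin result=fail",
    "2013-04-15T10:00:03Z ip=198.51.100.7 user=alice result=fail",
    "2013-04-15T10:00:04Z ip=203.0.113.5 user=admin result=fail",  # 3rd failure: lockout
    "2013-04-15T10:00:05Z ip=203.0.113.5 user=admin result=fail",  # rejected
    "2013-04-15T10:00:06Z ip=198.51.100.7 user=alice result=ok",
    "2013-04-15T10:35:00Z ip=203.0.113.5 user=admin result=fail",  # lockout expired
]
```

Keying on the (IP, username) pair is what keeps the legitimate user on another address unaffected; a botnet spreading guesses across many IPs will still slip under this kind of threshold, which is why the author calls it "not perfect".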
Finally, look at using a service like Duo Push. It’s easy to integrate into WordPress – signing up for a free account, installing the plugin, and associating my phone with my administrative account took me less than 10 minutes to do this afternoon – and it turns your single password into a two-factor login: something you know, like the random string of letters, numbers and special characters that makes up your password, plus something you have, such as your smartphone, your landline, or your YubiKey keyfob. This way, even if someone guesses your password, they can’t actually use it unless they also have your phone or whatever with them, and honestly, if they have your phone and can guess your password, you have bigger problems than the security of your WordPress site.