Starting on Black Friday and going solid through Cyber Monday (after which it slowed only a little), my blog has been getting hit by a distributed brute-force password attack. All weekend, I would get pings that WordPress had blocked yet another IP address, and I couldn’t help but be of two minds. On the one hand, I had to laugh a little – over two hundred IP addresses had been blocked, and I don’t believe they would be able to brute force a 150-bit password with four guesses each. On the other hand, it’s not the IP addresses that are blocked that you have to worry about; it’s the ones that weren’t and succeeded, or, worse, exploited some other vulnerability. Were the brute-force password attempts just a distraction?
This gives rise to the question, “are my security measures enough?” Since I was thinking about them anyway, I went ahead and took the time to upgrade a few things that were lacking, and took a hard look at some of the other things I could do.