I’ve been fine-tuning things on the site for the last couple weeks, particularly security-related stuff as WordPress remains under constant threat of l33t h4x0rs. Here’s a screenshot from a recent report of attempted activity on the site:
I found this to be kind of amusing – Turkey’s at the top of the list, and when this site was hacked back in late 2009-early 2010, the person who defaced it put up some text that was in Turkish. Not saying it’s the same person now, because it probably isn’t; just a funny coincidence.
Another thing the security software is reporting is all the failed login attempts:
The interesting thing about these logs is that they show what people are trying, and I’m going to hazard a guess that people try these because they’ve worked in the past. So that should be a clear warning not to use usernames like Admin, demo, test, or whatever name your posts publicly show as having been written by. (The attempts using my name are interesting in that they only just started today, even though all the posts on this site since the revival nearly two months ago have been under the same name.)
Of course, having 2FA is more important than obscuring your username; even if the username gets out, without the security token, you aren’t getting in via the front door anyway.
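As an added example (not from this post or from the security plugin it mentions), the check below cross-references failed-login guesses against the site's real logins and public bylines, and reports whether each targeted account has 2FA and when the guessing first started. The log records, account names and 2FA flags are constructed for illustration, and case-insensitive name matching is an assumption.

```python
from collections import defaultdict

# Constructed records (timestamp, source IP, attempted username); the post
# shows no log format, so this layout is an assumption.
FAILED_LOGINS = [
    ("2024-05-01T03:12:09", "203.0.113.7", "Admin"),
    ("2024-05-01T03:12:11", "203.0.113.7", "demo"),
    ("2024-05-02T14:40:00", "198.51.100.23", "test"),
    ("2024-05-03T06:05:41", "203.0.113.7", "Test"),
    ("2024-05-09T08:01:30", "192.0.2.55", "Jane Author"),
    ("2024-05-09T09:15:00", "203.0.113.7", "jane author"),
]
# Constructed accounts: login name, public byline, 2FA enrolled or not.
ACCOUNTS = [
    {"login": "jauthor", "display": "Jane Author", "two_factor": True},
    {"login": "test", "display": "Staging Tester", "two_factor": False},
]

def audit(failed_logins, accounts):
    """Return guessed usernames that match a real login or a public byline."""
    by_login = {a["login"].lower(): a for a in accounts}
    by_display = {a["display"].lower(): a for a in accounts}
    stats = defaultdict(lambda: {"attempts": 0, "ips": set(), "first": None})
    for ts, ip, name in failed_logins:
        s = stats[name.strip().lower()]  # assumption: names compare case-insensitively
        s["attempts"] += 1
        s["ips"].add(ip)
        # ISO 8601 strings in one format sort chronologically as text.
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
    findings = []
    for guess, s in stats.items():
        account, matched = by_login.get(guess), "login"
        if account is None:
            account, matched = by_display.get(guess), "display-name"
        if account is None:
            continue  # the guess corresponds to nothing on this site
        findings.append({
            "guess": guess, "matched": matched, "login": account["login"],
            "two_factor": account["two_factor"], "attempts": s["attempts"],
            "distinct_ips": len(s["ips"]), "first_seen": s["first"][:10],
        })
    # Worst first: a real login without 2FA, then real logins, then byline guesses.
    findings.sort(key=lambda f: (f["matched"] != "login", f["two_factor"], f["guess"]))
    return findings

if __name__ == "__main__":
    for finding in audit(FAILED_LOGINS, ACCOUNTS):
        print(finding)
```

A "login" match without 2FA is the case to fix first; a "display-name" match means the byline is being guessed but differs from the actual login.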
This place isn’t exactly Fort Knox either though; I’m sure WordPress has a vulnerability in some spot or another that someone can take advantage of. In that event, I’ll just have to make sure the database is backed up. It won’t do to have to put this site back together again.