Hey everyone; today we need to tackle a serious topic – security.
Anyone who follows my Twitter account will have seen this tweet:
Well, I did keep an eye on them – they didn’t stop. It’s not clear whether this is an individual, a group or an unattended bot. Either way, they make 2 login attempts, wait a random amount of time, then try 2 more times from a new internet address, which makes them very difficult to track.
Very difficult, but not impossible. Nevertheless, this is a security risk, so I’ve taken steps to button up my website from now on, including but not limited to:
2. Adjustments to plans
Original plans were to use the WooCommerce platform to sell my own goods, both physical and digital. However, due to the sensitive information involved and the ongoing security risk I’ve decided to sell my physical goods via eBay instead. I’m still considering the future of digital goods.
3. Rate limiting
I’ve reconfigured the rate limiting measures, both on the website itself and on the server, to be more aggressive. For example, if you fail to log in too many times you’ll now be blacklisted for 12 hours instead of one.
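To show what a lockout like this looks like in practice, and why the two-attempts-then-new-address pattern described above slips past a purely per-IP blacklist, here is an added example (not code from this site or its server; the log format, thresholds and addresses are all constructed). It replays the same constructed failure records through a lockout tracker keyed once by IP and once by account name, with a 12-hour blacklist matching the setting mentioned in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login records (hypothetical log format, not the
# site's real logs). It mimics the pattern described in the post: two attempts,
# a random pause, then two more attempts from a fresh address.
SAMPLE_LOG = """\
2024-03-01T02:00:00 FAILED user=admin ip=203.0.113.10
2024-03-01T02:00:03 FAILED user=admin ip=203.0.113.10
2024-03-01T02:07:41 FAILED user=admin ip=198.51.100.7
2024-03-01T02:07:45 FAILED user=admin ip=198.51.100.7
2024-03-01T02:13:02 FAILED user=admin ip=192.0.2.99
2024-03-01T02:13:06 FAILED user=admin ip=192.0.2.99
"""

LINE_RE = re.compile(r"^(\S+) FAILED user=(\S+) ip=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, ip) tuples from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


class LockoutTracker:
    """Counts failures per key (an IP or an account) inside a sliding window
    and blacklists the key for `lockout` once `max_failures` is reached."""

    def __init__(self, max_failures=4, window=timedelta(minutes=30),
                 lockout=timedelta(hours=12)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # key -> recent failure timestamps
        self.blocked_until = {}              # key -> datetime the block expires

    def is_blocked(self, key, now):
        until = self.blocked_until.get(key)
        return until is not None and now < until

    def record_failure(self, key, now):
        """Register one failed attempt. Returns True if it triggered a lockout."""
        if self.is_blocked(key, now):
            return False                     # already locked out; nothing to do
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # forget failures outside the window
        if len(q) >= self.max_failures:
            self.blocked_until[key] = now + self.lockout
            q.clear()
            return True
        return False


def replay(text, key_of):
    """Feed every failure to a tracker keyed by `key_of(user, ip)` and return
    the tracker plus the list of (timestamp, key) lockouts it triggered."""
    tracker = LockoutTracker()
    lockouts = []
    for ts, user, ip in parse_failures(text):
        key = key_of(user, ip)
        if tracker.record_failure(key, ts):
            lockouts.append((ts, key))
    return tracker, lockouts


def compare_strategies(text=SAMPLE_LOG):
    """Per-IP lockout versus per-account lockout over the same failures."""
    _, by_ip = replay(text, lambda user, ip: ip)
    _, by_user = replay(text, lambda user, ip: user)
    return {"per_ip_lockouts": len(by_ip), "per_account_lockouts": len(by_user)}


def lockout_window_hours(text=SAMPLE_LOG):
    """Length in hours of the first per-account lockout that was triggered."""
    tracker, lockouts = replay(text, lambda user, ip: user)
    ts, key = lockouts[0]
    return (tracker.blocked_until[key] - ts).total_seconds() / 3600


if __name__ == "__main__":
    print(compare_strategies())        # per-IP: 0 lockouts, per-account: 1
    print(lockout_window_hours())      # 12.0
```

With only two failures from each address, the per-IP tracker never reaches its threshold, while keying on the targeted account locks it after the fourth failure for the full 12 hours. Per-account lockouts have their own cost, since an attacker hammering a known username can keep its legitimate owner locked out, so in practice both keys are tracked together and the account-level response is a forced second factor or a notification rather than a hard block alone.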
4. The RPC API has been blocked
6. Key rotation
Security features like remote command keys, cookie salts & nonces, passwords and more have been rotated as a precautionary measure – meaning any previously logged-in users will be forced to log in again, even if “remember me” was selected.
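The reason rotating cookie salts logs everyone out, “remember me” included, is that a login cookie is only accepted when its signature checks out against the current secret. The following added example (simplified HMAC-signed cookie, not the site's or WordPress's own scheme; the salts and user name are constructed) shows a cookie that verifies before rotation and is rejected afterwards even though it has not expired.

```python
import hashlib
import hmac
import secrets


def sign_cookie(user, expires_at, salt):
    """Build a cookie of the form user|expiry|hmac, keyed by the secret salt."""
    payload = f"{user}|{expires_at}"
    mac = hmac.new(salt, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie, salt, now):
    """Return the user name if the cookie's MAC matches the current salt and it
    has not expired; otherwise None (the session is treated as logged out)."""
    try:
        user, expires_at, mac = cookie.rsplit("|", 2)
    except ValueError:
        return None
    expected = hmac.new(salt, f"{user}|{expires_at}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if now > int(expires_at):
        return None
    return user


def rotation_demo():
    """Issue a long-lived ('remember me') cookie under one salt, then check it
    against a freshly generated salt to show that rotation invalidates it."""
    old_salt = b"constructed-old-salt"       # constructed; real salts are long random secrets
    new_salt = secrets.token_bytes(64)       # a rotated, random replacement
    now = 1_700_000_000                      # constructed Unix timestamp
    cookie = sign_cookie("alice", now + 14 * 86400, old_salt)
    return {
        "valid_before_rotation": verify_cookie(cookie, old_salt, now) == "alice",
        "valid_after_rotation": verify_cookie(cookie, new_salt, now) is not None,
    }


if __name__ == "__main__":
    print(rotation_demo())   # {'valid_before_rotation': True, 'valid_after_rotation': False}
```

Nothing about the cookie itself changes; only the server-side secret does, so every outstanding cookie, however far its expiry is in the future, fails the MAC check on its next request. That is also why rotation is a sound response to a suspected credential leak: it invalidates sessions an attacker may already hold without needing to know which ones they are.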
I apologise for the inconvenience this will cause some users. However, I ask that you bear with me, as security is my priority here. Please stay tuned for my updated plans as they develop. See you next time!