17 Comments

  1. Eric J

    Site owners who want to make this a requirement can use a plugin like Force Strong Passwords for extra security.

    Thanks for the tip on the plugin!

  2. Travis

    It’s virtually impossible to eliminate the human factor in poor password selection or the practice of using the same password for multiple online services.

    https://wordpress.org/plugins/wp-google-authenticator/

  3. Bjørn Johansen

    If they had used two factor authentication, the weak password would have been a non-issue.

  4. Frank Chisom

    Wow… This is quite interesting. It is a good thing that these particular hackers had no malicious intent. It could have turned out very badly. I like iThemes Security; they are quite good. The problem is most members on membership sites do not care much to create strong passwords, and that causes issues for the site admins. I guess that’s where plugins such as Force Strong Passwords come in handy.

  5. Amgine

    Is there a fail2ban implementation?

  6. John

    SMS-based two-factor authentication will soon be banned:
    http://www.cnet.com/news/nist-set-to-ban-sms-based-two-factor-authentication/

  7. Tyrone

    Damn, I’m glad TechCrunch is still doing fine though. This is another great warning for us regular site owners to beef up our security features.

  8. Christie

    I usually check my passwords with http://www.passwordmeter.com/ or something similar.

  9. Adam

    I’m surprised a site such as TechCrunch didn’t have more parameters in place, they must get thousands of brute force attempts every day so surely a simple noCaptcha reCAPTCHA at least should have been implemented.

    • Ryan Hellyer

      That would only work if it were a brute force attempt. I don’t think there has been any hint that may have occurred here, just that a weak password was at fault.

  10. Ed

    Just install the Human Weak Password plugin. If you create a weak password a hand reaches out of your computer monitor and bitch slaps you. ha ha ha.

  11. Summer

    Something like this happening is why I prefer not to give contributors full accounts but use the Co-Authors plugin instead, especially if they aren’t tech savvy or would be just occasional or only one-time contributors (like guest posts from authors promoting their novels, or guest reviews or something).

    Still need to crack the whip on the folks with regular accounts… probably sooner rather than later :)

  12. Steven Gliebe

    Should WordPress core limit login attempts itself? Every account system should have this in place.
