On July 26, TechCrunch, a popular WordPress-based technology business blog, was compromised by OurMine, a team of hackers responsible for a series of attacks targeting high-profile individuals and sites. The attackers accessed a user account and published a blog post announcing that TechCrunch’s security had been breached. In this case, the attackers were relatively benign; their aim was to advertise their security services rather than cause serious mischief, but there are lessons to be learned by publishers.
It appears the attack didn’t leverage a vulnerability in WordPress itself or a brute-force attack against user accounts. Instead, the attackers discovered that one of TechCrunch’s writers had used the same password on a number of different sites.
Presumably, OurMine were able to compromise one of those sites, discover the password, and use it to log into the writer’s account, giving them the access they needed to publish an article. When the article was published, posts were also automatically distributed on TechCrunch’s social media networks.
It’s impossible to maintain a secure password-based authentication system if users refuse to adhere to best practices. Even a long and random password is vulnerable to discovery if it’s used on lots of other sites. All it takes is for the same password to be used on an obscure forum with a known vulnerability.
Two-factor authentication can help protect WordPress sites from this class of attack. Requiring users to prove both knowledge of a password and possession of an enrolled device means an attacker can be denied access even after discovering the password.
There are several two-factor authentication plugins available for WordPress, of which Authy, Duo Security, and Google Authenticator are the best known.
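To show concretely why a second factor blocks a password-reuse attack, here is an added example (not code from the original post or from any of the plugins named above) that implements the time-based one-time password scheme of RFC 6238, which Google Authenticator and similar apps use, with the Python standard library only. The user record, the password "reused-everywhere" and the enrolment secret are constructed for the demonstration; a real WordPress plugin would hold these in the database. The login check accepts a request only when both the password hash and the current six-digit code match, so a leaked password on its own fails.

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the HOTP counter is the current 30 s window."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the code for the current window plus/minus `window` steps of clock drift.
    Comparison is constant-time so timing does not leak how many digits matched."""
    counter = int(now // 30)
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; the work factor is kept small only to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record standing in for a row in the site's user table.
# The TOTP secret is the base32 string the user would have scanned as a QR code at enrolment.
_SALT = os.urandom(16)
USERS = {
    "writer": {
        "salt": _SALT,
        "password_hash": hash_password("reused-everywhere", _SALT),
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),
    }
}


def login(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass: the password (something known) and the TOTP code
    (something possessed). A password learned from another site's breach is not enough."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    secret = USERS["writer"]["totp_secret"]
    t = time.time()
    print("with both factors:", login("writer", "reused-everywhere", totp(secret, t), t))
    print("leaked password only:", login("writer", "reused-everywhere", "000000", t))
```

The drift window of one step on either side is what most authenticator-backed plugins allow; widening it makes an intercepted code usable for longer, so keep it small and, in production, also record the last accepted counter so a code cannot be replayed within its window.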
Even with TFA, there’s no substitute for user education. Anyone with access to a high-profile publisher’s website should understand the following:
- How to create secure passwords.
- How to use a password locker like LastPass or 1Password.
- Why they shouldn’t use the same password on multiple sites.
Force Secure Passwords
Unfortunately, many users understand the above advice perfectly well, but ignore it anyway. Having a theoretical understanding of password security is not the same as comprehending the risks. Users think it won’t happen to them.
That’s why it’s often necessary to force users to choose secure passwords. Recent versions of WordPress do a good job of guiding users toward secure password choices, but users can still ignore that guidance.
To ensure that users can’t take the easy path, use a plugin like Force Strong Passwords.
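As an added illustration of what a plugin like Force Strong Passwords enforces on the server side (this is example code, not the plugin's own implementation), the function below rejects a proposed password unless it meets a minimum length, mixes character classes, does not contain the user's login name, and does not appear in a denylist of leaked passwords. The denylist here is a small constructed sample; a real deployment would check against a large breached-password corpus. Returning the list of violations rather than a bare boolean lets the registration form tell the user exactly what to fix.

```python
import re
import string

# Constructed sample of passwords known to appear in public credential dumps.
# In production this would be a large corpus or a k-anonymity range lookup.
LEAKED_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome1", "techcrunch", "wordpress", "admin123",
}

MIN_LENGTH = 12


def password_violations(password: str, username: str) -> list:
    """Return every policy rule the password breaks (empty list means it is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")

    # Strip digits and symbols before the denylist check so "Password1!" still
    # matches the leaked entry "password".
    stem = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in LEAKED_PASSWORDS or stem in LEAKED_PASSWORDS:
        problems.append("appears in a list of leaked passwords")

    if username and username.lower() in password.lower():
        problems.append("contains the user name")

    return problems


def is_acceptable(password: str, username: str) -> bool:
    return not password_violations(password, username)


if __name__ == "__main__":
    for candidate in ["Password1!", "writer-2016-Secret", "c0rrect-H0rse-batt3ry!"]:
        print(candidate, "->", password_violations(candidate, "writer") or "ok")
```

The denylist check is the piece that addresses the lesson of this incident: a password that survives length and complexity rules is still worthless once it has been exposed through another site's breach.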
The attack against TechCrunch was a marketing stunt, but it could have been much more serious. Had OurMine wanted, they may have been able to breach an admin account and plant malware on the site, or publish news that impacted the stock price of a technology company.
High-profile publishers have a responsibility to ensure that their sites are protected — the consequences of a successful attack could have repercussions well beyond embarrassment.