Password Strength Doesn’t Matter if a Hacker Knows The Password Because It Was Compromised Through Malware
This past week there was a spate of security stories claiming a high-profile attack had occurred because of a weak password. Take the headline of an Ars Technica story by Dan Goodin, ‘A “ridiculously weak” password causes disaster for Spain’s No. 2 mobile carrier.’ When it comes to WordPress websites, as well as other systems, weak passwords are a real threat, as attackers do try to log in using common passwords, in what are known as dictionary attacks. But password strength only matters if someone is trying to guess a password, and that isn’t what happened in that attack.
If you read through to the fourth paragraph of the story, you find out that the password is claimed not to have been guessed; instead, it was compromised through malware:
In a post, the security firm said the username and “ridiculously weak” password were harvested by information-stealing malware that had been installed on an Orange computer since September.
The attacker had already claimed that was indeed the source of the information the day before Ars Technica’s story ran.
Having a stronger password wouldn’t matter, since it would have been compromised as well. And yet, these stories were claiming the weak password caused this.
What this highlights is a fundamental problem with trying to improve security, whether of WordPress websites or more generally: the lack of concern for even basic accuracy in most security journalism. This isn’t because untrained bloggers are doing the reporting. Here is part of the bio for the author of Ars Technica’s story:
A journalist with more than 25 years experience, he has been chronicling the exploits of white-hat, grey-hat and black-hat hackers since 2005 as a reporter for the Associated Press and later, The Register. He has a Bachelors Degree in English from the University of Massachusetts and a Masters of Journalism from UC Berkeley.
Without understanding what is actually going wrong with security, fixes for the problems are unlikely to happen. In fact, things can actually get worse. Take the false claim, repeated over and over, that there are many brute force attacks against WordPress admin passwords. That has led many websites to use security plugins to protect against the threat, plenty of which have had serious security vulnerabilities of their own. It is obviously a bad trade to implement unneeded security and introduce a new vulnerability in the process.
The problem with journalism could be significantly mitigated for the WordPress community by WordPress itself, if steps were taken to provide accurate information, but that is often lacking. WordPress could, for example, add a notice that brute force attacks are not happening to the listing of any security plugin claiming to offer protection against them. They haven’t. That seems less likely to happen when companies sponsoring members of the Plugin Directory team are among those falsely claiming this type of attack is happening.
Best Practices for WordPress Websites
Using a strong password for WordPress admin accounts is important. It is also important not to use that password on other websites, in case one of them is compromised in a way that allows an attacker to determine the password.
While two-factor authentication (or multi-factor authentication) could provide some value, an attacker has to have your username and password for it to come into play, which they normally wouldn’t have. As this situation shows, an attacker could have your username and password due to malware on your computer. If there is malware on your computer, then you have a larger problem, and two-factor authentication can’t resolve that. The solution is to protect against malware.