This blog is not hosted by Skype but on WordPress VIP. This means that, most likely, the blog was not broken into using a software exploit of any sort since the security on VIP blogs is professional. Knowing that this is the Syrian Army, this attack was most likely done using phished credentials.
If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data is most likely still in safe hands.
Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.
Also considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first-hand knowledge on that though personally, I'm just saying.
No need to ban an IP address. After x attempts just add y seconds before allowing another login attempt. If you like, lock account with SMS or email to owner after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.
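The per-account throttle described in the comment above (delay after x failures, owner notification after z failures, applied regardless of source address), as an added example that is not part of the thread; `LoginThrottle` and its parameters are hypothetical names, and the SMS/email notification is stood in for by a list.

```python
import time
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Per-account login throttle (hypothetical example code).

    Failures are counted per account, not per IP, so an attacker with
    thousands of addresses gains nothing from spreading attempts out.
    The account is never hard-locked: the owner can still log in after
    the current delay, which avoids the lock-somebody-else-out problem,
    at the cost of the owner also waiting while an attack is under way.
    """
    free_attempts: int = 3        # x: failures allowed before any delay
    base_delay: float = 2.0       # y: seconds added after the x-th failure
    notify_after: int = 10        # z: failures before the owner is notified
    max_delay: float = 300.0      # cap so the owner is never delayed for hours
    _failures: dict = field(default_factory=dict)
    _next_allowed: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)  # stands in for SMS/email

    def delay_for(self, failures: int) -> float:
        """Delay imposed after the given number of consecutive failures."""
        if failures < self.free_attempts:
            return 0.0
        return min(self.base_delay * 2 ** (failures - self.free_attempts),
                   self.max_delay)

    def attempt(self, username: str, password_ok: bool, now: float = None):
        """Record one login attempt; returns (status, seconds_to_wait)."""
        if now is None:
            now = time.time()
        wait_until = self._next_allowed.get(username, 0.0)
        if now < wait_until:
            # Attempt arrived inside the back-off window: reject without
            # even checking the password, so it costs the caller a retry.
            return "too_soon", wait_until - now
        if password_ok:
            self._failures.pop(username, None)
            self._next_allowed.pop(username, None)
            return "ok", 0.0
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        delay = self.delay_for(n)
        self._next_allowed[username] = now + delay
        if n == self.notify_after:
            self.notifications.append(username)  # tell the owner once
        return "denied", delay
```

With the defaults, the first ten failures against one account take about 510 seconds of enforced waiting in total, which is what makes even a short password list impractical to try.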
It does appear to be a brute force or phishing attack. These sort of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/
It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.
WordPress.com offers two-step authentication for all of our users. You can use any application which supports Time-Based One-Time Passwords (TOTP) such as Google Authenticator, Authy, etc. and you can also receive a one time password via SMS.
Just did it on another blog.wordpress.com. How come? On Skype's blog I can access /author/7 or /author/ian but I can't do it on another blog, I get "Oops".
>> Hacked by Syrian Electronic Army.. Stop spying!
Seems a strange message to send to a country that spies on its own citizens (and where apparently the citizens are unable to prevent their own government from doing it to them).
Indeed, and they buy German spying technology products. However I think the logical fallacy you've stepped in is that the Syrian Electronic Army (SEA) doesn't want to get spied on themselves by Skype and Microsoft, maybe. haha :)
But I fully support the message here, I think that spying inside of consumer products is a sign of the abuse of power and monopoly.
I'm not sure why the accent on "Stop using MS, it's spying on you!" is on MS. AFAIK every company is using your data and giving/selling it to the government.
If someone drowns 4 kittens and you only drown 1 kitten, you're still pretty evil. I don't see how "everyone else is doing it" is possibly a valid argument. Obviously 'evil' in this case is based on your definition though, it's not exactly a universal concept.
Microsoft has been moving Skype from its original peer-to-peer architecture to a more centralized system for some time. After the Snowden shitstorm, critics have been implying that the move was NSA-related.
I might be wrong, but wasn't Skype's p2p system used mostly for UDP hole punching? (i.e., the supernodes were used to initiate the connection and then the clients communicated directly with each other.) With the centralized system, do the call contents go through Microsoft's servers now? (This should be pretty easy to prove, shouldn't it? Just check the addresses where your UDP packets are being sent to and received from.) It just seems to me that if anyone wanted to spy on you, forcing someone else to migrate to an entirely new system would be massive overkill: Appelbaum's talk shows there are _plenty_ of better tools available to get to your packets.
EDIT: This really seems like an interesting question: _are_ there any advantages an attacker would have with Skype's centralized system that they wouldn't with their previous p2p system? From what we've seen so far, I think the differences (from an attacker's perspective) are trivial.
Saying recent here isn't logical, because after patching the incident, it's not an incident anymore. But I guess you mean how secure you are with a recent version of WordPress. I think this is a tough question, because WordPress relies to a high degree on external components and plugins. There is probably no single pure WordPress blog, because the original WordPress archive already relies heavily on external dependencies. That's where many of the issues were found, as correctly pointed out by wyck. However, with this reliance on external code, without a WordPress team or at least some software evaluating the code quality or any other metric, you can't be secure. Yeah, we can argue with: "But WordPress is n-times more popular than X." However it still makes WP very vulnerable to attacks. I've cleaned and recovered some hacked commercial WP blogs and shops myself (not installed by me, but by the previous dev). So whatever you believe WP may be, just get over it. There are so many other open-source alternatives that wait for you to be tried out.
Show me an alternative that I can sell to a non-technically minded client with a small business who just wants to blog and put up a youtube feed and do e-commerce and maybe SEO. And oh, they can't ever even know what a terminal is, much less git.
Without exaggerating, I've downloaded almost every CMS on GitHub and Bitbucket and SourceForge and I'm almost done with testing all of them. I think about 15 remain. With all honesty, I cannot say that I'm impressed with any CMS so far. There is just one thing that stood out, with its concept, but it's still only alpha-grade quality, that's: http://parsimony.mobi/
If you're curious what I ended up with, just ping me and I'll share my results, after I've really compared all CMS with each other. Currently I would say that there are about ~10 good quality CMS, with hundreds of miserably coded ones. That is a good benchmark for how good developers are in the real world, I mean there is only so much space at the top of the iceberg. Not everybody can excel with every project they start (well, except people like Fabrice Bellard).
I've not compared Typo3, Alfresco and other enterprise CMS, because even when they come with all features loaded, they suck at code complexity and user friendliness.
You can't tell me that Wordpress is the only blogging platform that fits to all of your requirements, because there are thousands of CMS out there and you'll spend weeks testing all of them.
I'm not actually a WordPress fanboy by any means (though it does pay the bills) - for my own personal use I'm setting my site up in Slim Framework. Professionally, though, I've found that if someone wants to blog or do "e-commerce", talking them out of WordPress (and into something they're still willing to pay for) is a difficult thing to do.
Why should the client know git or anything else if you are the one who has to set up the blog for him/her? Or are you working only with clients who know HTML, CSS, FTP etc. so they could do the work themselves but are just being lazy and paying you instead?
I think they don't want to be intimidated by complexity and don't want to have to pay someone more to deal with it for them in the future. Typically they want to be able to administrate the site themselves, and they can do that through web forms easily enough.
I doubt the purported "insecurity" of WordPress has anything to do with this. Given that they simultaneously defaced a multitude of social media outlets for Skype, it seems fairly likely that they phished or compromised someone who managed social media accounts.