Securing WordPress in 2014

I thought I would share some of the WordPress plugins I use to protect my blog. I tend to lean towards smaller, single purpose plugins vs. the large security plugins that claim to support every security “feature” you can think of.

  • Akismet – The best comment spam flighted out there and it benefits in real time from all of the different WordPress sites contributing information on the latest spam attacks.
  • Bad Behavior – This helps protect WordPress from obvious bots and traffic originating from suspicious IPs. Almost like an intelligent firewall.
  • Limit Login Attempts – This blocks those who are trying to login to your WordPress instance by guessing a correct username and password. This plugin hasn’t been updated in two years, but seems to still work quite fine. I set a very low threshold to get blocked and make sure that IP stays blocked for a very long time.
  • Stop User Enumeration – Especially in the past year, I started seeing many login attempts (thanks to Limit Login Attempts) that used the correct username to login to my blog. After some investigation, I found this plugin that blocks a particular way that WordPress leaks the username of a blog.

There are other techniques I use, but I won’t share them for now since I’m still tweaking them.