Securing WordPress in 2014

I thought I would share some of the WordPress plugins I use to protect my blog. I tend to lean towards smaller, single purpose plugins vs. the large security plugins that claim to support every security “feature” you can think of.

  • Akismet – The best comment spam fighter out there; it benefits in real time from all of the different WordPress sites contributing information on the latest spam attacks.
  • Bad Behavior – This helps protect WordPress from obvious bots and traffic originating from suspicious IPs. Almost like an intelligent firewall.
  • Limit Login Attempts – This blocks those who are trying to log in to your WordPress instance by guessing a correct username and password. This plugin hasn’t been updated in two years, but it still seems to work fine. I set a very low threshold for getting blocked and make sure that IP stays blocked for a very long time.
  • Stop User Enumeration – Especially in the past year, I started seeing many login attempts (thanks to Limit Login Attempts) that used the correct username to log in to my blog. After some investigation, I found this plugin that blocks a particular way that WordPress leaks the username of a blog.
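As an added example (not code from any of the plugins above, nor from this post’s author), here is a small Python script that scans Apache combined-format access-log lines for the two stages the last two plugins deal with: the author-ID probe, where WordPress answers `/?author=N` with a redirect to `/author/<username>/` (I assume this is the username leak the post refers to), and the password guessing against `wp-login.php` that usually follows once a valid username is known. The log lines, IP addresses and the lockout threshold of three failures are constructed for the example; a failed login is counted when WordPress re-renders the login form with a 200, since a successful login answers with a 302 redirect.

```python
# Added example: detect author-ID enumeration probes and login brute force in
# Apache combined access-log lines, then decide which IPs a low-threshold
# lockout would block. Illustrative detection logic, not any plugin's code.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The probe: WordPress redirects /?author=N to /author/<username>/, which
# hands the attacker a valid login name one ID at a time.
AUTHOR_PROBE_RE = re.compile(r'[?&]author=\d+')

# Constructed sample log (not captured from a real server). 203.0.113.7
# enumerates a user, follows the redirect, then guesses passwords four times;
# 198.51.100.4 mistypes once and then logs in; 192.0.2.33 just reads a post.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2014:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2014:10:00:02 +0000] "GET /author/admin/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2014:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2014:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2014:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2014:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2014:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jan/2014:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [03/Jan/2014:10:07:00 +0000] "GET /2014/01/hello-world/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def author_probes(entries):
    """Requests that ask WordPress for a user by numeric author ID."""
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "GET" and AUTHOR_PROBE_RE.search(e["path"])]


def failed_logins(entries):
    """Count failed logins per IP. A bad password re-renders the form (200);
    a successful login is a 302 redirect into wp-admin, so it is not counted."""
    counts = Counter()
    for e in entries:
        if (e["method"] == "POST" and e["path"].startswith("/wp-login.php")
                and e["status"] == "200"):
            counts[e["ip"]] += 1
    return counts


def analyze(log_text, threshold=3):
    """Summarise probes, per-IP failure counts and which IPs cross the lockout threshold."""
    entries = parse_log(log_text)
    fails = failed_logins(entries)
    return {
        "author_probes": author_probes(entries),
        "failed_logins": dict(fails),
        "blocked": sorted(ip for ip, n in fails.items() if n >= threshold),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path in result["author_probes"]:
        print(f"enumeration probe from {ip}: {path}")
    for ip in result["blocked"]:
        print(f"block {ip}: {result['failed_logins'][ip]} failed logins")
```

Limit Login Attempts keeps its own counters inside WordPress; reconstructing the same picture from the web server log, as above, is a quick way to check after the fact that the threshold you chose actually catches the guessing you see, and to confirm that the `?author=` probes stop reaching the application once the enumeration block is in place.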

There are other techniques I use, but I won’t share them for now since I’m still tweaking them.

Virtual machines

A big benefit of having 250GB of hard drive space? Being able to install and enjoy using virtual machines.

I just installed a trial of VMware Fusion and plan on installing both Windows XP and Ubuntu virtual machines on my MacBook. That should help me test or use just about any software out there.

I also would like to get a Windows Server 2003 (or maybe 2008?) virtual machine going, so I can practice my Microsoft skills. But getting a legal license for that is probably going to be too pricey.

Akismet – The Solution to Blog Spam?

Matt, the famous creator of WordPress, has announced a new way to prevent blog spam called Akismet.

It sounds like every comment on a blog is sent to a central server, checked to make sure it isn’t spam, and then either rejected or approved. The idea sounds really interesting and worth trying out, so I just installed it here. Combined with Bad Behavior (which is still needed according to its author), this should be very interesting to watch.