Default Plugins
The CreateFSU template has pre-loaded plugins that help to make your site more secure. Some plugins are required to be installed and active at all times, while others are optional but recommended. The optional plugins are installed, but not activated or configured on installation. Read on to learn more about the plugins that are preconfigured with the WordPress Template.
Limit Login Attempts Reloaded
Status: Required
This plugin will block an IP address after a certain number of failed login attempts. This will protect your site from brute force attacks, in which unauthorized users attempt to access your site through repeated login attempts.
You may change the notification settings on this plugin and the number of failed login attempts allowed before a lockout, but the plugin must remain active for security purposes.
WPS Hide Login
Status: Required
FSU ITS policy dictates that FSU WordPress cannot have public-facing login pages at /wp-admin/. WPS Hide Login moves the location of your login page. This plugin is automatically configured, but you may move the login page to any location you choose.
Disable XML-RPC
Status: Optional
Limit Login Attempts and WPS Hide Login work together to prevent brute force attacks. Even with WPS Hide Login enabled, there are other ways for unauthorized users to attempt a brute force attack. XML-RPC is another method for logging in without using a typical login page. Disabling XML-RPC will prevent brute force attackers from using this method to access your site.
We do not enable the Disable XML-RPC plugin by default because certain commonly-used plugins, such as JetPack, make use of XML-RPC. The WordPress mobile app also uses it for authentication. If you find you are still receiving multiple login attempts even with WPS Hide Login enabled, you may want to consider enabling this plugin as well.
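To see whether the login attempts you are still receiving arrive through XML-RPC before you activate Disable XML-RPC, you can count POST requests to /xmlrpc.php per client in your site's access log. The script below is an added example, not part of the CreateFSU template; it assumes the log uses the Combined Log Format, and the sample lines, function names and threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "ExampleClient/1.0"
203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "ExampleClient/1.0"
203.0.113.7 - - [01/Mar/2024:10:00:03 +0000] "POST /xmlrpc.php?x=1 HTTP/1.1" 200 403 "-" "ExampleClient/1.0"
203.0.113.7 - - [01/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "ExampleClient/1.0"
203.0.113.7 - - [01/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "ExampleClient/1.0"
198.51.100.20 - - [01/Mar/2024:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 871 "-" "ExampleMobileApp/2.0"
198.51.100.20 - - [01/Mar/2024:10:05:09 +0000] "GET / HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
this line is malformed and is skipped
"""


def count_posts(lines, path="/xmlrpc.php"):
    """Return a Counter of client IP -> number of POST requests to `path`."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-POST requests
        # Compare the path without any query string.
        if m["path"].split("?", 1)[0] == path:
            hits[m["ip"]] += 1
    return hits


def noisy_clients(lines, path="/xmlrpc.php", threshold=3):
    """Return (ip, count) pairs at or above `threshold`, busiest first.

    A few POSTs from one address can be legitimate (JetPack, the WordPress
    mobile app); a steady stream from one address is the pattern to look for.
    """
    counts = count_posts(lines, path)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in noisy_clients(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} POST requests to /xmlrpc.php")
```

To run it against your own site, read the lines from your access log file in place of `SAMPLE_LOG`.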
Akismet Anti-Spam: Spam Protection
Status: Optional
If you intend to have open comments and discussion on your WordPress site, you may want to consider configuring Akismet, which helps you manage and easily delete spam comments. We go into more detail on how to enable and configure Akismet in our article on managing spam.