As your blog get’s popular you get a lot of people trying to hack it. Especially if it’s on Amazon Cloud. If you’re running WordPress and not already running Nginx as a reverse proxy, you should. It makes it hella fast and a lot more scalable, especially with Nginx Proxy Cache Integrator. With it, a small Amazon EC2 instance can withstand Techcrunch and Mashable hits—I know because we do it all the time on our corporate blog.

Security-wise, you can move your SSH port, rely on key-based login only, etc. but nothing prevents script kiddies from running a brute-force dictionary attack on your WordPress login page. Even if the attempt is fruitless, it can create unnecessarily load. Rate limit just the login page with Nginx to solve the issue:

http {
   limit_req_zone  $binary_remote_addr  zone=one:10m   rate=5r/m;

   server {
       proxy_cache_valid 200 20m;
       listen       80;
       server_name  site.com www.site.com;

           location ~* wp\-login\.php {
               limit_req   zone=one  burst=1 nodelay;
               proxy_pass http://127.0.0.1:8080;
           }
   }
}

The above limits the user to one login request every 12 seconds and resets every 10 minutes. Note that this does not affect any other website calls. Be sure to use the nodelay flag to send a 503 “Service Temporarily Unavailable” response instead of just slowing down the user’s calls after the limit is reached.