WordPress All in One WP Security and Firewall Plugin Tutorial
Security is one of the important factors in running a WordPress site. Fortunately, there are many free and paid services available to protect your site and safeguard it from hackers and malicious attacks. In this article we discuss protecting your WordPress site with the All in One WP Security and Firewall plugin.
Why All in One WP Security & Firewall Plugin?
There are many popular security plugins available, but “All in One WP Security & Firewall” is the only plugin that offers most of the needed features completely free of charge.
- The plugin has more than 400k active installs.
- Updated regularly and compatible with the latest WordPress version.
- Almost 5 star rating from more than 450 users.
- Decent online support on the forum.
Installing and Activating Plugin
Navigate to “Plugins > Add New” section on your WordPress admin dashboard and search for “All in one WP Security” to find the plugin.
Once the plugin is installed and activated, it will create a menu item named “WP Security”. It has exhaustive options under different categories to protect your WordPress site.
- User Accounts
- User Login
- User Registration
- Database Security
- Filesystem Security
- WHOIS Lookup
- Blacklist Manager
- Brute Force
- SPAM Prevention
How Does it Work?
The plugin works on a point scale system and awards points for each security setting. The points add up to 470 in total, and the more points you have, the more secure your WordPress site is. Most of the options can be enabled with a mouse click by ticking the check boxes. You can click on the “More Info” box to view more detailed information and examples for that option.
Precautions Before Enabling Any Options
Though security is important and the plugin will tempt you to increase the score on the strength meter, each setting may adversely affect your site’s accessibility. There is also a possibility of conflicts with other plugins, and of locking out your own IP if an option is wrongly enabled. It is highly recommended to prepare the following before enabling any security setting:
- Back up the whole site and the database.
- As the plugin creates entries in the .htaccess file, backing up the .htaccess file will help to restore the original settings.
- Back up the wp-config.php file.
- Ensure you have FTP access to your hosting server. This will help you replace the files in an emergency.
In summary, back up all your site content and enable only the security options you require. It is also recommended to verify the site’s accessibility after enabling the firewall, user registration approval and other functions.
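The precautions above can be scripted so they are done the same way every time. The following is an added example written for this article, not code from the plugin or from the original tutorial. It assumes the first argument is the WordPress root directory and, as an assumption, places the backup in a timestamped directory next to the web root so the copies are never served over HTTP. The database dump reads the credentials wp-config.php already contains rather than asking you to type them.

```shell
#!/bin/sh
# Added example (not code from the article or from the AIOWPS plugin): back up
# the files the precautions above name before any option is enabled.
# Assumptions: $1 is the WordPress root; the backup directory defaults to a
# timestamped sibling of the web root so the copies are not reachable by URL.

# Extract a define('NAME', 'value') constant from wp-config.php.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name such as DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Copy .htaccess and wp-config.php (the two files the plugin rewrites) into
# the backup directory. Prints the directory; returns 1 on a copy failure.
backup_wp_files() {
    wp_root=$1
    dest=${2:-"$wp_root/../wp-backup-$(date +%Y%m%d-%H%M%S)"}
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"                       # wp-config.php holds DB credentials
    for f in .htaccess wp-config.php; do
        if [ -f "$wp_root/$f" ]; then
            cp -p "$wp_root/$f" "$dest/$f.bak" || return 1
        else
            echo "warning: $wp_root/$f not found, nothing to back up" >&2
        fi
    done
    echo "$dest"
}

# Dump the database with the credentials from wp-config.php, passing the
# password through MYSQL_PWD so it never appears on the command line.
backup_wp_db() {
    wp_root=$1
    dest=$2
    cfg="$wp_root/wp-config.php"
    command -v mysqldump >/dev/null 2>&1 || {
        echo "mysqldump not installed; export the database from phpMyAdmin instead" >&2
        return 1
    }
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" > "$dest/database.sql" || return 1
    chmod 600 "$dest/database.sql"
    echo "$dest/database.sql"
}

# Usage: sh backup-before-aiowps.sh /var/www/html [/path/to/backup-dir]
if [ "$#" -gt 0 ]; then
    dir=$(backup_wp_files "$1" "$2") || exit 1
    backup_wp_db "$1" "$dir"
    echo "backup written to $dir"
fi
```

Keep the backup directory outside the document root and readable only by your own account, because both wp-config.php and the SQL dump contain the database password. If DB_HOST in your wp-config.php carries a port or socket suffix, adjust the mysqldump arguments accordingly.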
The dashboard shows the strength meter indicating the security points of your site. The points are also shown in a breakdown chart indicating the weighting and distribution among options.
There are options you can enable directly from the dashboard, like maintenance mode, disabling the “admin” username, enabling the basic firewall, etc. We recommend NOT enabling any settings directly on the dashboard. Go to the individual settings page and enable an option only if it is required.
Below are the other details available on the dashboard tab:
- System Info – shows the complete details of your WordPress installation, the PHP version and the active plugins.
- Locked IP Addresses – shows the list of locked IP addresses if the option is enabled under “User Login” tab.
- Permanent Block List – shows the list of IP addresses blocked permanently due to comment spam. The option can be enabled under “SPAM Prevention > Comment SPAM IP Monitoring”.
- AIOWPS Logs – you can view the security log files of the plugin here.
The “Settings” tab offers backup and high-level options like importing/exporting all settings of the plugin.
- General Settings – here you can disable all security features and firewall settings of the plugin in one click. This will be required when your site is broken due to the plugin’s settings. You can also enable / disable the debug option for the plugin.
- .htaccess File – as mentioned in the precautions section above, it is highly recommended to back up the .htaccess file before you enable any security and firewall settings. You can also restore the .htaccess file from your backup.
- wp-config.php File – similar to the .htaccess file, under this tab you can back up and restore the wp-config.php file.
- WP Version Info – WordPress automatically generates the version number and shows it on each page using a meta tag. Showing the version number is not an issue when you use the latest WordPress version. But if you are not updating to the latest version and are running an old one, hackers can easily target your site by finding the version number. You can hide the version under this tab.
- Import / Export – Import or export the entire plugin settings.
You have three options under the user accounts section.
- WP Username – here you can change any user with the login name “admin” to the desired name.
- Display Name – check the list of users with identical login and display names. Generally it is not recommended to have the same display and login name, to avoid hackers guessing the login name. This is not an important setting, since it is very easy to find the login name just by checking the post author.
- Password – check the strength of your password; the meter will show you how much time it would take a hacker to guess your password.
The user login section controls how users log in to your site with the following settings:
- Login Lockdown – lock the user out after a certain number of unsuccessful attempts. This feature helps to stop bots and sends an email notification when a user id is locked.
- Failed Login Records – view the failed login attempts along with IP address and username.
- Force Logout – enable this option to force logout of all users after a certain amount of time.
- Account Activity Logs – view the last 50 user ids logged into your site.
- Logged In Users – view the users currently logged into your site.
Under this section you can enable manual approval of users registering on your site and add a captcha to the default WordPress registration form. When you have an ecommerce plugin for selling items on your site with user registration, enabling this feature will stop actual customers, as they will not be able to register automatically. Hence, do not enable this when you need automatic registration for any other purpose.
By default WordPress adds the prefix “wp_” to all your database tables. Under this section you can change the default to a random prefix, which will increase the security of your site. You can also schedule a database backup at a periodic interval and receive the backup by email.
As far as we have checked, the email function does not seem to work with this plugin. Hence, do not rely on this plugin for backup; there are many other dedicated backup solutions available for WordPress.
You have the following four options under the filesystem security section.
- File Permissions – check that all files and folders of your WordPress installation have the necessary read / write permissions and set the correct permission.
- PHP File Editing – disable file editing from the dashboard. This option removes the “Editor” menu used to edit theme and plugin files directly from the dashboard.
- WP File Access – hackers can get more information about your WordPress installation from the readme.html, license.txt and wp-config-sample.php files. Enabling this option disables direct access to these files.
- Host System Logs – view the error log file of your hosting server.
Though WHOIS lookup is not a security feature, it lets you look up the details of an IP address or domain name within the admin dashboard.
Block IP addresses and user agents from accessing your site. The IP address can be entered using wildcards like 195.*.*.* or 195.47.*.*. The user agent section works only with plain words; if the user agent name contains a backslash (\), the plugin does not seem to work.
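The wildcard notation above maps directly onto network ranges, and it helps to know what an entry like 195.47.*.* actually blocks before you save it. The following added example (written for this article, not the plugin's own code) converts the wildcard form into CIDR and prints the equivalent Apache 2.4 "Require not ip" block, so you can read or verify what ends up in .htaccess. The plugin's own generated rules may use a different syntax; this only shows the equivalent range.

```shell
#!/bin/sh
# Added example (not code from the article or the plugin): translate the
# Blacklist Manager's wildcard notation (195.*.*.* or 195.47.*.*) into CIDR
# form and into an equivalent Apache 2.4 deny block.

# Convert "195.47.*.*" to "195.47.0.0/16". Wildcards must be trailing octets.
# Returns 1 with a message on stderr for malformed input.
wildcard_to_cidr() {
    ip=$1
    set -f                      # "*" octets must not be glob-expanded
    oldIFS=$IFS; IFS=.
    set -- $ip
    IFS=$oldIFS
    set +f
    [ "$#" -eq 4 ] || { echo "expected four octets: $ip" >&2; return 1; }
    bits=0; out=""; seen_star=0
    for oct in "$@"; do
        if [ "$oct" = "*" ]; then
            seen_star=1
            out="$out${out:+.}0"
        else
            [ "$seen_star" -eq 0 ] || { echo "wildcards must be trailing: $ip" >&2; return 1; }
            case "$oct" in
                ''|*[!0-9]*) echo "invalid octet '$oct' in $ip" >&2; return 1 ;;
            esac
            [ "$oct" -le 255 ] || { echo "octet out of range in $ip" >&2; return 1; }
            bits=$((bits + 8))
            out="$out${out:+.}$oct"
        fi
    done
    echo "$out/$bits"
}

# Emit an Apache 2.4 block that denies each listed address pattern.
htaccess_deny_block() {
    echo "<RequireAll>"
    echo "    Require all granted"
    for pattern in "$@"; do
        cidr=$(wildcard_to_cidr "$pattern") || return 1
        echo "    Require not ip $cidr"
    done
    echo "</RequireAll>"
}

# Usage: sh blacklist-to-cidr.sh '195.*.*.*' '195.47.*.*'
if [ "$#" -gt 0 ]; then
    htaccess_deny_block "$@"
fi
```

Quote the patterns on the command line so the shell does not expand the asterisks. A single leading octet such as 195.*.*.* is a /8, which is over 16 million addresses; check the size of the range before blocking it, since one abusive address rarely justifies a block that wide.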
The firewall section is the one you need to enable carefully, checking whether it affects your site’s accessibility. Check out our separate detailed article on using the firewall options of the AIOWPS plugin.
Brute force is a method of trying to access password-protected pages by trial and error. The AIOWPS plugin has multiple options to stop brute force attacks on your WordPress site. We have a detailed article explaining how to stop brute force attacks using the AIOWPS and Jetpack plugins.
The AIOWPS plugin helps to stop spam comments submitted by bots and allows you to add a captcha to the comments form. Learn more about preventing comment spam with the AIOWPS plugin.
You have two options under this section – one is free to use and the other is a paid add-on.
- File Change Detection – enable an automatic file change detection scan for your site, with the list of file extensions to be checked and the directories to be excluded.
- Malware Scan – this is a paid add-on from a third-party site that scans your site for malware.
Enable maintenance mode when your site is taken down for maintenance and is not accessible to users. Ideally there is no relation between maintenance mode and security, unless your site is already compromised and you want to keep users away from the content.
- Copy Protection – disable right-clicking on your site so that users will not be able to copy the content.
- Frame – prevent other sites from displaying your content within a frame.
- Users Enumeration – disable accessing author details directly using a link like “yoursite.com/?author=name”. When enabled, the plugin returns an error if someone tries to get author details this way from the browser address bar.
Uninstalling AIOWPS Plugin
Installing this plugin adds a backup directory and multiple MySQL tables. Hence just uninstalling and deleting the plugin will NOT completely remove the plugin’s files from your site. The best way is to follow the step by step process below:
- Disable all security and firewall settings under “WP Security > Settings > General Settings”.
- Uninstall the plugin from dashboard.
- Delete the plugin files from dashboard.
- Connect to your hosting server through FTP and delete the backup files stored by the plugin.
- Open “phpMyAdmin” from your “cPanel” and delete the plugin tables from your site’s database.
If you have any problem in accessing your site, then try restoring “.htaccess” and “wp-config.php” files from the backup before the plugin installation.