WordPress Security

Latest WordPress Security Techniques For 2020. Learn how to harden your WordPress site against the most common attacks.


The All In One WP Security and Firewall plugin bundles most of the recommended WordPress hardening steps into one place. In fact, we have used it on many of our clients' sites whose owners were particularly concerned about the security of their website.

The plugin offers the currently recommended WordPress security practices and advanced techniques as easy-to-use features. The beauty is that you no longer have to learn complex .htaccess rules to apply good firewall rules to your site. Keep in mind that it works at the application layer: it cannot fix an outdated core, theme or plugin, so keep those updated as well.

Start by installing the All In One WP Security & Firewall plugin just like any other plugin. From your WordPress Dashboard go to Plugins -> Add New -> Search for All In One WP Security.

Install and activate the plugin.

aio-security-activate

Figure 1. Install and activate the AIO Security Plugin

 

Now you need to navigate to WP Security -> Dashboard.

All In One WP Security and Firewall uses a security strength meter to show how well the site is protected, based on the security features you have activated. Note that at this point the score is very low.

aio-security-dashboard

Figure 2. AIO Security Dashboard and security strength meter gauge

 

The All In One WP Security and Firewall dashboard highlights the most important features which you should apply to your site to achieve a minimal level of security.

Those features are listed under Critical Feature Status.

We will activate these features later, as we configure the other main features. For now, leave them as they are.

At the top of the WP Security Dashboard you can find five tabs:

  • Dashboard – the current tab.
  • System Info – your site info, PHP info and active plugins.
  • Locked IP Addresses – the list of all IP addresses which are currently temporarily locked out.
  • Permanent Block List – the list of all permanently blocked IP addresses.
  • AIOWPS Logs.

Access the settings panel by going to WP Security -> Settings.

On the first tab General Settings, before doing anything else, it is highly recommended to:

  • Backup your database.
  • Backup .htaccess file.
  • Backup wp-config.php file.
aio-security-general-settings-backup

Figure 3. AIO Security -General Settings tab

 

From the tabs here, click on the WP Version Info tab and check Remove WP Generator Meta Info. This removes the meta tag in the page head that reveals your WordPress version. Click on Save Settings. Note that this hides only one of several version leaks: the version is still visible in readme.html and in the ?ver= query strings WordPress appends to its scripts and stylesheets, which is one reason we also lock down the default install files later on.

aio-security-wp-version-remove

Figure 4. Remove WP version

 

Next, open the User Accounts tab.

From here you can change your WP username, display name and password in case you are using something weak, for example username admin and password qwerty. Also make sure your display name differs from your login name, because the display name is shown publicly in posts and author archives and otherwise hands attackers half of your credentials.

From the User Login tab, check Enable Login Lockdown Feature, which temporarily blocks an IP address after a number of failed login attempts. The other default settings are okay. Click on Save Settings.

aio-security-user-login

Figure 6. Enable login lockdown feature

 

From the User Registration tab, check Enable manual approval of new registrations. You don't want spammers to register freely on your website. This feature sets new users' status to “pending” until you approve them. It only matters if registration is open at all (Settings -> General -> Anyone can register); if your site does not need self-registration, keep that option off. Save settings.

aio-security-enable-manual-approval-of-new-registrations

Figure 7. Enable manual approval of new registrations.

 

Now we will move to Database Security. Because you have already made a backup, you can now generate a new prefix for your database tables (randomly generated or custom). Make this change only if your database prefix is still the standard wp_. The plugin renames the tables and updates $table_prefix in wp-config.php, so that file must be writable while you do this; if anything goes wrong, restore the database and wp-config.php from the backup.

aio-security-change-database-prefix

Figure 8. Changing the database prefix

 

Moving to File System Security, you can see the permissions of important WordPress files and directories. If a permission is looser than recommended, you will get a recommendation to fix it by clicking the Set Recommended Permissions button.

aio-security-file-system-security

Figure 9. Checking the file system security
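When you have shell access to the host, the same check can be done independently of the plugin's table. The script below is an added example, not code from the plugin or from the original lesson; it assumes a Linux host with GNU find/chmod and uses the author's own baseline (world-writable anything is a defect, and wp-config.php must not be readable by other accounts), not the plugin's recommended-mode table.

```shell
#!/bin/sh
# Added example: audit WordPress file permissions from a shell on the server.
# Not part of the plugin. Assumes GNU find/chmod (typical Linux hosting).

# Print every file or directory under the WordPress root that is
# world-writable. Anything listed here can be modified by any other local
# account on a shared host, so it is a defect whatever the host's defaults.
world_writable() {
  root=$1
  find "$root" -perm /o+w ! -type l
}

# Print wp-config.php if accounts other than owner/group can read it.
# It holds the database credentials and salts, so it should be 600 or 640.
config_readable_by_others() {
  [ -f "$1/wp-config.php" ] || return 0
  find "$1/wp-config.php" -prune -perm /o+r
}

# Count the findings of both checks so a cron job (or a test) can act on
# the number instead of reading the list.
count_findings() {
  root=$1
  { world_writable "$root"; config_readable_by_others "$root"; } | wc -l | tr -d ' '
}

# Apply the common baseline: 755 for directories, 644 for files,
# 640 for wp-config.php. Run this only after reviewing what world_writable
# reported: if the web server needs to write to uploads, fix that with
# ownership (chown to the web server user), never with 777.
apply_baseline() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
}

# Usage (path is a placeholder):
#   count_findings /var/www/html      # 0 means nothing to fix
#   world_writable /var/www/html      # list what would be tightened
#   apply_baseline /var/www/html
```

Run count_findings before and after the plugin's Set Recommended Permissions button; if it still reports findings, the plugin's table does not cover that path and you need to fix it by hand.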

 

From the PHP File Editing tab, you can Disable Ability To Edit PHP Files from your WordPress panel. This feature hides the Appearance Editor and Plugins Editor by setting the DISALLOW_FILE_EDIT constant in wp-config.php, so an attacker who gets hold of an administrator session can no longer drop PHP into a theme or plugin from the dashboard.
Click on Save Changes.

aio-security-php-file-editing

Figure 10. Disable ability to edit PHP files

 

Also, from the WP File Access tab, choose Prevent Access to WP Default Install Files. This blocks requests for files such as readme.html, license.txt and wp-config-sample.php, which disclose the WordPress version and are of no use to visitors.
Click on Save Changes.

Figure 11. Prevent access to WP default install files

 

Now let's move to WHOIS Lookup. From here you can look up more detailed information about an IP address or domain name that may be attacking you.

aio-security-whois

Figure 12. Perform a WHOIS Lookup for an IP or Domain Name

 

The Blacklist Manager gives you the option of banning certain IP addresses or ranges as well as user agents or bad bots.

aio-security-blacklist-manager

Figure 13. Blacklist Manager – feature for banning certain host IP addresses or ranges and also user agents.

 

The Firewall feature is probably one of the most useful ones in this plugin. From the Basic Firewall Rules tab you need to:

  • Enable Basic Firewall Protection,
  • Disable Pingback Functionality From XMLRPC and
  • Block Access to debug.log File.

Click Save Basic Firewall Settings.

The pingback option matters because the pingback.ping method of xmlrpc.php is routinely abused to turn WordPress sites into DDoS reflectors and to probe other hosts. Disabling pingbacks still leaves the rest of XML-RPC available (Jetpack and the mobile apps rely on it); if nothing on your site uses XML-RPC, blocking xmlrpc.php entirely is the stronger setting.

Figure 14. Activating some basic firewall security protection rules for your site

 

From the Additional Firewall Protection tab, you need to check:

  • Disable Index Views (no directory listings when a folder has no index file),
  • Disable Trace and Track (blocks the HTTP TRACE and TRACK methods),
  • Forbid Proxy Comment Posting,
  • Deny Bad Query Strings and
  • Enable Advanced Character String Filter.

Click Save Additional Firewall Settings. The last two options match on request patterns, so if a form or plugin on your site stops working afterwards, they are the first settings to switch off while you troubleshoot.

 

aio-security-additional-firewall-rules

Figure 15. Activating more advanced firewall settings on your site

 

From the 6G Blacklist Firewall Rules tab, only Enable 6G Firewall Protection. The 6G Blacklist is a simple, flexible blacklist of request patterns (bad query strings, request methods, user agents, referrers and URIs) that reduces the number of malicious requests reaching your site. These rules were originally designed and published by Jeff Starr at Perishable Press. Because they match on request patterns, test the parts of your site that use unusual URLs or query strings (search, forms, plugins with their own endpoints) after enabling them, and keep your .htaccess backup handy.

Click on Save Changes.

aio-security-6g-blacklist-firewall-rules

Figure 16. Activating the 6G firewall security protection rules

 

We will skip the Internet Bots tab at this point. It blocks requests that present a Googlebot user agent but do not come from Google's own hosts. Legitimate Googlebot traffic is harmless and must not be blocked, and a misfire here can hurt your indexing, so there is no need to enable it now.

In the Prevent Hotlinks tab, check Prevent Image Hotlinking to stop other sites from embedding images hosted on your server by linking directly to the image URL. Hotlinking consumes your bandwidth and resources, so it is a good idea to enable this feature. The rule works by checking the Referer header, so images may also stop loading in places that send no referer or a foreign one, such as RSS readers and e-mail; check those after enabling it.

Click on Save Changes.

aio-security-prevent-hotlinks

Figure 17. This feature will prevent people from directly hotlinking images from your site’s pages

 

In the 404 Detection tab, make sure to Enable 404 IP Detection and Lockout with a lockout time of 60 minutes. Many 404 errors in a short time from the same IP address usually mean someone is scanning for a particular page, plugin or backup file rather than browsing.

If you have a specifically designed 404 lockout page, put its URL here.

Click on Save Changes.

aio-security-404-detection

Figure 18. 404 Detection Configuration

 

We will skip Custom Rules tab for now. This feature can be used to apply your own custom .htaccess rules and directives, but we don’t need them now.

From the Brute Force section, first Enable Rename Login Page Feature and enter a custom login slug that differs from the default wp-login.php. Choose something you can remember and bookmark it. This hides the login page from automated scanners, but it is not a substitute for strong passwords and the login lockdown configured above, since anyone who learns the slug can still attempt logins.

Click Save Changes.

aio-security-rename-login-page

Figure 19. Changing the default WordPress login page URL.

 

From Cookie Based Brute Force Prevention, just Enable Brute Force Attack Prevention. This stops the majority of brute-force login attacks at the .htaccess level, before PHP even runs, and so provides even better protection for your WP login page. But be careful not to lock yourself out of your own membership site: the plugin shows a secret access URL that sets the required cookie, so save that URL before you enable the feature and test the login in a second browser.

aio-security-cookie-brute-force-prevention

Figure 21. Enable Brute Force Attack Prevention

 

Skip other tabs from this section and move to Spam Prevention.

Check Enable Captcha On Comment Forms and Block Spambots From Posting Comments. The second option rejects comment submissions that did not originate from a page on your own site, which is how most spam bots post. Click on Save Changes.

aio-security-spam-prevention

Figure 22. Comment SPAM Settings

 

Now let’s move to the Scanner.

From here you can scan your website now, or Enable Automated File Change Detection Scan and set the Scan Time Interval to one week. Review the first report carefully, because it establishes the baseline; after that, any changed file that does not correspond to an update you performed deserves a closer look.

Click on Save Changes.

aio-security-file-change-detection-scan

Figure 23. Enable Automated File Change Detection Scan

 

We will skip the Maintenance feature for now and move to the Miscellaneous section. From here you can enable copy protection for your site, which disables right click and text selection with JavaScript. Treat this as a deterrent to casual copying rather than a security control: it is trivially bypassed by disabling JavaScript or viewing the page source.

aio-security-enable-copy-protection

Figure 24. Disable the ability to copy text on your website

 

From the Frames tab, you can choose to Enable iFrame Protection. This sends the X-Frame-Options header so browsers refuse to render your pages inside a frame on another site, which defeats clickjacking.

aio-security-iframe-protect

Figure 25. Prevent your site from being displayed in iframe

 

That’s the full configuration that we use for protecting our sites using the AIO security plugin.

Now move back to the plugin dashboard and you can see that the security score of our site has improved considerably.

aio-security-dashboard-after-configuration

Figure 26. After configuration
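The dashboard meter only reports which toggles are on. To confirm that the settings above actually took effect (the generator meta tag, the pingback method, the default install files and debug.log, directory listings, TRACE, hotlinking and the frame header), probe the site from outside the way a scanner would. The script below is an added example, not code from the plugin or from the original lesson; it assumes a Unix shell with curl and grep, uses the default WordPress paths, and the URLs in the usage comment are placeholders. The check_-style functions read a saved response on stdin so they can be tested without a live site; audit_site wires them to curl.

```shell
#!/bin/sh
# Added example: verify the plugin's hardening from outside with curl.
# Not part of the plugin. Assumes curl and grep; paths are WordPress defaults.

# Each function below reads a captured response on stdin and returns 0
# when the weakness is PRESENT, so the audit can print a warning.

# WP Version Info tab: does the HTML still carry the generator meta tag?
leaks_generator() {
  grep -qi '<meta name="generator" content="WordPress'
}

# Basic Firewall Rules: does xmlrpc.php still advertise pingback.ping?
# Input is the body returned for a system.listMethods call.
lists_pingback() {
  grep -q '<string>pingback.ping</string>'
}

# Additional Firewall Protection: is a directory listing being served?
serves_index() {
  grep -qi '<title>Index of'
}

# Frames tab: are the response headers missing clickjacking protection?
# Input is the raw header block from curl -I.
lacks_frame_protection() {
  ! grep -Eqi '^(x-frame-options:|content-security-policy:.*frame-ancestors)'
}

# HTTP status code for a request; extra curl options go after the URL.
status_of() {
  url=$1; shift
  curl -s -o /dev/null -w '%{http_code}' "$@" "$url"
}

# Run every check against a live site. $1 is the site URL, optional $2 is
# the URL of one image on the site to test hotlink protection with.
audit_site() {
  base=${1%/}
  fail=0
  if curl -sL "$base/" | leaks_generator; then
    echo "WARN generator meta tag still present on $base/"; fail=1
  fi
  if curl -s -X POST \
       -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>' \
       "$base/xmlrpc.php" | lists_pingback; then
    echo "WARN xmlrpc.php still offers pingback.ping"; fail=1
  fi
  for p in readme.html license.txt wp-content/debug.log; do
    case $(status_of "$base/$p") in
      403|404) ;;
      *) echo "WARN $p is reachable"; fail=1 ;;
    esac
  done
  if curl -s "$base/wp-includes/" | serves_index; then
    echo "WARN directory listing served for /wp-includes/"; fail=1
  fi
  case $(status_of "$base/" -X TRACE) in
    403|405) ;;
    *) echo "WARN TRACE method not blocked"; fail=1 ;;
  esac
  if curl -sI "$base/" | lacks_frame_protection; then
    echo "WARN no X-Frame-Options or frame-ancestors header"; fail=1
  fi
  if [ -n "$2" ]; then
    case $(status_of "$2" -e 'https://other-site.example/') in
      403) ;;
      *) echo "WARN image can be hotlinked: $2"; fail=1 ;;
    esac
  fi
  return $fail
}

# Usage (placeholder URLs):
#   audit_site https://www.example.com
#   audit_site https://www.example.com https://www.example.com/wp-content/uploads/2020/01/logo.png
```

Run it from a machine other than the server, since the firewall rules only apply to requests that actually pass through .htaccess; a clean run exits 0 and prints nothing.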

 

Final Words

Good job. You have successfully configured the plugin. The All In One WordPress Security and Firewall plugin takes the protection of your WordPress membership site to a whole new level. The configuration in this lesson is the one we apply to our clients' sites over and over again. You can enable even more features if you want tighter security on your membership site, but test each one, because the more aggressive options are also the ones most likely to block legitimate users.

Remember: if you misconfigure something with this plugin and get locked out of your own dashboard, here is what you need to do:

  1. Log in to your cPanel (or connect over SSH or FTP).
  2. Locate the root folder of your website.
  3. Open the .htaccess file.
  4. Delete the block the plugin marks with # BEGIN All In One WP Security and # END All In One WP Security, including the markers, and leave the # BEGIN WordPress block in place.
  5. If you still cannot log in (for example after renaming the login page), rename the plugin folder wp-content/plugins/all-in-one-wp-security-and-firewall; WordPress deactivates the plugin the next time the dashboard loads.
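The same recovery done from a shell (SSH or the cPanel terminal), so it can be repeated without hand-editing in the file manager. This is an added example, not code from the plugin or the original lesson. It assumes the plugin brackets its rules between the markers "# BEGIN All In One WP Security" and "# END All In One WP Security" (check your own .htaccess and adjust the two variables if yours differ) and that the plugin lives in its wordpress.org folder all-in-one-wp-security-and-firewall.

```shell
#!/bin/sh
# Added example: lock-out recovery from a shell. Not part of the plugin.
# Assumption: the plugin's .htaccess rules sit between these two marker
# lines; verify against your own file before running.
AIOWPS_BEGIN='# BEGIN All In One WP Security'
AIOWPS_END='# END All In One WP Security'

# Remove the plugin's block from .htaccess, keeping a timestamped backup
# and leaving WordPress's own "# BEGIN WordPress" block untouched.
strip_aiowps_rules() {
  file=$1
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  awk -v b="$AIOWPS_BEGIN" -v e="$AIOWPS_END" '
    index($0, b) == 1 { skip = 1 }   # marker line starts the block
    !skip             { print }      # copy everything outside the block
    index($0, e) == 1 { skip = 0 }   # end marker closes it (and is dropped)
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Deactivate the plugin without the dashboard by renaming its folder.
# Renaming skips the plugin's deactivation hook, so the .htaccess rules do
# not remove themselves: run strip_aiowps_rules as well.
disable_aiowps_plugin() {
  dir=$1/wp-content/plugins/all-in-one-wp-security-and-firewall
  [ -d "$dir" ] || { echo "plugin folder not found: $dir" >&2; return 1; }
  mv "$dir" "$dir.disabled"
}

# Usage (paths are placeholders):
#   strip_aiowps_rules /home/user/public_html/.htaccess
#   disable_aiowps_plugin /home/user/public_html
```

Once you are back in the dashboard, rename the folder back, re-activate the plugin and re-enable features one at a time so you can see which setting caused the lock-out.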

That’s all you need to know for this plugin, if you have some questions please use our support ticketing system for reaching out to some of our WP security professionals.

