The All In One WordPress Security and Firewall is the ultimate security plugin that will take your WordPress site's security to a whole new level. In fact, we've used this plugin on many of our clients' sites whose owners were extremely paranoid about the security of their website.
This security plugin offers the latest recommended WordPress security practices and advanced techniques as easy-to-use features. The beauty is that you no longer have to learn complex .htaccess rules to apply good firewall rules to your site.
Start by installing the All In One WP Security & Firewall plugin just like any other plugin. From your WordPress Dashboard go to Plugins -> Add New -> Search for All In One WP Security.
Install and activate the plugin.
Now you need to navigate to WP Security -> Dashboard.
All In One WP Security and Firewall uses a security strength meter to measure how well the site is protected, based on the security features you have activated. Note that at this point the security score is very low.
The All In One WP Security and Firewall dashboard highlights the most important features you should apply to your site to achieve a minimal level of security.
Those features are displayed in a Critical Feature Status.
We will activate these features later, as we configure the other main features. For now, leave them as they are.
In the WP Security Dashboard on the top you can find 4 tabs:
- The current Dashboard tab.
- System Info – Where you can find your site info, PHP info and active plugins.
- Locked IP Addresses (the list of all IP addresses that are currently temporarily locked out).
- Permanent Block List (the list of all permanently blocked IP addresses).
- AIOWPS Logs.
Access the settings panel by going to WP Security -> Settings.
On the first tab General Settings, before doing anything else, it is highly recommended to:
- Backup your database.
- Backup .htaccess file.
- Backup wp-config.php file.
Next, click on the WP Version Info tab and check Remove WP Generator Meta Info. This removes the meta tag that reveals your WordPress version. Click on Save Settings.
Next, open User Accounts.
From here you can change your WP username, display name and password in case you are using something weak, such as the username admin with the password qwerty.
From User Login, check Enable Login Lockdown Feature. The other default settings are okay. Click on Save Settings.
From User Registration, check Enable manual approval of new registrations. You don't want spammers to register freely on your website. This feature sets new users' status to "pending" until you approve them. Save settings.
Now we will move to Database Security. Because you've already made a backup, you can now safely generate a new prefix for your database tables (randomly generated or custom). Make this change only if your database prefix is still the standard wp_.
Moving to File System Security, you can see the permissions of important WordPress files and directories. If a permission is wrong, you will get a recommendation to fix it by clicking the Set Recommended Permissions button.
From the PHP File Editing tab, you can Disable Ability To Edit PHP Files from the WordPress admin panel. This feature completely hides the Appearance editor and the Plugins editor.
Click on Save Changes.
Also, from the WP File Access tab, choose Prevent Access to WP Default Install Files.
Click on Save Changes.
Now let's move to WHOIS Lookup. From here you can look up more detailed information about an IP address or domain name that may be attacking you.
The Blacklist Manager gives you the option of banning certain IP addresses or ranges as well as user agents or bad bots.
The Firewall feature is probably one of the most useful ones in this plugin. From the Basic Firewall Rules tab you need to:
- Enable Basic Firewall Protection,
- Disable Pingback Functionality From XMLRPC and
- Block Access to debug.log File.
Click Save Basic Firewall Settings.
From Additional Firewall Protection tab, you need to check:
- Disable Index Views,
- Disable Trace and Track,
- Forbid Proxy Comment Posting,
- Deny Bad Query Strings,
- Enable Advanced Character String Filter.
Click Save Additional Firewall Settings.
From the 6G Blacklist Firewall Rules tab, enable only 6G Firewall Protection. The 6G Blacklist is a simple, flexible blacklist that helps reduce the number of malicious URL requests that hit your website. These firewall protection rules were originally designed and produced by the Perishable Press team.
Click on Save Changes.
We will skip the Internet Bots tab at this point, because most bots out there are relatively harmless (especially Googlebot) and there is no need to block them.
In the Prevent Hotlinks tab, check Prevent Image Hotlinking. Hotlinking is when someone else's site displays an image that is actually hosted on your server by linking directly to the source image URL. This consumes your bandwidth and resources, which is why it's a good idea to enable this feature.
Click on Save Changes.
In the 404 Detection tab, make sure to enable the 404 IP Detection and Lockout feature with a lockout time of 60 minutes. Many repeated 404 errors occurring in a relatively short period of time from the same IP address may indicate that an attacker is trying to find a particular page or URL.
If you have a custom 404 lockout page, put its URL here.
Click on Save Changes.
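Both the Login Lockdown feature enabled earlier and the 404 IP Detection and Lockout feature rest on the same idea: count events per client IP inside a rolling time window and lock the IP out for a fixed period once the count crosses a threshold. The example below is added here to show that mechanism on a handful of constructed access-log lines; it is not the plugin's own code. The 60-minute lockout comes from this tutorial, while the thresholds (5 matching 404s or 3 failed logins within 5 minutes), the sample IP addresses and the log lines are assumptions made for the illustration.

```python
"""Sliding-window IP lockout: the logic behind Login Lockdown and 404 IP
Detection (added illustration, not the plugin's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined-log prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


class IpLockout:
    """Count events per IP inside a rolling window and lock the IP for
    lockout_seconds once the count reaches threshold."""

    def __init__(self, threshold, window_seconds, lockout_seconds):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.events = defaultdict(deque)  # ip -> recent event timestamps
        self.locked_until = {}            # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, now):
        """Register one event for ip at time now.
        Returns True only for the event that triggers a new lockout."""
        if self.is_locked(ip, now):
            return False            # already locked: nothing more to do
        recent = self.events[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()        # drop events that fell out of the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def scan_404s(lines, threshold=5, window_seconds=300, lockout_seconds=3600):
    """Replay access-log lines; return [(ip, lock_expiry_iso), ...] for every
    IP whose 404 rate crossed the threshold. 3600 s is the tutorial's
    60-minute lockout; threshold and window are assumed values."""
    tracker = IpLockout(threshold, window_seconds, lockout_seconds)
    locked = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip lines that do not match the format
        ip, ts, status = parsed
        if status == 404 and tracker.record(ip, ts):
            locked.append((ip, tracker.locked_until[ip].isoformat()))
    return locked


def simulate_failed_logins(ip, offsets_seconds, threshold=3,
                           window_seconds=300, lockout_seconds=3600):
    """Login Lockdown view of the same mechanism: feed failed-login attempts
    at the given second offsets and return the indices that triggered a
    lockout. Attempts made while locked are ignored, and once the lock
    expires counting starts again."""
    tracker = IpLockout(threshold, window_seconds, lockout_seconds)
    start = datetime(2024, 3, 10, 12, 0, 0)   # arbitrary reference time
    return [i for i, off in enumerate(offsets_seconds)
            if tracker.record(ip, start + timedelta(seconds=off))]


# Constructed sample log: one client requesting page after page that does
# not exist, and one ordinary visitor with a single typo in a URL.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /gone-1.html HTTP/1.1" 404 489',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /gone-2.html HTTP/1.1" 404 489',
    '203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /gone-3.html HTTP/1.1" 404 489',
    '198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "GET /about HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /gone-4.html HTTP/1.1" 404 489',
    '198.51.100.7 - - [10/Mar/2024:10:00:05 +0000] "GET /abuot HTTP/1.1" 404 489',
    '203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "GET /gone-5.html HTTP/1.1" 404 489',
    '203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "GET /gone-6.html HTTP/1.1" 404 489',
]

if __name__ == "__main__":
    for ip, until in scan_404s(SAMPLE_LOG):
        print(f"{ip} locked out until {until}")
```

Running the block on the sample log locks 203.0.113.5 at its fifth 404 (10:00:05) until 11:00:05, while the visitor with one mistyped URL is never locked. The lockout period is what makes the 60-minute setting a trade-off: long enough to slow down automated probing, short enough that a legitimate user who hit the threshold by accident is not shut out for the day.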
We will skip the Custom Rules tab for now. This feature can be used to apply your own custom .htaccess rules and directives, but we don't need them now.
In the Brute Force section, first Enable Rename Login Page Feature and enter a custom login page slug that differs from the default wp-login. Make sure to choose something you can easily remember.
Click Save Changes.
From Cookie Based Brute Force Prevention, just Enable Brute Force Attack Prevention. This stops the majority of brute force login attacks at the .htaccess level, providing even better protection for your WP login page. But be careful not to lock yourself out of your own membership site.
Skip other tabs from this section and move to Spam Prevention.
Choose Enable Captcha On Comment Forms and Block Spambots From Posting Comments. Click on Save Changes.
Now let’s move to the Scanner.
From here you can scan your website now, or Enable Automated File Change Detection Scan and set the Scan Time Interval to every week.
Click on Save Changes.
We will skip the Maintenance feature for now and move to the Miscellaneous section. From here you can enable copy protection for your site. This disables right-clicking anywhere on your website.
From the Frames tab, you can choose to Enable iFrame Protection.
That’s the full configuration that we use for protecting our sites using the AIO security plugin.
Now move back to the plugin's dashboard and you can see that we've improved the security level of our site considerably.
Final Words
Good job. You've successfully configured the plugin. The All In One WordPress Security and Firewall plugin is your ultimate security solution for protecting your WordPress membership site on a whole new level. The configurations we've done in this lesson are our favorite ones, which we use on our clients' sites over and over again. But you can enable even more features if you feel a little paranoid about the security of your membership site.
Remember: if you misconfigure something with this plugin and get locked out of your own dashboard, here's what you need to do:
- Login to your cPanel
- Locate the root folder of your website
- Open the .htaccess file
- Delete all the rules added by the All In One WordPress Security plugin.
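The last step is where a lockout recovery goes wrong: deleting too little leaves the lock in place, deleting too much removes WordPress's own rewrite block and breaks permalinks. The script below is an added example, not the plugin's code, that does the cleanup mechanically. It assumes the plugin wraps its rules between a BEGIN and an END comment line (the marker text used here is an assumption, so compare it against the markers in your own .htaccess before relying on it), backs the file up next to itself as .htaccess.bak, and refuses to touch the file when the BEGIN marker has no matching END. The sample .htaccess contents are constructed for the illustration.

```python
"""Strip the All In One WP Security rules from .htaccess after a lockout
(added example, not the plugin's own code)."""
import shutil
from pathlib import Path

# Assumed marker lines; verify them against your own .htaccess.
BEGIN_MARKER = "# BEGIN All In One WP Security"
END_MARKER = "# END All In One WP Security"


def strip_marked_block(text, begin=BEGIN_MARKER, end=END_MARKER):
    """Return (new_text, removed). Everything from the BEGIN line through the
    END line (inclusive) is dropped; every other line, including WordPress's
    own '# BEGIN WordPress' rewrite block, is kept verbatim. If BEGIN has no
    matching END, the text is returned unchanged rather than guessing."""
    kept, inside, removed = [], False, False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if not inside and stripped == begin:
            inside = True           # start skipping the plugin's block
            continue
        if inside:
            if stripped == end:
                inside, removed = False, True
            continue                # still inside the plugin's block
        kept.append(line)
    if inside:                      # unterminated block: refuse to edit
        return text, False
    return "".join(kept), removed


def recover_htaccess(path):
    """Back up the file next to itself, then rewrite it without the plugin
    block. Returns True if a block was removed."""
    p = Path(path)
    new_text, removed = strip_marked_block(p.read_text())
    if removed:
        shutil.copy2(p, p.with_name(p.name + ".bak"))  # keep the original
        p.write_text(new_text)
    return removed


# Constructed sample: a plugin block in front of WordPress's rewrite block.
# The two directives inside the plugin block are illustrative only.
SAMPLE_HTACCESS = """\
# BEGIN All In One WP Security
Options -Indexes
ServerSignature Off
# END All In One WP Security

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    cleaned, removed = strip_marked_block(SAMPLE_HTACCESS)
    print("removed plugin block:", removed)
    print(cleaned)
```

Run it against a copy of the site's .htaccess first; if `recover_htaccess` returns False, the markers in the file differ from the assumed ones and the block has to be located by hand.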
That's all you need to know about this plugin. If you have any questions, please use our support ticketing system to reach one of our WP security professionals.