The All in One WP Security plugin is a comprehensive WordPress security plugin from Tips and Tricks HQ. It is free to download and offers a wide range of features, including a built-in firewall, brute force protection, and a security scoring system.
Installing the Plugin
First, click “Plugins” and then “Add New”.
Search for the “All in One WP Security” plugin, then click “Install Now” and then “Activate”.
Click “WP Security” on the left menu.
Now that the plugin is installed, we’re going to walk through setting up each part of it. Leave the .htaccess file in your WordPress root writable until the end of the process: the plugin writes its firewall rules into that file, and those rules cannot be applied if the file is write-protected or if your host does not let the plugin modify it.
As you activate the security rules in each area, the security score on the dashboard will rise. It may not be possible to do everything, as not all web hosts give you complete access to your server environment.
User Account Security
To set up user account security click “User Accounts” on the left. There will be 3 tabs on this screen: “WP Username”, “Display Name”, and “Password”.
On the “WP Username” tab the plugin checks whether you have a user with the default username “admin”. Keeping that account is insecure: every brute force bot tries “admin” first, so the attacker already holds half of a valid credential. If the check finds one, rename the account to something that cannot be guessed.
On the “Display Name” tab the plugin checks whether any user’s display name (shown publicly on their posts) is the same as their username. This is insecure because it hands attackers a valid username to brute force without any guessing.
The “Password” tab evaluates password strength.
The “User Login” option on the menu gives you access to 5 tabs. The “Login Lockdown” and “Force Logout” tabs have security settings that need to be configured; the other 3 tabs contain logs and information about who is logged in.
The “Login Lockdown” tab lets you limit login attempts: after a set number of failed logins from one IP address within a set time, that address is locked out for a set period. These rules protect your site against brute force login attempts, and the defaults are enough to make automated password guessing impractical. Check the “Enable Login Lockdown Feature” checkbox and click “Save Settings”.
The “Force Logout” tab makes WordPress log users out automatically after a set period of time. This stops users from staying logged in indefinitely on any PC and is especially important if you suspect your users log in on shared or public computers. Check the “Enable Force WP User Logout” checkbox and then click “Save Settings” to enable this feature.
The “User Registration” option on the left menu has three tabs: “Manual Approval”, “Registration Captcha”, and “Registration Honeypot”. This section is only relevant for sites that allow some form of user registration. If yours doesn’t, you don’t need to configure the settings here.
The “Manual Approval” tab is where you can force all user registrations to be manually approved. This is more secure than automatic registration because a bot can still submit the form but can never get its account activated. Click the “Enable manual approval of new registrations” checkbox and then click “Save Settings”.
The “Registration Captcha” tab lets you add a Captcha to your registration page. This adds another layer that bots must get past before they can register. Click the “Enable Captcha On Registration Page” checkbox and then click “Save Settings”.
The “Registration Honeypot” tab adds a hidden input field to your registration page. Human visitors never see it, so they leave it empty; bots that fill in every field they find in the form reveal themselves, and their registrations are dropped. This catches bots that get past simpler checks. Click the “Enable Honeypot On Registration Page” checkbox and then click “Save Settings”.
The Database Security menu option on the left provides two tabs “DB Prefix” and “DB Backup”.
Before using the “DB Prefix” tab, click the “DB Backup” tab and back up your database, since the prefix change rewrites every table. Click “Create DB Backup Now” to create an immediate backup, then check the “Enable Automated Scheduled Backups” checkbox. Set the backup schedule as you wish; we suggest as often as possible. Keep a copy of each backup somewhere other than the web server itself, because a backup that lives only on a compromised server is lost with it. Once done, click “Save Settings”.
Now for the “DB Prefix” tab. Here you can change the table prefix WordPress uses in your database. The default prefix is “wp_”, and many automated SQL injection payloads hard-code table names such as wp_users; a non-default prefix breaks those payloads. It does not fix an injection vulnerability itself, since an attacker who can run arbitrary queries can still discover the real table names, so treat it as a speed bump rather than a fix. The plugin renames every table and updates the prefix in wp-config.php, so make sure the backup from the previous step succeeded first. To use this feature, check the “Generate New DB Table Prefix” checkbox (or enter a prefix of your own) and then click “Change DB Prefix”.
The “Blacklist Manager” option on the left-hand menu is where you can set up IP address or User-Agent blacklists. Check the “Enable IP or User-Agent Blacklisting” checkbox and then click “Save Settings”. You’ll need to come back to this tab to add the IP addresses or User-Agent strings you want to block. Bear in mind that the User-Agent string is chosen by the client, so a User-Agent blacklist only stops lazy bots that don’t bother to change it.
The “Brute Force” menu option on the left is where you can configure login page settings. There are 5 tabs on this page. We recommend configuring the “Rename Login Page” and “Login Honeypot” tabs by default. The options on the “Cookie Based Brute Force Prevention”, “Login Captcha” and “Login Whitelist” tabs should be used selectively: some are meant for particular platforms such as WooCommerce, and the cookie-based and whitelist options can lock you out of your own admin panel if configured incorrectly.
On the “Rename Login Page” tab, check the “Enable Rename Login Page Feature” checkbox, enter a new login page URL, and click “Save Settings”. Make sure to record the new login path somewhere safe, because the default /wp-login.php path will no longer work. Changing the login URL cuts off the bulk of automated attacks, which hammer the default login path without looking any further, but it is obscurity rather than a real control: a determined attacker can still find the page, so keep Login Lockdown and strong passwords in place as well.
On the “Login Honeypot” tab, simply check the “Enable Honeypot On Login Page” checkbox and click “Save Settings”. The honeypot adds a hidden input field that human visitors never see; if the login page receives a value in that field, the plugin treats the request as a bot and rejects the login attempt.
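To make the mechanism behind the “Registration Honeypot” and “Login Honeypot” tabs concrete, here is an added example written for this article; it is not code from the All in One WP Security plugin, whose field names and checks are not documented on this page. The field name `website_url`, the token format and the 3-second minimum fill time are assumptions. The second check, a signed timestamp that rejects forms submitted faster than a human could type, is a common companion to the honeypot field and goes beyond what the text describes.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret for signing the form timestamp (constructed here;
# a real site would load this from configuration, not keep it in the code).
SECRET = secrets.token_bytes(32)
# Assumed field name: innocent-looking so form-filling bots populate it.
HONEYPOT_FIELD = "website_url"
TOKEN_FIELD = "hp_token"
MIN_FILL_SECONDS = 3  # assumed: faster than this is not a human typing a password


def _sign(issued: str) -> str:
    return hmac.new(SECRET, issued.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Timestamp plus HMAC, so the client cannot back-date the form."""
    issued = str(int(time.time() if now is None else now))
    return f"{issued}:{_sign(issued)}"


def render_login_form(now=None) -> str:
    """Login form with a CSS-hidden honeypot field and a signed timestamp.

    The honeypot is hidden by moving it off-screen rather than with
    type="hidden": many bots skip hidden inputs but fill every text input.
    """
    return f"""<form method="post" action="/wp-login.php">
  <label>Username <input name="log" type="text"></label>
  <label>Password <input name="pwd" type="password"></label>
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label>Leave this empty
      <input name="{HONEYPOT_FIELD}" type="text" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <input type="hidden" name="{TOKEN_FIELD}" value="{issue_token(now)}">
  <button type="submit">Log In</button>
</form>"""


def validate_submission(form: dict, now=None):
    """Return (accepted, reason) for a submitted form (dict of field -> value).

    Rejects the request before any credential check if the honeypot was
    filled, the token is missing or forged, or the form came back too fast.
    """
    now = int(time.time() if now is None else now)
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot field filled"
    issued, _, mac = form.get(TOKEN_FIELD, "").partition(":")
    if not issued.isdigit() or not hmac.compare_digest(mac, _sign(issued)):
        return False, "missing or forged token"
    if now - int(issued) < MIN_FILL_SECONDS:
        return False, "submitted too fast"
    return True, "ok"
```

In WordPress the same two checks would hang off the form-rendering and authentication hooks; the point here is the order of operations: the bot checks run before any password is compared, so a flagged request never counts against the lockdown thresholds or the database.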
Use the “SPAM Prevention” menu option on the left-hand side to filter comment spam. There are several tabs, but you only need “Comment SPAM” and “Comment SPAM IP Monitoring”. The “BBPress” and “BuddyPress” tabs only matter if you use those plugins.
On the “Comment SPAM” tab, tick both checkboxes. The first adds a Captcha that anyone commenting on your site must solve before the comment is submitted; the second blocks automated comment submissions that bypass your comment form and post directly, which is how most spambots operate.
Once both options are checked, click “Save Settings”.
Now on the “Comment SPAM IP Monitoring” tab, check “Enable Auto Block of SPAM Comment IPs” and click “Save Settings”. You can set the minimum number of comments from an IP that must be flagged as spam before that IP is blocked; a low threshold stops spammers quickly but raises the chance of blocking a shared IP used by legitimate visitors.
Clicking the “Scanner” option on the left-hand menu takes you to the plugin’s file change detection scanner. It records the state of your WordPress files and alerts you when files are added, removed or modified, which is how a tampered plugin or an uploaded backdoor shows up. Expect alerts after legitimate WordPress, theme or plugin updates too, and check that each change matches something you did. You can run a manual scan, and you can schedule periodic automatic scans of the installation. Check “Enable Automated File Change Detection Scan” and then click “Save Settings”.
You can run a manual scan at any time by clicking “Perform Scan Now”.
The “Firewall” option on the left-hand menu has a number of features you’ll want to enable by default; every tab in this section except “Custom Rules” has options to configure. Note that the plugin writes its firewall rules into the .htaccess file in the WordPress directory, so it cannot apply them without write access to that file, and the rules only take effect on Apache or another server that honours .htaccess.
On the “Basic Firewall Rules” tab there are 3 checkboxes you should check. First, check “Enable Basic Firewall Protection”; this turns on the basic firewall and blocks direct access to a few parts of the WordPress filesystem. Next, check “Disable Pingback Functionality From XMLRPC”. We recommend this option rather than blocking XML-RPC completely: the pingback method is what attackers abuse to turn your site into a DDoS reflector, while some plugins and the mobile apps still need the rest of XML-RPC, so shutting it off entirely may break them. Then check “Block Access to debug.log File”, since that file can expose file paths, database errors and other internals, and click “Save Settings”.
On the “Additional Firewall Rules” tab, check all of the available options and then click “Save Additional Firewall Settings” at the bottom. Some of these rules filter request query strings, so test the site afterwards, including plugin admin pages, and switch off any rule that breaks something.
On the “6G Blacklist Firewall Rules” tab, check both “Enable 6G Firewall Protection” and “Enable legacy 5G Firewall Protection” to add the 6G blacklist from perishablepress.com (and its older 5G version) to your firewall. These are sets of .htaccess rules that reject requests containing known malicious patterns in the URL, query string, User-Agent and referrer. Once done, click “Save 5G/6G Firewall Settings”.
On the “Internet Bots” tab, check the “Block Fake Googlebots” checkbox and click the “Save Internet Bot Settings” button at the bottom. Anyone can put “Googlebot” in a User-Agent string, and scrapers and scanners do so hoping to be waved through; this option blocks requests that claim to be Googlebot but do not come from Google.
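Telling a real Googlebot from a fake one cannot be done from the User-Agent alone. One standard way, which Google itself documents, is forward-confirmed reverse DNS: the client IP’s PTR record must be a name under googlebot.com or google.com, and that name must resolve back to the same IP. The example below is added for this article and is not the plugin’s code; it does not claim to show how the plugin performs its check. The resolver functions are injectable so the logic runs offline here against constructed DNS answers (all addresses are from documentation ranges and none of the records are real).

```python
import socket

# Domains Google documents for its crawler reverse DNS names.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")


def claims_to_be_googlebot(user_agent: str) -> bool:
    return "googlebot" in (user_agent or "").lower()


def _in_domain(hostname: str, domains) -> bool:
    """True only on a label boundary: 'googlebot.com.example.net' must not pass."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def _default_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]            # PTR lookup


def _default_forward(hostname: str) -> list:
    return socket.gethostbyname_ex(hostname)[2]   # all A records for the name


def is_verified_googlebot(ip, reverse_lookup=_default_reverse,
                          forward_lookup=_default_forward) -> bool:
    """Forward-confirmed reverse DNS: PTR is a Google crawler name AND resolves back to ip."""
    try:
        hostname = reverse_lookup(ip)
    except OSError:                  # socket.herror / gaierror are OSError subclasses
        return False
    if not _in_domain(hostname, GOOGLE_CRAWLER_DOMAINS):
        return False
    try:
        return ip in forward_lookup(hostname)
    except OSError:
        return False


def decide(ip, user_agent, **lookups) -> str:
    """'pass' if the request does not claim to be Googlebot (other rules apply),
    'allow' if the claim is verified, 'block' otherwise."""
    if not claims_to_be_googlebot(user_agent):
        return "pass"
    return "allow" if is_verified_googlebot(ip, **lookups) else "block"


# Constructed DNS answers for the offline demonstration (not real records).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # genuine pattern, confirmed below
    "192.0.2.11": "scanner.example.net",              # PTR is not Google at all
    "192.0.2.12": "crawl.googlebot.com.example.net",  # smuggles the suffix into a subdomain
    "192.0.2.13": "crawl-192-0-2-13.googlebot.com",   # Google-looking PTR, forward mismatch
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scanner.example.net": ["192.0.2.11"],
    "crawl.googlebot.com.example.net": ["192.0.2.12"],
    "crawl-192-0-2-13.googlebot.com": ["198.51.100.1"],
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record")      # 192.0.2.14 below has no PTR
    return FAKE_PTR[ip]


def fake_forward(hostname):
    return FAKE_A.get(hostname, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo():
    """Run every constructed client through the decision with the fake resolvers."""
    return {ip: decide(ip, GOOGLEBOT_UA, reverse_lookup=fake_reverse, forward_lookup=fake_forward)
            for ip in [*FAKE_PTR, "192.0.2.14"]}
```

Only the first address is allowed; the other four are blocked for different reasons (non-Google PTR, a Google suffix hidden inside another domain, a PTR whose forward lookup points elsewhere, and no PTR at all). The forward step is what makes the check trustworthy: anyone who controls an IP range can set its PTR to whatever they like, but they cannot make Google’s DNS answer for that name.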
On the “Prevent Hotlinking” tab you can stop other sites from hotlinking your hosted images, that is, embedding them so that your server serves the image (and pays for the bandwidth) for a page you don’t control. Check the “Prevent Image Hotlinking” checkbox and click “Save Settings”.
Lastly, on the “404 Detection” tab you can have the plugin block IPs that repeatedly request pages that don’t exist. A burst of 404s from one address is typical of a scanner probing for backup files, admin panels and vulnerable plugins. Check “Enable 404 IP Detection and Lockout” and then click “Save Settings”.
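“Login Lockdown” and “404 Detection” are the same idea applied to two kinds of bad event: count events per source IP inside a time window and lock the source out once a threshold is crossed. The example below is added for this article and is not the plugin’s code (the plugin does this inside WordPress as requests arrive, not from log files). It replays a constructed Apache-style access log through two such policies so you can see what gets locked and why. The thresholds, the window and the rule that a failed WordPress login shows up as a POST to /wp-login.php answered with HTTP 200 (a successful one redirects with 302) are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


class Lockout:
    """Lock a source after `max_attempts` bad events inside `window`."""

    def __init__(self, max_attempts, window, lock_duration):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self._events = defaultdict(deque)   # ip -> timestamps of recent bad events
        self._locked_until = {}             # ip -> when its lock expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, now):
        """Register one bad event; return True if this event triggered a lock."""
        if self.is_locked(ip, now):
            return False                    # already locked: nothing new to count
        q = self._events[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                     # forget events outside the window
        if len(q) >= self.max_attempts:
            self._locked_until[ip] = now + self.lock_duration
            q.clear()
            return True
        return False


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)


def find_lockouts(lines, login_policy, notfound_policy):
    """Replay log lines through both policies; return {ip: reason} for locked IPs."""
    locked = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, when, method, path, status = parsed
        if method == "POST" and path == "/wp-login.php" and status == 200:
            if login_policy.record(ip, when):        # assumed: 200 here = failed login
                locked[ip] = "login lockdown"
        elif status == 404:
            if notfound_policy.record(ip, when):
                locked[ip] = "404 detection"
    return locked


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.1 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.1 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:13:57:00 +0000] "GET /backup.zip HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:57:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:57:02 +0000] "GET /.env HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:57:03 +0000] "GET /old/ HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:57:04 +0000] "GET /db.sql HTTP/1.1" 404 512
198.51.100.9 - - [10/Oct/2023:13:57:05 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 512
192.0.2.1 - - [10/Oct/2023:13:58:00 +0000] "GET /missing-page HTTP/1.1" 404 512
""".splitlines()


def demo():
    login = Lockout(max_attempts=5, window=timedelta(minutes=5), lock_duration=timedelta(hours=1))
    notfound = Lockout(max_attempts=6, window=timedelta(minutes=5), lock_duration=timedelta(hours=1))
    return find_lockouts(SAMPLE_LOG, login, notfound)
```

The brute forcer at 203.0.113.7 is locked on its fifth failure and its sixth attempt is simply ignored; the scanner at 198.51.100.9 is locked by the 404 rule; 192.0.2.1, a user who mistyped a password once and later followed a dead link, is never locked. The sliding window is what keeps the second case harmless: isolated mistakes spread over a day never accumulate.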
File System Security
Finally, the last area to check is the “File System Security” option on the left-hand menu. The “File Permissions” tab lists the critical WordPress directories and files, their current permissions, and the recommended ones. If the “Set Recommended Permissions” button next to an entry doesn’t work (some hosts run PHP as a user that isn’t allowed to change the mode), use an FTP program or chmod over SSH to set them yourself.
Then click the “WP File Access” tab, check “Prevent Access to WP Default Install Files” and click “Save Settings”. This blocks access to a few files shipped with WordPress, such as readme.html and license.txt, that reveal the WordPress version and give an intruder information about your installation.
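If you end up setting permissions by hand, an audit script beats clicking through a file manager: it reports every entry that deviates from your baseline and can fix them in one pass. The example below is added for this article and is not the plugin’s code. The baseline it assumes is the commonly recommended 755 for directories and 644 for files, tightened to 600 for wp-config.php; the plugin’s own table shows the values it expects for your site, and those take precedence. The sample tree it builds is constructed in a temporary directory purely for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# Assumed baseline (see the lead-in): adjust to the values the plugin's table shows.
DIR_MODE = 0o755
FILE_MODE = 0o644
SPECIAL_FILES = {"wp-config.php": 0o600}   # holds DB credentials: owner-only


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return SPECIAL_FILES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root, fix=False):
    """Walk a WordPress tree and return [(relative path, actual, expected)] for
    every entry whose mode deviates from the baseline. With fix=True, chmod each
    deviating entry to the expected mode. Symbolic links are skipped so that a
    link pointing outside the tree is never modified."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            expected = expected_mode(path, is_dir)
            if actual != expected:
                findings.append((os.path.relpath(path, root), oct(actual), oct(expected)))
                if fix:
                    os.chmod(path, expected)
    return findings


def build_sample_tree():
    """Constructed mini WordPress layout with three deliberately wrong modes."""
    root = tempfile.mkdtemp(prefix="wp-")
    for d in ("wp-admin", "wp-content/uploads", "wp-includes"):
        os.makedirs(os.path.join(root, d))
    for f in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
        open(os.path.join(root, f), "w").close()
    for d in ("", "wp-admin", "wp-content", "wp-includes"):
        os.chmod(os.path.join(root, d), 0o755)
    os.chmod(os.path.join(root, "index.php"), 0o644)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)         # world-writable
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)              # readable by others
    os.chmod(os.path.join(root, "wp-content/uploads/photo.jpg"), 0o666)  # world-writable
    return root


def demo():
    """Audit the sample tree, fix it, audit again. Returns (paths fixed, leftovers)."""
    root = build_sample_tree()
    try:
        before = audit_permissions(root, fix=True)
        after = audit_permissions(root)
    finally:
        shutil.rmtree(root)
    return sorted(f[0] for f in before), after
```

Run `audit_permissions("/var/www/html")` (or wherever WordPress lives) without `fix=True` first and read the list; a world-writable uploads directory is the classic finding, and it is also the one case where your host may require the looser mode for uploads to work, so confirm against the plugin’s table before tightening it.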
After completing these steps you have taken a significant step towards securing your WordPress website. You will still need to keep up with your backups, keep WordPress and all of your plugins updated (automatically where possible), and pay attention to file change scan results and any other alerts the plugin sends you. We didn’t use every feature of the plugin; for this article we chose settings that should be compatible with most themes and plugins. If you now go to the dashboard you should see a security score well into the green.