WordPress core is actively maintained and holds up well when kept up to date, but as you probably all know, a default install still leaves plenty of room for hardening.
Every public site is constantly probed by automated attacks, malware and other threats. None of that can be eliminated outright, but a WordPress security plugin is one way to reduce your exposure.
There are already a few out there that do a very good job at this, and today I’m going to be taking a closer look at one of them in particular. A very popular one in fact.
It’s got over half a million downloads, it’s free to download and it has some glowing reviews. Here it is.
All in One WP Security and Firewall is a comprehensive and very user-friendly plugin that handles practically everything you might associate with securing your WordPress site.
With over half a million downloads and a rating of 4.9 out of 5 stars on the WordPress plugin repository, you can say it’s definitely one of the best.
It’s got a long list of features ranging from the most basic to more complex measures, all of which were designed to be easy to setup for any level of user.
So much so that the developers even split these features into three categories. Let’s see what these are.
So the developers seemed to realise from the start that not everyone is a WordPress guru and not everyone knows everything about security. For this reason they split the plugin's features into three categories: Basic, Intermediate and Advanced.
The Basic features are generally non-invasive, meaning they are very unlikely to break your site. These are the features you should activate immediately upon installing the plugin in order to provide at least a minimum level of added security.
The Intermediate and Advanced features, on the other hand, are more complex. Unlike the Basic features, they might break certain functionality on your site, depending on how it is set up and which plugins you have installed.
You can check out a quick overview of this plugin’s features in the video below.
So as you can see there are numerous features available to you from right within your WordPress dashboard. The plugin writes the rules into your .htaccess file for you, so there's no need to edit it by hand; everything is accessible from the dashboard.
You can have a better look through a detailed list of all these features right here. Now let’s have a quick look at them all in action.
Using the Plugin
As I said, this plugin has a LOT of security and firewall features. I'll be going through each of the plugin's sections, showing you what they offer and their most useful features.
For your own convenience I’ve sectioned the features into Basic, Intermediate and Advanced. Don’t forget, when it comes to Intermediate and Advanced features be careful as they might cause some breaks in your site’s functionality.
But first, let’s go through all the general settings you can find in All in One WP Security & Firewall.
Dashboard, General Settings & Other Tools
The first page you’re taken to when you activate the plugin is the Dashboard that you see above. From here you can check your security strength meter, points breakdown as well as basic options and information. You also have tabs for your system info and locked IP addresses.
The strength meter works on a points system that you can see in the points breakdown. It calculates a score based on the plugin settings you have enabled on your site and compares it against the total possible points. A very cool and informative system, but remember what it measures: how many of the plugin's own options you've turned on, not whether your site is free of vulnerable plugins or weak passwords, so don't treat a high score as a clean bill of health.
If you now head to the General Settings from the sidebar you’ll find more options to configure. In fact from here you’ve got the options to disable all the security features or all the firewall features of the plugin with just one click. Very useful in case something breaks on your site’s front-end after making changes.
You can also back up and restore your .htaccess and wp-config.php files, as well as import or export a full set of settings for the plugin. Take those two backups before you enable any of the firewall features: a bad .htaccess rule can lock you out of the whole site, dashboard included, and then the only way back is to restore the file over FTP or SSH.
One of the other nifty tools this plugin offers is the Password Strength tool shown above, found in the User Accounts section. All you need to do is enter the password in question and it estimates how long someone with an off-the-shelf desktop PC and password cracking software would take to crack it. Treat the number as a rough guide to offline cracking of a stolen hash rather than a precise figure, and as a rule don't type your real production passwords into any tool you haven't vetted.
Moving on to the rest of the sections you’ll find other important and useful information such as Failed Login records, Account Activity logs, and a page showing the Logged In Users and Host System logs.
Besides these there is also a WhoIs Lookup option, Comment Spam IP Monitoring, and scanning options for malware as well as your database. You also have the option to put your site in Maintenance mode. This will lock out your visitors and show them any message you want them to see while you work on the site.
The last section, Miscellaneous, is where you can enable a Copy Protection option that stops users right-clicking or copying text and images, and an iFrame protection option that stops other sites from displaying your content in a frame or iframe. Be realistic about the first one: right-click blocking is done in the browser, and anyone can view the page source or switch JavaScript off, so it deters casual copying and nothing more. The iframe protection is the more useful of the two, since framing your pages on a hostile site is how clickjacking works.
Now to get started with the settings, Basic first
As you’ll see in the screenshots below, any basic setting has a Basic tag right next to it. These are the settings you should enable as soon as you install the plugin. They’re the sort of minimum threshold of security you should consider. Next to this tag is another box with the points value for that particular setting.
First up, in the Settings section you have a tab with the option to remove the meta info produced by the WP Generator from all your pages. That hides the WordPress version number from the HTML head, but treat it as a minor tidy-up rather than a real defence: the version can still be fingerprinted from readme.html and from the ?ver= query strings on core scripts and stylesheets, so keeping WordPress updated is what actually matters. Moving to the User Accounts section you'll find the username and display name settings. Your username should never be the default 'admin', because an attacker who can assume the username only has to guess the password, and display names shouldn't be the same as the login name, since themes print the display name on every post and comment.
In User Login you'll find the settings for Login Lockdown and Force Logout. The first locks an IP address out for a period after a set number of failed login attempts inside a time window, which blunts brute force attacks against the login page; the second forces a logged-in user out after a pre-determined amount of time.
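To make the Login Lockdown idea concrete, here is an added example (my own code, not the plugin's) of a sliding-window lockout: an IP that fails a set number of times within the window is refused for a fixed period, even if it then supplies the right password. The thresholds and the sample attempt log are constructed for illustration, and "IP" here is whatever your web server reports as the client address.

```python
"""Sliding-window login lockdown, modelled on the Login Lockdown feature.

Added example, not code from All in One WP Security & Firewall. The
thresholds and the sample attempt log below are constructed for the demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginLockdown:
    max_attempts: int = 3          # failures tolerated inside the window
    window_seconds: int = 300      # window in which those failures must occur
    lockout_seconds: int = 3600    # how long the IP stays locked afterwards
    _failures: dict = field(default_factory=dict)      # ip -> deque of timestamps
    _locked_until: dict = field(default_factory=dict)  # ip -> unlock time

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and the stale failure history.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        q = self._failures.setdefault(ip, deque())
        q.append(now)
        # Drop failures that have aged out of the sliding window.
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        # A successful login clears the failure history (an active lockout stays).
        self._failures.pop(ip, None)


def replay(events, **settings):
    """Feed (time, ip, outcome) events through a LoginLockdown.

    outcome is 'fail' (wrong password) or 'ok' (correct password).
    Returns one decision per event: 'locked', 'rejected' or 'accepted'."""
    ld = LoginLockdown(**settings)
    decisions = []
    for t, ip, outcome in events:
        if ld.is_locked(ip, t):
            decisions.append('locked')      # refused without even checking the password
        elif outcome == 'fail':
            decisions.append('locked' if ld.record_failure(ip, t) else 'rejected')
        else:
            ld.record_success(ip)
            decisions.append('accepted')
    return decisions


# Constructed sample (RFC 5737 addresses): an attacker at 203.0.113.7 guesses
# passwords; a real user at 198.51.100.4 mistypes once and then gets in.
SAMPLE_EVENTS = [
    (0, '203.0.113.7', 'fail'),
    (10, '203.0.113.7', 'fail'),
    (15, '198.51.100.4', 'fail'),
    (20, '203.0.113.7', 'fail'),    # third failure within 300 s -> lockout
    (25, '203.0.113.7', 'ok'),      # even the right password is refused now
    (30, '198.51.100.4', 'ok'),
    (3700, '203.0.113.7', 'fail'),  # lockout expired, history was cleared
]

if __name__ == '__main__':
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, '->', decision)
```

Two caveats apply to any IP-based lockout, the plugin's included. Behind a reverse proxy or CDN, use the client address the proxy passes along (and only from proxies you trust), otherwise you lock out the proxy and everyone behind it. And an attack spread across many addresses sidesteps a per-IP counter entirely, so lockdown complements strong passwords rather than replacing them.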
User Registration offers you the options for manual approval of new user registrations and the addition of a captcha to the registration page. Next is a database backup option, and after that are the file system security options, such as checking for overly permissive file permissions.
Moving on, the final Basic options include basic firewall rules, a hotlink prevention option (stopping other sites from embedding your images and using your bandwidth), the option to add a captcha to the login page, and the settings to prevent comment spam.
On to the Intermediate Settings
You’ll first come across one of these in the Database Security section with an option called DB prefix. Automated attack scripts often assume the default wp_ table prefix, so changing it from here knocks out the laziest of them. Don't overrate it though: any attacker who can run arbitrary SQL against your database can read the real table names from information_schema in a single query, so this is a speed bump and not a substitute for keeping plugins patched.
The Blacklist Manager is also an Intermediate setting, from where you can ban any IP addresses and user agents you want. Next is the option to disable directory listing (so a folder without an index file doesn't show its contents) and the 404 detection configuration in Firewall, which locks out IPs that rack up a burst of 404 errors, a typical sign of someone scanning for vulnerable files.
You can also rename your login page so it no longer sits at the default wp-login.php / wp-admin location. This is obscurity rather than a hard control, and it's Intermediate for a reason: plugins or themes that hard-code the login URL will break. Besides this you can whitelist the IP addresses allowed to reach the login page, and add a honeypot to the login form: a hidden field that a human never sees but an automated bot fills in, so any submission with that field populated is dropped.
Finally you can enable a File Change Detection feature that notifies you of changes to the files on your system, including files being added, deleted or modified. It does this by taking a snapshot of your site's files and comparing it against the previous one on a regular automated or manual scan, so bear in mind that it tells you something changed after the fact; it's a detection control, not a preventive one, and you'll want to exclude directories that change legitimately, such as caches, to keep the noise down.
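File Change Detection boils down to "hash everything now, hash it again later, report the difference". The following is an added example of that baseline-and-compare approach (my code, not the plugin's). The small site tree it builds and the tampering it simulates are constructed for the demo, and the excluded directories are an assumption about what changes legitimately on a typical site.

```python
"""Baseline-and-compare file change detection.

Added example, not the plugin's code. demo() builds a constructed site tree
in a temporary directory, takes a baseline, simulates tampering and reports
what changed. Excluded directories are an assumption about legitimate churn.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed to change legitimately (page cache, media uploads); adjust to taste.
DEFAULT_EXCLUDES = ('wp-content/cache', 'wp-content/uploads')


def snapshot(root, exclude_dirs=DEFAULT_EXCLUDES):
    """Map each file path (relative to root, POSIX style) to its SHA-256 digest.

    Hashing content rather than recording mtimes matters: an attacker who
    plants a file can reset timestamps with `touch -r`, but cannot make the
    digest match without undoing the change."""
    root = Path(root)
    excluded = [root / e for e in exclude_dirs]
    result = {}
    for path in sorted(root.rglob('*')):
        if not path.is_file() or any(ex in path.parents for ex in excluded):
            continue
        h = hashlib.sha256()
        with open(path, 'rb') as f:
            for chunk in iter(lambda: f.read(65536), b''):
                h.update(chunk)
        result[path.relative_to(root).as_posix()] = h.hexdigest()
    return result


def compare(baseline, current):
    """Return the added, removed and modified paths between two snapshots."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        'added': sorted(cur_paths - base_paths),
        'removed': sorted(base_paths - cur_paths),
        'modified': sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a tiny site, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as workdir:
        site = Path(workdir) / 'site'
        (site / 'wp-content/cache').mkdir(parents=True)
        (site / 'wp-includes').mkdir()
        (site / 'index.php').write_text('<?php require "wp-blog-header.php";\n')
        (site / 'wp-includes/functions.php').write_text('<?php // core functions\n')
        (site / 'debug.log').write_text('old log line\n')
        (site / 'wp-content/cache/page.html').write_text('cached page\n')

        baseline_file = Path(workdir) / 'baseline.json'
        save_baseline(snapshot(site), baseline_file)

        # Simulated tampering (constructed): a core file altered, a new file
        # dropped into wp-content, a log removed, and harmless cache churn.
        (site / 'wp-includes/functions.php').write_text('<?php // core functions\n// injected line\n')
        (site / 'wp-content/x.php').write_text('<?php // planted file\n')
        (site / 'debug.log').unlink()
        (site / 'wp-content/cache/page.html').write_text('cache regenerated\n')

        return compare(load_baseline(baseline_file), snapshot(site))


if __name__ == '__main__':
    print(json.dumps(demo(), indent=1))
```

Two points worth carrying over to the plugin's own feature. The scan is periodic, so it reports a change after it has happened; it buys you detection, not prevention. And an attacker with write access to the site can just as easily rewrite a baseline stored on the same host, so keep the baseline (or at least a copy of its hashes) somewhere the web server account cannot write.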
Last but not least are the Advanced Settings
There aren’t many of these but they’re the most complex of them all. In other words, enabling or modifying one of these might, in some way or another, change the way your site works and may take some troubleshooting.
The first time you’ll come across an Advanced tag is in the Firewall options. From here you can enable or disable some additional firewall rules, enable the 5G firewall protection (a set of .htaccess rules from Perishable Press that rejects requests with known-bad query strings, request strings and user agents), and block fake Google bots. Be careful with that last one: it blocks anything that presents a “Googlebot” user agent but cannot be verified as coming from Google, which also catches legitimate SEO and monitoring tools that impersonate Googlebot to see what Google sees, so check who is actually hitting your site before you turn it on.
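The "block fake Google bots" option hinges on how you tell a real Googlebot from an impostor. Google documents the method: do a reverse DNS lookup on the requesting IP, check that the hostname is in googlebot.com or google.com, then resolve that hostname forward and confirm it points back to the same IP. The example below is added code (mine, not the plugin's) implementing that check. The DNS answers come from a constructed table using RFC 5737 documentation addresses so it runs offline; the resolver arguments exist so the real socket functions can be dropped in instead.

```python
"""Reverse-then-forward DNS verification of a claimed Googlebot.

Added example, not the plugin's code. The PTR/A tables below are constructed
so the demo runs offline; pass the real socket functions (the defaults) to
check live traffic.
"""
import socket

# Leading dots matter: 'notgoogle.com' must not pass, 'crawl-x.googlebot.com' must.
GOOGLE_SUFFIXES = ('.googlebot.com', '.google.com')


def is_verified_googlebot(ip, user_agent,
                          reverse=socket.gethostbyaddr,
                          forward=socket.gethostbyname_ex):
    """True only if the UA claims Googlebot, the IP's PTR record lands in a
    Google domain, and that hostname resolves forward to the same IP.

    The forward step is essential: whoever controls the PTR records for an
    IP range can name it anything, including something ending in googlebot.com."""
    if 'Googlebot' not in user_agent:
        return False
    try:
        hostname, _aliases, _addrs = reverse(ip)
    except OSError:                    # socket.herror / gaierror are subclasses
        return False
    if not hostname.lower().endswith(GOOGLE_SUFFIXES):
        return False
    try:
        _name, _aliases, addrs = forward(hostname)
    except OSError:
        return False
    return ip in addrs


def classify(ip, user_agent,
             reverse=socket.gethostbyaddr,
             forward=socket.gethostbyname_ex):
    """Firewall decision for one request: 'not-googlebot' (leave it to other
    rules), 'allow' (verified crawler) or 'block-fake-googlebot'."""
    if 'Googlebot' not in user_agent:
        return 'not-googlebot'
    if is_verified_googlebot(ip, user_agent, reverse, forward):
        return 'allow'
    return 'block-fake-googlebot'


# Constructed DNS data for the offline demo.
PTR = {
    '192.0.2.10': 'crawl-192-0-2-10.googlebot.com',  # genuine: PTR and A agree
    '192.0.2.11': 'crawl-192-0-2-11.googlebot.com',  # spoofed PTR, A points elsewhere
    '192.0.2.12': 'scanner.example.net',             # PTR outside Google's domains
}
A = {
    'crawl-192-0-2-10.googlebot.com': ['192.0.2.10'],
    'crawl-192-0-2-11.googlebot.com': ['192.0.2.99'],
    'scanner.example.net': ['192.0.2.12'],
}


def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr backed by the constructed PTR table."""
    if ip not in PTR:
        raise socket.herror(1, 'Unknown host')
    return PTR[ip], [], [ip]


def fake_forward(host):
    """Stand-in for socket.gethostbyname_ex backed by the constructed A table."""
    if host not in A:
        raise socket.gaierror(-2, 'Name or service not known')
    return host, [], A[host]


GOOGLEBOT_UA = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'


def demo():
    """Classify four requests that all claim to be Googlebot; only one is real."""
    return {ip: classify(ip, GOOGLEBOT_UA, fake_reverse, fake_forward)
            for ip in ('192.0.2.10', '192.0.2.11', '192.0.2.12', '192.0.2.13')}


if __name__ == '__main__':
    for ip, decision in demo().items():
        print(ip, '->', decision)
```

Doing two DNS lookups inline on every request is too slow for a busy site, so in practice you cache the verdict per IP for a while; Google's published list of Googlebot IP ranges also makes a cheap first-pass filter before you fall back to the DNS check.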
In Brute Force you can set the last Advanced setting: the brute force prevention firewall (the plugin's cookie-based login protection) that you can see in the screenshot above.
Pricing & Support
As I said in the introduction, All in One WP Security & Firewall is a free plugin that’s downloadable from the WordPress plugin repository.
For this reason it’s got the standard WordPress.org support forum. However, when it comes to security issues some of the support questions can be more detailed and complicated, and some users asked for more focused individual support.
The developers responded by setting up Premium Support. Here’s what it offers:
- A developer will log in to your site and investigate the issue.
- They will find out the source of the issue and give you details on it.
- Apply any necessary fix for it.
- The cost for this will be $30.
- If an issue can’t be fixed, they won’t charge you anything.
- If the above sounds good to you, get in touch with the developers by filling in a general contact form.
Overall I have to say All in One WP Security & Firewall is a very functional and intuitive plugin that can do a great job at protecting your WordPress site.
It’s got a large variety of settings and options, great tools for you to understand better how secure your site is, and even explanations alongside every single setting just in case there’s something you’re not quite sure about.
Whether you’re new to WordPress or a seasoned developer who’s been there and done that, this plugin can serve your needs well. You can play it safe with just the Basic settings or go all out “protective mother” mode and secure your site from top to bottom.
Plus, one more thing, it’s free. Just take the .htaccess and wp-config.php backups first, switch on the Basic settings, and introduce the Intermediate and Advanced ones one at a time so you always know which rule caused any breakage.
In addition to all this, for all the latest news on WordPress security news and updates you can check out WP Security Bloggers. It brings together all the posts from popular WordPress security blogs and other security sources that publish news and updates about WordPress security.