All In One WP Security & Firewall is one of the most popular and best security plugins, with 700,000+ active installations and a 5-star rating. The plugin adds extra security and a firewall to your WordPress site. In this tutorial, I’m going to share the All In One WP Security & Firewall plugin settings so that you can secure your site against bad guys.
It comes with tons of security features such as brute force login protection, password strength checking, a built-in captcha, database prefix options, file permission checks, .htaccess/wp-config backups and firewall protection. Its scanner alerts you if a file has changed in your WordPress system. It also scans your WordPress database tables.
The plugin is 100% free and takes your website security to a new level.
- Detects the default “admin” username and lets you change it easily.
- With the password strength tool, you can create very strong passwords.
- Protects against brute force login attacks.
- Monitors failed login attempts and shows the user’s IP address.
- Adds Google reCaptcha or a plain maths captcha.
- Bans bad users.
- Lets you change the default WP prefix with a single click.
- Disables file editing from the WordPress dashboard.
So, let’s get started with setting up the All In One WordPress Security plugin…
All In One WP Security & Firewall Plugin Settings
Configuring the All In One WP Security & Firewall settings is not a hard task. By following this tutorial, you can easily set it up on your site and keep your site secure from security breaches.
First, install and activate the All In One WP Security & Firewall plugin on your WordPress site. Once activated, it adds a new menu item labelled WP Security to your WordPress dashboard. Just click on it. This will take you to the plugin’s Dashboard.
Here are the All In One WP Security & Firewall plugin settings that you need to follow.
Here, back up your database, .htaccess file and wp-config.php file so that you can restore them if needed.
The WP Version Info tab removes the version and meta info produced by WP from all pages, which is essential for security.
By default, WordPress uses “admin” as the administrator username at installation time. From a security perspective, that is not a good choice.
Hackers take advantage of this and continuously try to guess the password while using “admin” as the username.
So changing the WordPress admin username is the first step in securing your site.
But thankfully this plugin allows
This substantially reduces brute force login attacks on your site.
Under the Login Lockdown tab, you can lock bad guys out of your site.
Scroll down to Login Lockdown IP Whitelist Settings, check the Enable Login Lockdown IP Whitelist box and add the IP addresses that you never want the login lockdown feature to block.
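To show how a login lockdown and its IP whitelist interact, here is an added sketch in Python; it is not the plugin's code. The class name, the three policy values and the sample events are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed policy values for this sketch (not the plugin's defaults).
MAX_ATTEMPTS = 3        # failed logins allowed inside the window
WINDOW_SECONDS = 300    # how far back failures are counted
LOCKOUT_SECONDS = 3600  # how long a locked-out IP stays blocked

class LoginLockdown:
    def __init__(self, whitelist=()):
        # Whitelist entries may be single addresses or CIDR ranges.
        self.whitelist = [ip_network(w, strict=False) for w in whitelist]
        self.failures = defaultdict(deque)  # ip -> recent failure times
        self.locked_until = {}              # ip -> time the lockout ends

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Register a failed login; return True if the IP is locked out."""
        if self.is_whitelisted(ip):
            return False                    # never lock a whitelisted IP
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            recent.clear()
        return self.is_locked(ip, now)

# Constructed sample data: (unix_time, source_ip) of failed logins.
SAMPLE_FAILURES = [
    (1000, "203.0.113.7"), (1010, "203.0.113.7"), (1020, "203.0.113.7"),
    (1000, "198.51.100.4"), (1500, "198.51.100.4"), (2000, "198.51.100.4"),
    (1000, "192.0.2.10"), (1001, "192.0.2.10"), (1002, "192.0.2.10"),
]

def replay(events, whitelist):
    guard = LoginLockdown(whitelist)
    for ts, ip in sorted(events):
        guard.record_failure(ip, ts)
    return sorted(guard.locked_until)
```

With 192.0.2.0/24 whitelisted, only the address that fails three times inside the window is locked out; the slow guesser at 198.51.100.4 never reaches the threshold, which is why a lockout alone does not replace strong passwords.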
Under the Force Logout tab, you can specify a time period in minutes. When the administrator session is over, the user will automatically be logged out of the site.
This is a simple way to avoid unauthorized access when you forget to log out of your site.
You can set it to 400 minutes (6 hours). Otherwise, after the timeout, it will log you out as well.
From the Logged in Users tab, you can see who is currently logged in to your site.
The Manually Approve registrations feature helps you avoid SPAM or bogus registrations on your site. Just check the Enable manual approval of new registrations box. This will automatically disable all newly registered accounts.
Now when users register on your site, their accounts will be pending. You need to approve them manually. You can also perform bulk activation/deactivation/deletion tasks on the accounts.
Under the Registration Captcha tab, you can add a captcha form to the user registration page. When users try to register, they will need to answer a simple mathematical question. This is another simple and effective way to prevent SPAM registrations.
Registration Honeypot adds a special hidden “honeypot” field to the WordPress registration page. This field is only visible to robots, not humans. This is also a great option for stopping SPAM registrations.
Backup your site’s database before making any changes.
From here you can change the prefix from “wp_” to something else so that hackers cannot guess it.
The plugin can automatically generate a new DB table prefix, or you can enter one of your own choice.
The Database Backup tab allows you to schedule database backups. Just check the Enable Automated Scheduled Backups box and keep the other settings at their defaults.
WordPress comes with secure file permission settings. But sometimes users or plugins change the permission settings, which weakens the security of your site. The plugin scans the WP core folders and files, highlights permission settings that are insecure, and lets you fix them with a single click.
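The same kind of permission scan can be run from the command line. The following Python sketch is an added example, not the plugin's code; the permission ceilings (755 for directories, 644 for files, 640 for wp-config.php) and the function names are assumptions chosen for the illustration.

```python
import os
import stat

# Permission ceilings assumed for this sketch, following the commonly
# recommended WordPress scheme (755 directories, 644 files) with a
# tighter limit on wp-config.php. These are not the plugin's own values.
MAX_DIR_MODE = 0o755
MAX_FILE_MODE = 0o644
SENSITIVE = {"wp-config.php": 0o640}


def audit_permissions(root):
    """Return (relative_path, actual_mode, allowed_mode) for every entry
    whose mode grants a bit that the allowed ceiling does not."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue                      # link modes are not meaningful
            if stat.S_ISDIR(st.st_mode):
                allowed = MAX_DIR_MODE
            else:
                allowed = SENSITIVE.get(name, MAX_FILE_MODE)
            mode = stat.S_IMODE(st.st_mode)
            if mode & ~allowed:               # any bit beyond the ceiling
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, oct(mode), oct(allowed)))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed test tree with two deliberately loose entries."""
    layout = {
        "wp-config.php": 0o644,               # readable by everyone
        "index.php": 0o644,
        "wp-content/uploads/a.jpg": 0o666,    # world-writable file
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o755)
```

Run audit_permissions() against a copy of the site or the live document root; it only reads metadata and changes nothing.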
Using the PHP File Editing tab, you can disable the ability for people to edit PHP files via the WP dashboard.
The WP Files Access tab prevents access to files such as readme.html, license.txt and wp-config-sample.php, and hides some information (such as WordPress version info) from potential hackers.
If you want to turn on the blacklisting feature for selected IP addresses, the plugin can do that. Just check the Enable IP or User Agent Blacklisting box. Enter the IP addresses and user agents that you want to blacklist.
This feature adds some basic firewall security protection rules to your site by adding some code to your .htaccess file. Therefore, back up your .htaccess file before performing this process.
When you disable Completely Block Access To XMLRPC, it shows an Attention notice in a yellow box.
If you are not using XML-RPC functionality on your site, keep it disabled. Apart from this, if you do not know whether your site is using XML-RPC functionality, keep it unchecked. Here is a screenshot.
The Additional Firewall Protection feature allows you to add more advanced firewall settings to your site by adding special code to your currently active .htaccess file.
The 6G Blacklist Firewall Rules tab activates the 6G (or legacy 5G) firewall security protection rules designed and produced by Perishable Press. If you use the 5G blacklist on your site, then you should use the 6G blacklist instead. The 6G Blacklist is a simple, flexible blacklist that helps reduce the number of malicious URL requests that hit your website. For more details, click on More info.
You can disable image hotlinking by going to the Prevent Hotlinking tab. When a user copies your site’s image URL and pastes it into another site, it’s called image hotlinking. It badly affects your site’s performance and bandwidth, because whenever a visitor views the hotlinked image, it loads from the original server.
To avoid this, check the box
The Rename Login Page tab allows you to change the URL of the WordPress admin login page. Just check the Enable Rename Login Page Feature box and enter your custom login URL.
You can add a captcha to your site’s login page, registration form, etc. via the Login Captcha tab.
If you want to enable captcha in your site’s comment form, then the plugin allows
This will help you get rid of spam comments on your site. After that, leave the rest of the settings at their defaults.
The Scanner notifies you of any file change that occurs on your site, including the addition and deletion of files. You can also exclude certain files or folders from the scan. For the Automated File Change Detection Scan settings, follow the screenshots.
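The idea behind a file change scan, including exclusions, fits in a few lines. This Python sketch is an added example and not the plugin's code; it compares SHA-256 content hashes, which is an assumption of the sketch (the page does not say how the plugin detects changes), and the paths in demo() are constructed.

```python
import fnmatch
import hashlib
import os


def snapshot(root, exclude=()):
    """Map each file path (relative to root) to its SHA-256 digest.
    `exclude` holds glob patterns matched against the relative path."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return the files added, removed and changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo(root):
    """Constructed walk-through: take a baseline, alter the tree, rescan."""
    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

    exclude = ["wp-content/cache/*"]          # noisy directory, skipped
    write("index.php", "<?php // original")
    write("readme.html", "readme")
    write("wp-content/cache/page.html", "v1")
    baseline = snapshot(root, exclude)

    write("index.php", "<?php // edited")             # modified file
    write("wp-content/uploads/new.php", "<?php")      # unexpected new file
    write("wp-content/cache/page.html", "v2")         # excluded, ignored
    os.remove(os.path.join(root, "readme.html"))      # deleted file
    return diff_snapshots(baseline, snapshot(root, exclude))
```

Store the baseline somewhere the web server cannot write to; a baseline kept inside the scanned tree can be rewritten along with the files it describes.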
The Copy Protection tab allows you to disable the “Right Click”, “Text Selection” and “Copy” options on the front end of your site. This feature helps to protect your content from bloggers who copy it.
It depends on you whether you want to enable it or not.
Also, if you want to put your site into maintenance mode, the plugin can do that too.
That’s all! Here I showed you the All In One WP Security & Firewall plugin settings step by step. Hopefully, when you install it and set it up on your site, there will be no problems.