The All in One Security Plugin is a comprehensive security plugin offered by the Tips and Tricks HQ. It is a free download and has a wide range of features including a built in firewall, Brute Force protection, and a security scoring system.
It is a complete solution for your WordPress Security concerns and is a great way to secure your WordPress installations available through WordPress Hosting.
Installing the Plugin
First click “Plugins” and then “Add New”
Search for the “All in One WP Security” plugin then click “Install Now” and then “Activate”
Click “WP Security” on the Left Menu
Now that the plugin is installed, we’re going to walk through setting up each part of the plugin. Its recommended you allow access to the .htaccess file until the end of the process as some of the firewall rules cannot be set if this is done.
As you implement the security rules in each area, your security score on the dashboard will rise. It may not be possible to do everything as not all web hosts give you complete access to your server environment.
User Account Security
To setup user account security click “User Accounts” on the left. There will be 3 tabs on this screen: “WP Username”, “Display Name”, and “Password”.
On the “WP Username” tab the plugin will check to see if you have a username set to the default of “admin”. Having a user with the username “admin” is insecure.
On the “Display Name” tab the plugin will check to see if any users have the same display name shown when they make posts as their usernames. This is insecure as it allows attackers to guess valid usernames
The “Password” tab evaluates the strength of passwords
The User Login option on the menu gives you access to 5 different tabs. The “Login Lockdown” and the “Force Logout” tabs have security settings that need to be configured. The other 3 tabs contain logs and information about who is logged in.
The “Login Lockdown” tab lets you set limits on logins. The rules you can set here protect your wordpress site against brute force login attempts. The default rules are enough to prevent bots from getting access to your admin panel. Check the “Enable Login Lockdown Feature” checkbox and click “Save Settings”
The “Force Logout” tab allows you to set WordPress to be automatically logged out after a set period of time. This prevents your users from staying logged in for extended periods of time on any PC and is especially helpful if you suspect your WordPress users are logging in on public terminals. Click the “Enable Force WP User Logout” checkbox and then click “Save Settings” to enable this feature.
The “User Registration” option on the left menu has three different tabs on it. “Manual Approval”, “Registration Captcha”, and “Registration Honeypot”. This tab is mainly for sites that allow some form of user registration. If your site doesn’t, then you don’t need to configure the settings in this section.
The “Manual Approval” tab is where you can force all user registrations to be manually approved. This is more secure than automatic registrations as it prevents bots from creating accounts. Click the “Enable manual approval of new registrations” checkbox and then click “Save Settings”
The “Registration Captcha” tab lets you setup a Captcha on your user registration page. This adds to the security of your site simply by adding another layer to prevent bots from registering. Click the “Enable Captcha On Registration Page” checkbox and then click “Save Settings”
The “Registration Honeypot” tab lets you add some hidden input fields that only bots would be able to fill out to your registration page. This allows you to catch relatively sophisticated bots and prevents them from making accounts. Click the “Enable Honeypot On Registration Page” checkbox and then click “Save Settings”
The Database Security menu option on the left provides two tabs “DB Prefix” and “DB Backup”.
Before using the “DB Prefix” tab you should click on the “DB Backup” tab to make a backup of your database before making further changes. Once there click “Create DB Backup Now” to create an immediate backup and then check the “Enable Automated Scheduled Backups” checkbox. You can set a backup schedule as you wish but we suggest as often as possible. Once done click “Save Settings”
Now got the “DB Prefix” tab. Here you can change the database table prefix used by WordPress in your database. Changing this increases security of your wordpress installation because it makes it harder for hackers to target your with SQL injection attacks. To use this feature check the“Generate New DB Table Prefix” checkbox (or enter a prefix) and then click “Change DB Prefix”
The “Blacklist Manager” option on the left hand menu is where you can setup an IP or User Agent blacklists. Click the “Enable IP or User Agent Blacklisting” checkbox and then click “Save Settings”. You will need to come back to this to tab to add IP addresses that you want to block.
The “Brute Force” menu option on the left is where you can configure login page settings. There are 5 tabs on this page. By default we’d recommend setting up the “Rename Login Page” and “Login Honeypot” tabs. The options on the “Cookie Based Brute Force Prevention”,“Login Captcha” and “Login Whitelist” tabs should be used selectively as some of them are for specific platforms such as WooCommerce or could lock you out of your admin panel if used incorrectly.
On the “Rename Login Page” tab check the “Enable Rename Login Page Feature” checkbox and then enter a new login page URL then click “Save Settings”. Make sure to remember the new login path. Changing the login URL is more secure than using the default one as most bots won’t know where to try to login.
On the “Honeypot” tab simply check the “Enable Honeypot On Login Page” checkbox and the click “Save Settings”. The honeypot will create fake input fields only a bot can fill out, and if the login page receives input on those fields on login, WordPress knows to ignore the user.
Use the “SPAM Prevention” menu option on the left hand side to increase the security of WordPress by filtering comment spam. While there are a few different tabs you’ll primarily need the “Comment Spam” and “Comment SPAM IP Monitoring”. The “BBPress” and “BuddyPress” tabs only need to be accessed if you use those apps.
On the “Comment SPAM” tab check both of the checkboxes. If anyone comments on your site there will be a Captcha before the comment is submitted and known Spambots will be blocked.
Once both options are checked click “Save Settings”.
Now on the “Comment SPAM IP Monitoring” tab check the “Enable Auto Block of SPAM Comment IPs” then click “Save Settings”. You may want to set a minimum number of comments.
If you click the Scanner option on the left hand menu you’ll be taken to All in One’s malware scanner. From here you can run a manual scan and you can set your system to make periodic automatic scans of WordPress’s key files. Check the “Enable Automated File Change Detection Scan” and then click “Save Settings”
You can run a manual scan by clicking “Perform Scan Now”
The “Firewall” option on the left hand menu has a number of features you’ll want to enable by default. Every tab in this section has options you’ll want to configure outside of the “Custom Rules” tab. Note the All in One plugin will not be able to configure firewall rules without write access to the .htaccess file in the WordPress directory.
On the “Basic Firewall Rules” tab theres are three checkboxes you should check. First check “Enable Basic Firewall Protection”. This will turn on the basic firewall and prevent access to a few parts of the WordPress filesystem. Next check “Disable Pingback Functionality From XMLRPC”, we advise checking this option as some plugins need XMLRPC functionality and it may not be advisable to block access to this completely. The check “Block Access to debug.log File” and then click “Save Settings”.
On the “Additional Firewall Rules” tab you should check all of the available options and then click “Save Additional Firewall Settings” at the bottom.
On the “6G Blacklist Firewall Rules” Tab you should check both the “Enable 6G Firewall Protection” and “Enable legacy 5G Firewall Protection” to add blacklists from perishablepress.com to your firewall. Once done click “Save 5G/6G Firewall Settings”
On the “Internet Bots” tab click the “Block Fake Googlebots” checkbox and click “Save Internet Bot Settings” button at the bottom.
On the “Prevent Hotlinking” tab you can prevent other sites from hotlink to your hosted images. This preserves both your content and your bandwidth. Check the “Prevent Image Hotlinking” checkbox and click “Save Settings”
Finally on the “404 Detection” tab you can set the All In One Security Plug In to block IPs repeatedly trying to reach non existent pages on your site. Check “Enable 404 IP Detection and Lockout” and then click “Save Settings”.
File System Security
Finally the last area you need to check is the “File System Security” option on the left hand menu. This area will list all of the critical areas of WordPress and what the suggest file permissions are. If the “Set Recommended Permissions” button next to each one doesn’t work, use an FTP program or chmod to do so.
Then click the “WP File Access” tab and click “Prevent Access to WP Default Install Files” and then “Save Settings”. This prevents access to a few files which may give an attacker information about your WordPress installation.
After performing all these steps you’ve taken a considerable step towards securing your WordPress installation. You will need to keep up with your backups and update all of your plugins regularly as well as pay attention to anything such as malware scans or other alerts the plugin may send you. While we didn’t use all of the features in the plugin, for this article we use settings which should be compatible with most themes and plugins. Now if you go to the dashboard you should see a security score well into the green:
If you're looking for WordPress hosting, here are some reviews of the best WordPress hosting services.