We have already introduced the All in One WP Security plugin. We found that this plugin, while painless and straightforward, provides great features for making a WordPress site more secure than ever. This article introduces you to setting up this plugin and making the most of its features. So let’s start learning how to configure the All in One WP Security plugin.
Install the All In One WP Security plugin
Installing the All In One WP Security plugin is no different from installing any other plugin. You can do it in two ways.
- Upload the plugin’s zip file to your host and then activate it from the Plugins section of the dashboard.
- Search for the plugin in the WordPress Plugins section, then install and activate it.
For more information on installing plugins, you can read the tutorial. After installing the plugin, a new section called WordPress Comprehensive Security is added to your WordPress admin panel.
This plugin can be very effective for your site, and you can safely use it to secure it. With it, you can easily keep hackers from infiltrating your site: it lets you secure user account information, secure site files, harden the login and registration sections, and much more.
All In One WP Security plugin tutorial
We will teach you how to work with the different parts of the All In One WP Security plugin.
Click WordPress Comprehensive Security in the admin menu, then select Dashboard to enter this section.
The dashboard screen displays a security strength score based on the security features you have enabled. Note that the measurement at this stage is shallow: the All In One WP Security dashboard highlights the essential features you need to apply to your site for minimum security.
The most important part of this section is the security level of your WordPress site. Do not worry if it is low; by following the rest of this article, you can raise it considerably. This section also shows general information, displayed in the form of a chart.
The dashboard section consists of 4 tabs:
- Dashboard: the current section.
- System info: your site information, PHP information, and active plugins.
- Locked IP Addresses: as the name implies, the IPs that are temporarily blocked.
- AIOWPS Logs: the plugin’s security log files.
All In One WP Security plugin settings
The settings section of this plugin covers backing up your WordPress site’s core files and its database. We recommend that you make a WordPress backup before working with this plugin, so you can restore your site if something goes wrong.
Go to Settings in the plugin’s menu to open the settings panel, where you will see five tabs. In the General Settings tab, you can back up the database, .htaccess, and wp-config.php. Doing so is highly recommended, as these files are the backbone of your site.
The second and third tabs are less important; they let you edit the .htaccess and wp-config.php files.
After the backup, click the WP Version Info tab and check the Remove WP Generator Meta Info option. This removes the meta tag that reveals your WordPress version. If the version is visible, hackers can read it and use a known security hole in that version to break into the site, especially if you have not updated WordPress. Save the settings after checking the box.
Remove the generator meta tag in WordPress
The WordPress meta information section lets you delete the generator meta tag. This tag appears in your site’s HTML and exposes your WordPress version to the public. If you have not updated the site for a few months, hackers can tell that your version of WordPress is old. For example, there was a critical security issue in WordPress 4.2 that we talked about yesterday. So by removing this line from your site’s code, you make WordPress more secure than before.
The Import / Export section lets you export and import this plugin’s settings.
Rename Admin in WordPress
In this section, you can change the Admin username directly without deleting or adding users. If no account on your site uses the Admin username, there is no security issue here, and the plugin shows a confirmation message:
You can change your WordPress username, password, and display name in this section. When you first install WordPress, the default username is “Admin.” It is essential to change it, because keeping it makes you easy prey for hackers.
This section covers securing the user accounts on your site. It tells you which accounts are at risk and should not be used to log in, so you can identify suspicious accounts here.
You should not use the same value for your username and your display name. The display name is what visitors see. If the two are identical, hackers no longer need to search for your username, because you have handed it to them, and they only need to find the password.
This section adds security by hiding the usernames of the administrator and the site’s authors. For example, when an author comments or posts on your site, the comment or post metadata shows the author’s name.
If that name is the username, hackers can easily find the administrator’s or author’s username and use it to log in; they then only need to guess the password. But if a display name is shown instead of the username, for example “Reza Rad” instead of Admin, guessing the username becomes harder, and the hacker needs both a username and a password to log in to your site.
It should be noted that this can be changed from each user’s profile.
Show password strength
As you know, choosing a strong, standard password for your site is very important. You can test a candidate password here: in the password tab, enter it to measure its strength.
User login management
The fourth part is user login; it secures the WordPress login form. It consists of several sections, explained here:
Login Lock: locks an IP out after a set number of unsuccessful login attempts. This helps stop bots, and the plugin can send an email notification when a lockout happens.
Failed login history (Failed login record): this tab lists unsuccessful login attempts together with the IP address and username used.
Forced logout: enable this option to force all users to log out after a set period.
Account Activity Report: this section lists the last 50 user logins to your site.
Logged in users: shows the users currently logged in to your site.
Prevent Brute Force Attack
One of the essential things here is to enable the login lockdown feature. With it enabled, a user who fills in the login form incorrectly repeatedly gets their IP banned, and that IP is kept off your site for a while.
The maximum login attempts setting then determines how many times a user may fill in the login form. This way, nobody can enter a wrong username and password on the login page more than a set number of times.
The time period setting determines the interval within which those wrong attempts are counted.
The lockout period determines how long the user stays banned.
There is another weakness in WordPress that this plugin removes: by default, when a wrong username is entered, WordPress tells the user that the username is wrong, so a hacker learns that the username does not exist. Enable the generic error message option so that a “wrong username or password” message is shown even when the username is wrong.
In addition, the email notification section lets you be notified by email of unsuccessful logins.
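To make the three lockdown settings concrete, here is an added example (not code from the plugin or this article) that models the rule in Python: an IP that fails more than the allowed number of times within the period is locked for the lockout length, and later attempts from it are rejected without being evaluated. The log lines are constructed to look like the Failed login record tab; the IPs come from a documentation range.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the shape of the plugin's "Failed login record" tab:
# timestamp, source IP, username tried. IPs are from the 203.0.113.0/24
# documentation range, so they are not real hosts.
FAILED_LOGINS = """\
2024-05-01T10:00:00 203.0.113.5 admin
2024-05-01T10:00:20 203.0.113.5 admin
2024-05-01T10:00:45 203.0.113.5 administrator
2024-05-01T10:01:10 203.0.113.5 admin
2024-05-01T10:03:00 203.0.113.9 editor
2024-05-01T10:15:00 203.0.113.9 editor
2024-05-01T10:30:00 203.0.113.9 editor
2024-05-01T10:40:00 203.0.113.5 admin
"""


class LoginLockdown:
    """The three settings described above: max attempts, the period in which
    they are counted, and how long the offending IP stays locked."""

    def __init__(self, max_attempts, period_seconds, lockout_seconds):
        self.max_attempts = max_attempts
        self.period = period_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lock expires
        self.notifications = []             # (ip, username, time) per new lock

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, username, now):
        """Process one failed login; returns 'rejected', 'locked' or 'counted'."""
        if self.is_locked(ip, now):
            return "rejected"  # still banned: the form is not even evaluated
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.period:  # forget failures older than the period
            window.popleft()
        if len(window) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.notifications.append((ip, username, now))  # what the email alert carries
            window.clear()
            return "locked"
        return "counted"


def replay(log_text, policy):
    """Feed the log lines through the policy; returns (ip, username, verdict) rows."""
    rows = []
    for line in log_text.splitlines():
        ts, ip, username = line.split()
        now = datetime.fromisoformat(ts).timestamp()
        rows.append((ip, username, policy.record_failure(ip, username, now)))
    return rows


if __name__ == "__main__":
    # 3 failures within 5 minutes lock the IP for 60 minutes.
    policy = LoginLockdown(max_attempts=3, period_seconds=300, lockout_seconds=3600)
    for ip, user, verdict in replay(FAILED_LOGINS, policy):
        print(f"{ip:<12} {user:<14} {verdict}")
    print("lock notifications:", policy.notifications)
```

Note how 203.0.113.9 is never locked: its three failures are spread over half an hour, so they never fall inside one five-minute period, which is exactly why the period setting matters alongside the attempt count.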
Automatic user logout from WordPress
Another useful part is automatic logout. In the forced logout tab, you can set a period after which users are logged out automatically and must sign in again; a user who is inactive for that period is forcibly logged out.
View logged in users in WordPress
This tab shows all users currently logged in to your site. If you are suspicious of one or more of them, you can take their IP address from the table below and add it to your site’s blacklist.
User registration section in the plugin
The next part is registration. This section lets you add a captcha to your site’s registration form; skip it if you have disabled registration under Settings > Public. It keeps spammers and bots from registering on your site; the captcha adds another layer of security.
Here you can also switch registration from automatic approval to manual approval, so that new accounts must be approved before they can be used. You can add a captcha to your registration form from this section as well. If you run an e-commerce plugin that sells items to registered users, enabling manual approval will turn real customers away, because they can no longer register on their own. So do not enable it when you need automatic registration for other purposes.
Database security section
Your WordPress database is an essential part of your site, because the valuable part of your site’s information lives there. Databases are also a target for hackers, who go after specific tables via SQL injection or automated malicious code.
WordPress uses the wp_ prefix for all its database tables by default. From this section, you can change it to a random prefix to increase site security.
From the other tab of this section, you can enable database backups, but enabling it is not recommended: there are reports of malfunctions in this area, and there are many dedicated backup options for WordPress.
One way to protect the database is to change the default WordPress table prefix, “wp_,” to something hackers find hard to guess. This plugin lets you change the database prefix easily, using either your own prefix or a random one.
Click the change database prefix button to change your site’s table prefix automatically. This way, you stay safer from hackers.
The second tab is for backing up the database and does the same job as the WP DB Backup plugin.
System files security section.
Your site has many files, each with its own access level (permissions). You need to make sure these permissions are secure; this part of the plugin helps you identify files with insecure permissions. It is made up of several tabs, each doing a different job.
Some files may have insecure permissions that you are not aware of. From this section, you can tighten file permissions on your host. It has four tabs:
First tab: File permissions
This tab checks the permissions of all your site’s files and sets the chmod values of your WordPress files and folders to the standard values the plugin suggests.
Second tab: edit PHP file
This tab disables editing PHP files from the WordPress admin panel. We do not, however, recommend enabling it.
Third tab: Access WordPress files
This feature lets you block access to files such as readme.html, license.txt and wp-config-sample.php. These files ship with every WordPress version. By blocking access to them, you hide some critical information (such as the WordPress version) from hackers, which is very useful.
Fourth tab: Systems report
This tab shows the error_log file, from which you can find the errors on your site and fix them.
See Whois in the All In One WP Security plugin.
Although a WHOIS lookup is not a security feature as such, it lets you check the details of IP addresses or suspicious domain names from the admin dashboard. Use the Whois section to get information about IPs you suspect.
In this section, you can block IPs that should not have access to your site: enter the suspicious IPs in this field. Note that to block an IP address here, you must enter it with a slash at the beginning.
In the introduction to the All In One WP Security plugin, we covered the essential features of the firewall section. One of its most important benefits is blocking malicious code. Protect your website against malicious code by activating all the options in this section.
First of all, back up your database and .htaccess file before enabling the firewall. We suggest you activate every part of this section, because they are effective and let you build a strong firewall for your site that keeps malicious scripts out.
Brute Force settings in the All In One WP Security plugin
This section deals with brute force attacks, which most hackers attempt against a target site, so it is essential. It consists of 2 important sections that we will review.
Brute force is an attack that tries to find your password by trial and error. This is probably one of the essential parts of the All In One WP Security plugin, as most hackers try to get into your website this way. The section has five tabs, each with a vital role in keeping your website secure.
Rename login page
This option lets you change the wp-admin login address to any address you like, so finding it is not easy for a hacker.
By appending “/wp-admin/” or “/wp-login.php?action=login” to the site address, anyone can reach the WordPress login page. Since anyone can access your login page with one of these URLs, the first step in preventing brute force attacks is to rename the login page. Check the “Ability to change login page address” box and provide a hard-to-guess prefix.
For example, if you want to change the login page URL to “yoursite.com/login/,” enter the word “login” in the text box. Before activating this section, pay attention to the following points:
- Renaming the login page logs you out, and you will have to sign in again with the new URL.
- This function affects all users, so do not enable it if visitors need to register to comment on your site.
- This section affects the feature of any other plugin that uses the default login screen.
Prevent cookie-based brute force
The next option prevents brute force attacks using a cookie in your browser. Activate the “Prevent Brute Force Attack” checkbox and choose a hard word for the “Secret Word” field.
For example, if you choose the word “test,” the login URL becomes “http://yoursite.com/?test=1”. In general, to access the login page, you add “/?secret-word=1” to your site URL. If you have password-protected pages, select the “My site has password-protected posts or pages” checkbox.
If you have a theme or plugin that uses Ajax, select the “My site has themes or plugins that use AJAX” checkbox. Most themes and plugins use Ajax, so enable this option and check that your site still loads correctly.
- This method is similar to renaming the login page, so all of the above warnings apply to this method.
- Since both the “rename login page” and “cookie-based brute force prevention” methods change the login page URL, you can use only one of them on your site at a time.
Security code tab for login
This tab secures the login form of the WordPress admin panel by adding a captcha, which significantly improves the security of your site.
Since the first two options affect multi-user environments, such as sites with login, registration, and e-commerce features, activating the captcha alone is one of the easiest ways to prevent brute force attacks. Here you have three options for enabling the security code on forms:
- Add the security code to the default WordPress login page.
- Enable the security code on all forms that use the WordPress “wp_login_form()” function.
- Activate the security code on the missing password request form.
Login allowlist tab
The All in One WP Security plugin also offers the “Login Whitelist” option. This section only allows listed IP addresses to access your WordPress login page, and all other IP addresses will be blocked.
Honeypot tab
The last option is “Enable Honeypot On Login Page.” It adds a new field to the login form that is invisible to human users and visible only to bots. Because bots fill in every field of the login form, the plugin blocks the login attempt if the hidden field is filled in. This stops robots effectively.
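The cookie-based prevention described earlier and the honeypot check above are both decisions made per request, so here is an added Python model of them (not the plugin’s code). The cookie name, the hidden field name and the exemptions for admin-ajax.php and the post-password form are assumptions made for this illustration; the secret word “test” is the one from the example above.

```python
from dataclasses import dataclass, field

# Assumed names for this illustration; the plugin's real cookie and field names differ.
SECRET_WORD = "test"                  # the "Secret Word" from the example above
COOKIE_NAME = "demo_login_access"     # cookie handed out after the secret-word visit
HONEYPOT_FIELD = "demo_hidden_field"  # hidden login-form field only a bot would fill


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)   # POST body of a login attempt


def gate(req, allow_ajax=False, allow_postpass=False):
    """Decide what happens to a request; returns (verdict, cookies_to_set)."""
    # 1. Visiting /?<secret word>=1 hands out the access cookie.
    if req.path == "/" and req.query.get(SECRET_WORD) == "1":
        return "set-cookie", {COOKIE_NAME: "1"}
    # 2. Exemptions the two checkboxes control (assumed to work this way):
    #    the AJAX endpoint and the password form for protected posts.
    if allow_ajax and req.path == "/wp-admin/admin-ajax.php":
        return "allowed", {}
    if allow_postpass and req.path == "/wp-login.php" and req.query.get("action") == "postpass":
        return "allowed", {}
    # 3. Login page and admin area are served only to browsers carrying the cookie.
    if req.path == "/wp-login.php" or req.path.startswith("/wp-admin/"):
        if req.cookies.get(COOKIE_NAME) != "1":
            return "blocked:no-cookie", {}
        # 4. Honeypot: humans never see the hidden field, so it must arrive empty.
        if req.form.get(HONEYPOT_FIELD):
            return "blocked:honeypot", {}
    return "allowed", {}


def walkthrough():
    """Replay a bot-versus-owner exchange; returns the verdict of each step."""
    steps = []
    # A bot posts credentials straight to the login page: no cookie, rejected.
    steps.append(gate(Request("/wp-login.php", form={"log": "admin", "pwd": "x"}))[0])
    # The site owner visits the secret URL and receives the cookie.
    verdict, cookies = gate(Request("/", query={SECRET_WORD: "1"}))
    steps.append(verdict)
    # With the cookie, the owner's login form is accepted; the hidden field stays empty.
    steps.append(gate(Request("/wp-login.php", cookies=cookies, form={"log": "owner"}))[0])
    # A bot that somehow has the cookie still fills every field, including the hidden one.
    steps.append(gate(Request("/wp-login.php", cookies=cookies,
                              form={"log": "admin", HONEYPOT_FIELD: "http://spam"}))[0])
    # A visitor submitting a protected post's password is exempt only with the checkbox on.
    postpass = Request("/wp-login.php", query={"action": "postpass"})
    steps.append(gate(postpass)[0])
    steps.append(gate(postpass, allow_postpass=True)[0])
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The last two steps show why the password-protected-pages checkbox exists: without it, a legitimate visitor entering a post password is treated like a bot hitting the login page.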
Spam prevention section in the All In One WP Security plugin
This part of the plugin prevents spam by adding a captcha to the WordPress comment form. For the convenience of your site’s users, though, I suggest you use WordPress Akismet.
AIOWPS plugin helps prevent spam comments sent by bots and allows you to add a captcha to the comments form.
All In One WP Security Plugin Scanner
This part is used less often; however, it scans your WordPress site’s files from time to time and notifies you if they have changed.
Here you have two options. One is free; you have to pay for the other.
File change detection: checks your site’s files periodically and notifies you if any file changes.
Malware Scan: uses a third-party site to scan your site; naturally, you have to pay for it.
As its name implies, this section enables maintenance (under construction) mode for your WordPress site and shows the site only to administrators.
Enable it when you want to make significant changes to your website. While it is on, the site is inaccessible to users, and only administrators can reach it.
It prevents the copying of site content.
This section contains the latest features available in the WordPress Comprehensive Security plugin, which let you do the following:
- In the Copy Protection tab, you can disable right-click, which keeps other users from copying your site’s content.
- By activating the frames option, your site can no longer be displayed inside frames on spammer sites.
- Enabling the user enumeration option prevents bots from listing your users through the API.
Remove and disable the All In One WP Security plugin.
Sometimes you may configure the All In One WP Security plugin and lose access to the website. Installing this plugin adds a backup directory and several MySQL tables, so merely deactivating and uninstalling the plugin does not remove all of its files from your site. The best way is to follow these steps one by one:
- Disable all security and firewall settings in “WP Security > Settings > General Settings.”
- Deactivate the plugin from the dashboard.
- Delete the plugin’s files from the dashboard.
- Connect to your host via FTP and delete the backup files stored by the plugin.
- Open “phpMyAdmin” from your “cPanel” and delete the plugin’s tables from your site’s database.
- If you have trouble accessing your site, restore the .htaccess and wp-config.php backups you made before installing the plugin.
All In One WP Security is a powerful plugin for WordPress site security. Although it may be tempting, do not enable every feature at once; try them one at a time and enable only the ones you need. Rename login page, the cookie-based option, and the IP allowlist can be used on single-user sites without user registration. The remaining options, such as login captcha and honeypot, can be used on all types of sites without problems.