Everyone who encounters site security for the first time thinks about which plugin to install and configure for this purpose.

The choice is not small. If you type "Security" into the plugin search field, the result will be quite long.

In any case, it is worth sticking with the most popular, actively maintained and, of course, best-rated ones.

In this review, I decided to install 4 WordPress security plugins and find out which one is the best for the average user:

The first three also offer premium functionality, but I won't include it in the review. There are probably no features in the pro versions that you can't live without or can't replace with a free alternative.

Note that this is not a detailed overview of all features, code speed or requirements. This is an analysis of the basic security settings and of how convenient they are to work with.

Limit login attempts

  • Wordfence Security

The option to enable authentication protection is called Enable login security. Unfortunately, the plugin is not translated into Russian.

At the bottom of the page there is a block of settings: the number of login attempts, the period over which attempts are counted, the lockout duration and a number of other options.

  • iThemes Security

The login protection module is located in the Local Brute Force Protection section. Users of this plugin are a little luckier with Russian localization.

Just below you can enable the network protection module, Network Brute Force Protection. To do this, you need to request an API key; the ban list will then automatically include addresses that have already tried to hack other people's sites.

  • Shield Security

Login protection is on the Login Protection tab. There is a Russian translation, and in general I want to note a very pleasant and logical interface.

You may also notice that here you can use reCAPTCHA, set up two-factor authentication, rename the login page wp-login.php, and even link a Yubikey.

  • All in One WP Security

The settings block for protection against brute force is located on the User Login page. There is no ready translation. The options are similar to those in the corresponding modules of the other plugins.

On adjacent tabs, you can view the event logs.

Firewall

  • Wordfence

The firewall is one of the main functional modules of the Wordfence plugin. There are two modes: Basic and Extended. The latter allows you to block some attacks even before WordPress starts, but it requires a deeper understanding of server settings.

In the free (community) version, blocking rules arrive 30 days after they were added to the pro version.

  • iThemes Security

There is no firewall in this plugin. Instead, iThemes recommends using the Sucuri Website Firewall service (paid).

  • Shield Security

You will not get lost in this plugin's settings: the Firewall tab is in a prominent place. In general, it is recommended to enable all options.

  • All in One WP Security

The blocking page looks bulky because the functionality is divided into tabs. Space is taken up by help text and protection-level icons (though it is unclear why the latter are needed). There are few options, and they can be turned on as needed.

Log of changes and actions

  • Wordfence

Automatic scanning can be enabled on the Options page under Enable automatic scheduled scans; do not forget to specify the email address just below (Where to email alerts).

Wordfence gives you a lot of control over what to scan, how and when to send the report.

  • iThemes Security

The monitoring functionality is in the File Change Detection block. Scanning happens in parts. You can exclude certain files, folders or file types.

On the Basic Settings tab you can also enable and configure notifications when hosts or users are blocked.

  • Shield Security

Change scanning and the activity log are configured in two sections: Hack Protection and Audit Trail.

The first module provides file integrity scanning and repair, as well as a scanner for unrecognized files.

The Audit Trail module tracks and sends a report on a variety of events in WordPress (plugin and theme related activity, actions in user accounts, editing and publishing posts, etc.).

  • All in One WP Security

The change tracking module is on the Scanner page. There you can scan manually or set up a schedule.

In conclusion, there are two winners in monitoring changes and logging actions: Wordfence and Shield Security, depending on the task.

It is worth noting that scanning the file system is a rather resource-intensive process, so it needs to be enabled and configured wisely.

Host Blocking

  • Wordfence

Wordfence provides a flexible tool for blocking users.

You can set a number of conditions for the blocking to occur.

You can block IP addresses manually, or use more advanced methods: block by range, by user agent, and so on. Country blocking is available in the premium version.

  • iThemes Security

The functionality is on the Blocked Users tab. You can enable a ban list from the HackRepair.com site and deny access to individual hosts or user agents.

  • Shield Security

The list is compiled automatically; its settings and activation are in the IP Manager module. There is no manual addition.

  • All in One WP Security

User IPs and user agents can be manually blocked on the Blacklist Manager page.

The winners in blocking are Wordfence, for the flexibility of configuring blocking conditions, and Shield Security, if you are willing to rely entirely on automatic blocking.

Final Plugin Comparison

Only the general basic functionality is considered. Of course, each protection plugin has a number of its own features: antispam, database backup, user settings, file and directory permissions, disabling unnecessary functionality, etc. But these are secondary, or they can be implemented with alternative solutions that are more flexible and focused.

My overall assessment comes from the functionality and usability of the following modules:

  • Login protection;
  • Change tracking/audit;
  • Host blocking.

In this review of the best WordPress security plugins, Wordfence definitely takes the lead, although its interface may seem confusing at first glance. The official website has good documentation (in English).

Shield Security was a pleasant surprise in this review: a Russified and clear interface, obviously aimed at users who are less experienced or do not want to delve into all the intricacies of security settings.

Of the two remaining plugins, I would definitely prefer iThemes Security, if only for a more logical and cleaner interface.

I cannot call All in One WP Security a bad plugin; it does its job. But it is not the leader of this four either. This is just an indicator that plugins with scalable premium functionality try harder to meet market requirements, and this, of course, affects the free versions.

The functionality of all these plugins is modular, i.e. if necessary, they can even be configured to work together. Or you can remove the excess and leave only what is necessary.

To do it wisely, security and its settings should be approached individually, depending on the purpose of the site, its technical implementation and the conditions of its operation.

Hi all! Safety and more safety! If you have previously read the article "" on my blog, then you are probably interested in additional security for your site. And in general, any adequate webmaster should love and protect his brainchild. In this article, I will talk about all the options of the All In One WP Security plugin and show you how to configure them properly.

Important

On my blog there is a series of lessons "". And if you have configured the security of the site, taking into account the recommendations of these lessons, then please note that the All In One WP Security plugin will duplicate the functions of other protection plugins. For example, functions:

  • IP blocking after invalid login attempts
  • captcha in comments
  • changing the login page in the admin panel, etc.

Therefore, either leave everything as it is and do not install the plugin, or, as you configure the All In One WP Security plugin, carefully check the protection features so that they are not duplicated by functions of already installed plugins. And if you see a duplicate, disable the duplicate plugin so that all All In One WP Security settings work correctly.

You may be asking me why, in the DIY blogging course, I recommended configuring WordPress security through code integration, separate plugins, and so on. It's about having an alternative. And by the way, in my measurements of loading speed and the overall performance of the site, I did not notice a difference between all the recommendations from the three parts of lesson 13 and the All In One WP Security plugin. There are individuals among you who will not take my word for it and will continue to integrate the code into the engine, bypassing "heavy plugins"; do as you see fit.

Plugin Installation

So let's get started. First, install the All In One WP Security plugin and activate it:

After that, the plugin menu will appear in the administrative panel of the site:

When you hover over it with the mouse cursor, a context menu pops up:

Control Panel

I think it's better to get acquainted with the control panel first. To get there, click on the plugin menu item in the admin panel, or hover over "WP Security" and click on "Control Panel". Next, you will see five tabs:

Control Panel Tab

Initially, we are in the "Control Panel" tab. Here you can see the blocks:

  • Active sessions
  • Maintenance mode
  • Last 5 logins
  • Blocked IP addresses

Security Level Meter

This block displays the current security level based on all plugin settings:

It is measured in points, which are added after activating a particular setting. The higher the current security score, the better. But I never managed to raise the security level to the maximum value of 505 points (plugin version at the time of writing: 4.3.2). This is due to features that are unnecessary for my blog and that I did not enable.

Diagram of the security of your site

This chart displays all current changes in settings:

These are statistics that allow you to quickly assess the state of the settings.

Block "Active sessions"

This block displays information about current sessions in the administrative panel of the site:

As a rule, the block displays a notification: "There are no active users now except you." Of course, if there are no other accounts with permission to work in the site admin panel, and in fact you see an unknown account in this block, then this is a hacker.

Maintenance mode

Very handy feature:

I do not argue that maintenance mode can be enabled by redirecting to a previously created page via .htaccess, but the plugin already has this option, and it makes life much easier during, for example, site maintenance. In addition, you can customize the maintenance page to your liking. To set up and turn on maintenance mode, click on the "on / off" button. After that, you get to the maintenance mode settings page. To enable the mode, check the box "Enable maintenance mode" and save the settings. Additionally, you can customize the displayed text, insert an image, and more; this is changed in the "Enter a message" block.

Last 5 logins

This block contains information about the dates and the last five IP addresses from which you logged into the site's administration area:

This information is useful not only for security purposes, but also for tracking sessions of other accounts.

Blocked IP addresses

This block displays IP addresses that have been blocked by the All In One WP Security plugin or by you manually:

There are no entries in the screenshot, but when IP addresses are blocked, entries will appear here.

Current status of the most important features

In this block, you can see the status of critical security measures:

As you can see, all the sliders are initially in the “OFF” position. I specifically created conditions with a banal “admin” login to tell and show how the minimum recommendations are implemented to ensure the protection of your site.

Administrators

The "Administrators" settings item is responsible for controlling the accounts of site administrators. Here you will see the following tabs:

WP Custom Name

The first tab "WP Custom Name" displays a list of administrators. You can also see a warning about logins that can be compromised here:

As you can see, the plugin considers the “admin” login unsafe, and suggests renaming it. Let's do that. To change the login, in the empty field "New administrator username" enter a new name, for example, another banal thing - "wpadmin". Then click on "Change username". Next, the system will automatically log out of the account for you to log in with the new administrator name. After that, you will be back in the "WP Custom Name" tab.

Now, pay attention to the block "Change the username of the Administrator", namely the points:

Congratulations, you are awarded 15 points out of 15 for completing one basic WordPress security recommendation.

Experienced webmasters are well aware that standard WordPress functionality cannot rename the administrator account, but with the All In One WP Security plugin you can. Anyone who has read the first part of the Configuring WordPress Security tutorial knows the difficulties that can be encountered when creating an administrator account with a new name and linking the mail from the old account to it.

Password

Now let's look inside the "Password" tab. In the "Check password strength" block, you can enter your Current Password and get the following information:

As you can see, a password-guessing bot launched from a regular computer would take a very, very long time to guess such a password, even if the plugin's protection is bypassed.

Display name

You are probably wondering why I skipped the Display Name tab. I left it for last. This item is mainly useful for very new WordPress users. Here you can see the number of points, as in each settings menu. And if the nickname matches the administrator's login, you will see a warning:

You can change your nickname by clicking on the admin login, or by hovering over "Users" in the menu of the administrative panel and clicking on the item "Your profile". If you have not taken my course on creating a blog, then first enter in the "Nickname (required)" field a visible author name for the articles that does not match the admin login. Next, in the "Display as" drop-down list, select the nickname you just entered. After that, save. Now, when you visit the "Administrators" settings menu of the All In One WP Security plugin, the "Display Name" tab will display the following:

Settings

General settings

By default, you are on the "General Settings" tab. The following useful features are available to you here:

  • creating a database backup
  • backing up the .htaccess file
  • backing up the wp-config.php file

There are also options to enable or disable the security feature and all firewall features of All In One WP Security. I always advise you to read the explanations of the options before changing the plugin settings, for example:

.htaccess and wp-config.php

Notice the ".htaccess File" and "wp-config.php File" tabs. In the settings of these tabs, you can create and restore backups of, you guessed it, .htaccess and wp-config.php. This is quite convenient and does not require an FTP client.

WP Version Info

For me, the more interesting tab is the next one, "WP Version Info". For those who don't know, let me explain. WordPress generates a meta tag with a content attribute whose value is the current version of the site engine. It's dangerous, extremely dangerous! Therefore, in the "Remove WP Generator Meta Data" section, check the box next to "Check this if you want to remove the version and meta info produced by WP from all pages" and click "Save Settings".
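For readers who prefer to see what this option does in code, here is an added example of the same hardening as a small must-use plugin. It is not the plugin's own code; it uses only core WordPress hooks (wp_head, the_generator, script_loader_src, style_loader_src), and the file name and plugin name are my choice.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not part of All In One WP Security)
 * Save as wp-content/mu-plugins/hide-wp-version.php; mu-plugins load automatically.
 */

// Stop the <meta name="generator" content="WordPress x.y.z"> tag from being printed in <head>.
remove_action('wp_head', 'wp_generator');

// Blank the generator string that feeds RSS/Atom feeds and get_the_generator().
add_filter('the_generator', '__return_empty_string');

/**
 * Core appends ?ver=x.y.z to every enqueued script and style; that query string
 * leaks the same version number as the meta tag, so strip it as well.
 */
function hide_wp_version_strip_ver(string $src): string
{
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'hide_wp_version_strip_ver');
add_filter('style_loader_src', 'hide_wp_version_strip_ver');
```

One design note: stripping the ver parameter also removes the cache-busting that plugins rely on when they ship a new asset version, so clear page and browser caches after updates. Neither this snippet nor the plugin option hides readme.html, which also states the version; that file is dealt with in the "Access to WP files" tab below.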

Import Export

The Import / Export tab is responsible for creating, so to speak, a settings template. By setting up the All In One WP Security plugin on one of your projects, you can transfer the settings to other sites. This is very convenient even if you have configured the plugin, exported the settings, but it suddenly became necessary to restore the site backup.

Advanced settings

The last tab, "Advanced Settings", is responsible for the method of obtaining the IP address of each visitor. If you do not know PHP at a fairly good level, and the $_SERVER superglobal array makes your eyes widen, then I ask you not to touch this tab.

Authorization

In this item of the All In One WP Security plugin settings, we see the following tabs:

Authorization blocking

In the description for this tab, you have probably already read the developers' note about brute force attacks. Next, tick the options next to the blocks:

  • Enable options to block authorization attempts
  • Allow requests to unblock (in case you blocked yourself)
  • Display authorization error messages (increases the chances of not blocking yourself)
  • Notify by Email (always be aware of failed login attempts, which allows you to immediately respond to possible hacking attempts)

We go down to the global block "Range of temporarily blocked IP addresses". Here you can go to the statistics of blocked addresses by clicking on "Locked IP Addresses".
In the "Login Lockdown IP Whitelist Settings" block, you can configure a list of whitelisted IP addresses, for example the address of your computer, to which the blocking settings will not be applied. To do this, check the checkbox in the "Enable Login Lockdown IP Whitelist" block to activate the setting, and enter your IP address in the "Enter IP addresses for the white list" block. Don't forget to save below. But I do not recommend setting up a whitelist. Attackers can spoof your IP address.

Failed login attempts

We move on. The "Incorrect authorization attempts" tab lists unsuccessful authorization attempts. This information is very useful for analysing login attempts. Those who care about these statistics can export them to a CSV file:

Automatic logout of users

The "Automatic logout of users" tab is no less important than the rest of the settings. Here you can enable logout of admin panel users after a specified period of inactivity, for example, 60 minutes:

Account activity log

Next, go to the "Account Activity Log". Here you can see the login and logout times for a specific user. Only 50 records are saved for all accounts. Information like this is useful for activity analysis:

You can also export this data to a CSV file.

Active sessions

The last tab, "Active sessions", displays in real time the accounts under which you are logged into the administrative part of the site:

User registration

In 99% of cases, the "User Registration" settings for a blog in the All In One WP Security plugin are skipped. But I will still talk about the options in the following tabs:

Manual confirmation

If your site allows registration, and the amount of spam left by registered users is a problem, then you should enable manual approval of new users in the "Manual confirmation" tab. This closes access to authorization until you manually confirm the user's registration. What does it basically do? As practice shows, on one of my projects there are individuals who first register with email addresses of the form [email protected], [email protected], [email protected], etc. Similar addresses are used for a new registration after I have banned that person's first account. And if I see that a similar spammer's address has recently caught my eye, then I refuse the registration. As a result, the spammer cannot log in and use the same address again to register, even though he did not have time to leave spam.

Therefore, if there is a need for additional moderation of users immediately after registration, you need to check the box in the "Activate manual approval of new registrations" block and save the settings.

CAPTCHA on registration

The next tab "CAPTCHA on registration" adds a captcha to the user registration page. Captcha can be activated by checking the box "Activate CAPTCHA on the registration page". I find this feature necessary and useful. Of course, if you have provided for the registration of new users.

Registration Honeypot

The "Registration Honeypot" tab is a very useful feature for blocking sophisticated registration bots. I advise you to enable this option in the "Enable Honeypot On Registration Page" block. Save.

Database protection

The Database Protection group of settings consists of two tabs:

Be extremely careful with the settings in the first tab "DB table prefix". It is necessary to immediately make a backup copy of the database in the "DB Backup" tab.

Database backup

Let's take a look at the "DB Backup" tab. To create a database backup, click on the "Backup Database Now" button. After successfully creating a backup, you will see the following information:

The screenshot shows the location of my database. You will have your own address.

In this tab you can also configure regular creation of database copies. To do this, check the box next to "Enable automatic backup creation". Additionally, you can configure how often to create copies, how many copies to store on the server, and whether to send copies by mail. Let's not forget to save.

DB table prefix

We return to the "DB table prefix" tab. If you have not changed the database prefix, then it has the value "wp_". This is what you will see a warning about:

To assign a different prefix to all tables in the database, you need to specify it in the field of the "Generate new database table prefix" block. Then click on "Change table prefix". If you don’t know much about what the prefix should be, then I advise you to check the box next to “Check so that the plugin itself generates a prefix with a length of 6 random characters”, and the field “Enter your own version of the prefix using Latin letters, numbers and underscore” leave empty.

File system protection

Now let's explore the "File System Protection" settings of the All In One WP Security plugin. This settings item consists of four tabs:

File access

By default, we are in the "File Access" tab. If you are in doubt about which CHMOD (permissions) to set on a particular folder on the server, then the All In One WP Security plugin will decide everything for you. Pay attention to the table in this tab. If the plugin has a comment regarding the current permissions, then you will see the inscription "Set recommended permissions" in the "Recommended action" column:

If there are no comments, then the inscription "Action is not required." To apply the recommended CHMOD settings, click on Set Recommended Permissions.

Editing PHP Files

This tab sets a ban on editing PHP files from the administrative environment. I advise you to check the box "Disable the ability to edit PHP files".

Access to WP files

Usually, right after installing WordPress, I delete files: readme.html, wp-config-sample.php, etc. But there are times when a sample of the same configuration file saves beginners. Therefore, I recommend checking the box "Prohibit access to information files created by default when installing WordPress."

System logs

This tab is designed for experienced webmasters. Otherwise, looking at the site's error log, you will not be able to figure out the essence of the problem.

WHOIS lookup

In my humble opinion, this is a great tool for getting at least some information about, for example, a blocked user. Naturally, you can use the WHOIS site, but why, if there is a WHOIS lookup in the All In One WP Security plugin.

Black list

The All In One WP Security plugin allows you to block not only by IP address, but also by user agent. User agents here include the various spiders/bots of search engines, analytics services, etc., which create excessive load on the server. This setting will be useful even if you do not want, for example, the Google bot to crawl your site. All settings specified in the "Black List" item are written to .htaccess.

Firewall

The Firewall setting consists of seven tabs:

So, let's start in order.

Before you start tweaking your .htaccess file using the All In One WP Security plugin, be sure to back up your .htaccess.

Basic firewall rules

If you do not use, for example, auto-posting plugins to social networks, then you can safely check the boxes everywhere and save the settings for this tab. But I advise you to include only the following items:

  • Activate Basic Firewall Features
  • Disable Pingback Functionality From XMLRPC
  • Block Access to debug.log File

I think everything is clear with the first setting, and the next two options are mandatory. "Disable Pingback Functionality From XMLRPC" disables pingback requests, for example from statistics services, but leaves requests to services allowed. The "Block Access to debug.log File" option disables access to the debug file, which may contain sensitive service information.
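The distinction the paragraph draws, switching off pingbacks while leaving the rest of XML-RPC usable, is worth seeing in code. The following is an added example of my own, not the plugin's implementation, written as a must-use plugin; it relies only on the core xmlrpc_methods, wp_headers and pings_open hooks, and the file name is my choice.

```php
<?php
/**
 * Plugin Name: Disable pingbacks only (added example, not part of All In One WP Security)
 * Save as wp-content/mu-plugins/disable-pingbacks.php. xmlrpc.php itself stays
 * reachable for mobile apps and posting tools; only the pingback methods go away.
 */

// Drop the two pingback methods from the XML-RPC method table, so a
// pingback.ping request receives "method not found" instead of being processed.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Treat every post as closed to pings, so incoming pingbacks are refused
// even where a method slips through.
add_filter('pings_open', '__return_false');
```

For debug.log the complementary step belongs in wp-config.php rather than a plugin: since WordPress 5.1 the WP_DEBUG_LOG constant accepts a file path, so the log can be written outside the web root, where no web-server rule is needed to keep it private.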

Additional firewall rules

In this tab, I advise you to enable all settings except "Disable the ability to browse directories". The fact is that the ban on browsing directories is set by the "AllowOverride" directive in the httpd.conf configuration file on the server. You can make such settings only if you have a VPS, VDS, rented or own server. Otherwise, leave this setting unchecked.

You can find out why each setting is needed by clicking on "+ More":

Basically, almost all the firewall settings provided in the All In One WP Security plugin are necessary to keep WordPress secure.

6G Blacklist Firewall Rules

The 6G firewall has nothing to do with mobile communications. This firewall provides protection against a host of malicious URL requests, bad bots, referrer spam and other attacks. Enabling the sixth-generation firewall rules will significantly reduce the load on the server, provided, of course, that such requests actually arrive. I recommend enabling the 6G and 5G protection.

Internet bots

The Internet Bots tab blocks malicious bots that masquerade as googlebot. I recommend enabling the "Block fake Googlebots" option. Other crawlers will not be blocked.

Prevent hotlinks

The "Prevent hotlinks" tab option must be activated. Enable the option and save. This will reduce the load on the server if links to your images are placed outside your site. This does not affect auto-posting to social networks and other places.

Detection 404

The penultimate tab, "Detection 404", must also be activated. Enable the "Enable 404 IP Detection and Lockout" option. This setting is responsible for blocking IP addresses from which many requests to non-existent pages are made in a short period of time. In most cases, this indicates a hacker attack looking for a vulnerable page. You can also optionally change the time for which the attacker's IP address will be banned. In the "404 error redirect URL" block, as a rule, the address of the site's main mirror is written automatically. I recommend not changing this address. The "Error Logs 404" table displays data on visits to non-existent pages. The log can be exported to a CSV file.
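The counting rule behind this 404 detection is the same one behind the login lockdown options earlier on the page: N events from one address within T seconds, then lock that address for L seconds. The following added example (my code, not the plugin's) implements that rule once and runs it over a constructed list of access-log style events; the class name, the thresholds and every IP address and timestamp are invented for the example.

```php
<?php
// Added example: sliding-window lockout counter, standalone PHP 8.

final class Lockout
{
    /** @var array<string, int[]> timestamps of recent events per IP */
    private array $events = [];
    /** @var array<string, int> IP => unix time at which its lock expires */
    private array $locked = [];

    public function __construct(
        private int $threshold,      // events that trigger a lock...
        private int $windowSeconds,  // ...when they fall within this many seconds
        private int $lockSeconds     // how long the resulting lock lasts
    ) {}

    /** Record one event for $ip at time $now; true if the IP is (now) locked out. */
    public function record(string $ip, int $now): bool
    {
        if ($this->isLocked($ip, $now)) {
            return true;
        }
        // Keep only events inside the window, then add this one.
        $cutoff = $now - $this->windowSeconds;
        $this->events[$ip] = array_values(array_filter(
            $this->events[$ip] ?? [],
            fn(int $t) => $t > $cutoff
        ));
        $this->events[$ip][] = $now;
        if (count($this->events[$ip]) >= $this->threshold) {
            $this->locked[$ip] = $now + $this->lockSeconds;
            unset($this->events[$ip]); // counting restarts after the lock expires
            return true;
        }
        return false;
    }

    public function isLocked(string $ip, int $now): bool
    {
        if (!isset($this->locked[$ip])) {
            return false;
        }
        if ($this->locked[$ip] <= $now) {
            unset($this->locked[$ip]); // lock has expired
            return false;
        }
        return true;
    }
}

// Constructed events in time order: [unix time, ip, HTTP status]. Not real traffic.
$t0 = 1700000000;
$requests = [
    [$t0 + 0,   '198.51.100.7', 404], [$t0 + 0,   '203.0.113.9', 404],
    [$t0 + 1,   '198.51.100.7', 404], [$t0 + 2,   '198.51.100.7', 404],
    [$t0 + 3,   '198.51.100.7', 404], [$t0 + 4,   '198.51.100.7', 404],
    [$t0 + 5,   '198.51.100.7', 200], [$t0 + 90,  '203.0.113.9', 404],
    [$t0 + 180, '203.0.113.9', 404],  [$t0 + 270, '203.0.113.9', 404],
    [$t0 + 360, '203.0.113.9', 404],
];

// Five "not found" responses within 60 s lock the address for one hour.
$notFound = new Lockout(threshold: 5, windowSeconds: 60, lockSeconds: 3600);
foreach ($requests as [$time, $ip, $status]) {
    if ($status === 404 && $notFound->record($ip, $time)) {
        echo "lock $ip at t+" . ($time - $t0) . "s\n";
    }
}
// The same class with, say, threshold 3 / window 300 s / lock 1800 s, fed with
// failed login events instead of 404s, is the login lockdown feature.
```

Running it locks 198.51.100.7 on its fifth 404 within five seconds, while 203.0.113.9, which produces one 404 every ninety seconds, never accumulates five inside the 60 second window and is left alone; that is the difference between a scanner probing for pages and a visitor following a few stale links. In a real deployment the two arrays would live in the database or a cache rather than in memory, since each PHP request starts fresh.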

Custom Rules

The last tab "Custom Rules" has the function of adding your custom rules to the .htaccess file. I advise you not to make anything of your own without understanding how the .htaccess settings work. Otherwise, the site may stop working.

Protection against brute force attacks

Brute force attacks are attacks that try logins and passwords until the correct combination is found. This group of settings has five tabs; let's start with the first one:

Rename login page

The "Rename login page" tab contains two parameters, of which in the first "Enable the option to rename the login page" you need to check the box, and in the second "Address (URL) of the login page" enter the address to enter the admin panel. The URL of the login page must be different from the default wp-admin, for example, thisismysite. Don't forget to save and remember the admin login address. In my example, it will be mysite.ru/thisismysite, where mysite.ru is the address of your site.

Brute force protection with cookies

Go to the "Protection against brute force attacks using cookies" tab. You can enable the option “My site has posts or pages that are closed by the built-in WordPress content password protection feature” in case you have password protected pages. I have these pages. Regarding the "This site has a theme or plugin that uses AJAX" option, most modern themes and plugins use AJAX technology. Therefore, I advise you to enable this option. I recommend not activating the “Activate protection against brute force attacks” setting in order to avoid blocking your IP address by the All In One WP Security plugin. The fact is that you can forget and clear the plugin cookies with the access key. And in order not to solve problems that could have been avoided, I recommend that you do not check this option, especially since the plugin itself warns and only on the second attempt makes it possible to activate these settings.

CAPTCHA for login

The Login CAPTCHA tab contains useful functions for additional protection of the login and password recovery pages. I recommend setting the checkboxes next to:

  • Enable CAPTCHA on login page
  • Activate the CAPTCHA form on the modified login page
  • Activate CAPTCHA on the "lost password" page

In the "Woocommerce Forms Captcha Settings" block, checkboxes are set only when using the plugin for the "Woocommerce" online store.

Whitelist for login

We move on to the "White list for login" tab. This parameter acts as an additional line of defense, blocking access to the login page for all IP addresses that are not in the whitelist. If you wish, you can enable this option. But, once again! If you have a dynamic IP address, or there is an urgent need to get into the admin panel, for example from a mobile connection, and the provider allocates you a different IP address, then you will have trouble.

Honeypot

The last tab, "Honeypot", in the "Protection against brute force attacks" settings group is responsible for blocking robots that try to fill in the authorization fields. As a rule, robots automatically fill in all the fields, and the "Honeypot" option gives the bot a field invisible to the user, which the bot fills in automatically. If this happens, the All In One WP Security plugin automatically blocks the bot. I recommend enabling the "Activate honey pot on the login page" option.
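To make the mechanism concrete, here is an added example of both halves of a login honeypot, the invisible field and the server-side check. It is my own illustration, not the plugin's code; the field name and the two sample submissions are constructed.

```php
<?php
// Added example: login-form honeypot, standalone PHP.

/**
 * Render the trap field. It is hidden with CSS rather than type="hidden": bots that
 * fill "every text input they find" are exactly what we want to catch, and
 * autocomplete is off so a real browser never pre-fills it for a human.
 */
function honeypot_field(string $name = 'website_url'): string
{
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $name . '">Leave this field empty</label>'
         . '<input type="text" id="' . $name . '" name="' . $name . '" tabindex="-1" autocomplete="off">'
         . '</div>';
}

/** Server side: a submission that puts anything in the trap field is treated as a bot. */
function honeypot_triggered(array $post, string $name = 'website_url'): bool
{
    return isset($post[$name]) && trim((string) $post[$name]) !== '';
}

// Constructed submissions (not real traffic). A browser sends the empty trap field;
// a form-filling bot populates it like any other text input.
$human = ['log' => 'wpadmin', 'pwd' => 'sample-password-1', 'website_url' => ''];
$bot   = ['log' => 'admin',   'pwd' => 'sample-password-2', 'website_url' => 'http://example.com'];

echo honeypot_field(), "\n";
foreach (['human' => $human, 'bot' => $bot] as $label => $submission) {
    echo $label, ': ', honeypot_triggered($submission) ? 'reject' : 'continue to password check', "\n";
}
```

Inside WordPress the two functions would hang off the core login_form action (to print the field) and the authenticate filter (to refuse the attempt before any password is checked). Two details matter for the check: reject before touching the password so a bot learns nothing about the account, and keep the rejection message generic so the trap field's name is not revealed.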

SPAM Protection

Let's move on to the next group of settings, "Protection from SPAM". Here we will consider four tabs:

Spam in comments

  • Activate CAPTCHA in comment forms
  • Block spam bots from commenting

Tracking IP addresses for comment spam

Another statistics tab, "Tracking IP addresses for comment spam". Undoubtedly, the options in this tab do good. I recommend checking the box next to the item "Enable automatic blocking of IP addresses for comment spam". Save.

Next, in the "Minimum number of comments considered as SPAM" field, set the value to 5. Pay attention to the "List of spammers' IP addresses" block, which is responsible for filtering comments. If you need to find IP addresses that have been spammed at least once, set the value to "1" and click on "Find IP Addresses". And if, for example, 3 times, then the value is "3", etc. I think you got the point. The results will be displayed in the "List of spammers IP addresses" table.

BuddyPress and BBPress

In the "BuddyPress" and "BBPress" tabs, you can enable a captcha in the registration form. BuddyPress and BBPress are plugins: BuddyPress helps build a social network powered by WordPress, and BBPress is a forum plugin. If you do not use these add-ons, the options in the corresponding tabs will be absent.

Scanner

The penultimate group of settings, "Scanner", is responsible for regularly scanning the site for malicious code and files. There are only two tabs here:

Track changes in files

In the first tab, "Tracking changes in files", you can scan the site immediately by clicking "Crawl now".

Understand one simple thing: no plugin can protect your site from expert hackers! That is why the All In One WP Security scanner is there to tell us, after a scan, whether there are traces of a hack. I recommend enabling the "Activate automatic scanning of file changes" option and setting the scan frequency to at least once every two days. How often you scan depends on the current load on your site. If the site's load time grows at peak traffic, consider changing your hosting plan or moving to a dedicated server so that the All In One WP Security scanner does not put excessive load on the server.

The "Ignore files of the following types" and "Ignore certain files and folders" fields are filled in according to your own needs. I also advise you to activate the "Send Email when a change is found" option so that you are always aware of any changes in the files. You can specify multiple email addresses. Save after configuring.
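A file-change scanner is a snapshot-and-compare job: hash every file under the site root, store the result, and on the next run report what was added, removed or modified, skipping the file types and folders you told it to ignore. As an added example (not the plugin's scanner), this Python script builds a constructed mini site tree in a temporary directory, takes a baseline, makes the kind of changes a compromise leaves behind, and produces the report that the email notification would carry. The ignore lists and file names are assumptions for the demo.

```python
"""File change detection by content hash (added example, not plugin code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root, ignore_exts=(".log",), ignore_folders=("cache",)):
    """Map each file's path (relative to root) to its SHA-256, skipping ignored types and folders."""
    root = Path(root)
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix in ignore_exts:
            continue
        rel = path.relative_to(root).as_posix()
        if any(part in ignore_folders for part in rel.split("/")[:-1]):
            continue
        hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_snapshots(old, new):
    """Report added, removed and modified files between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def has_changes(report):
    """True when anything at all differs; this is the condition for sending the email."""
    return any(report.values())


def demo():
    """Constructed site tree: take a baseline, mutate it, and diff like a scheduled scan would."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "wp-config.php").write_text("<?php // constructed baseline\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "index.php").write_text("<?php\n")
        (root / "wp-content" / "cache").mkdir()
        (root / "wp-content" / "cache" / "page.html").write_text("cached page")
        (root / "debug.log").write_text("noise")
        baseline = snapshot(root)

        # Changes that matter: an edited core file and a new file dropped into wp-content.
        (root / "wp-config.php").write_text("<?php // constructed, modified\n")
        (root / "wp-content" / "uploads.php").write_text("<?php\n")
        # Expected churn that the ignore lists filter out.
        (root / "debug.log").write_text("more noise")
        (root / "wp-content" / "cache" / "page.html").write_text("regenerated")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The ignore lists matter for exactly the reason the text gives: without them, log rotation and page caches would trigger a notification on every run, and the real alerts would drown in noise.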

Malware Scanning

The second tab, "Scanning for malware", is intended for registering with the plugin developers' site in order to have the site scanned regularly for a fee. This significantly reduces the load on the server during the scan. If you want to pay for it, that is your right, but I do not see much point in such a service for a blog.

Miscellaneous

The last group of settings "Miscellaneous" contains three tabs:

Copy protection

In the first tab "Copy protection" you can block the following functions:

The restrictions apply to all pages available to users. If you have a useful blog where people can learn a lot, a storehouse of knowledge, then I do not recommend enabling this feature. Personally, I find it inconvenient when I cannot copy a piece of text containing information that is important to me.

Frames

The Frames tab blocks the display of your site's content inside frame and iframe tags on other sites, which have been considered unsafe for years and are often abused. 1C-Bitrix, for example, blocks these tags by default.

Users enumeration

The last tab and the last All In One WP Security setting we will consider is "Users Enumeration". I recommend enabling the "Disable user enumeration" option to prevent bots from looking up information about users, who can be seen, for example, as commenters. This creates a kind of protective barrier for the site's users and thereby protects the administrator account too.
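User enumeration is the activity this setting switches off: WordPress answers a request for `?author=N` by redirecting to that author's archive, whose URL contains the username, and the REST API's `/wp-json/wp/v2/users` endpoint lists users, so bots simply walk the numbers. Whether or not you disable it, it is worth recognising the pattern in your access log. As an added example (not plugin code), this Python snippet parses constructed Apache-style log lines and flags the IPs that walked several author IDs or hit the users endpoint, while leaving alone a visitor who merely opened one author page.

```python
"""Detecting user-enumeration probes in an access log (added example)."""
import re
from collections import defaultdict

# Constructed log lines in Apache combined format, not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Oct/2023:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.5 - - [10/Oct/2023:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512
192.0.2.9 - - [10/Oct/2023:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
192.0.2.9 - - [10/Oct/2023:10:05:30 +0000] "GET /about/ HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse(line):
    """Split one log line into ip/method/path/status, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def enumeration_probes(log_text):
    """Per IP: the set of author IDs requested and whether the users REST endpoint was hit."""
    probes = defaultdict(lambda: {"author_ids": set(), "rest_users": False})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        m = AUTHOR_RE.search(rec["path"])
        if m:
            probes[rec["ip"]]["author_ids"].add(int(m.group(1)))
        if rec["path"].startswith("/wp-json/wp/v2/users"):
            probes[rec["ip"]]["rest_users"] = True
    return probes


def suspicious_ips(log_text, min_distinct_ids=3):
    """IPs that walked several author IDs or listed users; one author page is normal browsing."""
    return sorted(
        ip for ip, p in enumeration_probes(log_text).items()
        if len(p["author_ids"]) >= min_distinct_ids or p["rest_users"]
    )


if __name__ == "__main__":
    print(suspicious_ips(SAMPLE_LOG))
```

The threshold on distinct IDs is what separates a reader who clicked an author link from a scanner; tune it to your site, since a blog with a single author rarely sees legitimate requests for IDs above 1.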

This concludes the walkthrough of the All In One WP Security plugin. You have just read a huge article that is worth ten regular ones. I hope I explained everything in an accessible way. If you have any questions, feel free to ask them in the comments. Thank you for your attention.

Hi guys! When your site becomes a little better known and regular readers appear, it gives you great pleasure. Everything seems cool: the flow of money grows, you get a response from the audience, your recognition increases. But there is the other side of the coin: envious people and attention from ill-wishers.

To give you an idea of what I'm talking about: my blog has been hacked 2 times in the past week alone. Regular readers probably noticed. Guys, I strongly recommend that you read this tutorial and take the time to implement the tips I describe, in order to secure your site and save time, money and nerves.

All In One WP Security is the most essential security plugin for WordPress. It should be installed by everyone who owns a site on WordPress. Everyone without exception.

If my favorite all-in-one SEO tool for WordPress is Yoast SEO, then the WP Security plugin is its security equivalent. That is, just as Yoast SEO freed me from needing several SEO plugins, All In One WP Security lets you get rid of other plugins that only partially perform its functions. For example:

  • Login Lockdown;
  • WordPress Database Backup;
  • Anti-XSS attack;
  • and others like them.

Huge Pros of All In One WP Security Plugin:

  • free;
  • very easy to set up;
  • almost everything is translated into Russian, so it is clear what each setting does.

Configuring the All In One WP Security Plugin

Before starting work, be sure to make a backup copy (just in case) of the following:

  • the database;
  • the wp-config file;
  • the .htaccess file.

By the way, backup copies of these three can be made right in the same plugin; just go to WP Security - Settings in the admin panel:

Control Panel

There is a very cool informer that shows the level of security of your site:

This indicator helps you keep your finger on the pulse and understand what else needs to be done to improve security. I do not recommend doing everything just to achieve the maximum score. It can have bad consequences: your site may go down or misbehave.

Current status of the most important features. In this block you can activate the most essential security functionality (you can leave it alone for now; by the end of the settings in this lesson these parameters will be activated like this):

The remaining parameters in the Control Panel are of little interest; you can familiarize yourself with them out of curiosity (System Information, Blocked IP Addresses, AIOWPS).

Settings

General settings. Here you can create backup copies of the files I mentioned above. You can also disable the security and firewall features here if something stops working.

WP meta information. Click on the checkbox next to "Remove WP Generator Metadata" to hide the WordPress version:

"Import/Export" tab. Here you can export your settings so that later on another site you don’t waste time on settings and import all the necessary “checkmarks” in 2 clicks.

Administrators

WP custom name. Be sure (!) to change the administrator name if it is "admin". You have no idea how often passwords are guessed for the admin login. If, on top of that, the password is weak, your site can easily be hacked.

Display name. If there are accounts on your site that have the same username and display name, it is recommended to change the display name (nickname).

Password. A very interesting tab. Here you can find out how long it would take to guess your password automatically. Enter your password and you will be surprised how quickly it can be cracked. Requirements for a strong password:

  • the password must contain both uppercase and lowercase letters;
  • at least one digit is mandatory, but the password must not consist of digits only;
  • it is desirable to include a special character;
  • the password must be longer than 10 characters.

As a result, you should have the maximum degree of password security, something like this (the password below would take a home computer 57,337 years (!) to crack):
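The "years to crack" figure comes from a simple model: count how many candidate strings an attacker would have to try given the character classes and length, and divide by a guessing rate. As an added example (not the plugin's own calculation, whose rate and model are not published here), this Python snippet applies the four rules listed above and computes the worst-case brute-force time; the guessing rate of ten billion per second is an assumed figure for an offline attack, and the sample passwords are constructed. It also covers the "Password" tab of the third article below, which describes the same estimate.

```python
"""Password rule check and brute-force time estimate (added example, not plugin code)."""
import string

# Assumed offline guessing rate; a home computer trying hashes is slower, a GPU rig faster.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw):
    """Size of the alphabet an attacker must cover, based on the classes the password uses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def check_rules(pw):
    """Apply the four requirements from the text; return the ones the password fails."""
    failures = []
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        failures.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in pw) or pw.isdigit():
        failures.append("needs a digit but must not be digits only")
    if not any(c in string.punctuation for c in pw):
        failures.append("should contain a special character")
    if len(pw) <= 10:
        failures.append("must be longer than 10 characters")
    return failures


def years_to_crack(pw, rate=GUESSES_PER_SECOND):
    """Average brute-force time: half of all strings over the charset at this length."""
    n = charset_size(pw)
    if n == 0:
        return 0.0
    total_candidates = n ** len(pw)
    return (total_candidates / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("123456", "password", "Tr0ub4dor&3xample"):   # constructed samples
        print(pw, check_rules(pw), f"{years_to_crack(pw):.3g} years")
```

The model shows why the length rule carries the most weight: each extra character multiplies the work by the alphabet size, whereas adding a character class only adds to that base.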

Authorization

Be sure to enable this feature. If the password is entered incorrectly 3 times within 5 minutes (by default), the IP is blocked for 60 minutes (also by default). I do not recommend setting a longer block, otherwise you may find that the administrators themselves enter the login incorrectly 3 times, get blocked for 10 years and do not know what to do. We leave the default 60 minutes and don't worry about it.

I also recommend checking the "Immediately block invalid usernames" box. For example, if you changed the login from admin to krutysh, then anyone entering the login admin in the authorization form will have their IP address blocked immediately. "Notify by email" is up to you. I don't like extra mail, so I don't check this box.

My final settings for this tab look like this:

If you are curious, you can look at the list of blocked IPs, a link to the section is provided in the same tab below.

Invalid login attempts. Here you can see exactly which logins are being tried. In my case they are most often admin, root and font. The time of the attempts is also shown. Notice how often they try to get into the admin panel:

Automatic logout of users. I also recommend enabling this checkbox. It ends the session after a set number of minutes and logs the user out. I set 600 minutes:

The "Account activity log" and "Active sessions" tabs are for informational purposes only.

User Registration

Check the box next to "Activate manual approval of new registrations":

Yes, and you can tick the CAPTCHA when registering:

Of course, if other people cannot register on your site, the two options above are simply unnecessary; they make no difference either way. But if in doubt, it is better to check these boxes.

Database protection

Here, be careful with the "DB table prefix" tab. Before checking the box, be sure to back up your database (a link to create a database backup is provided right there). If you are afraid or in doubt, it is better to leave it unchecked:

Database backup. Here we do check the box, then select the backup frequency and the number of backups to keep. I, for example, have these numbers:

File system protection

File access. Here on the right you will see buttons; click them to change the file permissions. As a result, all rows should turn green:

Editing PHP files. If you do not edit your PHP files through the admin panel, check the box. I do not recommend editing files through the admin panel, if only because you cannot press Ctrl+Z if something goes wrong and revert the file to its original state:

Access to WP files. Put a tick:

System logs. We leave by default.

WHOIS lookup

You can enter an IP address or domain to look up its WHOIS record. Otherwise, there is nothing to configure here.

Black list

If you have no ill-wishers, you can skip this item. If some IP address keeps showing up in the comments, for example, you can enable the checkbox and blacklist that IP.

Firewall

Basic firewall rules. If you haven't backed up .htaccess up to this point, do it now. Then check the boxes next to all the items:

Additional firewall rules. Here we also turn on all the checkboxes:

UPDATE: I unchecked the "Additional character filtering" box lower down in this tab, because some comments did not go through and returned a 403 error. I would probably advise you to uncheck this box too, so that users do not have problems commenting.

5G firewall settings. We enable these too:

Internet bots. This may cause indexing problems, so I recommend not enabling this item.

Prevent hotlinks. We turn it on too.

Custom rules. You can add additional rules to the .htaccess file. We don't touch anything here.

Protection against brute force attacks

Rename the login page. Turn on. Change the login address to your own:

Protection against brute force attacks using cookies. I do not enable this feature so that there are no problems with logging in from different devices.

CAPTCHA for login. You can enable a CAPTCHA during authorization, but I do not:

Whitelist for login. Since I often access the site from different places, and therefore from different IPs, I do not enable this option:

Barrel with honey. An additional field is created that only robots can see, so a robot that fills in this field is redirected to its own address. Enable it:

SPAM Protection

CAPTCHA in the comment form. I don't enable it, because I don't like to complicate commenting, but I do recommend enabling the "Block spam bots from commenting" function:

IP address tracking for comment spam. Here you can look at the IPs that keep showing up as comment spammers and blacklist them.

BuddyPress. Adds a CAPTCHA on the BuddyPress registration form. I don't use it.

Track changes in files. I recommend enabling it, because it is often not entirely clear when sites are hacked, which file was changed, where to look for malicious code. And with the help of this function, you can track changes in the files of your site and quickly find the file that has changed recently.

Scanning for malware. This function is paid; it costs from $7 per month.

Maintenance mode

Allows you to "close" the site for a while to make some changes. Visitors will see a placeholder page saying that work is underway on the site. Useful when changing the design or checking that plugins work.

Miscellaneous

Text copy protection and more. Here I do not tick anywhere in the three tabs. I also recommend not to.

Results

After completing all these settings, you can go to the "Control Panel" and look at the security level indicator, you should get something like this:

Again, you do not need to thoughtlessly do everything to achieve the highest possible score. Do not needlessly harm your site, its performance and usability.

If you have any questions, write to me. Special thanks for retweets and reposts, for helping to get this important information to people.

WordPress is perhaps the most popular and at the same time one of the most frequently hacked platforms. For some reason, there is an opinion that if your site is not particularly interesting to anyone, it will not be hacked. Why would it be? In fact, literally every site (and not only on WordPress) faces the threat of hacking, so it is important to take care of protecting your pages. What can be done, or rather which plugins to install, is what I will talk about in this article.

These tips will be useful not only in working with WordPress, but also with any other CMS. They are basic, but, as practice shows, there are still people who do not know about them. Why do all this? To make life difficult for an attacker. Using the data that is set by default, a hacker can hack into your site, as well as your database, with relative ease. Therefore, you need to do the following.

1. Change the username from admin to something else.

To do this, you need to first create a new user as an administrator. You can do it here:

After creating the user, log in under that account and delete the "admin" account in the "All users" list. Try to make the new login something relatively complex, at least made up of a few words, for example vasyapupkin99. You can use your nickname, for example.

I won't write about the password; it's better to use the one that WordPress generates for you when creating the account rather than inventing your own (which will most likely be easier to guess).

2. Change database prefix from wp to another.

There are two ways to do this: either by editing the tables yourself in phpMyAdmin (or even just in the file manager), or through a plugin. I will briefly discuss both options.

Change via phpMyAdmin

I must say right away that this action requires attention to detail and some experience in phpMyAdmin.

First of all, create a database backup; it will let you restore the information if something goes wrong (or you edit something incorrectly).

Now go to the file manager and find the wp-config.php file; in it, find the line $table_prefix = "wp_";

"wp" should be changed to something less obviously related to WordPress and databases. You can even change it to an arbitrary set of letters and numbers (but you need to remember it or write it down).

Attention. It is best to make this change on a freshly installed WordPress. Already running sites contain more data, so more of it will have to be changed.

After that, go to phpMyAdmin (on Timeweb hosting this can be done directly from the control panel) and find the database of the site in question. All the tables in this database need to be renamed, replacing "wp_" with what you wrote in wp-config.php.

How to rename: select the table in the left column, click the "Operations" tab, then find the "Table options" block and the "Rename table to" line. Don't forget to click "Next" after making changes.

After that, look for the "…_options" table in the list. With it selected, click Browse; around the second page of its contents, in the "meta_key" column, you will see wp_user_roles. Change the "wp" prefix to the one you are now going to use. Save the change.

The next table to change is "…_usermeta": look through its contents in the same way and change all the old prefixes to the new one.

If, after editing, something starts working incorrectly or stops working altogether, check whether you made all the changes. As a last resort, restore the backup.
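The manual procedure above has three parts that must all happen for the site to keep working: rename every prefixed table, then fix the prefixed keys stored inside two of them (in WordPress's schema, wp_user_roles is in the options table's option_name column, and wp_capabilities, wp_user_level and similar are in usermeta's meta_key column). As an added example (not the page's or the plugin's code), this Python script performs the whole change on a constructed miniature database in SQLite, so it runs offline; SQLite's ALTER TABLE ... RENAME TO is used where MySQL would use RENAME TABLE, and the table list, row contents and new prefix are made up for the demo. A helper lists the remaining keys so you can confirm nothing with the old prefix was left behind, which is the check the text recommends doing in phpMyAdmin.

```python
"""Changing the WordPress table prefix end to end (added example on a constructed SQLite DB)."""
import sqlite3

CORE_TABLES = ["options", "usermeta", "users", "posts", "postmeta", "comments", "terms"]


def build_demo_db(prefix="wp_"):
    """Constructed miniature of a WordPress database using the real column names for the two tables that matter."""
    con = sqlite3.connect(":memory:")
    con.execute(f'CREATE TABLE "{prefix}options" (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT)')
    con.execute(f'CREATE TABLE "{prefix}usermeta" (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT)')
    for t in CORE_TABLES[2:]:
        con.execute(f'CREATE TABLE "{prefix}{t}" (id INTEGER PRIMARY KEY)')
    con.executemany(f'INSERT INTO "{prefix}options" (option_name, option_value) VALUES (?, ?)',
                    [(f"{prefix}user_roles", "a:5:{...}"), ("siteurl", "https://example.invalid")])
    con.executemany(f'INSERT INTO "{prefix}usermeta" (user_id, meta_key, meta_value) VALUES (?, ?, ?)',
                    [(1, f"{prefix}capabilities", "a:1:{...}"), (1, f"{prefix}user_level", "10"), (1, "nickname", "editor")])
    con.commit()
    return con


def rename_prefix(con, old, new):
    """Rename every table carrying the old prefix, then repair the prefixed keys inside options and usermeta."""
    names = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    statements = [f'ALTER TABLE "{n}" RENAME TO "{new}{n[len(old):]}"' for n in names if n.startswith(old)]
    for stmt in statements:
        con.execute(stmt)
    # Step the manual procedure describes for "_options" (user_roles) and "_usermeta" (capabilities, user_level ...):
    # replace the leading old prefix of each key with the new one, leaving unprefixed keys alone.
    for table, col in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        con.execute(f'UPDATE "{table}" SET {col} = ? || substr({col}, ?) WHERE substr({col}, 1, ?) = ?',
                    (new, len(old) + 1, len(old), old))
    con.commit()
    return statements


def table_names(con):
    return sorted(r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'"))


def all_keys(con, prefix):
    """Every option_name and meta_key in the renamed tables, for checking that no old-prefix key remains."""
    rows = con.execute(f'SELECT option_name FROM "{prefix}options" UNION ALL SELECT meta_key FROM "{prefix}usermeta"')
    return sorted(k for (k,) in rows)


if __name__ == "__main__":
    db = build_demo_db("wp_")
    for stmt in rename_prefix(db, "wp_", "x9k_"):
        print(stmt)
    print(table_names(db))
    print(all_keys(db, "x9k_"))
```

The key-repair step is the one people forget: with the tables renamed but wp_user_roles and wp_capabilities untouched, WordPress finds no roles for the new prefix and every account, including the administrator, loses its permissions.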

Change via plugin

This plugin needs no introduction, so I'll jump right into what needs to be done.

After installing and activating the plugin, go to the "Database Protection" section. There you will see the line "Generate a new database table prefix": enter the prefix you want to set (or check the box next to "Check to have the plugin generate a prefix of 6 random characters long") and click "Change table prefix". Below you will then see a report on the prefix change. To make sure the expected result was achieved, check in phpMyAdmin.

Let me remind you once again that this should be done on a new site without articles, because if the site already contains a lot of data, the plugin may not work correctly.

All In One WP Security & Firewall

Since we have already moved on to using this plugin, I will tell you about other things that can increase the protection of your site.

In the "Settings" section of the plugin, go to the "WP version info" tab and check the box next to "Remove WP Generator Meta Data". Since hackers often rely on the information contained in the meta data, it would be useful to remove this information from the page code.

By the way, if you still have not changed the administrator name (following the advice above), then you can do this through this plugin - in the "Administrators" tab. Just write a new username and log in to the panel again (the password remains the same).

Here you can also see the "CAPTCHA upon registration" tab; activate this item too.

Now go to the "Firewall" section; here we check the boxes in the "Basic firewall functions" block. The rest you can turn on or leave off as you wish.

"Protection against brute force attacks" section: enable the option to rename the login page and enter the desired address in the field below. It is important to understand that this address will now be used to enter the admin panel, so it is vital to remember it!

We are done with this plugin, let's move on to the next one.

AntiVirus

This plugin scans website files for malicious code. Using it is quite simple - after installation, go to its settings and click “Scan the theme templates now”, after that all your theme files will be scanned.

Here you can also set up a daily check with a report by email.

During the check, the plugin highlights code that it finds suspicious. You should still check all the flagged lines carefully; it is not always a virus. If you do not have programming skills, you can simply compare the found line with the same line in a copy of the theme on your computer or from the developer. If the entry is present in the original, there is nothing to fear.

Like other active plugins, AntiVirus loads the server (which means your site is slower), so it is better to use it from time to time than to keep it active all the time.

Wordfence Security

This plugin is similar in functionality to the previous one; they can be used in parallel without any harm. In the same way, install and activate it, go to the "Scan" tab and click the big blue "Start a Wordfence Scan" button. Some features are only available with paid (premium) accounts, but the basic functionality is also good. If everything is fine with your site, you will see the green message "Congratulations! No security problems were detected by Wordfence".

I will tell you about other plugins that can also be used to protect the site.

Sucuri Security

Generally, Sucuri is a company that specializes in website security, so they provide protection for any site (not just WordPress). The plugin from this serious company with an impressive reputation offers a wide range of functionality covering the full cycle of site protection, including preventing hacks and attacks on your site. You can use the free version, or buy a paid version for $16.66 per month: a rather large amount, but quite reasonable for such a range of protective tools.

To use the free version, after installation you will need to generate a free key (in the blue block at the top, click the "Generate API Key" button, check that the entered data is correct, and send the request).

iThemes Security

If Sucuri Security is the best paid security plugin, then iThemes Security is often called the best free plugin to install to secure your website. Moreover, now it has more than 800 thousand installations!

I won't write much about the functionality: like all the other plugins, iThemes Security aims to protect your site from most things that can threaten it, while also checking the site's current state. By the way, the plugin used to be called Better WP Security; perhaps someone remembers it by that name.

In general, talking about its functions, we can distinguish the following aspects of this plugin:

  • hiding and removing potentially vulnerable elements (discussed at the beginning of the article: changing the administrator login, the database prefix, and so on);
  • protection of the site from attacks (scanning for vulnerabilities, protection against brute force, encryption of the admin panel, and so on);
  • site monitoring (for sudden changes, blocking, and so on);
  • recovery (backup in case of an unforeseen situation).

Now let's move on to the actual use of this plugin.

Setting up iThemes Security

To begin with, it also has a PRO (that is, more advanced) paid version, so not all of the plugin's features are available in the free version (but there are still a lot of them).

After installation, activate the plugin and go to the "Settings" section. In the blue block at the top you can enable network brute-force protection (Network Brute Force Protection); to do this, request an API key, which will be added to the settings automatically (and also sent to your email).

Click "Security Check" (the upper-left block, or in the menu under "Settings") and click "Secure Site". After that, you will see a list of enabled modules.

The next block is "Basic settings" (to the right of "Security Check"). Since the plugin is almost completely translated, each item has its own explanation; I advise you to go over them all and see which are most relevant to you (even if you don't use them, you will at least know where everything is).

In "Away Mode" you can set the time when the admin panel will be unavailable. You don't have to use this on a regular basis, but it can serve as a safety net when you are away from your computer. You can set it up either on an ongoing basis (for example, every night) or once for a certain day and time period.

The "Blocked Users" block: everything is clear here; add everyone who needs to be blocked.

"Local Brute Force Protection": this block protects against hacking by brute-forcing passwords. You already have it enabled; you can leave the default settings.

"Database Backups": backup settings; in the free version this covers only the database.

"File Change Detection": an extremely useful feature that monitors all changes in the site files, so you can quickly spot activity that has suddenly appeared on the site. Be sure to turn it on.

"File Permissions": this block shows file access rights.

"Network Brute Force Protection": network protection against brute force means that if a hacker has tried to break into someone else's site, he will also be blocked from accessing your site, even if he has not yet launched an attack on it.

"SSL": you can configure the use of SSL in this plugin, but if your site is hosted by Timeweb, I advise you to use the settings in the site control panel instead.

"Strong Password Enforcement": if your site involves registration of other users (forum, blog, ...), this setting will be useful, as users will have to choose strong passwords for their accounts. In other cases, it can be left unused.

"System fine-tuning" and "Customizing WordPress": these additional settings further enhance the protection of your site. But there is one caveat: enabling some of them may affect the operation of other plugins. So do not select everything at once; turn on one item at a time and check that your site still works.

Finally, "WordPress Salts": this setting adds a secret key to the password, which is much harder to guess than the password alone. It is usually a random set of characters added during hashing. Use this setting ("Change WordPress Salts") periodically to change the salts.
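The practical effect of "Change WordPress Salts" is easy to see once you know where WordPress uses them: the secret keys and salts in wp-config.php key the HMAC that protects the login cookies, so rotating them makes every existing cookie fail verification and logs all users out. As an added example (not WordPress's or the plugin's code), this Python snippet models that with a simplified signed token: a random salt is generated, a token is minted and verified, and after the salt is rotated the same token is rejected. The token format and the expiry timestamps are constructed for the demo.

```python
"""Keyed login tokens and salt rotation (added example, simplified model)."""
import hashlib
import hmac
import secrets
import time


def generate_salt(nbytes=32):
    """A fresh random secret, like the values in wp-config.php."""
    return secrets.token_hex(nbytes)


def make_auth_token(username, expires_at, salt):
    """user|expiry|HMAC: the MAC binds the two fields to the current salt."""
    msg = f"{username}|{expires_at}".encode()
    mac = hmac.new(salt.encode(), msg, hashlib.sha256).hexdigest()
    return f"{username}|{expires_at}|{mac}"


def verify_auth_token(token, salt, now=None):
    """Return the username if the MAC matches this salt and the token has not expired, else None."""
    try:
        username, expires_str, mac = token.split("|")
        expires_at = int(expires_str)
    except ValueError:
        return None
    expected = hmac.new(salt.encode(), f"{username}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    if (now if now is not None else time.time()) >= expires_at:
        return None
    return username


def rotate_demo():
    """Mint a token under one salt, then check it before and after the salt is rotated."""
    old_salt, new_salt = generate_salt(), generate_salt()
    token = make_auth_token("editor", 2_000_000_000, old_salt)   # constructed far-future expiry
    check_time = 1_700_000_000                                   # constructed "now"
    return verify_auth_token(token, old_salt, check_time), verify_auth_token(token, new_salt, check_time)


if __name__ == "__main__":
    print(rotate_demo())   # ("editor", None): valid before rotation, rejected after
```

This is why the setting is a cheap response when you suspect a session was stolen: you do not need to find the bad cookie, because rotating the salts invalidates all of them at once, including your own.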

That covers the sections. The paid version has more of them, but these are enough to protect the site from many common types of hacking.

Conclusion

Plugins are an essential element of your site's security, but I want to remind you that they are not the only one. Don't forget to follow WordPress and plugin updates, change passwords regularly and make backups.

I have already reviewed the iThemes Security comprehensive blog protection plugin for WordPress, but I decided to test another one, All In One WP Security & Firewall. Which one to keep on your site is up to you. So, let's install it.

Go to the main page of the All In One WP Security & Firewall plugin. We see the following picture, and immediately the "Security Level Meter". My site scored 50 points out of a possible 470. Not much. Perhaps after configuring it the level will grow. But you should not strive for the highest possible score, as this can cause problems with the site. On the right we see the "Security diagram" of our site.

Settings

Administrators

WP custom name

During installation, WordPress automatically assigns the username "admin" to the administrator (unless you manually change it). Many hackers try to take advantage of this information by using a brute-force attack where they systematically guess a password using the word "admin" as a username. Therefore, it is recommended to change it to any other.

Display name

When you publish a post or reply to a comment, WordPress usually displays your "nickname". By default, the user's display name is identical to the account login. For security, it is recommended to change it so that no one can find out under which login you are authorized.

Password

A bad password is the most common vulnerability on most sites, and usually the first thing a hacker does to break into a site is try to guess the password. In this section you can check the strength of the password you use. If a hacker tries to guess your password, here you can estimate how long it would take.

Authorization

One of the most common methods hackers use to get into a website is a brute force attack, that is, many login attempts with guessed passwords. In addition to choosing strong passwords, it is very effective to monitor and block IP addresses involved in repeated failed logins within a short period, limiting the number of login attempts and the time window for them.

Authorization blocking

  • Enable options to block authorization attempts. We check the box.
  • Allow unlock requests. I don't quite understand what this feature does. I didn't turn it on.
  • Maximum number of login attempts. Set the maximum number of login attempts after which the IP address will be blocked. I left the default of three attempts.
  • Time limit for authorization attempts (minutes). The default is five minutes. The three attempts from the previous item result in a ban if they are made within the period specified here.
  • Blocking period (minutes). Specify how long IP addresses will be blocked.
  • Display authorization error messages. Check this option if you want an error message to be displayed on unsuccessful login attempts. I didn't enable it; there is no need to give an attacker information about errors.
  • Immediately block invalid usernames. I did not enable this option, because I could mistype my own login and be blocked for an hour. Others may make mistakes too.
  • Instantly Lockout Specific Usernames. Instant blocking of specific usernames. Most often, the logins "admin" and "administrator" are attacked, so if you do not use them, you can add them to the list.
  • Notify by Email. If your site has few visitors, you can check the box. Otherwise, you may be bombarded with notifications.
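The settings in this list, and the "Authorization" tab of the second article above (3 attempts within 5 minutes, a 60-minute block, instant lockout of usernames you do not use), describe one state machine: a sliding window of failed attempts per IP, a lockout timer, and a short list of usernames that trigger a lockout on the first try. As an added example (not the plugin's implementation), here it is in Python with the defaults from the text; the IP addresses, usernames and timestamps are constructed, and the "display error messages" option decides whether the reason for a failure is revealed.

```python
"""Failed-login lockout with a sliding window (added example, not plugin code)."""
from collections import defaultdict, deque


class LoginLockout:
    """Models the settings: max attempts per window, lockout period, instant-lockout usernames."""

    def __init__(self, max_attempts=3, window_minutes=5, lockout_minutes=60,
                 instant_lockout_usernames=("admin", "administrator"), show_errors=False):
        self.max_attempts = max_attempts
        self.window = window_minutes * 60
        self.lockout = lockout_minutes * 60
        self.instant = {u.lower() for u in instant_lockout_usernames}
        self.show_errors = show_errors
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
        self.locked_until = {}               # ip -> time the lockout expires
        self.log = []                        # (time, ip, username): the failed-attempts table

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout expired: clear it
            del self.locked_until[ip]
            return False
        return True

    def _lock(self, ip, now):
        self.locked_until[ip] = now + self.lockout
        self.failures[ip].clear()

    def attempt(self, ip, username, password_ok, now):
        """Returns "ok", "locked" (request rejected), or the message shown for a failed login."""
        if self.is_locked(ip, now):
            return "locked"
        if username.lower() in self.instant:          # "Instantly Lockout Specific Usernames"
            self.log.append((now, ip, username))
            self._lock(ip, now)
            return "locked"
        if password_ok:
            self.failures[ip].clear()
            return "ok"
        self.log.append((now, ip, username))
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._lock(ip, now)
            return "locked"
        return "invalid username or password" if self.show_errors else "login failed"


if __name__ == "__main__":
    lk = LoginLockout()
    for t in (0, 60, 120, 180):
        print(t, lk.attempt("203.0.113.5", "editor", False, t))   # third failure locks, fourth is rejected
    print(lk.attempt("192.0.2.9", "admin", False, 0))              # locked on the first try
```

Note how the window works: three failures spread over more than five minutes never lock the address, which is what keeps a forgetful administrator from locking themselves out while still stopping rapid guessing.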

This tab displays records of unsuccessful login attempts on your site. The information is useful if you need to investigate authorization attempts: it shows the IP range, username and ID (if available) and the time and date of the failed attempt.

Options for automatically delogging a user

Setting an administration session expiration time is an easy way to protect against unauthorized access to your site from your computer. This option allows you to set a time period after which the administrator session will expire and the user will have to log in again.

  • Enable auto logout. Check this option to automatically end a user's login session after a certain period of time. Check it if you need it; I think if you only log in from your home computer it is unnecessary.
  • Log out user via. The user will automatically be logged out after this period of time.

This shows administrator activity on your site. The information can come in handy if you are investigating user activity, as it shows the last 50 login events with username, IP address and login time.

All users currently logged in to your site. If you suspect there is an active user who shouldn't be there, you can block them by looking up their IP address in the list below and adding it to the blacklist.

User registration

Manual confirmation

If your site allows people to create their own accounts via the WordPress registration form, then you can keep SPAM and fake registrations to a minimum by manually confirming each registration. This feature automatically marks new registration accounts as "pending" until an administrator activates them. In this case, unwanted registrants cannot log in without your confirmation. You can see all recently registered accounts in the handy table below, and you can also activate, deactivate or delete multiple accounts at the same time.

  • Activate manual approval of new registrations. Check this box if you want all new accounts to be automatically created inactive and you can verify them manually.

CAPTCHA at registration

This function adds a CAPTCHA field to the WordPress registration page: users who attempt to register must answer a simple math question. If the answer is incorrect, the plugin prevents them from registering. Since I already have a Google CAPTCHA installed, I did not activate this function.

Database protection

Database backup

  • Enable automatic backups. Enable this checkbox to have the system automatically create scheduled database backups.
  • Backup frequency. Depends on how cautious you are and how often you update the site. I set a database copy once a week.
  • Number of backups to store. Specify in this field the number of backups that should be stored in the plugin's backup directory. I left the default value - two copies.
  • Send backup to email. Enable this checkbox if you want to receive a database backup to your Email. I recommend turning it on.

File system protection

File access

Read/write permission settings for WordPress files and folders, allowing you to control access to those files. At initial installation, WordPress automatically assigns reasonable access rights to its file system. However, sometimes people or plugins change the permissions on certain directories and files and thus lower the security level of the site by setting the wrong permissions. This option scans all important WordPress core directories and files and highlights any insecure settings.
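The scan described above, as an added example that is not the plugin's own code: it walks a WordPress-like tree and reports every directory or file whose mode grants more than the expected 755/644 (640 for wp-config.php; those thresholds are an assumption, the page does not state the plugin's exact ones). The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
import os
import stat
import tempfile

# Expected modes for a WordPress tree. Assumption: the plugin's exact thresholds are
# not stated on the page; these are the usual recommendations (dirs 755, files 644,
# wp-config.php no wider than 640).
EXPECTED = {"dir": 0o755, "file": 0o644, "wp-config.php": 0o640}

def audit_permissions(root):
    """Walk a WordPress tree and return (relative_path, actual_mode, expected_mode)
    for every entry whose mode grants bits beyond the expected mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if os.path.isdir(path):
                expected = EXPECTED["dir"]
            elif name == "wp-config.php":
                expected = EXPECTED["wp-config.php"]
            else:
                expected = EXPECTED["file"]
            # Any bit set in the actual mode but not in the expected one is an
            # over-grant, e.g. group-write 0o020 or world-write 0o002.
            if mode & ~expected:
                findings.append((os.path.relpath(path, root), mode, expected))
    return sorted(findings)

def build_sample_site():
    """Constructed throwaway tree mimicking a WordPress install, with three
    deliberately loose permissions (sample data, not a real site)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in [("wp-config.php", 0o644), ("index.php", 0o644),
                      ("wp-content/uploads/a.jpg", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w") as f:
            f.write("x")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root

if __name__ == "__main__":
    for rel, mode, expected in audit_permissions(build_sample_site()):
        print(f"{rel}: {mode:o} (expected {expected:o})")
```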

Editing PHP Files

By default, the WordPress admin panel allows you to edit the PHP files of plugins and themes. For a hacker who gains access to the admin console this is an immediate gift, since it gives him the ability to execute arbitrary code on your server.
This option disables the ability to edit files from the admin panel.

  • Disable the ability to edit PHP files. Check this box to disable editing PHP files from the WordPress admin panel.

In my opinion, this is not a very useful feature. After all, the same hacker can uncheck the box in the same plugin if he gets access to your administrator profile. As a result, you will be inconvenienced, because to insert the code of some counter, for example, you will have to go through the hosting.

Access to WP files

This option will deny access to files such as readme.html, license.txt and wp-config-sample.php, which are created during WordPress installation and carry no system load; restricting access to them lets you hide important information (such as the WordPress version) from hackers.

  • Deny access to information files created by default when installing WordPress. Check this checkbox.

System logs

Your server may periodically write error reports to special files called "error_log". Depending on the nature and cause of the error, your server may create multiple log files in different directories of your WordPress installation. By reviewing these logs from time to time, you will be aware of any major problems with your site and will be able to use this information to solve them.

WHOIS lookup

This feature allows you to get detailed information about an IP address or domain. It is handy, since you will be curious to find out who is behind the addresses of intruders, and there is no need to search the Internet for such services.

The Blacklist feature allows you to block certain IP addresses, ranges and user agents, denying access to the site to those users and bots that used these IP addresses for spamming or for other reasons. This feature is implemented by adding certain rules to the .htaccess file.

  • Maintain Black List. Check this box if you want to be able to ban specified IP addresses or user agents.
  • Enter IP addresses. Each address on a new line.
  • Enter user agent names. Write each user agent on a separate line.

To be able to enable this option and receive 15 security points, you must enter at least one IP address or user agent.
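How a blacklist of the kind described above is evaluated, as an added example (not the plugin's code): entries may be a single IP, a CIDR range or a trailing-wildcard form such as 203.0.113.*, and user agents match as case-insensitive substrings. The wildcard interpretation and the sample rules are assumptions made for the demonstration.

```python
import ipaddress

def parse_ip_entries(text):
    """Parse the plugin-style list, one entry per line: a single IP, a CIDR range,
    or a trailing-wildcard entry such as 203.0.113.* (assumption: the wildcard
    form covers the whole /8, /16 or /24 that the given octets define)."""
    networks = []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        if entry.endswith(".*"):
            octets = [o for o in entry.split(".") if o != "*"]
            entry = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def parse_ua_entries(text):
    """One user-agent marker per line, compared case-insensitively."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]

def is_blacklisted(ip, user_agent, ip_rules, ua_rules):
    """True if the client IP falls inside any listed range or its User-Agent
    contains any listed marker. A malformed IP is not matched by IP rules."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        addr = None
    if addr is not None and any(addr in net for net in ip_rules):
        return True
    ua = user_agent.lower()
    return any(marker in ua for marker in ua_rules)

# Constructed sample rules (documentation IP ranges, made-up crawler names).
IP_RULES = parse_ip_entries("198.51.100.23\n203.0.113.*\n192.0.2.0/25\n")
UA_RULES = parse_ua_entries("SemrushBot\nAhrefsBot\n")

if __name__ == "__main__":
    for ip, ua in [("203.0.113.77", "Mozilla/5.0"), ("192.0.2.200", "Mozilla/5.0"),
                   ("192.0.2.200", "Mozilla/5.0 (compatible; AhrefsBot/7.0)")]:
        print(ip, ua, "->", "blocked" if is_blacklisted(ip, ua, IP_RULES, UA_RULES) else "ok")
```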

Firewall

Basic firewall rules

The options on this tab allow you to apply some basic security rules to your site. This firewall functionality is achieved by adding some special directives to your .htaccess file. Enabling these options should not have any effect on the overall functionality of your site, but if you wish, you can create a backup of your .htaccess file before enabling these settings.

  • Activate Basic Firewall Features. Check this box to enable basic firewall functions on your site. I recommend enabling it.

This option will apply the following basic protection mechanisms to your site:

  1. Protect the .htaccess file from unauthorized access.
  2. Disable the server signature in responses to requests.
  3. Limit the size of uploaded files to 10 MB.
  4. Protect your wp-config.php file from unauthorized access.

The above functionality will be achieved by adding certain directives to the .htaccess file and should not affect the overall performance of your site. However, just to be on the safe side, it's a good idea to back up your .htaccess file first.

WordPress XMLRPC & Pingback Vulnerability Protection

  • Completely Block Access To XMLRPC. I recommend enabling it. One of my sites was overloaded with such requests, and the hosting provider bombarded me with complaints about server overload.

XML-RPC is needed by those who publish and edit entries on their blog from smartphones. If you don't need it, feel free to turn it off. Then an attacker will not be able to:

  1. Overload the server with requests and thereby disable it (DoS attack).
  2. Hack internal routers.
  3. Scan ports on the internal network to get information from various hosts on the server.

In addition to making your site more secure, this option can significantly reduce the load on your server, especially if your site receives a lot of unwanted traffic targeting the XML-RPC API.

  • Disable Pingback Functionality From XMLRPC. Check the box to enable pingback protection.

Block access to Debug Log File

  • Block Access to debug.log File. Blocks access to the debug log file. Check the box.

Additional firewall rules

In this tab, you can activate additional firewall settings to protect your site. These options are implemented by adding specific rules to your .htaccess file. Because of how they work, these rules can break the functionality of some plugins, so it is recommended to back up the .htaccess file before enabling them.

  • Viewing the contents of directories. Enable this checkbox to prevent browsing of directory listings on your site. For this feature to work, the "AllowOverride" directive must be enabled in your httpd.conf file. If you do not have access to the httpd.conf file, contact your hosting provider.
  • HTTP trace. Check this checkbox to protect against HTTP tracing. HTTP trace-based attacks (cross-site tracing, or XST) are used to extract information from the HTTP headers returned by the server and steal cookies and other information. This hacking technique is usually used in conjunction with cross-site scripting (XSS). This option is designed to protect against this type of attack.
  • Disable comments through proxy. Check this box to disable commenting through a proxy.
  • Prevent malicious strings in requests. This option is designed to protect against malicious code input during XSS attacks. WARNING: Some of the blocked strings may be used in some plugins or your theme, and therefore this option may break their functionality. BE SURE TO BACK UP YOUR .HTACCESS FILE.
  • Activate additional character filtering. This is additional character filtering to block malicious commands used in XSS (cross-site scripting) attacks. This option captures common malware samples and exploits and will return a 403 (Access Denied) error message to the attacker. WARNING: Some directives in these settings may break the functionality of the site (this depends on the hosting provider). BE SURE TO BACK UP YOUR .HTACCESS FILE.

6G Blacklist Firewall Rules

Enable these options if you want to:

  1. Block prohibited characters commonly used in hacker attacks.
  2. Block malicious URL-encoded strings such as ".css" etc.
  3. Protect against common malicious code patterns and specific exploits (command sequences that exploit known vulnerabilities) in URLs.
  4. Block forbidden characters in query parameters.

Enable 6G Firewall Protection. This option will enable 6G protection on your website.

Enable legacy 5G Firewall Protection. This option will enable 5G protection on your site.

Internet bots

  • Block fake Googlebots. Check this box if you want to block all fake Googlebots.

This function checks whether the User-Agent string contains "Googlebot". If so, it performs several tests to make sure that it is really a bot from Google, and only then allows the bot to continue. Treat this function with care so as not to get indexing problems in case of an error.
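The verification a fake-Googlebot check performs, as an added example (not the plugin's code): reverse-resolve the client IP, require the PTR name to be under googlebot.com or google.com, then forward-resolve that name and require it to return the same IP. DNS lookups are injected so the constructed sample records (documentation IP ranges) run offline; the live resolvers at the bottom are assumptions about how you would wire it to real DNS.

```python
import ipaddress
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def is_verified_googlebot(ip, reverse_lookup, forward_lookup):
    """Google's documented two-step check: the PTR name of the IP must be under
    googlebot.com or google.com, and that name must resolve back to the same IP.
    The lookup functions are injected so the logic can be exercised offline."""
    try:
        ipaddress.ip_address(ip)
        host = reverse_lookup(ip).rstrip(".")
    except (ValueError, OSError):          # malformed IP or no PTR record
        return False
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return ip in forward_lookup(host)  # forward-confirm the reverse DNS
    except OSError:
        return False

def classify_request(ip, user_agent, reverse_lookup, forward_lookup):
    """Mirror the plugin's decision: only requests whose User-Agent claims to be
    Googlebot are checked; a failed check is 'block', anything else 'allow'."""
    if "Googlebot" not in user_agent:
        return "allow"
    return "allow" if is_verified_googlebot(ip, reverse_lookup, forward_lookup) else "block"

# Constructed DNS data (documentation IP ranges): one genuine-looking crawler, one
# impostor whose PTR name merely contains "googlebot.com", and one whose PTR name is
# right but whose forward record points elsewhere.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "203.0.113.5": "crawl.googlebot.com.evil.example",
    "198.51.100.7": "crawl-192-0-2-10.googlebot.com",
}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"]}

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]

def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]

# Live resolvers for real use (network access required); assumed wiring.
def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def live_forward(host):
    return socket.gethostbyname_ex(host)[2]
```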

Prevent hotlinks

A hotlink is when someone displays on their site an image that actually resides on your site, using a direct link to the image on your server. Since the image shown on the other site is served from your site, this costs you speed and resources, because your server has to transfer the picture to everyone who sees it on the other site. This feature prevents direct hotlinking of images from your pages by adding a few directives to your .htaccess file.

  • Prevent image hotlinks. Check this box to prevent the use of images from this site on pages of other sites (hotlinks).

Detection 404

A 404 or "Page Not Found" error occurs when someone requests a page that is not on your site. Most 404 errors happen when the visitor mistyped the URL of a page or used an old link to a page that no longer exists. However, you may sometimes notice a large number of 404 errors in a row within a relatively short time from the same IP address, requesting page URLs that do not exist. Such behavior may mean that a hacker is trying to find some special page or URL with malicious intent.

  • Enable 404 IP Detection and Lockout. Check this box if you want to be able to ban the specified IP addresses.
  • Blocking period due to 404 errors (minutes). Specify the period of time for which IP addresses will be blocked.
  • Redirect URL on 404 error. The blocked visitor will automatically be redirected to the URL you specified.

You can block any IP addresses that are recorded in the "404 Error Logs" table below. To block an IP address, hover your mouse over the ID column and click on the Block Temporarily link for the corresponding IP address.
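Both signals described on this page, the burst of XML-RPC requests from one address (the server-overload case above) and the run of 404 errors from one address, can be spotted in the web server's access log. This added example (not the plugin's code) replays combined-format log lines and flags an IP once it exceeds either threshold inside a sliding window; the log lines, window and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" access log, simplified (assumption: adapt the pattern if
# your server adds fields).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_offenders(lines, window=timedelta(minutes=5), max_404=10, max_xmlrpc=20):
    """Replay log lines in order and return {ip: reason} for every IP that exceeds
    a threshold inside a sliding time window: too many 404s (probing for pages
    that do not exist) or too many POSTs to /xmlrpc.php (pingback/DoS abuse)."""
    hits = defaultdict(lambda: {"404": [], "xmlrpc": []})
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in offenders:
            continue
        if rec["status"] == 404:
            kind, limit = "404", max_404
        elif rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            kind, limit = "xmlrpc", max_xmlrpc
        else:
            continue
        recent = hits[rec["ip"]][kind]
        recent.append(rec["ts"])
        while recent and rec["ts"] - recent[0] > window:   # expire old hits
            recent.pop(0)
        if len(recent) > limit:
            offenders[rec["ip"]] = f"{len(recent)} {kind} hits within {window}"
    return offenders

def sample_log():
    """Constructed lines: a scanner requesting non-existent plugin files, a
    pingback flood against xmlrpc.php, and a normal visitor hitting one dead link."""
    fmt = '{ip} - - [01/May/2023:12:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {st} 512 "-" "ua"'
    lines = [fmt.format(ip="203.0.113.9", s=i, m="GET",
                        p=f"/wp-content/plugins/p{i}/readme.txt", st=404) for i in range(12)]
    lines += [fmt.format(ip="198.51.100.4", s=i, m="POST", p="/xmlrpc.php", st=200)
              for i in range(25)]
    lines.append(fmt.format(ip="192.0.2.77", s=30, m="GET", p="/old-page/", st=404))
    return lines
```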

Custom rules

Here you can add your own rules to the .htaccess file. We don't touch anything here.

Protection against brute force attacks

Rename login page

An effective measure to protect against password brute force is to change the address of the login page. Usually, in order to log in to WordPress, you type the site's base address, followed by wp-login.php (or wp-admin).

  • Enable option to rename login page. Check the box if you want to enable the login page rename feature.
  • Address (URL) of the login page. Specify the new path to the login page.

Brute force protection with cookies

  • Activate protection against brute force attacks. This feature will deny access to your login page to any user who does not have a special cookie in their browser.
  • Secret word. Enter a secret word consisting of alphanumeric characters (Latin letters) that will be difficult to guess. This word will be used to create a special URL for you to access the login page (see next paragraph).
  • Redirect URL. Enter the URL that a hacker will be redirected to when trying to access your login form. You can show your imagination and redirect hackers, for example, to the CIA or FSB website.
  • There are posts or pages on my site that are protected by the built-in WordPress content password protection feature. In case you are password protecting your posts and pages using the appropriate WordPress built-in feature, some additional directives need to be added to the .htaccess file. Enabling this option will add the necessary rules to the .htaccess file so that people trying to access these pages are not automatically blocked.
  • This site has a theme or plugin that uses AJAX. Check the box if your site uses AJAX functionality.

Captcha for login

This feature allows you to add a CAPTCHA field on the WordPress login page.

  • Enable CAPTCHA on login page. Check this checkbox to add a CAPTCHA on your site's login page.
  • Activate the CAPTCHA form on the modified login page. Check this box to add a CAPTCHA to the special login form generated by the wp_login_form() function.
  • Activate CAPTCHA on the "lost password" page. Check this box to add a CAPTCHA on the password recovery page.

Whitelist for login

The All In One WP Security whitelist feature allows you to restrict access to the WordPress login page to specific IP addresses or IP ranges. Add a list of whitelisted IP addresses or ranges. All other addresses will be blocked as soon as they try to open the login page.

Honey pot

This feature allows you to add a special, hidden "honeypot" field on the login page. It will only be visible to robots. Because robots usually fill in all the fields in the login form, they will also send some value in a special, hidden honey pot field. Therefore, if the plugin sees that this field has been filled in, the robot that tries to log in to your site will be redirected to its own address, namely http://127.0.0.1.

  • Activate honey pot on login page. Check this checkbox to enable the honey pot feature on the login page.

SPAM Protection

Spam in comments

  • Activate CAPTCHA in comment forms. Check this box to insert a CAPTCHA field into the comment form.
  • Block spam bots from commenting. Check this box to enable firewall rules to block comments from spambots. This function will create a firewall rule that will block attempts to write a comment if the request does not come from your domain page. An honest comment is always submitted by the person who fills out the comment form and clicks the submit button. In this case, the HTTP_REFERRER field always has a value that refers to your domain. A comment from a spam bot is sent immediately by a request to the comments.php file, which usually means that the HTTP_REFERRER field can be empty, or refers to someone else's domain. This feature checks and blocks comments that did not come from your domain. This greatly reduces the total number of SPAM and PHP requests to your server when processing spam requests.

Tracking IP addresses for comment spam

The Akismet plugin must be installed.

  • Enable Auto Block of SPAM Comment IPs. Enable this to automatically block the IP addresses from which spam comments come.
  • Minimum number of SPAM comments. Specify the minimum number of spam comments for one IP address after which it will be blocked.
  • Minimum number of spam comments per IP. This information can be useful in determining the IP addresses or IP ranges most commonly used by spammers. Analysis of this information will allow you to quickly determine which addresses or ranges should be blocked by adding them to the blacklist.

BuddyPress

This feature will add a simple math CAPTCHA to the BuddyPress signup form. Adding a CAPTCHA field to the registration form is an easy way to significantly reduce the number of spam registrations from robots, without changing the rules in the .htaccess file.

Scanner

  • Activate automatic scanning for file changes. Enable this checkbox to have the system automatically check for changes in files according to the settings below.
  • Scanning frequency. Specify the scan frequency.
  • Ignore files of the following types. First of all, enter image file types that can change frequently without compromising site security: jpg, jpeg, png, bmp.
  • Ignore certain files and folders. First of all, specify the cache folder.
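What such a file-change scan does under the hood, as an added example (not the plugin's code): hash every file in the site tree, skipping the ignored image extensions and the cache folder, store the baseline, and on the next run report files that appeared, disappeared or changed. The sample site it writes into a temporary directory, and the cache path it ignores, are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

IGNORED_EXT = {".jpg", ".jpeg", ".png", ".bmp"}   # the image types named above
IGNORED_DIRS = {"wp-content/cache"}              # assumed cache folder path

def snapshot(root, ignored_ext=IGNORED_EXT, ignored_dirs=IGNORED_DIRS):
    """Map relative path -> SHA-256 of every file under root, skipping the ignored
    extensions and directory prefixes (the plugin's two ignore lists)."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir

        def rel(name):
            return f"{rel_dir}/{name}" if rel_dir else name
        # prune ignored directories in place so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if rel(d) not in ignored_dirs]
        for name in filenames:
            if os.path.splitext(name)[1].lower() in ignored_ext:
                continue
            with open(os.path.join(dirpath, name), "rb") as f:
                result[rel(name)] = hashlib.sha256(f.read()).hexdigest()
    return result

def diff_snapshots(old, new):
    """What the scheduled scan would report: files that appeared, vanished or changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed site: take a baseline, then simulate an unexpected new PHP file,
    a modified core file, a replaced image and a cache write. Only the first two
    should be reported."""
    root = tempfile.mkdtemp()

    def write(rel_path, data):
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(data)

    write("index.php", "<?php // core")
    write("wp-content/uploads/logo.png", "png-v1")
    write("wp-content/cache/page.html", "cache-v1")
    baseline = snapshot(root)
    write("wp-content/uploads/unexpected.php", "<?php // not part of the install")
    write("index.php", "<?php // core, modified")
    write("wp-content/uploads/logo.png", "png-v2")
    write("wp-content/cache/page.html", "cache-v2")
    return diff_snapshots(baseline, snapshot(root))
```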

Maintenance mode

This option allows you to put your site into maintenance mode, making it impossible for visitors other than administrators to view the site. This can be very useful if you are tweaking something, changing the design, checking plugins, and so on.

Miscellaneous

  • Activate copy protection. Enable this option if you want to disable the right click, text selection and copy functions on the public pages of your site.
  • Activate iframe protection. Check this if you want to prevent other sites from displaying your content inside a frame or iframe.
  • Disable Users Enumeration. This feature prevents users/bots from retrieving user information via requests like "/?author=1". When enabled, this feature will return an error instead of providing user information.
