WordPress ships with some security features, but on its own they are not enough to protect a site from attackers. The good news is that there are a huge number of plugins available to keep a WordPress site secure and firewalled.
Here is another WordPress security and firewall plugin, All In One WP Security & Firewall. It makes it easy to set up and configure a more secure WordPress site. But I have found that many people using this plugin do not know how to configure it, and sometimes they break their site. Don't worry if you have already broken your site with this plugin: I can show you how to configure it without breaking your site's functionality, and how to back up the .htaccess file with this plugin.
All In One WP Security & Firewall Features
User Accounts Security
User Login Security
File System Security
htaccess and wp-config.php File Backup and Restore
Brute force login attack prevention
Comment SPAM Security
Front-end Text Copy Protection
Temporary Lockdown your site after security attack
Block access to license and readme files, and more.
How To Use It and Which Settings Give the Best Security
- Download the plugin from WordPress.org.
- Go to Plugins > Add New.
- Upload the downloaded All In One WP Security zip, or install it by searching for "All In One WP Security" on the Add New plugin page in the WP dashboard.
- Once the plugin is installed, activate it; a new sidebar tab, WP Security, appears as shown below.
Dashboard and Settings
The dashboard gives an outline of everything you have set up with this plugin, and it displays a security strength meter so you can see your site's score. Each feature you enable adds points and raises the overall site score. I am not saying you need a full score here; the basic settings that are enough for a WordPress site give a score of up to 380.
Some features I found were affecting my site's current functionality, so I disabled all of those; that is the reason my score is lower here.
Click on the Settings tab below Dashboard. The settings page has three major tabs: General Settings, where you can disable at once every security feature All In One WP Security has applied; the .htaccess File tab, where you can back up and restore your .htaccess file; and the wp-config.php File tab, which does the same for wp-config.php.
Don't forget to take a backup of your .htaccess file here, and take a backup of wp-config.php from its tab as well. Do this before you enable any firewall or login features, because those features work by rewriting .htaccess, and the backup is what you restore if a rule breaks the site.
Next is WP Meta Info. Enable this feature: by default WordPress adds a generator meta tag to every page that displays the WordPress version, and advertising the exact version is not good, since it tells an attacker which known vulnerabilities to try. Hiding it removes only one fingerprint (the version also leaks through readme.html, covered under WP Access below), so keep WordPress updated as well.
To verify, open view-source:http://www.yoursite.com/ and check whether this generator tag is present or not:
<meta name="generator" content="WordPress 3.9.1" />
Many WordPress installs, especially one-click installs from hosting providers, end up with "admin" as the administrator user name, which is the first name any brute-force attack will try. This page tells you whether you need to change your user name.
There is a sub tab here for Display Name; this should also differ from the login user name, because the display name is shown publicly as the author name on your posts, and if it equals the login name every post hands attackers a valid username. You can configure it from the WordPress profile page.
The final sub tab is the Password tab, which just shows how strong your password is. But this tool only rates password strength on length, not on the combination of alphanumeric characters, special characters and letters. This tool is a disappointment in the plugin. Hopefully it gets fixed soon. Whatever the meter says, use a long, unique password for every administrator account.
This is where attackers try to log in to your WordPress site by guessing passwords. You can configure login protection through the sub tabs on this page, described below.
Login Lockdown Configuration
Failed Login Reports
Here you can see the history of failed login attempts, with the IP address of each attempt and the details of the last login.
Force Logout User
This feature can be disabled, since it conflicts with the current version of WordPress: it forces users to log out, and due to some conflicts I had to restore my .htaccess via FTP after what it did. If you want to configure it, that is at your own risk, but make sure it does not conflict with any other functionality.
User Registration lets you disable automatic approval of users registering through the WordPress registration form. New accounts are put into pending status and you approve them manually, which helps reduce spam registrations.
You can also enable a CAPTCHA on the registration and login pages; it asks a simple mathematical question that a visitor must answer, which prevents most automated spam and bot registrations.
The WordPress database is the most important part of your site and needs to be secured, because it holds all of your site's information. Attackers may try SQL injection against your site, and changing the database table prefix from the default wp_ makes your table names harder to guess. Treat this as an extra obstacle rather than a fix for injection: the real defence is keeping WordPress, themes and plugins updated. You can change the DB prefix with this setting, and you can also back up your database here. Take a DB backup before changing the prefix, since the change renames every table in the database.
The WordPress file system is installed with restrictive permissions by default, but sometimes a plugin modifies them. Here you can see the current status of each directory and apply the recommended action specified on the file permissions page.
The permission shown, e.g. 0755, can be changed for each directory; directories are commonly set to 0755 and files to 0644, and wp-config.php should be locked down further (for example 0640 or 0600) since it holds the database credentials.
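To do the same check from a shell (useful when the dashboard is locked, or before trusting what a plugin reports), here is an added example; it is not code from the page or from the plugin. It builds a constructed, throwaway WordPress-like directory, counts anything world-writable, and then applies the usual baseline of 0755 for directories, 0644 for files and 0640 for wp-config.php; the paths and modes are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page or the plugin): audit and fix WordPress
# file permissions from a shell. Assumes a POSIX shell with find/chmod/mkdir;
# the directory layout below is a constructed stand-in for a real site root.
set -eu

# Build a throwaway WordPress-like tree with the kind of loose permissions a
# plugin or a careless FTP upload can leave behind (constructed sample data).
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
  printf '<?php // constructed\n' > "$root/wp-config.php"
  printf '<?php // constructed\n' > "$root/wp-content/plugins/demo/demo.php"
  printf 'x' > "$root/wp-content/uploads/a.jpg"
  chmod 0777 "$root/wp-content/uploads"                 # world-writable dir
  chmod 0666 "$root/wp-content/plugins/demo/demo.php"   # world-writable PHP
  chmod 0644 "$root/wp-config.php"                      # readable by everyone
  printf '%s\n' "$root"
}

# Count paths any local user could write to (what the plugin's
# "recommended action" column is really complaining about).
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Report whether wp-config.php is readable by "other" (1 = exposed, 0 = ok).
wpconfig_world_readable() {
  if [ -n "$(find "$1" -maxdepth 1 -name wp-config.php -perm -004)" ]; then
    echo 1
  else
    echo 0
  fi
}

# Apply the usual WordPress baseline: directories 0755, files 0644, and
# wp-config.php 0640 so other local accounts cannot read the DB credentials.
fix_permissions() {
  find "$1" -type d -exec chmod 0755 {} +
  find "$1" -type f -exec chmod 0644 {} +
  chmod 0640 "$1/wp-config.php"
}

SITE=$(make_sample_site)
echo "world-writable paths before: $(count_world_writable "$SITE")"
echo "wp-config.php world-readable: $(wpconfig_world_readable "$SITE")"
fix_permissions "$SITE"
echo "world-writable paths after:  $(count_world_writable "$SITE")"
echo "wp-config.php world-readable: $(wpconfig_world_readable "$SITE")"
```

Run the audit part against your real document root first and read the list before running the fix: a directory that a plugin legitimately needs to write to (uploads, cache) must stay writable by the web server user, which is a question of ownership, not of making it world-writable.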
PHP File Editing: as you probably know, you can edit your theme's PHP files from Appearance > Editor. This feature disables that editor, so those files can no longer be edited from the dashboard, which means a stolen admin login cannot be used to drop PHP into your theme from the browser. However, if you are using Yoast SEO, leave this feature off, since it also stops Yoast editing .htaccess, robots.txt and meta information.
WP Access: you should stop others accessing your readme.html and license files; readme.html in particular reveals the WordPress version. This feature gives you control over access to the readme and license files.
WP Host Logs: enabling the host error logs helps you find out what went wrong on your WordPress site.
Before applying any of the settings under firewall protection, make a backup of your .htaccess, because the firewall rules are written into it. If you use the native WordPress comment system, enable the spam filters; skip them if you use another comment system such as Disqus or CommentLuv, since those have their own spam protection.
5G Firewall/Blacklist Rule: enable the 5G firewall/blacklist rule, which provides the following:
1) Block forbidden characters commonly used in exploit attempts.
2) Block malicious encoded URL characters such as the ".css(" string.
3) Guard against common patterns and specific exploits in the root portion of targeted URLs.
4) Stop attackers from manipulating query strings by disallowing illicit characters.
These are pattern-matching rules in .htaccess, so they can also block legitimate requests that happen to match; after enabling them, test your site's forms, search and admin pages, and keep the .htaccess backup handy.
Internet Bots: some bad bots crawl your site to achieve their own ends. Not all bots are good like Google, Bing and Yahoo, and some bots impersonate Googlebot. This feature blocks those fake Googlebots by checking whether a request claiming to be Googlebot really originates from Google, so it does not affect the real major bots like Google, Bing and Yahoo.
Hotlinks: you can prevent others from hotlinking your images, that is, using your image URLs directly on their site, which consumes your server's bandwidth. But if you hand out embed code for infographics, do not use this feature; or, if you enable it anyway, encourage others to simply put a credit link to your site instead.
404 Detection: for sinister reasons a hacker may probe your site for pages and files that might exist, which shows up as continual 404 errors from the same IP. This feature can lock out that IP and redirect it to another URL.
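Here is an added example, written for this page and not taken from the plugin, of what the Failed Login Reports, login lockdown and 404 detection features are doing behind the scenes: it counts, per source IP, failed wp-login.php POSTs (WordPress answers a failed login with 200 and a successful one with a 302 redirect) and 404 responses in an Apache access log, and emits an Apache 2.4 .htaccess fragment locking out the offenders. The thresholds and the log lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or the plugin: reproduce the two
# lock-out heuristics (repeated failed logins, repeated 404s from one IP)
# over an Apache combined-format access log. Thresholds and log lines are
# assumptions/constructed samples; a real run would read the live log.
set -eu

FAIL_LIMIT=3        # failed wp-login.php POSTs before lock-out (assumed)
NOTFOUND_LIMIT=5    # 404s from one IP before lock-out (assumed)

# Constructed sample log. A failed WordPress login is a POST to wp-login.php
# answered with 200 (the form is re-rendered); a successful one is a 302.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.5 - - [01/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [01/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [01/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
203.0.113.5 - - [01/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.7 - - [01/May/2024:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:05:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:06:00 +0000] "GET /old-post/ HTTP/1.1" 404 1812 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2024:10:07:01 +0000] "GET /backup.zip HTTP/1.1" 404 1812 "-" "-"
192.0.2.9 - - [01/May/2024:10:07:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 1812 "-" "-"
192.0.2.9 - - [01/May/2024:10:07:03 +0000] "GET /.env HTTP/1.1" 404 1812 "-" "-"
192.0.2.9 - - [01/May/2024:10:07:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 1812 "-" "-"
192.0.2.9 - - [01/May/2024:10:07:05 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 1812 "-" "-"
192.0.2.9 - - [01/May/2024:10:07:06 +0000] "GET /admin/ HTTP/1.1" 404 1812 "-" "-"
EOF

# Print, sorted, the IPs that produced at least $2 lines matching regex $3
# in log file $1. awk's "for (ip in hits)" order is unspecified, hence sort.
offenders() {
  awk -v limit="$2" -v re="$3" '
    $0 ~ re { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) print ip }' "$1" | sort
}

# Failed logins: POST to wp-login.php answered with 200 (302 means success).
login_bruteforce_ips() { offenders "$1" "$FAIL_LIMIT" '"POST /wp-login[.]php [^"]*" 200 '; }

# 404 scanners: many not-found responses from one address.
notfound_scanner_ips() { offenders "$1" "$NOTFOUND_LIMIT" '" 404 '; }

# Emit an Apache 2.4 .htaccess fragment locking the offenders out, the same
# effect the plugin gets by rewriting .htaccess.
lockout_rules() {
  ips=$( { login_bruteforce_ips "$1"; notfound_scanner_ips "$1"; } | sort -u )
  echo "<RequireAll>"
  echo "    Require all granted"
  for ip in $ips; do
    echo "    Require not ip $ip"
  done
  echo "</RequireAll>"
}

echo "login brute-force sources: $(login_bruteforce_ips "$LOG")"
echo "404 scanner sources:       $(notfound_scanner_ips "$LOG")"
lockout_rules "$LOG"
```

Note that the genuine user at 198.51.100.7, who mistyped a password once and hit one dead link, is not locked out, while both the password-guessing script and the file-probing scanner are. The same logic is why a login page that has been broken into a 404 will lock out the site owner after a couple of reloads, and why the lockout fragment is precisely the kind of .htaccess change you want a backup taken before.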
Brute Force:
This is one of the great features, but it can also break your site if you configure it without understanding it. There is an option to change your login page name; you should change it, since the default login page is yoursitename.com/wp-admin and every attack script knows it. But if you rename the login page in the first tab (Rename Login Page) and then also enable the cookie-based brute force prevention in the second tab, which gives you its own login URL, the two conflict: the login page returns a 404, and after trying that 404 page more than once your IP gets locked out.
To avoid this cookie-based brute force confusion, do not enable Force Logout as well, remember the URL the cookie-based brute force settings give you, and do not also rename your login page, so that you avoid the 404 error.
If anything goes wrong, read how to restore .htaccess here. Must Read: Resolve WordPress Login Page locked by All in one WP Security plugin
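Since the Settings tab's backup buttons, the firewall section and the brute force section all come down to having a good copy of .htaccess (and wp-config.php) to put back, here is an added example of doing that from a shell, for the case where you are locked out of the dashboard and only have FTP or SSH. It is not code from the page or the plugin; the paths are assumptions and the sample site is constructed. It takes timestamped copies outside the web root, checks that a restored .htaccess has balanced <IfModule> blocks (an unclosed one makes Apache answer 500 for the whole site), and rolls back.

```shell
#!/bin/sh
# Added example (not from the page or the plugin): timestamped backup and
# restore of .htaccess and wp-config.php from a shell. Paths are assumptions;
# the sample site below is constructed.
set -eu

# Back up the two files the plugin rewrites, into a directory outside the web
# root so the copies are never served (a .htaccess.bak inside the web root is
# readable by anyone once the rules that protected it are the broken ones).
backup_wp_files() {           # $1 = WordPress root, $2 = backup directory
  stamp=$(date +%Y%m%d%H%M%S)
  mkdir -p "$2"
  for f in .htaccess wp-config.php; do
    if [ -f "$1/$f" ]; then
      cp -p "$1/$f" "$2/$f.$stamp"
      chmod 0600 "$2/$f.$stamp"   # wp-config.php holds the DB password
    fi
  done
  printf '%s\n' "$stamp"
}

# Restore one file from a given backup stamp (cp -p keeps owner and mode).
restore_wp_file() {           # $1 = root, $2 = backup dir, $3 = file, $4 = stamp
  [ -f "$2/$3.$4" ] || { echo "no backup $2/$3.$4" >&2; return 1; }
  cp -p "$2/$3.$4" "$1/$3"
}

# Sanity check for a .htaccess: every <IfModule> opened must be closed, or
# Apache returns 500 for every request on the site.
htaccess_balanced() {
  opens=$(grep -c '^[[:space:]]*<IfModule' "$1" || true)
  closes=$(grep -c '^[[:space:]]*</IfModule>' "$1" || true)
  [ "$opens" = "$closes" ]
}

# Constructed sample site: the stock WordPress .htaccess plus a config file.
SITE=$(mktemp -d)
BAK=$(mktemp -d)
cat > "$SITE/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
printf "<?php define('DB_PASSWORD', 'constructed');\n" > "$SITE/wp-config.php"

STAMP=$(backup_wp_files "$SITE" "$BAK")
echo "backed up with stamp $STAMP"

# Simulate a plugin rewrite that left an unclosed block (the kind of breakage
# this article is about), detect it, and roll back to the backup.
printf '<IfModule mod_rewrite.c>\nRewriteRule ^wp-login.php - [F]\n' >> "$SITE/.htaccess"
htaccess_balanced "$SITE/.htaccess" || echo ".htaccess is broken, restoring"
restore_wp_file "$SITE" "$BAK" .htaccess "$STAMP"
htaccess_balanced "$SITE/.htaccess" && echo ".htaccess restored OK"
```

The balance check only catches the most common way a rewrite goes wrong; if the site still answers 500 after a restore, the Apache error log (the WP Host Logs setting above) will name the offending line.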
Comment Spam Prevention: as described above, enable this only if you are using native WordPress commenting. Basically the native comment system is already capable of fighting spam when configured with Jetpack, so hopefully there is no need to enable this feature.
Scanner: there is an additional scanner that scans your site at a set interval and reports when it finds malicious changes. Scanning with a standalone plugin like this is not worth much; it is a disappointment in this plugin, but the other features make it worthwhile.
Maintenance: there is an additional feature to put your site into maintenance mode for a while, which is good when you are doing maintenance work on your site.
Miscellaneous: you can disable right-click on your site to protect copyrighted information with this feature. Keep in mind that this is a front-end JavaScript deterrent only: anyone can still read the page source or turn off scripts, so it is not a security control.
There are a lot of security plugins, and All In One WP Security comes with everything from basic to advanced security features, which is great. Though it has some conflicts, it works well with most themes, and frankly it does a good job of improving your site's security.