If you keep WordPress, your plugins and your themes up to date, there is a good chance that you are not going to have a problem, but you still need extra layers of security that give hackers more and more trouble when they try to break into your blog. You need a security plugin that will help protect your site from hackers.
I have done a little research on WordPress security plugins and I have discovered a powerful security plugin that can help protect your site from hackers, called “All In One WP Security and Firewall”. To install this plugin on your website, you need to:
- Login to your WordPress dashboard, which is http://www.yourwebsitename.com/wp-admin.
- Scroll down to plugins and click add new.
- At the right-hand side there is a search box; search for “All in one security”.
- After that, you will see a plugin named “All In One WP Security and firewall”. Install and activate it.
After activating the plugin you will find a new item in your admin dashboard menu, under Settings, called WP SECURITY. Click on it and you will see 15 sub menus under it; I am going to explain them one after the other.
You will see a Security strength meter and if you look at the bottom of it, it shows how many points you have achieved with the WP SECURITY plugin securing your blog. The total score the WP SECURITY plugin can give your website is 470 points, and the score your site currently gets is 50 points, which means there are a lot of things we need to do in order to secure your blog from hackers.
Beside your Security strength meter, you will see a circle that looks like a pie chart, called the security points breakdown. It shows you what to fix on your site to secure it and increase your default score of 50. Below is the second sub menu of your WP SECURITY plugin.
There are five different tabs in this menu: General settings, .htaccess file, wp-config.php file, WP meta info, and Import and export.
The WP Security plugin allows you to back up your database, your .htaccess file and your wp-config.php file before you use the rest of this plugin. If your website breaks while you are using this plugin, you can simply revert to the backup. I recommend that you back up these essential files before you use this plugin.
.htaccess file and wp-config.php file
Here you can back up your .htaccess and wp-config.php files by making a copy of each and saving it to your computer.
WP meta info
WordPress automatically adds meta information about the WordPress version you are using, located in the head tag of every page of your site. This meta tag looks like <meta name="generator" content="WordPress 4.8" />. It helps hackers to know whether we are running an old WordPress version. Scroll down, check the box to remove the meta information from all pages, and click on save settings.
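A quick way to confirm the setting took effect is to fetch your own home page and look for the generator tag. The following Python script is an added example, not code from the post or from the plugin; it parses constructed sample HTML (a head with and without the tag) and reports the version the page advertises.

```python
# Added example (not from the original post or the plugin): detect whether a page
# still carries the WordPress generator meta tag described above.
from html.parser import HTMLParser


class GeneratorFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def wordpress_version_leak(html):
    """Return the WordPress version the page advertises, or None if no generator tag is present."""
    parser = GeneratorFinder()
    parser.feed(html)
    for content in parser.generators:
        if content.lower().startswith("wordpress"):
            parts = content.split(None, 1)
            return parts[1] if len(parts) > 1 else ""
    return None


# Constructed sample pages: the head before the setting is applied, and after.
BEFORE = '<html><head><meta name="generator" content="WordPress 4.8" /></head><body></body></html>'
AFTER = '<html><head><title>Blog</title></head><body></body></html>'

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        leak = wordpress_version_leak(page)
        print(label + ":", "leaks WordPress " + leak if leak else "no generator tag")
```

To run it against your real site, replace the constructed `BEFORE` string with the HTML of your home page; after saving the WP meta info setting the function should return None.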
Import / Export
This plugin allows you to import your WP SECURITY settings by uploading a settings file, and to export your WP SECURITY settings so that you can use them on other blogs running WP Security or keep them as a backup of your settings.
By default, the WordPress administrator name is “admin” after WordPress installation. Changing your WordPress administrator name from “admin” is the best thing you can do, because a lot of hackers take advantage of this by using a “brute force login attack” in which they try to guess the password using “admin” as the username. If you haven’t changed your WordPress default login name, I suggest you do that in the WP username tab of the user account sub menu in your WP Security plugin.
When you post or reply to a comment on your blog, WordPress displays your nickname, which by default is the same as your login name. For security purposes, using your username as your nickname is very bad because you are giving hackers more information about your site. In order to protect your website, you are advised to change your nickname and display name so that they differ from your username. If you haven’t done that, I suggest you follow the i
This feature allows you to test a password of your choice and tells you how strong it is. Remember that the longer and more complex your password is, the harder it is for hackers to crack, because a complex password takes time to crack.
This feature allows you to set and limit the login attempts for your blog.
Enable login lockdown feature: check it to enable the login lockdown feature for your blog; if you leave it unchecked, you will not be able to enable the other settings below it.
Allow unlock request: if you enable this feature, it will send a link to your email which you can use to unlock your account after being locked out by the plugin.
Max login attempts: here you are given a small box to insert the maximum number of login retries before an IP address is locked out. If you insert “3” in the box, any attempt to log in to your WordPress dashboard beyond two failed tries will get that IP address locked out.
Login retries time period: a small box to insert a number of minutes. If a particular IP address reaches the maximum number of failed logins during that period of time, this plugin will lock out that IP address according to the number you inserted in the box. If you insert “60” in the box, any locked out IP address will be locked out for 60 minutes.
Time length of lockout: allows you to insert the time for which a particular IP address will be prevented from logging in.
Display generic error message: If you check this feature, it displays a generic error message when a login attempt fails.
Instantly lock out invalid usernames: If you check this feature, it will lock out any login attempt with a username that does not exist on your system. I suggest that you enable this feature for your blog.
Notify by email: check this if you want to be notified by email when someone has been locked out due to too many login attempts, and insert your email in the box provided. I recommend that you enable this feature for your blog. Click on save settings below.
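To see how the three numbers (max attempts, retry time period, lockout length) and the “instantly lock out invalid usernames” option interact, here is an added Python model of the lockdown policy. It is not the plugin's own code; the settings (3 attempts, a 5 minute window, a 60 minute lockout, a single valid user called “editor”) and the sequence of failed logins are constructed for the demo.

```python
# Added example: a model of the login lockdown settings described above,
# not the plugin's implementation. Settings and events are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


class LoginLockdown:
    """Track failed logins per IP and lock out an IP that exceeds the configured limits."""

    def __init__(self, max_attempts, retry_period_minutes, lockout_minutes,
                 valid_usernames, lock_invalid_usernames=True):
        self.max_attempts = max_attempts
        self.retry_period = timedelta(minutes=retry_period_minutes)
        self.lockout = timedelta(minutes=lockout_minutes)
        self.valid_usernames = set(valid_usernames)
        self.lock_invalid_usernames = lock_invalid_usernames
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]

    def record_failure(self, ip, username, now):
        """Record one failed login attempt; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        # "Instantly lock out invalid usernames": a name that does not exist on the
        # site is enough on its own, no matter how many attempts were made.
        if self.lock_invalid_usernames and username not in self.valid_usernames:
            self.locked_until[ip] = now + self.lockout
            return True
        # Only failures inside the retry time period count towards the limit.
        recent = [t for t in self.failures[ip] if now - t < self.retry_period]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip] = []
            return True
        return False


def run_demo():
    """Replay a constructed sequence of failed logins and return the lockout decision for each."""
    t0 = datetime(2017, 8, 1, 12, 0)
    # Assumed settings for the demo: 3 attempts, 5 minute window, 60 minute lockout.
    policy = LoginLockdown(max_attempts=3, retry_period_minutes=5, lockout_minutes=60,
                           valid_usernames={"editor"})
    attempts = [
        ("203.0.113.5", "admin", t0),                            # renamed account: instant lockout
        ("198.51.100.7", "editor", t0),
        ("198.51.100.7", "editor", t0 + timedelta(minutes=1)),
        ("198.51.100.7", "editor", t0 + timedelta(minutes=2)),   # third failure inside 5 min
        ("198.51.100.7", "editor", t0 + timedelta(minutes=30)),  # still inside the 60 min lockout
        ("192.0.2.9", "editor", t0),
        ("192.0.2.9", "editor", t0 + timedelta(minutes=61)),     # first failure has expired
        ("192.0.2.9", "editor", t0 + timedelta(minutes=62)),     # only two inside the window
    ]
    return [policy.record_failure(ip, user, when) for ip, user, when in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print("locked out" if decision else "not locked")
```

The third IP in the demo shows why the retry time period matters: slow guessing spread over more than the window never reaches the limit, which is why a reasonably long window is worth setting alongside the attempt count.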
Failed login record
It displays the list of failed login attempts to your blog.
If you enable this feature, it will forcefully log out all logged in users after a specified amount of time.
Account activity logs
This feature shows you the last 50 login activities for the WordPress admin accounts registered on your website.
Logged in users
This feature shows you all users that are currently logged in on your website.
This feature disables all newly registered accounts on your website so that you can approve them manually. I recommend you enable this feature for your website, then click on save settings.
If you allow registration on your website then you need to enable this feature, because it inserts a captcha form on the user registration page.
Your WordPress database is the most important part of your website because it contains lots of useful information about your website. The recommended way to protect your database is to change the default WordPress table prefix, which is “wp_”, to something else. Before you can do this you need to back up your database.
Click on the button that says “create DB backup now”
Automated scheduled backups
Enable automated scheduled backups: enable this if you want this plugin to back up your database automatically based on the settings below.
Backup time interval: set the time at which you want this plugin to backup your database.
Number of backup files to keep: this feature allows you to set the number of backup files you would like to keep in your database backup directory.
Send backup file via email: if you enable this field, it will email you the backup file after a database backup has been performed. Click on save settings, and after that we need to come back to the DB prefix tab.
Current DB table prefix: it shows your current DB prefix; if it is “wp_” you will need to change it below.
Generate new DB table prefix: check the box if you want this plugin to generate a random character string for your database prefix, or insert your own custom database prefix in the box provided below, and then click on “change DB prefix”.
After changing your database prefix, open a new tab in your browser and visit your website in order to check that your database tables are connected properly.
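The reason the tutorial tells you to visit the site afterwards is that a prefix change touches more than table names: WordPress also stores the prefix inside rows (the `wp_user_roles` option and the `wp_capabilities` / `wp_user_level` user meta keys), and if those are left behind every administrator loses their permissions. The following is an added Python example, not the plugin's code, that walks through the change on a constructed SQLite stand-in for the MySQL database WordPress uses; the new prefix “xq7k_” is a constructed value.

```python
# Added example (not the plugin's code): what a table prefix change has to touch,
# shown on a constructed SQLite stand-in for the MySQL database WordPress uses.
import sqlite3

OLD_PREFIX = "wp_"
NEW_PREFIX = "xq7k_"   # constructed example of a random prefix


def build_demo_db():
    """Constructed miniature of a WordPress database still using the default prefix."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'http://www.yourwebsitename.com');
        INSERT INTO wp_options VALUES ('wp_user_roles', 'a:1:{s:13:"administrator";...}');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (1, 'wp_user_level', '10');
    """)
    return db


def table_names(db):
    return sorted(r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))


def change_prefix(db, old, new):
    """Rename every prefixed table, then fix the rows that embed the prefix in their keys."""
    for name in table_names(db):
        if name.startswith(old):
            db.execute(f'ALTER TABLE "{name}" RENAME TO "{new + name[len(old):]}"')
    # WordPress also stores the prefix inside data: the <prefix>user_roles option and
    # the <prefix>capabilities / <prefix>user_level user meta keys. Renaming the tables
    # without updating these leaves every administrator without permissions.
    db.execute(f'UPDATE "{new}options" SET option_name = ? || substr(option_name, ?) '
               'WHERE substr(option_name, 1, ?) = ?', (new, len(old) + 1, len(old), old))
    db.execute(f'UPDATE "{new}usermeta" SET meta_key = ? || substr(meta_key, ?) '
               'WHERE substr(meta_key, 1, ?) = ?', (new, len(old) + 1, len(old), old))
    db.commit()


def verify_prefix(db, prefix):
    """The 'visit your site afterwards' check: tables, roles and capabilities all use the prefix."""
    if not all(t.startswith(prefix) for t in table_names(db)):
        return False
    roles = db.execute(f'SELECT count(*) FROM "{prefix}options" WHERE option_name = ?',
                       (prefix + "user_roles",)).fetchone()[0]
    caps = db.execute(f'SELECT count(*) FROM "{prefix}usermeta" WHERE meta_key IN (?, ?)',
                      (prefix + "capabilities", prefix + "user_level")).fetchone()[0]
    return roles == 1 and caps == 2


def demo():
    """Change the prefix on the demo database and return (table names, verification result)."""
    db = build_demo_db()
    change_prefix(db, OLD_PREFIX, NEW_PREFIX)
    return table_names(db), verify_prefix(db, NEW_PREFIX)


if __name__ == "__main__":
    tables, ok = demo()
    print(tables, "prefix change verified" if ok else "PROBLEM: prefix change incomplete")
```

On a real site the plugin also rewrites `$table_prefix` in wp-config.php; the database backup from the previous tab is what you restore if the verification step fails.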
File system security
This is a table that shows which file permission settings are secure and which are insecure; if any file is not secure, this plugin provides a button in the recommended action column. To confirm that there is no problem with your file permissions, all rows need to be green.
Who is lookup
This field allows you to get more information on an IP address or domain name that is trying to hack your website. Insert the IP address or domain name in the box provided below and click on “perform IP or domain lookup”.
This field allows you to ban an IP address or user agent from accessing your website.
This feature enables a basic firewall to protect your website.
Enable basic firewall protection: check the box provided if you want to enable the firewall for your website. If you check the box, the plugin will:
- protect your .htaccess file by denying access to it
- disable the server signature
- limit file upload size to 10 MB
- protect your wp-config.php file by denying access to it.
You are strongly advised to back up your .htaccess file before enabling this feature, in case there is any problem after enabling it.
WordPress pingback vulnerability protection: this field allows you to enable protection against WordPress pingback vulnerabilities; if you are not using WP XML-RPC then you can enable it.
Block access to debug log file: if you want to block access to the debug.log file that WordPress creates when debug logging is enabled, check the box and then click on “save basic firewall settings”.
Additional firewall rules
Disable index views: check it if you want to disable directory and file listing.
Disable trace and track: check this if you want to disable the HTTP TRACE and TRACK methods.
Forbid proxy comment posting: check this if you want to forbid comment posting through proxies.
Deny bad query strings: check this if you want to protect your site against malicious query strings used for XSS.
Enable advanced character string filter: check this if you want to block bad character patterns used in XSS, but before you enable this feature you need to back up your .htaccess file. Then click on “save additional firewall settings”.
After that open a new tab on your browser and visit your website to check if your website is working fine.
5G Blacklist firewall rules
Enable 5G firewall protection: check this if you want to enable the 5G firewall rules from http://www.perishablepress.com on your site, then click on “save 5G firewall settings”.
Block fake Google bots: check this if you want to block fake Google bots, then click on “save internet bots settings”.
Hotlinking is when someone displays images on their site that are actually located on your site, by using a direct link to the source image on your server. When this happens it leaks your bandwidth, because your server has to serve the image to the people viewing it on someone else’s website. I recommend you enable this feature because it prevents hotlinking of the images on your website; then click on “save settings”.
This feature allows you to monitor all 404 events that occur on your website, and it also gives you the option to block an IP address for a configured length of time. If you would like to use this feature, check the box below, insert the length of the 404 lockout and click on “save settings”.
This field allows you to insert your own custom .htaccess rules and directives; I recommend that you do not touch anything here if you don’t know what it is about.
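Hotlink protection works by looking at the Referer header of each image request and refusing requests that come from pages on other domains. The Python function below is an added example (not the plugin's .htaccess rule) of that decision, run over constructed requests for one image on www.yourwebsitename.com; it also shows the two cases an over-eager rule gets wrong, a blank Referer and a lookalike host name.

```python
# Added example (not from the post or the plugin): the decision a hotlink block
# makes for each image request, driven by the Referer header.
from urllib.parse import urlparse

IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def is_hotlink(request_path, referer, allowed_hosts):
    """True if an image request should be refused because it was embedded on another site."""
    if not request_path.lower().endswith(IMAGE_EXTENSIONS):
        return False  # the rule only covers images
    if not referer:
        # Blank Referer: a direct visit, a bookmark, an RSS reader or a browser
        # privacy setting. Blocking these breaks legitimate viewers, so allow.
        return False
    host = (urlparse(referer).hostname or "").lower()
    for allowed in allowed_hosts:
        allowed = allowed.lower()
        if host == allowed or host.endswith("." + allowed):
            return False  # our own site, including www. and other subdomains
    return True


def run_demo():
    """Constructed requests for one image on www.yourwebsitename.com."""
    image = "/wp-content/uploads/2017/08/photo.jpg"
    own = ["yourwebsitename.com"]
    cases = [
        (image, "http://www.yourwebsitename.com/my-post/", own),          # our own page
        (image, "http://yourwebsitename.com/", own),                      # bare domain
        (image, "", own),                                                 # no Referer
        (image, "http://other-blog.example/stolen-post/", own),           # hotlink
        (image, "http://yourwebsitename.com.other-blog.example/", own),   # lookalike host
        ("/about/", "http://other-blog.example/", own),                   # not an image
    ]
    return [is_hotlink(*case) for case in cases]


if __name__ == "__main__":
    for blocked in run_demo():
        print("blocked" if blocked else "served")
```

The lookalike case matters because a rule that only checks whether the Referer contains your domain name would let `yourwebsitename.com.other-blog.example` through; matching on the host suffix with a leading dot avoids that.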
Rename login page: this feature allows you to change your default WordPress login URL from www.yourwebsitename.com/wp-admin to www.yourwebsitename.com/anything.
Enable rename login page feature: check the box to enable the rename login page feature.
Login page URL: insert your desired login slug (anything other than “wp-admin”) in the box provided, then click on “save settings”.
Cookie based brute force prevention
This feature allows you to set up a secret URL for logging in to your blog admin control panel. Before you activate this on your website, you need to check whether your website supports this feature. You can test it by scrolling down and clicking on “perform cookie test”.
Enable brute force attack prevention: check this if you want to protect your website login page from brute force attacks.
Secret word: enter a secret word of your choice.
My site has posts or pages which are password protected: if you have password protected posts or pages, check this box.
My site has a theme or plugin which uses ajax: if your site has a theme or plugin which uses ajax, check this box. Then click on “save feature settings” and the plugin will automatically generate a URL for you to log in to your WordPress admin area; it is important that you save this URL somewhere in case you forget it. For now, go ahead and test the URL in a new tab of your browser. If a hacker visits your website’s login page directly, even though he entered the correct username and password he cannot access your WordPress dashboard, because the cookie is not present on his computer.
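The exchange described above, as an added Python model that is not the plugin's own code: visiting the secret URL issues a cookie, and the login page is only served to requests that present it. The cookie name, the secret word and the form of the secret URL (`/?<secret word>=1`) are assumptions for the demo, and the model leaves out the plugin's extra handling for password protected posts and ajax.

```python
# Added example (not the plugin's code): a model of cookie based brute force prevention.
import hashlib
import hmac

COOKIE_NAME = "demo_login_token"   # constructed name, not the plugin's cookie


def cookie_token(secret_word):
    """Derive the cookie value from the secret word so the word itself never travels in the cookie."""
    return hashlib.sha256(("login-cookie:" + secret_word).encode()).hexdigest()


def handle_request(path, query, cookies, secret_word):
    """Decide what the site does with one request.

    Returns one of:
      ("set-cookie", token)  the secret URL was visited, issue the cookie
      ("allow", None)        the request may proceed (login page with a valid cookie, or any other page)
      ("deny", None)         login page requested without a valid cookie
    """
    expected = cookie_token(secret_word)
    # Assumed secret URL form: http://www.yourwebsitename.com/?<secret word>=1
    if query == secret_word + "=1":
        return ("set-cookie", expected)
    is_login = path == "/wp-login.php" or path == "/wp-admin" or path.startswith("/wp-admin/")
    if is_login:
        presented = cookies.get(COOKIE_NAME, "")
        # Constant-time comparison so the check itself does not leak the token.
        if hmac.compare_digest(presented, expected):
            return ("allow", None)
        return ("deny", None)
    return ("allow", None)


def run_demo():
    """Constructed exchange: an attacker hits the login page, then the owner uses the secret URL."""
    secret = "constructed-secret-word"
    attacker = handle_request("/wp-login.php", "", {}, secret)              # no cookie
    issued = handle_request("/", secret + "=1", {}, secret)                 # owner visits secret URL
    owner_jar = {COOKIE_NAME: issued[1]}
    owner = handle_request("/wp-login.php", "", owner_jar, secret)          # cookie present
    guessed = handle_request("/wp-admin/", "", {COOKIE_NAME: "0" * 64}, secret)  # wrong cookie
    public = handle_request("/my-post/", "", {}, secret)                    # ordinary page
    return [attacker[0], issued[0], owner[0], guessed[0], public[0]]


if __name__ == "__main__":
    for step, outcome in zip(["attacker", "secret URL", "owner", "guessed cookie", "public page"], run_demo()):
        print(step + ":", outcome)
```

The point of the model is that the username and password are never even checked for a request that lacks the cookie, so a password guessing tool pointed at the normal login URL gets nothing back to learn from.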
Check all of them if you want to enable captcha on your login form and lost password form, then click on “save settings”.
This feature allows you to block all IP addresses except your own from your login page; you can enable it if you have a static IP address.
This is a special hidden field that catches robots attempting to log in to your website dashboard; enable it if you want a honeypot on the login page, then click on “save settings”.
If you want to enable captcha on your comment form and also block spam bots from commenting on your blog, check all the boxes provided and click on “save settings”.
Comment spam IP monitoring
This field shows you a list of the IP addresses of spammers that are leaving comments on your website.
This field allows you to add captcha to your BuddyPress plugin forms.
This feature allows you to scan for file changes on your website, and you can also set the interval at which the plugin automatically scans for file changes.
You can enable this feature if you want to edit your website theme: this plugin will stop all your website visitors from viewing your content, so that any visitor who comes to your website at that time will only see “This site is currently not available. Please try again later”. You can also edit and customize the default text with the WordPress toolbar, then click on save settings.
This feature allows you to disable right-click and text selection on your blog; in other words, it stops users from copying your articles. If you want to disable right-click and selection, check the box and click on save copy protection settings.
This field allows you to stop other sites from displaying your content in a frame or iframe; if you would like that feature, check the box and click on save settings.
Go back to your dashboard and check your security strength meter: from 50 to 380, what a nice score.
Now that you have learnt how to protect your WordPress blog from hackers using the All In One WP Security and Firewall plugin, if you like this tutorial, kindly share it with the share buttons below, and if you have any question about how to set up this plugin, feel free to share it in the comment section below.