WordPress Security plugin: All In One WP Security

WordPress security is the most important thing. If you don’t pay enough attention, you will have a painful experience, as I have. I want to share the most important free plugins for WordPress security. If you install these plugins and use secure hosting (for example rocket.net), you will not be hacked; if you are, you will not lose your website. Here are my best-picked plugins.

This is my video about All In One WP Security.

I will create posts for every plugin, and if you spend a few hours on all of these you will not be hacked and you will know about every action on your websites. This post is about the All In One WP Security plugin.

All In One WP Security plugin installation

Log in to your WordPress dashboard, click Plugins > Add New Plugin > Search Plugins, search for “All In One WP Security”, then click “Install Now” and “Activate”.

1. Dashboard

In the dashboard we do not need to change anything; here is a short description of each section:

  • Locked IP addresses: Temporarily block specific IPs for security.
  • Permanent block list: Indefinitely restrict access from listed IPs.
  • Audit logs: Track user activity and system changes.
  • Debug logs: Record technical details for troubleshooting.
  • Premium upgrade: Unlock advanced features and tools, which are not so important.
2. Settings

In this section, we do not need to change anything in “General settings”, “.htaccess file”, “wp-config.php file”, “Delete plugin settings”, or “Advanced settings”; changing them can break the website. We are configuring the plugin in the safest way.

We will make changes only in “WP version info” and “Two factor authentication”, plus a bit of info about “Import/Export”.

2.1 WP version info

Enable the WP generator meta info option to remove the version meta tag from your website’s HTML; otherwise, it tells hackers which WordPress version you run and helps them break your website.
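A way to confirm the setting took effect on your own site, as an added example (not the plugin’s code): the scanner below parses a page and reports the `<meta name="generator">` tag the option removes, and also flags `?ver=` query strings on enqueued scripts and styles, another common place the version shows up. The sample pages are constructed, as are their version numbers.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse
import urllib.request

class _VersionLeakScanner(HTMLParser):
    """Collects the places in a WordPress page where a version string is exposed."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # <meta name="generator" content="WordPress x.y.z"> is what the plugin option removes
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(f"generator meta tag: {a.get('content')}")
        # ?ver= on enqueued scripts/styles is the other common version giveaway
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url and parse_qs(urlparse(url).query).get("ver"):
            self.findings.append(f"version in asset URL: {url}")

def find_version_leaks(html: str) -> list:
    scanner = _VersionLeakScanner()
    scanner.feed(html)
    return scanner.findings

def check_own_site(url: str) -> list:
    """Fetch your own site's front page and report leaks (needs network; run after saving the setting)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return find_version_leaks(resp.read().decode("utf-8", "replace"))

# Constructed sample pages: the first is what a default install emits, the second is the goal.
BEFORE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.5.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""
AFTER_HTML = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE_HTML), ("after", AFTER_HTML)):
        print(label, find_version_leaks(page) or "no version leaks")
```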

2.2 Import/Export

This section allows you to export or import your All In One WP Security & Firewall settings. This can be handy if you want to save time by applying the settings from one site to another site. I will leave my site settings here, so you can save time and just import them.

2.3 Two factor authentication

To turn on two-factor authentication you need to check “Do require 2FA over XMLRPC” and click Save Changes.

Then navigate to “Two Factor Auth” and scan the QR code from your Google Authenticator app.
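What the Google Authenticator app does with that QR code, as an added example (not the plugin’s code): the QR code encodes an `otpauth://totp/...` URI carrying a base32 secret, and the app derives a six-digit code from it every 30 seconds (TOTP, RFC 6238, built on HOTP, RFC 4226). The `verify_totp` function models the usual server-side check with a one-step clock-skew window; that is an assumption about common practice, not this plugin’s implementation. The demo URI is constructed around the RFC test secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

STEP = 30  # seconds per TOTP time step

def secret_from_otpauth(uri: str) -> bytes:
    """Extract the raw secret from the otpauth://totp/... URI encoded in the QR code."""
    query = parse_qs(urlparse(uri).query)
    b32 = query["secret"][0].strip().replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding that URIs usually omit
    return base64.b32decode(b32)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = unix time // 30."""
    return hotp(secret, at // STEP, digits)

def verify_totp(secret: bytes, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server side (assumed typical practice): accept the code for the current step
    and +/- skew_steps to tolerate clock drift, comparing in constant time."""
    for drift in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, now + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    # Constructed URI using the RFC 4226/6238 test secret "12345678901234567890"
    demo_uri = "otpauth://totp/Example%3Aadmin?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    key = secret_from_otpauth(demo_uri)
    print("current code:", totp(key, int(time.time())))
```

The codes therefore prove only possession of the secret and a roughly correct clock, which is why the secret shown at enrolment must be kept as carefully as a password.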

3. User Security

In this section, we do not need to change anything in “Logged in users”, “Salt”, or “Additional settings”; we will make changes in the other sections.

3.1 Prevent user enumeration

This feature allows you to prevent external users/bots from fetching the user info with URLs.

3.2 Login lockout

Here you can select the same option as I did

3.3 Force logout

Setting an expiry period for your administration session is a simple way to protect against unauthorized access to your site from your computer, this is

3.4 Manual approval

Enable manual approval of new registrations:

3.5 HTTP authentication

Be careful with “Enable for frontend:” and “Enable for WordPress dashboard:”. Before enabling these, save your username and password; otherwise you will have to remove the plugin to get back in. (If you have issues, just drop a comment or contact me.)

4. Database Security

I did not make any changes in the database security section; I think it is fine as it is, and I do not need to change anything.

5. File Security

In this section, we do not need to change anything in “File protection” or “Host system logs”.

5.1 File permissions

This feature will scan the critical WP core folders and files and will highlight any permission settings which are insecure. Just set the recommended permissions if it suggests them.

5.2 Copy protection

This feature allows you to disable the ability to select and copy text from your front end.

5.3 Frames

This feature allows you to prevent other sites from displaying any of your content via a frame or iframe.

6. Firewall

In this section, I will not change anything in “Internet bots”, “Block & allow lists”, “WP REST API”, and “Advanced settings”, we will make changes in other sections.

6.1 PHP rules > Comment protection

Enable to forbid proxy comment posting.

6.2 .htaccess rules > Basic firewall settings

Accept basic firewall protection.

6.3 6G firewall rules > Enable 6G firewall protection

This is all that I did in the firewall section.

7. Brute Force

In this section, we do not need to change anything in “Cookie based brute force prevention”, “CAPTCHA settings”, “Login whitelist”, “404 detection”, and “Honeypot”.

7.1 Rename login page

Normally, to log in to WordPress you would type your site’s home URL followed by wp-login.php. This feature allows you to change the login URL.

8. Spam Prevention

Just follow the photos and do the same.

8.1 Comment spam

A large portion of WordPress blog comment spam is produced by automated bots rather than by humans. This feature will reduce the useless and unnecessary traffic and load on your server resulting from spam comments.

8.2 Comment spam IP monitoring

This feature allows you to automatically and permanently block IP addresses which have exceeded a certain number of spam comments.

9. Scanner

If given an opportunity, hackers can insert their code or files into your system, which they can then use to carry out malicious acts on your site. Being informed of any changes in your files is a good way to quickly stop a hacker from causing damage to your website.

10. Tools

In general, I did not make any changes here; my advice is not to make changes here unless you are sure what you want.

11. Two Factor Auth

These are your personal settings. Nothing you change here will have any effect on other users, here you can turn off two-factor authentication for your account.

Here are my settings; you can save time and import them, but I recommend checking all functionalities and enabling or disabling them depending on your requirements.

Summary:

This is all that I did to protect my website, and I will suggest the same thing to you. Of course, you can enable or disable some functions depending on your site, but in general, this is enough to protect your site. Also, check my other post about the Security plugin WP Activity Log and UpdraftPlus.

If you have any questions, feel free to drop a comment I’m here to help! Or, if you’d like more support, you can check out my services.

F.A.Q.

Should I rename the default login page?

Yes, renaming the login URL wp-login.php to a custom URL adds an extra layer of protection against automated attacks.

How does two-factor authentication improve security?

Two-factor authentication adds an extra step to the login process by requiring a one-time code from an app like Google Authenticator. This ensures that only authorized users can access the site.

How often should I review my site’s security?

Regularly monitor your site’s security settings, logs, and plugin updates. Perform a thorough review at least once a month.

Is it necessary to use secure hosting?

Yes, using secure hosting, such as Rocket.net, provides an additional layer of protection by offering server-level security features and regular backups. Otherwise, an attacker who breaks into your server can remove all your security plugins.

Gagik
I'm Gagik, developer with expertise in WordPress, front-end development, and SEO. With years of experience in building, optimizing, and managing websites, I run WordPressInfo.org to share insights, recommendations, and resources for WordPress users.
