Configuring the All In One WP Security & Firewall plugin:
Install and activate the All In One WP Security & Firewall plugin from the WordPress plugin directory. Before configuring the plugin, make sure to take proper backups. We can take the backups using the plugin itself.
wp-security ==> Settings ==> General settings ==> Take a backup of the database, the .htaccess file and the wp-config.php file.
We can enable automated scheduled backups at the desired time interval and, if needed, have the backups sent by email.
* User accounts – The User Accounts page inside the WP Security dashboard lists all user accounts.
* If we use “admin” as the username, it is flagged in red, since the username “admin” is the default and is not secure. We can change the username from there.
* Display name – If the display name is identical to the username, the plugin flags it, because the display name reveals your username to hackers. Click the username, set a nickname, and choose that nickname as the display name.
* Password – A tab where we can check the strength of a password.
* Login lockdown – Here we can enable the login lockdown feature and set the maximum number of login attempts, the length of the lockout, and similar options.
* Failed login records – We can review failed login attempts together with their IP addresses, which helps in blacklisting an IP address if necessary.
* Force logout – Set a time limit on how long a user can stay logged in to the dashboard.
* Account activity logs – Shows which users have logged in, their login time, IP address, etc.
* Logged in users – Shows the users who are logged in at that moment.
If the website allows user registration, we can use this plugin to approve each registration manually: just enable manual approval of new registrations in the User registration tab.
By default WordPress uses the database table prefix “wp_”. We can change the table prefix in this tab, either by generating a prefix automatically or by setting a preferred name manually.
File system security – This tab indicates whether any file or directory permission is insecure. If a permission is not proper, we can fix it simply by clicking the “Set recommended permission” button.
PHP file editing – Here we can disable the ability to edit PHP files as a security measure.
WP file access – Prevents access to the default WordPress install files.
Host system logs – We can view the latest system error logs.
We can look up an IP address that has tried to get into the site, and the plugin will find information about it for us. It provides an abuse contact email address to which we can report the activity, along with a lot more information about the IP address.
We can add IP addresses or wildcard ranges here so that they cannot access the website. We can also block certain countries altogether. In the User agents section, we can block specific user agents, such as Googlebot.
Basic firewall rules:
* Enable basic firewall protection.
* Block access to XML-RPC if needed. Some applications may not function properly if XML-RPC access is blocked.
* Disable the pingback ability of XML-RPC. This still allows applications that require XML-RPC to work.
* Block access to the debug.log file – Enabling this prevents others from accessing the log file, which may contain sensitive information. Save the settings.
Additional firewall rules:
* Disable directory contents view.
* Disable TRACE and TRACK.
* Disable proxy comment posting.
* Enable Deny bad query strings.
* Log out and log in again, check that the site still works properly, then enable Advanced character string filter and save the settings.
6G Firewall Blacklist rules – Enable 6G firewall protection.
Internet Bots – Enable Block fake Google bots.
Prevent hotlinks – Enable Prevent image hotlinking.
A 404 error occurs when somebody tries to visit a page on your site that does not exist. Hackers who type in page names and exploit paths keep getting 404 errors, so a stream of 404s from one IP address is suspicious.
* Enable 404 IP detection and lockout.
* Set the 404 lockout redirect URL.
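Both the login lockdown settings described above (maximum attempts, time window, lockout length) and the 404 lockout work the same way underneath: count events per client IP inside a sliding time window and lock the IP once the threshold is reached. The following is an added example, not code from the plugin, that replays a constructed set of failed-login and 404 events through two such policies; the exact window semantics are an assumption, not the plugin's documented behaviour.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real plugin records): timestamp, client IP, event kind.
# "login_fail" stands for a failed login record, "404" for a request to a missing page.
SAMPLE_EVENTS = """\
2024-01-05T10:00:01 203.0.113.5 login_fail
2024-01-05T10:00:04 203.0.113.5 login_fail
2024-01-05T10:00:07 203.0.113.5 login_fail
2024-01-05T10:00:09 203.0.113.5 login_fail
2024-01-05T10:00:12 198.51.100.9 login_fail
2024-01-05T10:00:20 198.51.100.9 404
2024-01-05T10:00:21 198.51.100.9 404
2024-01-05T10:00:22 198.51.100.9 404
2024-01-05T10:00:23 198.51.100.9 404
2024-01-05T10:00:24 198.51.100.9 404
2024-01-05T10:00:25 198.51.100.9 404
2024-01-05T10:15:00 203.0.113.5 login_fail
"""


class Lockout:
    """Sliding-window lockout policy (assumed model, not the plugin's code).

    An IP is locked once it produces `max_attempts` events within `window`;
    the lock lasts `lock_duration`, and events from a locked IP are ignored.
    """

    def __init__(self, max_attempts, window, lock_duration):
        self.max_attempts = max_attempts
        self.window = window
        self.lock_duration = lock_duration
        self.events = defaultdict(deque)   # ip -> timestamps inside the window
        self.locked_until = {}             # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record(self, ip, now):
        """Register one event; return True if this event triggers a new lockout."""
        if self.is_locked(ip, now):
            return False
        recent = self.events[ip]
        recent.append(now)
        # Drop timestamps that have fallen outside the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lock_duration
            recent.clear()
            return True
        return False


def replay(log_text, login_policy, notfound_policy):
    """Feed each event to the matching policy; return the lockouts triggered."""
    lockouts = []
    for line in log_text.splitlines():
        ts, ip, kind = line.split()
        now = datetime.fromisoformat(ts)
        policy = login_policy if kind == "login_fail" else notfound_policy
        if policy.record(ip, now):
            lockouts.append((ts, ip, kind))
    return lockouts


def run_demo():
    """Three failed logins in 5 minutes, or five 404s in 5 minutes, lock for 60 minutes."""
    login = Lockout(3, timedelta(minutes=5), timedelta(minutes=60))
    notfound = Lockout(5, timedelta(minutes=5), timedelta(minutes=60))
    return replay(SAMPLE_EVENTS, login, notfound)


if __name__ == "__main__":
    for ts, ip, kind in run_demo():
        print(f"{ts} locked {ip} after repeated {kind}")
```

Running it locks 203.0.113.5 on its third failed login and 198.51.100.9 on its fifth 404; the fourth login attempt and the later one at 10:15 are ignored because the lock is still in force. Tightening `max_attempts` or lengthening `lock_duration` is the trade-off between stopping guessing early and locking out legitimate users who mistype a password.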
There are several ways to prevent brute force attacks.
Rename login page –
Cookie based brute force prevention – Before setting this up, scroll to the bottom and perform the cookie test. That will tell you whether your server can work with this particular technique.
* Enable brute force attack prevention.
* Secret word – Type a word that becomes part of your login URL. You then have to go through that login URL to reach the login page.
* My site has a theme or plugins which uses AJAX – Enable this if the site has a theme or plugins that use AJAX.
* Enable Captcha on the login page.
* Enable Captcha on the lost password page.
Login whitelist – We can whitelist IP addresses that will never have any problem logging in.
Honeypot – It adds an extra field to forms on the page that human beings cannot see. When a robot or a piece of software tries to fill in a form on your website, it fills in every field including the honeypot, and the plugin then detects that it is a robot. Enable Honeypot on the login page.
* Enable Captcha on comment forms.
* Enable Block spambots from posting comments.
Comment Spam IP monitoring – Enable auto block of spam comment IPs.
It compares the files in your site with the original files on wordpress.org. If they differ, something may have happened.
File change detection –
* Perform the scan.
* Enable automated file change detection scans and set the time interval.
* Add files or directories to ignore if needed.
* Add an email address to be notified when a change is detected.
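The scan above boils down to hashing every file under the WordPress root, keeping that list as a baseline, and reporting what was added, removed or modified on the next run, with an ignore list for directories that legitimately change (uploads, caches). The following is an added example of that technique, not the plugin's own scanner; it builds a constructed site tree in a temporary directory and the file names and ignore paths are illustrative assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def scan(root, ignore=()):
    """Return {relative_path: sha256} for every regular file under root.

    Entries in `ignore` are relative paths; a file is skipped if it is one of
    them or lies below one of them (e.g. "wp-content/uploads").
    """
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == ig or rel.startswith(ig.rstrip("/") + "/") for ig in ignore):
            continue
        hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff(baseline, current):
    """Compare two scans; every list is sorted so the report is stable."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_baseline(hashes, path):
    Path(path).write_text(json.dumps(hashes, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def format_report(changes):
    """Plain-text body suitable for the notification email."""
    lines = []
    for kind in ("added", "removed", "modified"):
        for rel in changes[kind]:
            lines.append(f"{kind.upper():8} {rel}")
    return "\n".join(lines) if lines else "no changes detected"


def run_demo():
    """Constructed site tree: baseline, then simulated changes, then a rescan."""
    ignore = ["wp-content/uploads"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        (root / "index.php").write_text("<?php // constructed sample\n")
        (root / "wp-content" / "uploads" / "photo.txt").write_text("image bytes")

        save_baseline(scan(root, ignore), root / "baseline.json")
        baseline = load_baseline(root / "baseline.json")
        # Simulated changes between two scheduled scans:
        (root / "wp-config.php").write_text("<?php // edited\n")           # modified
        (root / "wp-content" / "unexpected.php").write_text("<?php\n")    # added
        (root / "index.php").unlink()                                      # removed
        (root / "wp-content" / "uploads" / "photo.txt").write_text("new")  # ignored

        current = scan(root, ignore)
        del current["baseline.json"]  # the baseline file itself is not site content
        return diff(baseline, current)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

The baseline file should live outside the web root (or at least outside the scanned tree) so an attacker who modifies a file cannot also rewrite the stored hash; the demo keeps it inside the temporary directory only for self-containment.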
To keep visitors off the website during server maintenance, we can enable the front-end lockout and also add a message.
Copy protection – We can enable copy protection so that the text on the website cannot be copied.
Frames – Enable iFrame protection.
User enumeration – By disabling user enumeration, people cannot gather information about your user accounts.
We can check the Security strength meter in the WP Security dashboard to see how secure our website is.
There is no need to tick and enable every configuration option of this plugin. Read every option carefully before enabling it, because the plugin adds rules to the .htaccess file and the site may go down.
Before starting the configuration, take a backup of .htaccess and wp-config.php, and refresh the site after enabling each option. If an error appears, re-upload the .htaccess and wp-config.php files.
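The closing advice, back up .htaccess and wp-config.php, enable one option, check the site, and put the backups back if it breaks, is easy to script. The following is an added example, not part of the plugin, that wraps one configuration change in a backup, a health check and an automatic restore. It runs against a constructed site directory; in real use the `health_check` callable would fetch the site's front page over HTTP, and the file names and paths here are assumptions.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Files the page says to back up before touching the plugin's settings.
PROTECTED = (".htaccess", "wp-config.php")


def backup(site_root, backup_dir):
    """Copy each protected file to backup_dir with a timestamp.

    Returns {original_path: backup_path} so the same set can be restored.
    """
    site_root, backup_dir = Path(site_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")
    saved = {}
    for name in PROTECTED:
        src = site_root / name
        if src.is_file():
            dst = backup_dir / f"{name}.{stamp}.bak"
            shutil.copy2(src, dst)   # copy2 keeps the file's mode and mtime
            saved[src] = dst
    return saved


def restore(saved):
    """Put every backed-up file back in place."""
    for src, dst in saved.items():
        shutil.copy2(dst, src)


def apply_and_verify(site_root, backup_dir, change, health_check):
    """Back up, apply `change()`, then keep it only if `health_check()` passes."""
    saved = backup(site_root, backup_dir)
    change()
    if health_check():
        return True
    restore(saved)
    return False


def run_demo():
    """Constructed site: a change that breaks .htaccess is rolled back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        htaccess = root / ".htaccess"
        htaccess.write_text("# original rules (constructed)\n")
        (root / "wp-config.php").write_text("<?php // constructed\n")

        def bad_change():
            # Stands in for a plugin option that writes an invalid directive.
            htaccess.write_text(htaccess.read_text() + "BrokenDirective on\n")

        def health_check():
            # Stand-in for an HTTP request to the front page; here the check
            # simply fails whenever the broken directive is present.
            return "BrokenDirective" not in htaccess.read_text()

        kept = apply_and_verify(root, root / "backups", bad_change, health_check)
        return kept, htaccess.read_text()


if __name__ == "__main__":
    kept, content = run_demo()
    print("change kept" if kept else "change rolled back")
    print(content, end="")
```

Keep the backup directory outside the document root, since a world-readable copy of wp-config.php would hand out the database credentials the file is meant to protect.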