Part II of how to install and set up the All in One WP Security & Firewall plugin. Part I (beginner/basic instructions) is here – you should review it before moving on to this tutorial.
If you have the expertise, there’s lots more you can do. I’ll go through the next set of security settings I usually add. Total time: About 20 minutes.
First, you want to remove, change, or hide any information that will help a hacker identify the specifics of your WordPress installation. Second, you want to lock up as many access points as you can. Most hacking falls into one or both of these categories, and the All in One WP Security & Firewall plugin for WordPress helps with both.
Typically, I start at the top of the security menu and work my way down.
Click Settings in the All in One WP Security menu, then select the WP Version Info tab. Check the box in the WP Generator Info field and save changes. Now, if someone looks at the source code for your website, they won’t see the WordPress version number.
Select the User Login menu, then the Force Logout tab. Check the box and set a time limit, then save your changes.
If you are the only user on the site, and you’re using your own private computer, this won’t make much difference. But if you or other users ever log in from a shared computer, or log in and forget to log out, forcing logout is a sensible precaution.
(Note that when you make this change, you’ll automatically be logged out as soon as you save the settings so you’ll have to log back in!)
By default, the WordPress database creates tables with the prefix wp_, which is a dead giveaway that the site runs on WordPress. You can change the prefix by navigating to Database Security / WP Prefix. Choose a prefix yourself, or let the plugin generate a random one, then save your changes.
Even if an attacker can identify your site as a WordPress site in other ways, a non-default prefix makes it harder to inject malicious code that targets the standard table names.
If you install WordPress manually, you can set the prefix during the install process when you edit the wp-config.php file. I prefer to do it that way, but if you’re not comfortable editing PHP files, the plugin’s option is a good alternative.
Navigate to Filesystem Security, then select the WP File Access tab. Check the box, and Save.
This prevents anyone from reading certain files that contain information that’s useful to hackers.
In the Additional Firewall Rules tab, check each of the boxes.
- Disable index views prevents a site index from being displayed.
- Disable trace and track blocks the HTTP TRACE and TRACK request methods, which attackers commonly use to probe a server.
- Forbid comment proxy posting reduces spam comments on the site if you have commenting enabled elsewhere.
- Deny bad query strings and Enable advanced character string filter block requests whose query strings contain patterns commonly used to deliver malicious code.
Remember to save your changes.
Use the Prevent Hotlinks tab to keep other sites from linking directly to images on your site and using up your bandwidth.
By default, you can reach the login screen of a WordPress site by typing your site’s address followed by /login into the browser. The first choice here allows you to change the location of the login screen to a name of your choice. So I could change the login screen of this site to http://wpbuildingblocks.com/kangaroo, for example.
By doing that, anyone who tries to log into the dashboard from the standard address will be stymied.
If you want to do this, though, be cautious. Depending on other plugins you have installed, and your host’s setup, you could find yourself locked out. If you’re comfortable using an FTP program and editing the .htaccess file, you’ll be able to recover. If not, don’t make this particular change.
Even without renaming the login page, you can still blunt brute force login attempts. Select the Login Captcha tab, and enable captcha on the appropriate forms.
Check the box on the Honeypot tab.
A honeypot is a hidden form field that’s visible to robots but not to human users. If there’s an attempt to fill in this hidden field, the plugin will redirect the bot back to its own computer.
While it’s not as bad as hacking, website spam can create a time-consuming nuisance for the site owner. If you’re already using a captcha plugin to help reduce comment spam, don’t enable this one. (Or, alternatively, use this one and delete the separate captcha plugin!)
Check the box on the Block Spambot Comments tab, though, to prevent the bots from leaving those ugly, awkward, link-filled comments on your posts.
Copy protection will prevent readers from right-clicking to copy text, links, or images from your site. If you check the box in the Frames tab, you’ll limit the abilities of unethical site owners who display your content without permission within frames on their own sites. Last, select the box on the Users Enumeration tab. It prevents the gathering of sensitive information (such as user login names) through specialized searches.
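As an added check (an example script written for this tutorial, not part of the article or of the plugin), here is a small POSIX shell script that verifies from the outside, with curl, that several of the settings above took effect: the WP Version Info change (no generator tag in the page source), WP File Access (readme.html no longer readable), the Disable index views and Disable trace and track firewall rules, Prevent Hotlinks, and Users Enumeration. The judging functions take captured response data, so they run offline; only run_live contacts a site. WP_CHECK_SITE and WP_CHECK_IMAGE are placeholder variables you set to your own site address and one of its image URLs.

```shell
#!/bin/sh
# Added example (not from the article or the plugin): black-box checks that
# the hardening settings took effect. Each judging function looks at captured
# response data; run_live fetches that data with curl for a site you name.

# WP Version Info: pass when the front page carries no WordPress generator meta tag.
generator_hidden() {
  html=$1
  if printf '%s\n' "$html" | grep -qi 'name="generator" content="WordPress'; then
    return 1
  fi
  return 0
}

# Pass when $1 (an HTTP status code) is one of the remaining arguments.
status_in() {
  observed=$1; shift
  for accepted in "$@"; do
    [ "$observed" = "$accepted" ] && return 0
  done
  return 1
}

# WP File Access: readme.html must be refused (403) or gone (404).
readme_blocked()  { status_in "$1" 403 404; }
# Disable trace and track: TRACE must be refused (405 from the server itself, 403 from a rewrite rule).
trace_blocked()   { status_in "$1" 403 405; }
# Disable index views: a directory without an index.php must not list its contents.
index_blocked()   { status_in "$1" 403 404; }
# Prevent hotlinks: an image requested with a foreign Referer must be refused.
hotlink_blocked() { status_in "$1" 403; }

# Users Enumeration: on an unhardened site, /?author=1 redirects to /author/<login name>/,
# which leaks a username. $1 = status, $2 = redirect target (empty when there was none).
author_enum_blocked() {
  case "$2" in
    */author/*) return 1 ;;
  esac
  return 0
}

report() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# run_live SITE [IMAGE_URL]: fetch the live responses (no redirects followed) and print one line per check.
run_live() {
  site=${1%/}
  html=$(curl -s "$site/")
  readme=$(curl -s -o /dev/null -w '%{http_code}' "$site/readme.html")
  trace=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "$site/")
  index=$(curl -s -o /dev/null -w '%{http_code}' "$site/wp-includes/")
  author=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$site/?author=1")
  report "WordPress generator tag hidden" generator_hidden "$html"
  report "readme.html not readable"       readme_blocked "$readme"
  report "TRACE method refused"           trace_blocked "$trace"
  report "directory listing refused"      index_blocked "$index"
  report "author enumeration blocked"     author_enum_blocked "${author%% *}" "${author#* }"
  if [ -n "${2:-}" ]; then
    img=$(curl -s -o /dev/null -w '%{http_code}' -H 'Referer: https://other.example/' "$2")
    report "hotlinked image refused"      hotlink_blocked "$img"
  fi
}

# Only contact a site when one is named (placeholder variables), e.g.:
#   WP_CHECK_SITE=https://example.com WP_CHECK_IMAGE=https://example.com/wp-content/uploads/logo.png sh check.sh
if [ -n "${WP_CHECK_SITE:-}" ]; then
  run_live "$WP_CHECK_SITE" "${WP_CHECK_IMAGE:-}"
fi
```

Run it once before and once after changing the settings to see which lines flip from FAIL to PASS. The author check only says something if a user with ID 1 exists, and a 404 for readme.html also passes because the goal is that the file is not readable, whether it was blocked or deleted.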
This has nothing to do with security or spam prevention, but it’s a handy tool. When you enable front-end lockout in the Maintenance menu, you can show the world a custom message. This is handy if you’re making big changes on the site and you want to keep them under wraps until you’re ready for the grand unveiling, or if you’re tracking down a pesky issue.
There are many more settings available within the All in One WP Security & Firewall plugin, so take a few minutes to click each tab of each menu to get an idea of the scope of what the plugin can do for you.
As always, make a backup before making major changes.
Look at that Security Strength Meter now!
To the right of the Security Strength Meter shown above, there’s another diagram. It’s called the Security Points Breakdown.
When you hover your mouse over the words on the right, they’ll expand to show the full description.
This is an easy way to check on the security changes you’ve made already.
Also on your security dashboard screen, you’ll see a summary of the last five logins, and a list of other users currently logged in.
Installing and setting up the All in One WP Security & Firewall is one of the best investments of time you can make for your WordPress site. It sure beats spending hours trying to fix a site after it’s been hacked!
Want more how-to information about WordPress security? Check out these articles.