When setting up a WordPress site, pay attention to security. The All in One WP Security & Firewall plugin is an excellent choice.
The last thing you want to see is a message from Google warning visitors that your site might harm them. That’s what happens, though, if your site becomes infected with malware.
Even worse is if your visitors go to your site and find something wholly inappropriate — porn, hate speech, or ugly links to something completely unrelated to your business.
Unfortunately, because WordPress is so popular, it’s also a target for hackers and spammers.
If you’re using a managed hosting service like Rocket.net (where I host this site), they take good care of security. On shared hosting, though, you need to proactively secure your site, and the All in One WP Security & Firewall plugin is an excellent solution.
Beginners can implement the most basic security, which will repel automated brute-force attacks. Once that's taken care of, the plugin can add more layers of security for intermediate and advanced users.
At the advanced levels, you do need to go carefully as you can lock yourself out of the site if you make a mistake.
Download and Install the All in One WP Security & Firewall Plugin
The plugin is free, and available in the WordPress repository, so the easiest way to install it is to log into your WordPress dashboard, and navigate to Plugins / Add New.
Type All in One WP Security into the search box.
Select the plugin and click Install Now. After it’s installed, notice that the button changes to say Activate. You can activate it here, or from the Installed Plugins screen on your dashboard.
First, let’s walk through the changes everyone should make on every WordPress site.
Basic Security Changes for Every Site
Notice there’s a new menu on your Dashboard now – WP Security.
Click to expand it, then go to the Security Dashboard.
Notice the Security Strength Meter. This indicates where you’re starting out with a brand-new site.
There are four important steps to take initially. While they may seem small, they will have a big impact on your site's security. All four of these handle some aspect of what's known as brute-force attacks, where hackers set up automated systems to try thousands of username and password combinations in hopes of finding one that works.
#1. Eliminate User Name Admin
If you’ve been following the advice here, you’ll already see a green light — you should never, ever, have a user with the username “admin.”
If you do, type in the new username, then click the Change Username button.
(In order to show you this, I quickly created a user with the dreaded “admin” username — then deleted it immediately!)
#2. Login Lockdown Options
After getting rid of “admin” as a username, locking down your site from incorrect login attempts is the next item to take care of.
When you lock down the login, if there’s an attempted login that’s unsuccessful because of the wrong username or password, the person (or robot!) can’t keep trying indefinitely.
Sure, even the best of us mistypes or goofs up once in a while, but if there are multiple attempts from the same computer to get into your site in a short time, it’s likely an automated attack and you want to stop it fast.
Lest you think those automated attacks don’t happen often, take a look at the image below — it’s a screenshot I took of an attack on one of my own sites. Fortunately, I have it set to lock down quickly, but notice the time stamps on the right, and how close together they are!
These emails notified me of the lockdown, and there were over 100 of them in a short space of time. That’s what an automated attack looks like! (Fortunately, they didn’t get in. . .)
Here are the minimum changes everyone should make:
- Check the box next to Enable login lockdown feature.
- Set Max login attempts to 3. That’s plenty if it’s a human being just making a mistake.
- Set Login retry time period to 5. That means if the three attempts happen within five minutes, that user will be locked out.
- Set Time length of lockout for at least 10 minutes — I set it for 60.
- Check the box next to Instantly lockout invalid usernames, and enter admin in the box next to Instantly lockout specific usernames. If someone types their username incorrectly, they’ll have two more tries within five minutes. But if someone attempts to log in with the username “admin,” they’ll be locked out immediately. You want to do this because “admin” is the username hackers start with when they’re trying to break into a site, and you want to stop them in their tracks.
- Save your changes and return to the security dashboard.
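To make the interplay of those three numbers concrete, here is a small model of the lockdown policy just described. This is an added example, not code from the All in One WP Security & Firewall plugin; it assumes (as the plugin does, by IP address) that attempts are counted per source IP, that a lockout expiring also clears the failure counter, and that the username list is matched case-insensitively. The failed-login events it replays are constructed for the illustration.

```python
"""Toy model of a login lockdown policy: 3 failures within 5 minutes, or any
attempt with a blocked username such as "admin", locks the source IP for 60
minutes. Added example; not the plugin's own code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import shutil  # noqa: F401  (unused here; kept out of the way of the policy)


class LoginLockdown:
    """Tracks failed logins per IP and applies the lockdown thresholds."""

    def __init__(self, max_attempts=3, retry_period_min=5, lockout_min=60,
                 instant_lockout_usernames=("admin",)):
        self.max_attempts = max_attempts
        self.retry_period = timedelta(minutes=retry_period_min)
        self.lockout = timedelta(minutes=lockout_min)
        # Assumption: usernames compared case-insensitively.
        self.instant = {u.lower() for u in instant_lockout_usernames}
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Assumption: an expired lockout also resets the failure counter.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, username, now):
        """Return "locked" if the IP is (or just became) locked out, else "counted"."""
        if self.is_locked(ip, now):
            return "locked"
        if username.lower() in self.instant:
            self.locked_until[ip] = now + self.lockout   # instant lockout
            return "locked"
        window = self.failures[ip]
        window.append(now)
        # Drop failures older than the retry period so only a burst counts.
        while window and now - window[0] > self.retry_period:
            window.popleft()
        if len(window) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            window.clear()
            return "locked"
        return "counted"


# Constructed sample of failed logins: (timestamp, source IP, username tried).
SAMPLE_FAILED_LOGINS = [
    ("2024-05-01 10:00:00", "203.0.113.7", "editor"),
    ("2024-05-01 10:00:20", "203.0.113.7", "editor"),
    ("2024-05-01 10:00:45", "203.0.113.7", "editor"),   # 3rd failure in 45 s -> lockout
    ("2024-05-01 10:01:00", "203.0.113.7", "editor"),   # still inside the 60-min lockout
    ("2024-05-01 11:30:00", "203.0.113.7", "editor"),   # lockout expired, counter reset
    ("2024-05-01 10:00:05", "198.51.100.9", "admin"),   # "admin" -> instant lockout
    ("2024-05-01 10:00:00", "192.0.2.50", "jane"),
    ("2024-05-01 10:08:00", "192.0.2.50", "jane"),      # first failure fell out of the window
    ("2024-05-01 10:09:00", "192.0.2.50", "jane"),      # only 2 failures in the last 5 min
]


def replay(events, policy=None):
    """Feed events through the policy and return the decision for each one."""
    policy = policy or LoginLockdown()
    out = []
    for ts, ip, user in events:
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        out.append(policy.record_failure(ip, user, now))
    return out


def demo():
    return replay(SAMPLE_FAILED_LOGINS)


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_FAILED_LOGINS, demo()):
        print(decision.ljust(8), *event)
```

The third IP shows why the retry period matters: a genuine user who fumbles a password, walks away, and tries again ten minutes later never reaches three failures inside one five-minute window, while the first IP, failing three times in under a minute, is exactly the burst the settings are meant to stop.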
#3. File Permissions
Click this link and you’ll see a page showing the current and recommended permissions for file access. If you don’t know what this means, don’t worry. If you’re with a decent host, they’ll be correct and the entire page will be highlighted in green.
However, if you need to make any corrections, the plugin will guide you through them.
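If you want to see what such a permissions check is actually doing, here is an added example that audits a WordPress-style directory tree, not code from the plugin or from WordPress. The baseline it compares against is an assumption for the illustration (755 for directories, 644 for files, and 600 for wp-config.php, a common hardening convention); the plugin's own recommended table may differ. The sample tree is constructed in a temporary directory so the script runs anywhere.

```python
"""Audit file modes under a WordPress root against an assumed baseline.
Added example; the baseline values are an assumption, not the plugin's table."""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755         # assumed baseline for directories
FILE_MODE = 0o644        # assumed baseline for ordinary files
WP_CONFIG_MODE = 0o600   # assumed baseline for wp-config.php (holds DB credentials)


def expected_mode(path, root):
    """Return the baseline mode for one path, treating wp-config.php specially."""
    if os.path.isdir(path):
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php" and os.path.dirname(path) == root:
        return WP_CONFIG_MODE
    return FILE_MODE


def audit(root):
    """Walk the tree and report (relative path, actual, expected, world_writable)
    for every entry whose mode differs from the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlink targets are audited where they live
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            expected = expected_mode(full, root)
            if actual != expected:
                findings.append((os.path.relpath(full, root),
                                 f"{actual:o}", f"{expected:o}",
                                 bool(actual & stat.S_IWOTH)))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed mini WordPress layout with a few deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    layout = {
        "wp-config.php": 0o644,            # readable by every account on the host
        "index.php": 0o644,                # fine
        "wp-content": 0o755,               # fine
        "wp-content/uploads": 0o777,       # world-writable directory
        "wp-content/uploads/a.jpg": 0o666, # world-writable file
        "wp-content/plugins": 0o755,
        "wp-content/plugins/x.php": 0o644,
    }
    # Create everything first, then set modes, so a restrictive parent never
    # blocks creation of its children.
    for rel, _ in layout.items():
        full = os.path.join(root, rel)
        if os.path.splitext(rel)[1]:
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        else:
            os.makedirs(full, exist_ok=True)
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


def demo():
    root = build_sample_tree()
    try:
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, actual, expected, ww in demo():
        flag = "  <-- world-writable" if ww else ""
        print(f"{rel}: {actual} (expected {expected}){flag}")
```

The world-writable flag is the one to act on first: a directory or file anyone on the server can modify is how a compromise of one shared-hosting neighbour spreads to your site, which is exactly the situation the permissions page is meant to catch.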
#4. Basic Firewall
The firewall exists to protect your site against common attacks. Check the box next to Enable basic firewall protection to activate it.
Once you’ve completed the basic steps in these four settings, all four toggle buttons will be set to ON and will be green. Notice also that your security score is higher.
It’s still not great, but it’s a start — and the dial is now in the green zone, which is very good. Total time to accomplish: less than 10 minutes, including the time to install the plugin.
Installing and setting up the All in One WP Security & Firewall is one of the best investments of time you can make for your WordPress site. It sure beats spending hours trying to fix a site after hackers gain entry!
You've just completed Part I of a 2-part article. Next, we'll go over the Intermediate setup.