According to current statistics, WordPress is the most used CMS worldwide, with a market share of about 63% (June 2020). For this reason, most attacks concentrate on WordPress sites. Because WordPress itself pays relatively little attention to the topic of security, many of these attacks are very hard to notice. Even when an attack succeeds, it often takes days until a site administrator discovers it.
This general security problem can, however, be counteracted with a simple plugin: All In One WP Security & Firewall.
Installation
The installation of the plugin is done as usual via the menu “Plugins – Install”.
After installation, the item “WP Security” appears in the menu.
Dashboard
The first element in “WP Security” is the “Dashboard”. Here you get an initial overview of the most important security topics as well as a rating of the settings you have made so far.
Security Configuration
Because the plugin All In One WP Security & Firewall offers a lot of different configuration options, I present a short summary of the settings I consider most useful, divided by menu item.
ATTENTION:
Before you use the tool, I recommend backing up the files “.htaccess” and “wp-config.php”. Both can be backed up under “WP Security – Settings”.
User Accounts
Under “User Accounts” you can check whether the user “admin”, which is created by default during installation, is still in use, and whether the display name (e.g. for posts) is the same as the login name.
If either applies, renaming the user is recommended.
User Login
Under “User Login” you will find everything that is related to the backend login:
- Maximum number of login attempts until the IP address is blocked.
- Duration of the lockout.
- Mail notification when IP addresses are blocked.
- Log out logged-in users automatically after a defined time.
Additionally, it logs which IP addresses have recently been blocked, which accounts have successfully logged in and which accounts are currently logged in.
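As an added example (not part of the original post and not the plugin's own code), the following Python script models the lockout policy described above over a few constructed login events: it counts failed attempts per IP address inside a time window, locks the IP for the configured duration once the limit is reached, and records the lockouts that would trigger the mail notification. The attempt limit, the window and the lockout duration are assumed values, not the plugin's defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (not the plugin's defaults): lock an IP after
# MAX_ATTEMPTS failed logins within WINDOW, for LOCKOUT_DURATION.
MAX_ATTEMPTS = 3
WINDOW = timedelta(minutes=5)
LOCKOUT_DURATION = timedelta(minutes=60)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (timestamp, source IP, username, password correct?)
SAMPLE_EVENTS = [
    ("2020-06-01 10:00:00", "203.0.113.5", "admin", False),
    ("2020-06-01 10:00:10", "203.0.113.5", "admin", False),
    ("2020-06-01 10:00:20", "203.0.113.5", "admin", False),  # third failure
    ("2020-06-01 10:05:00", "203.0.113.5", "editor", True),  # correct, but IP locked
    ("2020-06-01 10:01:00", "198.51.100.7", "editor", True),  # other IP, unaffected
    ("2020-06-01 11:30:00", "203.0.113.5", "editor", True),  # lockout has expired
]

def evaluate_logins(events, max_attempts=MAX_ATTEMPTS, window=WINDOW,
                    lockout=LOCKOUT_DURATION):
    """Replay login events in time order and apply the lockout policy.
    Returns (decisions, locked_until): one (timestamp, ip, user, decision)
    tuple per event, plus the lockout expiry per IP for the notification mail."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed attempts
    locked_until = {}              # ip -> datetime when the lockout ends
    decisions = []
    for ts_str, ip, user, success in sorted(events):
        ts = datetime.strptime(ts_str, TS_FMT)
        if ip in locked_until and ts < locked_until[ip]:
            # A locked IP is rejected even when the credentials are correct.
            decisions.append((ts_str, ip, user, "blocked"))
            continue
        if success:
            failures[ip].clear()
            decisions.append((ts_str, ip, user, "allowed"))
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # forget attempts outside the window
            recent.popleft()
        if len(recent) >= max_attempts:
            locked_until[ip] = ts + lockout
            recent.clear()
            decisions.append((ts_str, ip, user, "failed, IP locked"))
        else:
            decisions.append((ts_str, ip, user, "failed"))
    return decisions, locked_until
```

Note that the locked IP is rejected at 10:05 even though the password for “editor” is correct, which is exactly the behaviour that makes a short lockout duration preferable to a very long one on a shared IP.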
User Registration
If other people are allowed to register on the site, you can require that all new users are first confirmed manually by an administrator. A captcha can also be activated to prevent bots from registering automatically.
Database Security
Under “Database Security” the prefix of the WordPress database tables can be changed so that it no longer uses the WordPress default.
Under “DB Backup” it is also possible to define scheduled database backups.
ATTENTION:
Before changing anything in the database, a backup should first be created via “Database Security – DB Backup”.
Blacklist Manager
If the same IP address repeatedly tries to log into the backend, it can be added to the Blacklist Manager. Afterwards that IP address has no access to the site at all.
Brute Force
Under “Brute Force” the login can be secured much better. The most important point here is the activation of a captcha on the login form, in order to stop bots here as well.
In addition, the login URL can be changed. By default, the login is reached via “https://domain.at/wp-admin”. When the function is activated, the URL can be changed to “https://domain.at/backend”, for example.
SPAM prevention
If you have activated the comment function under Posts, you can activate “SPAM Prevention”. Here too, bots can be stopped with a captcha. Additionally, a maximum number of comments from the same IP address can be defined.
Maintenance & Miscellaneous
Apart from the security topics, the All In One WP Security & Firewall plugin can also activate a maintenance mode to inform visitors that the site is currently under construction.
If you want to protect your posts, you can also activate the copy protection. Afterwards no text can be copied using “Ctrl+C”. Keep in mind that this is a client-side measure only; it does not stop anyone who disables JavaScript or simply views the page source.