Hack-Proof Your WordPress Site With All In One WordPress Security Plugin
The most unfortunate event that can happen to your website (aside from being penalized) is getting hacked. Most hackers don’t choose which website to hack, so if you’re thinking along the lines of “my website isn’t really well-known, so no one will attempt to hack it” then you’re wrong.
Every website is in the crosshairs of hackers, especially WordPress websites.
Earlier this morning I even received an email that a Ukrainian IP address tried to access my website six times with the username “admin”. Thanks to my security upgrades, the IP address was blocked.
So what do you do when hackers try to compromise your website? For WordPress sites, hack-proofing is as easy as installing and configuring the All In One Security and Firewall plugin!
What You Will Learn:
- How to change your display name, user name, and password
- How to enable Login Lockdown (limit login attempts)
- How to rename your login page from “wp-login.php” to something else
- Re-discover some common sense security do’s and don’ts
What Is All In One WP Security?
All In One WP Security is a superb security plugin that offers a vast array of features that will secure your site from unwanted access. What I really like about this plugin is that it’s powerful, comprehensive, and lists security issues by priority.
Another plugin called iThemes Security provides the same level of security, if not better, but iThemes Security is just too clunky for my taste.
Let’s take a look at the pros and cons of the All In One WP Security.
It’s not called All In One WP Security for nothing. The plugin is such a complete package that it replaced an entire set of security plugins my sites were previously using. It’s an awesome way to de-clutter. Here are some plugin highlights:
Regular Backups for Database Security – This won’t really secure your website from hackers, but in the unfortunate event that hackers do infiltrate your site, having a database backup you can rely upon is a huuuuge sigh of relief. AIOWPS can back up your website pretty easily and automatically, and you can even choose where the backup will be stored. Some web hosts like Power Up Hosting perform regular backups as well, but there’s no harm in doing it twice, right?
Firewall and Brute Force Protection – AIOWPS has the ability to stop hackers from brute forcing your site through limiting login attempts, IP blacklisting, and other security features.
Ease of Use – I really like how AIOWPS uses a security strength meter to grade a site’s strength. This gives users some sort of direction or goal in improving their sites. The entire plugin does not feel clunky, unlike other security plugins, and most of the options are basically just buttons that you either switch on or off. Instructions are also littered on every page, so it’s hard to get lost.
One disadvantage of using this plugin is that it’s not as robust and feature-packed as the iThemes Security plugin. If you do prefer to get the iThemes plugin, prepare for a steeper learning curve. It’s also a bit clunky the first time you use it and might take several tries to find the configuration you prefer. This post takes that pain away though.
Installing WP Security and Firewall
First off, go to Plugins > Add New. The options are on the sidebar menu of your Dashboard. Next, search for the plugin by typing its name on the Add Plugins search bar. Hit Install Now on the search result.
You can also see that at the time of this writing, the plugin is recently updated. That goes to show that its developers are still actively working on improving the plugin. Although the plugin is compatible with the latest version of WordPress, it wouldn’t hurt to double check if the plugin is compatible with your current WordPress version. Finally, hit the Activate Plugin link to, well, activate the plugin.
You’ve now successfully installed the plugin!
Now let’s move on to the next part: configuring the plugin.
There are quite a few steps you have to go through in order to fully secure your site. Worry not, my friend – the plugin (and me, of course) will hold your hand all the way.
Before you proceed with the configuring, check out the dashboard first. On your WordPress dashboard’s side menu go to WP Security > Dashboard. You will see something like this:
You can see the Security Strength Meter I was talking about earlier. Notice the “Total Achievable Points” and the “Current Score of Your Site”. That’s the goal-setting feature I was talking about. Currently, my site only has 20 points. There’s a lot of configuring to do, but do note that you do NOT need to achieve all 470 points – some of these reward-able settings will not be applicable to your website anyway.
Also, remember to follow the instructions in this article. I tried several (mis)configurations before and ran into all sorts of trouble, like being unable to access my own admin dashboard.
Changing Your Username
Go to WP Security > User Accounts. Here, you can change your username, display name, and password. Each of the three has its own tab, so please be guided.
Since my site’s username is not “admin” this feature is already turned on. I get 15 points for this!
I actually have no idea what would happen if my username is “admin”, but I would guess that there will be an option to change it.
If anything, please send me a screenshot!
Changing Your Display Name
By default, your login name is also your “nickname”. If you don’t change this, you leave half of your login credentials out in the open whenever you post a comment. Changing this adds another layer of security for your site.
You get 5 points for changing your display name!
Changing Your Password
All In One WP Security has a nifty tool that gauges a password’s strength. If a hacker has a high-end PC with the appropriate hacking software, it will take him or her around 100 billion years to crack my site’s password.
Just for fun, let’s take the top 10 most common passwords of 2014 and see how fast hackers can crack them.
- 123456 – less than one second
- password – 1 minute, 13 seconds
- 12345 – less than one second
- 12345678 – less than one second
- qwerty – less than one second
- 123456789 – less than one second
- 1234 – less than one second
- baseball – 1 minute, 13 seconds
- dragon – less than one second
- football – 1 minute, 13 seconds
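To show where numbers like the ones in this list come from, here is an added example (my own code, not the plugin’s strength meter) of the arithmetic a password strength meter does: a password that appears in a common-password list is treated as cracked instantly, and anything else is scored by the size of its character set raised to its length, divided by an assumed guess rate. The 10 guesses-per-second figure and the sample passwords are assumptions, not values from the page; the point the example makes is that length matters far more than mixing in symbols.

```python
import string

# The ten passwords from the 2014 list above; a hit is treated as cracked instantly
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

# Assumption (not a figure from the page): an offline cracking rig testing
# ten billion guesses per second.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def seconds_to_crack(password):
    """Expected brute-force time: half the search space at the assumed guess rate.

    Dictionary hits return 0.0 because an attacker tries common passwords
    first, which is why the list above cracks in "less than one second"
    regardless of length.
    """
    if not password or password.lower() in COMMON_PASSWORDS:
        return 0.0
    search_space = charset_size(password) ** len(password)
    return search_space / 2 / ASSUMED_GUESSES_PER_SECOND


def describe(seconds):
    """Round a duration to the largest convenient unit, as a strength meter reports it."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    if seconds < 1:
        return "less than one second"
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return f"{seconds:.0f} seconds"


def rate_password(password):
    """Return (seconds, human-readable estimate) for one password."""
    secs = seconds_to_crack(password)
    return secs, describe(secs)


if __name__ == "__main__":
    # Constructed sample passwords, from the common list to a long passphrase
    for pw in ["123456", "dragon", "abcdefgh", "Tr0ub4dor&3",
               "correct horse battery staple"]:
        print(f"{pw!r:32} {rate_password(pw)[1]}")
```

Run it and the eight-letter lowercase password lands in the seconds range while the four-word passphrase, built from the same lowercase alphabet plus spaces, runs to an astronomically large number of years, which is the practical lesson behind “make more creative passwords”.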
Let’s try to make more creative passwords than those mentioned above. Here’s how you do it:
On the side menu, go to Users > Your Profile.
Go to the bottom of the page and you will see Account Management options. You can change your password here.
WordPress can generate a super random password for you, but that’s a bit hard to remember. Personally, I make a memorable password by using words and numbers that mean something only to me. Of course, this is not my birthday, age, or anniversary – these are very easy to figure out.
Enable Login Lockdown
One common tactic hackers use is to perform a brute force attack on a website, where they repeatedly attempt to log in to your site until they get the correct credentials. An effective way of blocking this is to limit login attempts.
By default, you should be the only one to log in to your website, so you only need 2 or 3 tries to access your site. This plugin has options that will do just that, in addition to IP blacklisting and failed login timeouts.
Don’t forget to check the Enable Login Lockdown Feature to apply all the settings you will do below.
Max Login Attempts: Set it to 3 attempts, so you can give yourself some leeway for typos.
Login Retry Time Period: Set it to 100 minutes or more. This is the window in which failed attempts are counted: 3 failures from the same IP address within 100 minutes trigger the lockout.
Time Length of Lockout: Set it to 100 minutes or more. Once an IP address has failed 3 times, it cannot log in for 100 minutes.
Instantly Lockout Invalid Usernames: Check this to immediately ban login attempts that don’t use existing usernames. Just don’t forget your username.
Notify by Email: Your call. I suggest checking this option so you’ll be updated whenever something happened.
You can check how this works by logging out and entering a wrong username or password. Careful though, you only have 3 tries!
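The settings above are easier to reason about when you can see the rules play out. The following is an added example I wrote for this post, not code from the plugin: a small simulator that applies Max Login Attempts = 3, a 100-minute retry window, a 100-minute lockout and instant lockout for invalid usernames to a constructed sequence of login attempts, including the “admin” probe from a foreign address described at the top of the post. The account name, IP addresses and timestamps are all made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The plugin settings recommended in the post
MAX_LOGIN_ATTEMPTS = 3
LOGIN_RETRY_TIME_PERIOD = timedelta(minutes=100)
TIME_LENGTH_OF_LOCKOUT = timedelta(minutes=100)
INSTANTLY_LOCKOUT_INVALID_USERNAMES = True

# Constructed sample account (the only valid username on this site)
VALID_USERS = {"siteowner": "correct horse battery staple"}


@dataclass
class LockdownState:
    failures: dict = field(default_factory=dict)      # ip -> timestamps of failures
    locked_until: dict = field(default_factory=dict)  # ip -> lockout expiry
    notifications: list = field(default_factory=list) # "Notify by Email" events

    def attempt(self, ip, username, password, now):
        """Process one login attempt; returns 'success', 'failed' or 'locked'."""
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return "locked"                      # still inside the lockout period
        if VALID_USERS.get(username) == password:
            self.failures.pop(ip, None)          # a good login clears the counter
            return "success"
        if INSTANTLY_LOCKOUT_INVALID_USERNAMES and username not in VALID_USERS:
            self._lock(ip, now, f"invalid username {username!r}")
            return "locked"
        # Only failures inside the retry window count toward the limit
        recent = [t for t in self.failures.get(ip, [])
                  if now - t < LOGIN_RETRY_TIME_PERIOD]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_LOGIN_ATTEMPTS:
            self._lock(ip, now, f"{len(recent)} failed logins")
            return "locked"
        return "failed"

    def _lock(self, ip, now, reason):
        self.locked_until[ip] = now + TIME_LENGTH_OF_LOCKOUT
        self.failures.pop(ip, None)
        self.notifications.append(f"{now:%Y-%m-%d %H:%M} lockout {ip}: {reason}")


def run_sample():
    """Replay a constructed attempt log (attempts per IP are in time order)."""
    t0 = datetime(2015, 1, 1, 9, 0)
    m = lambda mins: t0 + timedelta(minutes=mins)
    events = [
        ("203.0.113.7",  "admin",     "password",                     m(0)),
        ("203.0.113.7",  "admin",     "123456",                       m(1)),
        ("198.51.100.5", "siteowner", "wrong1",                       m(0)),
        ("198.51.100.5", "siteowner", "wrong2",                       m(1)),
        ("198.51.100.5", "siteowner", "wrong3",                       m(2)),
        ("198.51.100.5", "siteowner", "correct horse battery staple", m(50)),
        ("198.51.100.5", "siteowner", "correct horse battery staple", m(105)),
        ("192.0.2.9",    "siteowner", "typo",                         m(3)),
        ("192.0.2.9",    "siteowner", "typo",                         m(200)),
    ]
    state = LockdownState()
    results = [state.attempt(ip, user, pw, when) for ip, user, pw, when in events]
    return results, state.notifications


if __name__ == "__main__":
    results, notes = run_sample()
    for r in results:
        print(r)
    for n in notes:
        print("EMAIL:", n)
```

Three things to notice in the output: the “admin” probe is locked out on its very first try because the username does not exist; the third wrong password from 198.51.100.5 locks that address even though the right password is supplied 48 minutes later, and only the attempt after the 100-minute lockout succeeds; and the owner's occasional typo from 192.0.2.9 never triggers anything, because the earlier failure has aged out of the retry window. Each lockout also produces one notification line, which is what the Notify by Email option sends you.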
Rename Your Login Page
By default, WordPress’ login page URL is “/wp-login.php”. Because every WordPress site shares it, hackers know exactly where to find your login page and do their brute force thing.
So what do you do? You change your login page’s URL like the image below.
It’s recommended to change the login page’s URL to something that only you will know. Nothing along the lines of your birthday or anniversary – those combinations are easy pickings.
Some Security Do’s and Don’ts
DON’T log in over insecure connections.
DON’T access your cPanel or admin dashboard at internet cafes or on any desktop/laptop that’s not yours. In the unavoidable case that you have to access them from insecure locations, use an incognito window and remember to log out before leaving.
DON’T store your passwords online. If you store your passwords on your desktop or laptop, make sure the file is password-protected or encrypted in one way or another.
DO keep everything updated – WordPress, themes, and plugins are not updated just because there are new features to be added, but also to patch security loopholes in the program. Older WordPress versions are known to have security loopholes that hackers can use to infiltrate a website. The good thing is that the WP peeps are transparent about these issues and keep their users in the loop. Some important plugins, such as Yoast, have also had run-ins with security loopholes in the past.
DO invest in a secure web host. Customer support is also important.
With this article, you learned how to configure the All In One WP Security and Firewall plugin to ensure better site security and re-discovered some common sense do’s and don’ts in running your website. Doing so will definitely beef up your site security!
What security measures do you do? Share them on the comments below!