My Favorite Security Plugin
When WordPress administrators are searching for a security plugin, usually Wordfence Security comes out on top. And for good reason. With over 2 million active installations across the community, it is by far the most popular security plugin. Does that mean it is the best? I think that is a matter of opinion. There is certainly no shortage of features. The support is great and plugin updates are released frequently. Still, I prefer a less popular but widely used plugin – All In One WP Security & Firewall.
I briefly went over one of my favorite features of the plugin in another post titled Locking Down Your Login Page. The purpose of this feature is to obscure your login page and rename it to something other than the default wp-login.php. There is a conflict of opinion on whether security through obscurity is a valid method of protection. I am firmly in the camp that it is very beneficial. Yes, you can put a captcha code on the login page. Limit login attempts. Even ban IP addresses after too many failed attempts. But if an attacker knows where the door is, they’ll keep knocking. They are like the Walking Dead of the world, coming from all corners of the globe and putting an unnecessary strain on your server. Why not keep all the safeguards but also move that door?
It Truly Is All In One
Before I get into other features, let’s take another look at the current statistics for this security plugin.
Active Installations: 600,000+ | Last Updated: 4 Weeks Ago | As of 2/28/18
If you compare these statistics to the ones in my post about the login page, you’ll see that not much has changed. The active installations remain stable and the plugin version has been updated in a reasonable time.
What is neat about this plugin is that they give you a point system for enabling different features. This gives you a goal to achieve and serves as a good reminder of what to do if you run multiple WordPress sites. I particularly like how the grading scale system breaks down into 3 categories – bad, okay, and good. The good range is easily attained and I appreciate that the authors didn’t set it too high, especially considering the maximum number of points achievable is a whopping 505. I personally float between 180 and 200 for my sites. But I also have several layers of additional security installed at the server level. You should aim for a goal that suits your needs.
The point system scale in AIOWPS
- User Accounts – How many of you are guilty of making the default user name admin? I’ll admit, I used to. Normally, you can’t change the user name through WordPress. With AIOWPS it is effortless. It also detects if any user names have the same nickname/display name. It is important to keep these different so that attackers don’t have half the puzzle of your login credentials solved already.
  - 20 possible total points for this category
- User Login & Registration – Allows you to limit and record login attempts. You can add a captcha or honeypot mechanism to registration and require manual approval before an account is created.
  - 75 possible total points for these categories
- Database & Filesystem – Change your database prefix and schedule backups. Set recommended permissions on core WordPress files. Disable PHP editing in WordPress dashboard.
  - 70 possible total points for these categories
- Blacklist Manager – Your basic ability to ban IP addresses and user agents.
  - 15 possible total points for this category
- Firewall – A wide range of firewall rules. A lot of points to be had here. I’ll list additional information below.
  - 135 possible total points for this category
- Brute Force – This is where you can rename your login page and provide extra security features for that page. Another point-heavy section.
  - 125 possible total points for this category
- Spam Prevention – As advertised, this feature blocks comment spam.
  - 30 possible total points for this category
- Scanner – Detect file changes and send email upon detection. They also offer a premium malware scan service.
  - 20 possible total points for this category

There are a few other settings with some point values to get the maximum 505. It is important to read the warnings on certain features, as they might break some functionality with your theme or plugins.
The best features detailed
You’ve already read about the rename login feature. It is simple to implement and will deter attackers from brute forcing your login page. I find it astounding how many businesses and entities do not employ some sort of redirect for the login page: everything from police stations to law firms and other high-value businesses. Many are probably not even aware of how many failed attempts occur. I always create a unique login URL for all of my customers. If, for whatever reason, you’re locked out due to a redirect issue, simply rename the plugin folder to something else via FTP. This effectively disables the plugin. It is nice to know that if you deactivate the plugin you have the option of reinserting all of your rules upon reactivation.
Aside from brute force, other favorite features include:
Firewall Settings and Options Tabs
As you can see in the image above, there are many options you can configure for the firewall. Details are available by clicking on the More Info boxes next to each option. Make sure you read each detail thoroughly. It would be wise to test some of the options that have warnings. For instance, I usually never enable Deny Bad Query Strings and Advanced Character String Filter. Both indicate that some functionality could be broken if your theme or a plugin is incompatible. Since I also have some security options enabled on my server, I can omit those features. The only way to know for sure is to play around and test various functions on your site.
Another firewall option is to use rules provided and tested by perishablepress.com. Defined as 6G or 5G (legacy), these rules will further enhance your website’s security. I usually just stick with 6G as 5G could be considered overkill now.
Lastly, there are options for blocking fake internet bots, such as spiders/bots that pose as Google. I don’t think they harm your website but they might throw off your analytics and statistics. You can also prevent hotlinking to your site. That’s where someone uses an image directly from your server and displays that image on their site. This is essentially stealing bandwidth for their benefit. If one of your sites displays images hosted on another of your sites, you’ll probably want to disable this so that you aren’t breaking your own images.
Filesystem & Database Security
Filesystem and Database Security Options
The options you can configure here probably don’t get the attention they deserve. They aren’t overly complex but can serve as a good reminder of things you should do.
The filesystem security option gives you an overview of the main WordPress core files and their permission states. Anyone familiar with FTP knows you can set permissions for read, write and execute for ownership groups of owner, group and public. In AIOWPS, these main files can have their permissions set to the recommended values with the click of a button. Each file is color-coded so you know if there is a potential risk.
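An added example, not code from AIOWPS or from the original post: a standalone version of this kind of permission overview, flagging any core path whose mode grants more than a baseline. The baseline modes (0755 for directories, 0644 for regular files, 0640 for wp-config.php) and the ok/warn/critical labels are assumptions for illustration, and the demo tree is constructed.

```python
import os
import stat
import tempfile

# Assumed baseline, not taken from the post or the plugin: directories 0755,
# regular files 0644, wp-config.php 0640. Paths are relative to the WordPress root.
RECOMMENDED = {
    ".": 0o755, "wp-admin": 0o755, "wp-includes": 0o755, "wp-content": 0o755,
    ".htaccess": 0o644, "index.php": 0o644, "wp-config.php": 0o640,
}

def audit_permissions(wp_root, recommended=RECOMMENDED):
    """Return (path, actual_mode, recommended_mode, status) for each baseline entry."""
    findings = []
    for rel, want in recommended.items():
        try:
            have = stat.S_IMODE(os.stat(os.path.join(wp_root, rel)).st_mode)
        except FileNotFoundError:
            findings.append((rel, None, want, "missing"))
            continue
        extra = have & ~want              # permission bits beyond the baseline
        if not extra:
            status = "ok"                 # equal to or stricter than the baseline
        elif extra & stat.S_IWOTH:
            status = "critical"           # any user on the server can modify it
        else:
            status = "warn"               # looser than the baseline, not world-writable
        findings.append((rel, have, want, status))
    return findings

def demo():
    """Build a constructed WordPress-like tree with two loose modes and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for d in ("wp-admin", "wp-includes", "wp-content"):
            os.mkdir(os.path.join(root, d))
            os.chmod(os.path.join(root, d), 0o755)
        sample = {".htaccess": 0o666, "index.php": 0o644, "wp-config.php": 0o644}
        for name, mode in sample.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return {rel: status for rel, _, _, status in audit_permissions(root)}

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

Comparing with `have & ~want` rather than testing for equality means a mode stricter than the baseline, such as 0600 on wp-config.php, is not reported as a problem.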
The database security option allows you to create and schedule backups of your MySQL database. You should probably be backing up your website and databases already. But if you aren’t, you definitely want to enable this option. Database prefixes can also be reset to something else. A lot of people install WordPress sites with the default wp_ prefix. Although I now install each site with a unique prefix, I relied heavily on this feature to rename my existing websites’ default prefixes.
You might come across some articles saying it is pointless to change it, and that if an attacker can gain access to the database they can easily get that prefix with a command. It’s more “security through obscurity”, they say. I’m not convinced it is pointless. It certainly isn’t harmful. I don’t think that it is out of the realm of possibility that a type of SQL injection attack/vulnerability could be found. To be honest, there is no reason why you shouldn’t change the prefix.
Which Security Plugin Should You Choose
If you’re already using Wordfence, you’re probably pretty happy with it. While I liked it as well, I wanted the option to rename my login page. Sure, this can be accomplished through the .htaccess file, but it is nice to have an easily accessible option. The key is to choose a plugin that has the features most important to you.
With All In One Security & Firewall, you get an advanced security toolset at no charge. It should be used by a skilled administrator or at least someone willing to take the time to read all the details. You might get locked out of your site or be unaware of broken functionality. I’ve never had an issue correcting a problem from AIOWPS. Disabling the plugin and renaming the .htaccess file to something else has worked every time for me. However, it is impossible to account for every server variable and scenario. At the very least, if you do not have a security plugin or are unhappy with your current plugin, you should try this one out for yourself.