The All In One WP Security & Firewall plugin by Tips and Tricks HQ is much more than just a protection tool for the all-important .htaccess and wp-config.php files.
Among other things, there are basic, intermediate and advanced firewall protection strategies that can be applied to a WordPress site. When turned on, these features add rules to the .htaccess file, which the Apache web server reads before it hands a request to any WordPress PHP file, so a malicious request can be stopped before it ever reaches the site's code.
User Login Safety Features of the Plugin
The plugin includes features that help prevent logins by hackers and malicious scripts. A Brute Force Login Attack is one such way in which a hacker tries to gain entry: the attacker keeps guessing the password for a WordPress account, all the while assuming that the username is already known. This can be done manually or, far more often, with a script.
To prevent such attacks, not using the default "admin" user name for the Administrator account is key. Also, make sure the setting that displays the author's name on posts (or pages) shows a display name rather than the login username; otherwise every post hands an attacker half of the credentials.
Of course, strong passwords go a long way as well. Never use dictionary words; those are the first guesses a brute force script tries. Many people suggest using a full sentence, punctuation and spaces included, as a password. Others suggest making sure there is a good mix of lower case and upper case letters, special characters (such as #$%@&!) and numbers in the password.
Another effective way to stop the attacks is to monitor and block IP addresses that are involved in repeated failed login attempts, which in most cases are attacks.
There are settings in the plugin for stopping login attempts once certain criteria are met. You can set the maximum number of login attempts within a specific time frame; when it is reached, the IP address is locked out for the amount of time you specify. You can also have the plugin display a generic (i.e. non-revealing) error message for failed login attempts, so an attacker cannot tell whether the username or the password was wrong. Lockouts can be reported to the site admin by email as well.
The above settings are considered "Basic" and add 20 points to the Security Strength Meter (the gauge the plugin uses to estimate how secure a site is based on the chosen settings). You can add another 5 points by enabling another basic feature that automatically logs a WordPress user out after being logged in for a specific amount of time, say 1 hour. If a person walks away from a machine and does not come back within that time, the session expires.
Introducing the Cookie-Based Brute Force Login Prevention Feature
Another Firewall feature that involves user accounts, that is considered “Intermediate” and adds another 20 points to the Security Strength Meter, is the ‘Cookie-Based Brute Force Login Prevention’ feature.
While repeated failed attempts at guessing a WordPress username and password combination can get an IP address locked out, each of those attempts still has to be handled by PHP and WordPress before the lockout check runs, which takes up valuable server resources. When many attempts arrive concurrently (from automated bots), this has a noticeable impact on the server's memory and performance.
This feature adds new rules to the .htaccess file. Essentially, it hides the default WordPress login page from the public: if an attacker cannot reach the login page, no login attempt can be made at all, and the rejected request never reaches PHP.
The way it works is: you specify a "secret word" in the plugin, and the plugin turns it into a special URL. Visiting that special (secret) URL sets a cookie in the browser; when the cookie is present, the browser is allowed through to the WordPress login page as usual. Without the cookie (i.e. without knowledge of the special URL), the visitor is redirected to a different IP address or URL that you configure. This could be any site on the web, but the default is http://127.0.0.1, the loopback address of the visitor's own machine, so the redirected request goes nowhere useful.
Don't worry, if there are password-protected posts or pages on the site, there is a provision that lets visitors submit the password for that content without needing to know the special URL. Turning it on, however, opens a small side door to the login script for those who know the location of these pages (most often it won't be hackers, though). Nonetheless, only turn on this option when you actually need it.
Steps for Setting Up the Cookie-Based Brute Force Login Attack Prevention Feature
Below are the quick steps for implementing the cookie based brute force login attack prevention feature for WordPress.
- Of course, get the plugin installed however you normally do. When you already know the plugin's name, the easiest way is the search feature under Plugins >> Add New, which avoids downloading and uploading a zip file. In this case, search for: All In One WP Security & Firewall.
- Go to WP Security >> Firewall >> Brute Force Prevention once the plugin is installed and activated.
- Scroll to the bottom of the page and run the quick cookie test to make certain that this feature will in fact work for you on the machine you are using. Click the Perform Cookie Test button. If the test fails, do not enable the feature, or you will lock yourself out along with the attackers.
- Next, put a checkmark in the box to Enable Brute Force Attack Prevention.
- Create a Secret Word. It forms the secret URL, and visiting that URL creates the cookie that authorizes access to the WordPress login URL.
- You are probably done at this point; save your changes. Optionally modify the Re-direct URL if you want to be clever. And if your site does in fact have password-protected posts or pages, check the option My Site Has Posts Or Pages Which Are Password Protected.
After saving your settings, make a note of the secret URL (preferably memorize it rather than writing it down) and you are in business. Before logging out of the current session, confirm the behaviour from a second browser or a private window: without the cookie you should be redirected away from wp-login.php, and after visiting the secret URL you should reach the login page as usual.
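To make the mechanism concrete, the following .htaccess fragment does what the feature described above does, written for this page as an added illustrative example. It is not the plugin's own generated rules, and the site name (example.com), secret word (openSesame) and cookie name (wpsec_login_ok) are assumed placeholders; substitute your own, and escape any regex metacharacters in the secret word.

```apache
# Added illustrative example, not the plugin's own generated rules.
# Assumptions: site served at example.com, secret word "openSesame",
# cookie name "wpsec_login_ok". Goes in the site's root .htaccess.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1) The secret URL: https://example.com/?openSesame
#    Sets the cookie (session lifetime, path /, HttpOnly; set the
#    "secure" field to 1 on an HTTPS-only site) and redirects the
#    browser to the real login page. The trailing "?" in the
#    substitution drops the secret word from the query string.
RewriteCond %{QUERY_STRING} ^openSesame$
RewriteRule ^$ /wp-login.php? [CO=wpsec_login_ok:1:example.com:0:/:0:1,R=302,L]

# 2) Any request for wp-login.php, or for the wp-admin directory itself
#    (deeper paths such as admin-ajax.php stay reachable on purpose)...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ...except the form that submits a password for password-protected
#    posts (this is the exception the "password protected" option opens)...
RewriteCond %{QUERY_STRING} !^action=postpass
# ...and only when the cookie is absent...
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wpsec_login_ok=1
# ...is redirected to the visitor's own loopback address. Apache does
#    this before any WordPress PHP runs, so the attempt costs almost nothing.
RewriteRule ^(.*)$ http://127.0.0.1 [R=302,L]
</IfModule>
```

The two RewriteCond lines joined by [OR] form one group that is then ANDed with the conditions below them. Because the cookie has a session lifetime, closing the browser discards it and you will need to revisit the secret URL; that is the intended trade-off, since a long-lived cookie would extend the window in which a stolen cookie is useful. Note that in .htaccess a comment must start at the beginning of a line; a # after a directive is a syntax error.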
What if Something Goes Wrong When I Use this Feature?
Remove the rules the plugin added to the .htaccess file, either by restoring a backup copy of the file (take one before enabling the feature) or by editing the file over FTP/SFTP and deleting the plugin's block. Apache reads .htaccess on every request, so the login page is reachable again the moment the file is saved.