Aug 10, 2014
 

All In One WP Security And Firewall Rules helps you set up the following options: basic firewall rules, disable index view, deny bad query strings, 5G blacklist and much more.

Last Updated: August 9, 2018

Latest News: I have updated the information below.

This post provides information about the different Firewall protection options you can enable to protect your website. These settings are important but at the same time they can cause issues in your site. I recommend that you read each feature carefully before you enable it.

Steps you should take when enabling Firewall features: enable the features one at a time and test your site after each one. Continue like this until you are happy with the features you have enabled. Too many people run into issues because they enable most or all of the firewall rules at once.

Important Note

This plugin has many firewall rules, which are deliberately split up into separate sections. Not all sites will work 100% with all of the rules enabled, because every site has a unique setup and different behaviors.

In some cases you will have to disable the feature that is causing issues in your site. As a general rule of thumb: if you had to choose just one set of firewall rules, it would be the 6G rules, because they provide the best all-round coverage/protection.

All In One WP Security And Firewall Rules

Step 1 ) Click on WP Security -> Firewall to set up the following security settings.

  • Basic Firewall Rules
  • Additional Firewall Rules
  • 6G Blacklist Firewall Rules
  • Internet Bots
  • Prevent Hotlinks
  • 404 Detection
  • Custom Rules

[Image: all-in-one-wp-security-and-firewall-firewall-settings]

Basic Firewall Settings

Step 2 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> Basic Firewall Settings to set up the following security settings.

If you enable this option, it will add another 15 points to your security meter score. (Basic Security Level)

Basic Firewall Settings

  • Enable Basic Firewall Protection:

WordPress XMLRPC & Pingback Vulnerability Protection

Step 3 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> WordPress XMLRPC & Pingback Vulnerability Protection to set up the following security settings.

If you enable these options, it will add another 15 points to your security meter score. (Basic Security Level)

Note: To learn more about this feature, check the following URL: All In One WP Security Plugin Pingback Protection Settings.

WordPress XMLRPC & Pingback Vulnerability Protection

  • Completely Block Access To XMLRPC:
  • Disable Pingback Functionality From XMLRPC:

Block Access to Debug Log Files

Step 4 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> Block Access to Debug Log Files to set up the following security settings.

Block Access to Debug Log Files

  • Block access to debug.log file

If you enable all three options, it will add another 10 points to your security meter score. (Basic Security Level)

=============================

Additional Firewall Rules

Step 5 ) Click on WP Security -> Firewall -> Additional Firewall Rules to set up the following security settings.

  • Disable Index Views
  • Disable Trace and Track
  • Forbid Proxy Comment Posting

Activating the three options above will add another 25 points to your security meter score. (Intermediate And Advanced Security Level)

[Image: all-in-one-wp-security-firewall-aditional-rules]

Step 5-a ) Activating the following two options will add another 30 points to your security meter score. (Advanced Security Level)

  • Deny Bad Query Strings (Note: see the troubleshooting note below.)
  • Enable Advanced Character String Filter

[Image: all-in-one-wp-security-bad-query]

Deny Bad Query Strings Troubleshooting

On some sites this feature might not work and may trigger error messages. If that is the case, you can leave the “Deny Bad Query Strings” rules disabled, or you can modify them by figuring out which string is causing the trigger. Then all you have to do is copy and paste the modified rules into the Custom Rules section.
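The troubleshooting step above is easier when you can see exactly which rule fires on which URL. The following Python script is an added example and is not code from the plugin or its authors: the rule patterns in `QUERY_RULES` are constructed stand-ins (not the plugin's real "Deny Bad Query Strings" rules), and `SITE_URLS` is a constructed list of a site's own legitimate URLs. Running `audit()` over the site's URLs reports the rule names that would block them; `without_rule()` lets you confirm that dropping or narrowing one rule clears the false positives before you paste a modified version into the Custom Rules section.

```python
"""Find which 'bad query string' rule a URL trips (added example, not plugin code)."""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote, urlsplit

# Constructed stand-ins for deny-bad-query-string rules. They are NOT the
# plugin's real rule set; the point is the audit loop, not the patterns.
QUERY_RULES: Dict[str, re.Pattern] = {
    "directory-traversal": re.compile(r"\.\./"),
    "script-tag": re.compile(r"<\s*script", re.IGNORECASE),
    "php-eval": re.compile(r"\b(?:eval|base64_decode)\s*\(", re.IGNORECASE),
    # Deliberately broad, to show the kind of rule that causes false positives
    # on ordinary search and page URLs.
    "sql-keyword": re.compile(r"\b(?:union|select)\b", re.IGNORECASE),
}


def decoded_query(url: str) -> str:
    """Match on the percent-decoded query string, which is what a server-side
    filter sees after decoding (so %3C counts as '<')."""
    return unquote(urlsplit(url).query)


def matching_rules(url: str, rules: Dict[str, re.Pattern] = QUERY_RULES) -> List[str]:
    """Names of every rule that fires on this URL's query string, in rule order."""
    query = decoded_query(url)
    return [name for name, pattern in rules.items() if pattern.search(query)]


def audit(urls: Iterable[str], rules: Dict[str, re.Pattern] = QUERY_RULES) -> Dict[str, List[str]]:
    """Map each URL that would be blocked to the rule names responsible."""
    report: Dict[str, List[str]] = {}
    for url in urls:
        hits = matching_rules(url, rules)
        if hits:
            report[url] = hits
    return report


def without_rule(rules: Dict[str, re.Pattern], name: str) -> Dict[str, re.Pattern]:
    """A copy of the rule set with one rule removed, to test a candidate fix."""
    return {k: v for k, v in rules.items() if k != name}


# Constructed list of legitimate URLs from a hypothetical site; the last two
# are exactly the kind of harmless query that an over-broad rule blocks.
SITE_URLS = [
    "/",
    "/?p=123",
    "/blog/?cat=security",
    "/pricing/?plan=select-a-plan",
    "/search/?s=union station hours",
]


if __name__ == "__main__":
    blocked = audit(SITE_URLS)
    for url, hits in blocked.items():
        print(f"{url!r} would be blocked by: {', '.join(hits)}")
    print("after removing sql-keyword:", audit(SITE_URLS, without_rule(QUERY_RULES, "sql-keyword")))
```

The audit only tells you which rule name is responsible; whether to remove that rule entirely or rewrite it to be narrower is a judgement call based on what the site legitimately needs in its query strings.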

In general if you had to choose only one set of firewall rules to enable, it would be the 6G rules because they are the best all-round .htaccess firewall rules.

=============================

6G Blacklist Firewall Rules

Step 6 ) Click on WP Security -> Firewall -> 6G Blacklist Firewall Rules to activate the following security settings.

The 6G firewall protection feature below protects your site against many exploits, including SQL injections and more. The developers have written extensive documentation describing what it protects against. You can read more about it at the following URL: 6G Firewall 2017.

Enabling the following will add another 20 points to your security meter score. (Advanced Security Level)

  • Enable 6G Firewall Protection
  • Enable 5G Firewall Protection (Note: This option should not be enabled anymore. 6G is much better. The plugin developers will be removing this option soon.)

Questions and Troubleshooting

Q1 ) Does the plugin protect against SQL Injections?

Answer: Yes, enabling the 6G Blacklist Firewall Rules will protect you against SQL injections and more.

Note: As far as secure coding practices go, this plugin is coded such that any user input it sends to the DB is securely sanitised and escaped against SQL injection attacks.

Having said that, you should be careful regarding which plugins you install on your site and make sure that you get them from reputable sources because not all plugins will have safe coding practices. (Note provided by wpsolutions in the forum)

=============================

Internet Bots

Step 7 ) Click on WP Security -> Firewall -> Internet Bots to activate the following security setting: Block Fake Googlebots.

Enabling this will add another 5 points to your security meter score. (Advanced Security Level)

[Image: all-in-one-wp-security-firewall-internet-bot]

Internet Bots Troubleshooting And Questions

Issue one: If you run into issues between Google bots, Yoast SEO, the sitemap.xml file and/or other IP issues, then check the following URL: Firewall Settings. Use one of the different global variables available under the Advanced Settings tab.

Q1 ) Is there a list of IP addresses for fake Google bots?

Answer one: There is no list.
The plugin has code which checks the user agent and the IP address, and then gets the internet hostname using the IP address. After that it does a reverse IP lookup using the internet hostname calculated in the previous step. If the IPs match, then the bot is considered legitimate. (Answer provided by wpsolutions)
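The check described in that answer, resolving the client IP to a hostname and then resolving that hostname back to its addresses, is shown below as an added Python example. It is not the plugin's own code: the function names, the `GOOGLE_HOST_SUFFIXES` list and the decision to return one of three labels are this example's choices, and the `FAKE_PTR`/`FAKE_A` tables are constructed DNS data (not real records) so the demo runs offline. `system_reverse_lookup` and `system_forward_lookup` show the equivalent calls against the real resolver for production use.

```python
"""Verify a self-declared Googlebot by reverse DNS, then forward DNS (added example)."""
import socket
from typing import Callable, Dict, List, Optional

# Hostname suffixes Google publishes for its crawlers.
GOOGLE_HOST_SUFFIXES = (".googlebot.com", ".google.com")

ReverseLookup = Callable[[str], Optional[str]]  # ip -> hostname, or None if no PTR
ForwardLookup = Callable[[str], List[str]]      # hostname -> list of A-record IPs

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def claims_googlebot(user_agent: str) -> bool:
    """Step 1: only requests whose User-Agent names Googlebot are examined at all."""
    return "googlebot" in user_agent.lower()


def classify_crawler(ip: str, user_agent: str,
                     reverse_lookup: ReverseLookup,
                     forward_lookup: ForwardLookup) -> str:
    """Return 'verified', 'fake' or 'not-googlebot'.

    Step 2: reverse DNS turns the client IP into a hostname.
    Step 3: that hostname must end in one of Google's crawler domains.
    Step 4: forward DNS of the hostname must contain the original IP;
            a PTR record alone can be set to anything by the IP's owner.
    """
    if not claims_googlebot(user_agent):
        return "not-googlebot"
    hostname = reverse_lookup(ip)
    if hostname is None:
        return "fake"  # claims to be Googlebot but has no reverse record
    hostname = hostname.rstrip(".").lower()
    if not hostname.endswith(GOOGLE_HOST_SUFFIXES):
        return "fake"  # reverse name is not a Google crawler host
    if ip not in forward_lookup(hostname):
        return "fake"  # forward lookup does not confirm the reverse name
    return "verified"


# --- Resolvers backed by the system DNS, for real use (not used offline) ---
def system_reverse_lookup(ip: str) -> Optional[str]:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror / socket.gaierror
        return None


def system_forward_lookup(hostname: str) -> List[str]:
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []


# --- Constructed DNS data for the offline demonstration (not real records) ---
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",   # consistent forward/reverse pair
    "203.0.113.5": "crawl-192-0-2-10.googlebot.com",  # PTR points at a Google name it does not own
    "198.51.100.7": "host7.example.net",              # ordinary host sending a Googlebot UA
}
FAKE_A: Dict[str, List[str]] = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "host7.example.net": ["198.51.100.7"],
}


def demo_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def demo_forward(hostname: str) -> List[str]:
    return FAKE_A.get(hostname, [])


def run_demo() -> Dict[str, str]:
    """Classify each constructed client that presents the Googlebot User-Agent."""
    return {ip: classify_crawler(ip, GOOGLEBOT_UA, demo_reverse, demo_forward)
            for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7", "192.0.2.99")}


if __name__ == "__main__":
    for ip, verdict in run_demo().items():
        print(f"{ip:14} {verdict}")
```

Because the verdict depends on two DNS round trips, a server doing this on every request should cache results per IP; the lookups only need to happen for clients that actually claim to be Googlebot, which is why the User-Agent check comes first.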

=============================

Prevent Hotlinks

Step 8 ) Click on WP Security -> Firewall -> Prevent Hotlinks to activate the following security setting: Prevent Hotlinking.

Enabling this will add another 10 points to your security meter score. (Basic Security Level)

[Image: all-in-one-wp-security-firewall-prevent-hotlinking]

=============================

404 Detection

Step 9 ) Click on WP Security -> Firewall -> 404 Detection to activate the following security settings.

  • Enable IP Lockout For 404 Events
  • Time Length of 404 Lockout (min)
  • 404 Lockout Redirect URL
  • Click on Save Settings button

Enabling this will add another 5 points to your security meter score. (Intermediate Security Level)

[Image: all-in-one-wp-security-firewall-404-detection-options]

404 Event Logs

Step 9-a ) Once an IP address has been blocked, you are provided with a few options under the 404 Event Logs. These options can be carried out individually or in bulk for each blocked IP address.

Options List

  • Temp Block
  • Blacklist IP
  • Delete
  • You can export the log files into a CSV file.

[Image: all-in-one-wp-security-firewall-404-options-selections]

Step 9-b ) The 404 Event Logs table, shown in the following image, allows you to sort your logs by the following columns.

  • IP
  • Event Type
  • IP Address
  • Attempted URL
  • Referer
  • Date
  • Lock Status

Step 9-c ) You can also export the logs to a CSV file or delete all 404 event logs.
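To make the 404 detection settings and the event log concrete, here is an added Python example that is not code from the plugin: it parses constructed web-server access log lines (combined log format), records each 404 as an event with the same fields the event log table shows (IP, attempted URL, referer, date, lock status), locks the offending IP for the configured number of minutes, and exports the events as CSV. The `threshold` parameter (how many 404s before a lock) and the `sample_time` helper are assumptions of this example, not documented plugin settings; by default one 404 locks the address.

```python
"""404 event log and timed IP lockout over access-log lines (added example)."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache/Nginx "combined" log format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Event404:
    ip: str
    attempted_url: str
    referer: str
    date: datetime


class Lockout404:
    """Track 404 events per IP and lock an IP for `lockout_minutes`.

    `threshold` is an assumption of this example: number of 404s an IP may
    generate before it is locked (1 = the first 404 locks it).
    """

    def __init__(self, lockout_minutes: int, threshold: int = 1) -> None:
        self.lockout = timedelta(minutes=lockout_minutes)
        self.threshold = threshold
        self.events: List[Event404] = []
        self.locked_until: Dict[str, datetime] = {}
        self._counts: Dict[str, int] = {}

    def process_line(self, line: str) -> Optional[Event404]:
        """Record the line if it is a parseable 404; return the event or None."""
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            return None
        event = Event404(m.group("ip"), m.group("url"), m.group("referer"),
                         datetime.strptime(m.group("ts"), TS_FORMAT))
        self.events.append(event)
        self._counts[event.ip] = self._counts.get(event.ip, 0) + 1
        if self._counts[event.ip] >= self.threshold:
            # Each further 404 extends the lock from that event's time.
            self.locked_until[event.ip] = event.date + self.lockout
        return event

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def lock_status(self, ip: str, now: datetime) -> str:
        return "locked" if self.is_locked(ip, now) else "unlocked"

    def export_csv(self, now: datetime) -> str:
        """The event log as CSV text, with the columns the log table displays."""
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["ip", "attempted_url", "referer", "date", "lock_status"])
        for ev in self.events:
            writer.writerow([ev.ip, ev.attempted_url, ev.referer,
                             ev.date.isoformat(), self.lock_status(ev.ip, now)])
        return buf.getvalue()


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Aug/2014:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2014:12:00:05 +0000] "GET /missing-1 HTTP/1.1" 404 231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2014:12:01:00 +0000] "GET /old-page/ HTTP/1.1" 404 231 "http://example.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2014:12:02:00 +0000] "GET /missing-2 HTTP/1.1" 404 231 "-" "Mozilla/5.0"
"""


def sample_time(hour: int, minute: int, second: int = 0) -> datetime:
    """Helper (assumption of this example): a UTC time on the sample log's day."""
    return datetime(2014, 8, 10, hour, minute, second, tzinfo=timezone.utc)


def build_tracker(lockout_minutes: int = 5, threshold: int = 1) -> Lockout404:
    tracker = Lockout404(lockout_minutes, threshold)
    for line in SAMPLE_LOG.splitlines():
        tracker.process_line(line)
    return tracker


if __name__ == "__main__":
    t = build_tracker(lockout_minutes=5)
    print(t.export_csv(sample_time(12, 2, 30)))
```

With a 5-minute lockout, 203.0.113.9 is locked from its first 404 at 12:00:05 and the lock is pushed out to 12:07:00 by the second 404; the 200 response it received earlier is ignored, since only 404 events count. The redirect URL setting from Step 9 is what a locked client would be sent to; this example only computes the lock state.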

=============================

Custom Rules

Step 10 ) Click on WP Security -> Firewall -> Custom Rules to enable and configure the following security settings.

You might like to check the following URL, Custom Rules, to learn more about this feature.

  • Enable Custom .htaccess Rules
  • Place custom rules at the top:
  • Enter Custom .htaccess Rules

Note: This tool allows you to configure any setting within the plugin that writes to the .htaccess file.

Warning: Only enable this feature if you know what you are doing. Adding the wrong entries in your .htaccess can crash your website.

=============================

Click on the following link Brute Force to continue configuring the plugins settings.

If you have any questions, please let me know.

Enjoy.

All In One WP Security & Firewall Tutorials List:

Manuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.
