Jun 04 2014

This All In One WP Security And Firewall troubleshooting post helps you resolve some of the most common errors you may run into and provides some troubleshooting tips.

Last Updated: March 20, 2017

Latest News: I have added another solution below.

Important: In some cases you might need extra support. Hiring their services will have a positive impact on your website, blog and business. Click on the following URL Premium Support For All In One WP Security Plugin. (This is optional)

All In One WP Security And Firewall Troubleshooting Steps

This is a list of common questions asked in the wordpress.org support forum. I have created this list to help you troubleshoot your issues. If you can’t find an answer to your problem, please log into the All In One WP Security And Firewall Support and ask for support. You will receive assistance as soon as possible.

Troubleshooting Techniques

Q1 ) All In One WP Security & Firewall is producing Error 403 on my website.

Solution One: Please try the following steps: Go to the AIOWPS “Settings” menu and scroll to the bottom.  Click the “Disable All Firewall Rules” button. This will clear all the firewall rules from your .htaccess file. Then let me know if the problem persists. ( Solution quoted by wpsolutions)

Q2 ) Brute force cookie url can’t logout?

Solution One: The cookie may have either expired or you may have inadvertently removed it via the browser settings somehow.

Anyway, if you ever see such an issue again all you need to do is just type in your secret word URL to refresh the cookie and you should be good to go. ( Solution quoted by wpsolutions)

Q3 ) Is there a limit of 15 IP addresses to the Blacklist Manager in this plugin?

Solution One: No there is no 15 IP address limit. ( Solution quoted by wpsolutions)

Plugin Deactivation Solutions

Q4 ) If I deactivate the plugin will I lose all my settings?

Answer: No, you will not lose any settings upon deactivating AIOWPS – meaning you won’t need to re-configure the plugin again after you activate it again.

The plugin has built into it the intelligence to remove the security .htaccess rules when you deactivate it but it will still remember these settings when you re-activate the plugin, and as pointed out above, it will give you the choice to re-insert these rules back into the .htaccess file.

( Solution quoted by wpsolutions)

When you re-enable the plugin you will see the following message.

Would you like All In One WP Security & Firewall to re-insert the security rules in your .htaccess file which were cleared when you deactivated the plugin?


Q5 ) How do I completely remove the plugin so that I can install a fresh copy?

( Solution quoted by wpsolutions)

Answer: Follow the instructions below.

– FTP to your host and rename this plugin’s folder or delete it.

– FTP the .htaccess file to your computer and edit and remove all the code between and including the tags:
# BEGIN All In One WP Security
# END All In One WP Security

– Log into phpMyAdmin and locate the database for the website you are having problems with. Look for any table entry with the following name aiowps and delete those tables.

There should be 5 tables associated with this plugin:
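For the .htaccess step in Q5, the block can also be removed with a script instead of by hand. The following is an added example, not part of the original post or the plugin: a POSIX shell function (the names strip_aiowps_block and make_sample are hypothetical, and the sample file is constructed) that deletes everything between and including the two marker lines, keeps a .bak copy, and leaves the file untouched when the markers do not pair up.

```shell
#!/bin/sh
# Added example (not from the original post): remove the AIOWPS rule block
# from a local copy of .htaccess, keeping everything outside the markers.

BEGIN_MARK='# BEGIN All In One WP Security'
END_MARK='# END All In One WP Security'

# strip_aiowps_block FILE
#   0 = block removed, original saved as FILE.bak
#   1 = FILE not found
#   2 = markers missing, nested or unbalanced; FILE left untouched
strip_aiowps_block() {
    file=$1
    [ -f "$file" ] || return 1
    tmp=$(mktemp) || return 1
    # One pass: drop lines from BEGIN through END inclusive, and fail if the
    # markers do not pair up (a lone BEGIN would otherwise swallow the rest
    # of the file, including the WordPress rewrite rules).
    if ! awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }   # tolerate CRLF line ends
        line == b { if (inside) bad = 1; inside = 1; blocks++; next }
        line == e { if (!inside) bad = 1; inside = 0; next }
        !inside   { print }
        END       { if (bad || inside || blocks == 0) exit 2 }
    ' "$file" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample .htaccess (placeholder rules, not the real plugin rules).
make_sample() {
    printf '%s\n' \
        '# BEGIN All In One WP Security' \
        '# (firewall rules would be here)' \
        '# END All In One WP Security' \
        '# BEGIN WordPress' \
        'RewriteEngine On' \
        '# END WordPress' > "$1"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/.htaccess"
strip_aiowps_block "$demo_dir/.htaccess" && cat "$demo_dir/.htaccess"
rm -rf "$demo_dir"
```

Run it against the copy you downloaded by FTP, check the result, then upload the cleaned file.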

Brute Force Features

Q6 ) What are the main differences between Rename Login Page VS Cookie Based Brute Force Prevention?

Answer One: Underneath they are very different. One uses cookie, the other one doesn’t. They can’t both be enabled at the same time because they will conflict. I would recommend that you try the “rename login page” option first. (Answer provided by mra13)

Answer Two: The cookie based feature does its defending at the .htaccess level (eg,apache) and the rename login feature stops people at the php level. (Answer provided by wpsolutions)

Q7 ) The pages keep reloading over and over non-stop?

Answer: Turn off the text selection and copy protection option. It seems like that feature is not working well with the current theme you are using.  (Answer provided by mra13)

Translation Solutions

Q8 ) What are the correct file names for your translated files?

Answer: Always name your .mo and .po files correctly. See the following Spanish Language Example:

  • all-in-one-wp-security-and-firewall-es_ES.po
  • all-in-one-wp-security-and-firewall-es_ES.mo

Make sure you add the files in the correct folder: “all-in-one-wp-security/languages/”.

Note: The plugin languages are now coming from the following URL plugin translation page. So if you wish to translate the plugin into your language please click on the above link.

Q9 ) What if you can’t log back into your website and you want to totally remove the plugin?

Answer: This is a YouTube video created by the developers to help you totally remove the plugin and all entries in the database without logging into your website.

Q10 ) The login lockout feature is locking users after only one failed attempt, regardless of how many failed attempts it’s set to require. How can I stop this from happening?

Answer: If you have the following checkbox enabled the plugin will lock that visitor out after the first attempt if username is non-existent: ( Solution quoted by wpsolutions)

Instantly Lockout Invalid Usernames

Q11 ) If you receive the following error when you try to create a backup.

“PHP Fatal error: Allowed memory size of 268435456 bytes exhausted (tried to allocate 72879700 bytes) in /var/www/html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-backup.php on line 67”

It could be related to the backup directory not being created correctly on your server when you try to create a backup. It could also mean that you need to allocate more memory to your WordPress.

Solution 1: Make sure that the path /yourwebsite/wp-content/aiowps_backups/ exists on your server, with folder permissions 0755.

Solution 2: Adding the following define( 'WP_MAX_MEMORY_LIMIT', '384M' ); to wp-config.php file can also help.

Hint: Make sure you actually have 384M allocated to your WordPress. If not, adjust this value in accordance with what has been allocated to your WordPress, which could be 96M, 128M or 256M.

Windows IIS Solutions

Q12 ) How do I set up Pingback Protection: under Firewall -> Basic Firewall Rules when hosted on a Windows Server IIS (IIS 7.5 & Plesk 11)?

Solution One: Below is the IIS equivalent to the apache .htaccess rules for denying access to xmlrpc.php. ( Solution quoted by wpsolutions)

      <add sequence="xmlrpc.php" />

Backup Solutions

Q13 ) I have created scheduled backups, but they don’t run consecutively on a daily basis as per my setup.  I don’t understand how backup works using WordPress wp-cron functionality.

Explanation: How the scheduled backup feature works with WordPress wp-cron functionality.

The backup time is set at the time you save the automatic scheduled backup settings. In order for the backup to trigger around the time you expect it to, you will need some kind of site activity (such as someone visiting) just after that time.

For example:

If I’ve just configured my scheduled backup settings to do a once daily backup and saved the config now and it is currently 7:11pm at my location, then the wp-cron will be scheduled to perform a backup at around 7:11pm everyday. Which means that the next backup will be scheduled for tomorrow at approximately 7:11pm – BUT – as mentioned in my last response, if nobody visits my site till 10:30pm tomorrow, then no backup will occur at 7:11pm because there was no activity on the site just after 7:11pm to trigger the wp-cron event. What will happen is that the system will immediately trigger a backup as soon as someone visits my site anytime after the scheduled time. (In other words in this example the backup will occur at 10:30pm)

On the next day the same thing applies…..the aiowps backup is still scheduled for around 7:11pm and if I get my next visitor at 7:12pm then the backup will be performed at 7:12pm.

I hope this example makes it a bit clearer.

( Explanation provided by wpsolutions)

Q14 ) If the emailed attachment always turns up as an SQL file and not a ZIP file like all the others that means that your server is not configured correctly.

(The following was quoted by Chesio in the forum)

Database backup files are zipped only if there is ZIP extension enabled in PHP, so if you are getting plain sql files by email, most likely that website has this extension disabled.

You can find whether this extension is enabled in output of phpinfo or you can create a dummy PHP file with class_exists( 'ZipArchive' ) check – this is what actually AIOWPSF plugin does.

For example:

<?php
echo class_exists( 'ZipArchive' ) ? 'ZIP extension seems enabled' : 'ZIP extension seems disabled';

Q15 ) How do I prevent the WordPress default “lost your password” link from displaying when a user types the wrong password to log in?

Solution: Enable the “Show generic error message” option. This replaces the default WordPress message, which contains the link to the backend to retrieve the password, with a text message without a link.

Q16 ) After enabling one of the Brute Force features I am still getting lots of attacks, how can I fix this issue?

Solution One: Check whether you have the following enabled: go to WP Security -> Firewall -> Basic Firewall Rules and locate Enable Pingback Protection.

Q17 ) How do I write a Custom .htaccess Rule to override an issue when I enable “Deny Bad Query Strings” feature so I don’t have to edit the .htaccess directly?

Solution One: ( Solution quoted by wpsolutions)

  1. From your .htaccess file copy the rules from the existing “Deny Bad Query Strings” feature.
  2. Disable the “Deny Bad Query Strings” feature
  3. Go to the custom rules tab and paste the rules you copied from step 1 and modify them accordingly, ie, delete “globals”.

Then save the custom rules.

Q18 ) I am receiving too many IP address lock outs, I think my pingback protection is not working correctly. What do I do?

Answer: Click on the following URL Pingback Protection Settings.

Log File Solutions

Q19 ) My log files are getting too big, how do I fix this?

Answer One: Just turn off the debug setting and no more logs will be produced. (Go to WP Security -> Settings -> General Settings tab.)

Q20 ) I am getting repeated lockout notifications yet both logs are empty?

Solution: The lockouts won’t be shown in the log files. They are displayed in the Dashboard -> Locked IP Addresses tab.

Also regarding log files, make sure that you have debug enabled – go to Settings and scroll to bottom of page and check the “Enable Debug” box and save debug settings.

(Solution provided by wpsolutions.)

Q21 ) After installing the plugin I can’t regenerate thumbnails or crop images anymore?

Solution: This is probably due to the 5G firewall rule. You can disable that rule if you wish, after first copying the rules into a local text editor (for example Notepad on Windows). You can then optionally tweak the 5G rules by making some modifications, and add the modified rules using the custom firewall rules feature.

WordPress Multi-site Solutions

Q22 ) I have a WordPress Multi-site (WPMS) install. I do not see some of the menus of this plugin on my sub-sites. Why is that?

Answer: For multi-site installations there is a single .htaccess file which applies to all your sub-sites. So some of the security features only need to be enabled on your MAIN site. The sub-sites won’t show you the menus for these features. You can configure those settings from the main site of your WPMS install. For example the Firewall rules menu is only accessible from the main site. (Tips and Tricks Solution)


Q23 ) How do I set up Brute Force feature in a WordPress Multi-site (WPMS) set up?

Answer: Click on the following URL WordPress Multisite Managing AIOWPS Plugin Single Site.

Q24 ) I am having issues with the Black list feature. I think it is not blocking the IP address I add. What can I do to test this feature?

Solution: To confirm if the blacklist feature works try using your IP address to block yourself temporarily.

1) Make sure you are logged into your server using FTP. This will be handy to unlock yourself if needed.

2) Log into WordPress admin panel and add your IP address to the blacklist settings.

3) Try accessing your site from a browser where you are not logged in.
You should be denied access. If not, then the apache directives are not working on your server.

(If things are working fine and you do get blocked, just FTP your .htaccess file from your server to your computer and edit that file and remove the part of the code which has your IP address and then FTP the file back to the server)

(Solution provided by wpsolutions.)

Q25 ) My IP address has been blocked by the plugin, how do I unblock myself?

Answer: Rename the plugin folder via FTP to something like all-in-one-wp-security-and-firewall-temp. Then log into your website again. Rename the plugin folder back to its original name. Enable the plugin and go to Dashboard -> Locked IP Addresses and unlock your IP address.

If the above does not work, try the steps above again, but this time do not restore the .htaccess file settings.

Q26 ) How do I implement the new filter “aiowps_ip_blocked_error_msg” added in version 4.1.0?

Solution One: Add the following function to your theme functions.php file. It is always best to use a child theme. Remember to replace ‘My custom error message!’ with your own message.

add_filter('aiowps_ip_blocked_error_msg', 'my_custom_message');
function my_custom_message($error_msg) {
    // Return the text shown to a blocked visitor instead of the default message.
    return 'My custom error message!';
}

( Solution quoted by chesio in the forum)

Nginx Solutions

Q27 ) Changing login url breaks lost password url in Nginx. How do I fix this issue?

Answer: Someone in the forum provided a solution to this problem. Please click on the following URL Changing login url breaks lost password url.

Captcha Solutions

Q28 ) How do I change captcha background and letters colours?

Solution One: The following is an example:

	color: black;

Insert the above code using either a custom css plugin or put it in your theme’s css file. (Change the colours to suit your needs) (Solution provided by wpsolutions.)


Q29 ) The database is full of transient data entries when the Captcha feature is enabled in the login page. How do I clear all transient data accumulated in the database?

Solution One: AIOWPS plugin has a code which will automatically clean up the old transient entries created by captcha feature. The code is triggered once daily via a wp cron event. You can try a simple test if you wish to confirm whether cleanup code is working.

Firstly login to your DB via PHPMyAdmin and observe roughly how many transient entries you have in the wp options table with the following “aiowps_captcha” in the option name. Next, from your wp admin panel deactivate and reactivate the AIOWPS plugin (this will trigger the daily cron job which will run the transient cleanup code)

Then check your DB again to see if the old captcha transients were deleted. (If they are then you know that the cron job is working correctly in your site.)

Also I recommend that you hide your login page via one of the brute force features. This should limit the amount of transient entries produced by the captcha feature.

( Solution quoted by wpsolutions)


Q30 ) The captcha answer is always incorrect. So when you deactivate the plugin by renaming the folder and then logging into the WP admin panel, you get logged out of the WP admin panel immediately after re-activating the AIOWPS plugin again?

Solution One:

(PLEASE follow the instructions carefully)
1) login to your DB using PHPMyAdmin
2) Go to the wp_options table
3) Look for the entry which has option_name equal to “aio_wp_security_configs”

4) Copy the option_value and paste it in a text document in case you need to restore this if something goes wrong.

5) Then inside the option_value search for the following string:


5) Change the above to look like this:

s:1 was changed to s:0
"1" was changed to ""

6) Save your table row.

The above will deactivate the login captcha.

If you run into issues simply paste the string you saved before you made any changes and save the DB row and then you will at least restore the aiowps settings back to the original state

As far as your issue is concerned, I have thus far been unable to reproduce this on all of my installations.
Does your host provider do automatic page caching on the server side? (Eg, I know WP Engine does this).
If so then this may be the reason for your issue. You will need to ask your host support guys to NOT cache the login page. (Solution provided by wpsolutions in the forum)

Q31 ) When you enable the following feature Enable Login Lockdown Feature, you will see the following error message.

ERROR: Access from your IP address has been blocked for security reasons

Solution: Disable Enable Login Lockdown Feature.  Or check to see if your IP address has been locked.

Q32 ) Every time I try to log into my site I get redirected. I receive the following error message. You don’t have permission to access /wp-login.php on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request. This causes a redirect to occur.

Solution: This usually happens if you enabled Login Whitelist feature under Brute Force. The IP address of the computer or laptop trying to access the site is not included in the list. You can either disable Login Whitelist or add the IP address to the list.

Remember: The IP address must be a static IP address.

I will be updating this post from time to time. So keep coming back for the latest troubleshooting answers. If you have a question please send me an e-mail or leave a comment.



Manuel Ballesta Ruiz is a web developer, Blogger and WordPress Enthusiast.
