All In One WP Security And Firewall Rules

All In One WP Security And Firewall Rules helps you setup the following options basic firewall rules, disable index view and much more.

Last Updated: December 18, 2022

Latest News: Updated the documentation.

This post provides information about the different Firewall protection options you can enable to protect your website. These settings are important but at the same time they can cause issues in your site. I recommend that you read each feature carefully before you enable it.

Steps you should take when enabling Firewall features. Start by enabling one by one each feature and at the same time carry out a test. Do this with all the features until you are happy with the features you have enabled. Too many keep running into issues when they enable most or all Firewall rules.

Important Note

This plugin has so many firewall rules which are deliberately split up into separate sections. Not all sites will work 100% with all of the rules enabled due to the fact that every site has a unique setup.

In some cases you will have to disable the feature that is causing issues in your site. As a general rule of thumb: if you had to choose just one firewall rule it would be the 6G rules because it provides the best all-round coverage/protection.

What you need:

• All In One WP Security And Firewall

All In One WP Security And Firewall Rules

Step 1 ) Go to WP Security -> Firewall admin tab as illustrated in the image below.

Step 2 ) The following image Firewall allows you to set up the following security settings. Please carefully read each feature before you activate it.

Firewall Settings

• Basic Firewall Rules
• Additional Firewall Rules
• 6G Blacklist Firewall Rules
• Internet Bots
• Prevent Hotlinks
• 404 Detection
• Custom Rules

Basic Firewall Rules Settings

Basic Firewall Settings

Step 3 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> Basic Firewall Settings to set up the following security settings.

Basic Firewall Settings Options

• Enable Basic Firewall Protection:
• Max File Upload Size (MB):

If you enable this option, it will add another 15 points score towards your security meter. (Basic Security Level)

Troubleshooting Basic Firewall Settings

Q1 I receive the following message “The plugin was unable to write to the .htaccess file” when I click on the save button in “Save Basic Firewall Settings”. How can I fix this issue?

Answer: For a possible solution you need to check your server configuration settings. Please check the following forum post to learn more.

====================================

WordPress XMLRPC & Pingback Vulnerability Protection

Step 4 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> WordPress XMLRPC & Pingback Vulnerability Protection to set up one of the following security settings.

Warning: You cannot enable both options at the same time. This would cause a conflict.

Note: To learn more about this feature check the following URL All In One WP Security Plugin Pingback Protection Settings.

WordPress XMLRPC & Pingback Vulnerability Protection

• Completely Block Access To XMLRPC:
• Disable Pingback Functionality From XMLRPC:

If you enable this option, it will add another 15 points score towards your security meter. (Basic Security Level)

===============================

Disable WordPress RSS and ATOM feeds

Step 5 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> Disable WordPress RSS and ATOM feeds to set up one of the following security setting.

Disable WordPress RSS and ATOM feeds Option

• Disable RSS and ATOM feeds:

===============================

Block Access to Debug Log File

Step 6 ) Click on WP Security -> Firewall -> Basic Firewall Rules -> Block Access to Debug Log File to set up the following security settings.

Block Access to Debug Log Files

• Block Access to debug.log File:
• Click on Save Basic Firewall Settings button when you finish completing your settings.

If you enable this option, it will add another 10 points score towards your security meter. (Basic Security Level)

=============================

Additional Firewall Rules

Step 7 ) Click on WP Security -> Firewall -> Additional Firewall Rules -> Listing of Directory Contents to set up the following security settings.

Additional Firewall Rules Part 1

• Disable Index Views:

If you enable this option, it will add another 5 points score towards your security meter. (Intermediate Security Level)

Step 7-a ) Click on WP Security -> Firewall -> Additional Firewall Rules -> Trace and Track to set up the following security settings.

Additional Firewall Rules Part 2

• Disable Trace and Track:

If you enable this option, it will add another 10 points score towards your security meter. (Advanced Security Level)

Step 7-b ) Click on WP Security -> Firewall -> Additional Firewall Rules -> Proxy Comment Posting to set up the following security settings.

Additional Firewall Rules Part 3

• Forbid Proxy Comment Posting: (Note: If you experience any issues and you happen to be using a CDN i.e. Cloudflare, then disable this feature. Check the following forum post to learn more.)

If you enable this option, it will add another 10 points score towards your security meter. (Advanced Security Level)

Step 7-c ) Click on WP Security -> Firewall -> Additional Firewall Rules -> Bad Query Strings to set up the following security settings.

Additional Firewall Rules Part 4

• Deny Bad Query Strings = Note: See troubleshooting note below.

If you enable this option, it will add another 10 points score towards your security meter. (Advanced Security Level)

Step 7-d ) Click on WP Security -> Firewall -> Additional Firewall Rules -> Advanced Character String Filer to set up the following security settings.

Additional Firewall Rules Part 5

• Enable Advanced Character String Filter
• Click on Save Additional Firewall Settings button when you finish completing your settings.

If you enable this option, it will add another 10 points score towards your security meter. (Advanced Security Level)

 Troubleshooting Deny Bad Query Strings

In some sites this feature might not work and trigger some error messages. If that is the case you can leave “Bad Query Strings” rules disabled or you can modify them by figuring out which string is causing the trigger. Then all you have to do is copy and paste the modified rules in the custom rules section.

In general if you had to choose only one set of firewall rules to enable, it would be the 6G rules because they are the best all-round .htaccess firewall rules.

=============================

6G Blacklist Firewall Rules

Step 8 ) Click on WP Security -> Firewall -> 6G Blacklist Firewall Rules to activate one of the following security settings.

Warning: You cannot enable both options at the same time. This would cause a conflict.

The 6G firewall protection feature below protects your site against many exploits, including sql injections and more. The developers have written an extensive documentation describing what it protects. You can read more about it from the following URL 6G Firewall 2017.

6G Blacklist Firewall Rules Settings

• Enable 6G Firewall Protection:
• Enable 5G Firewall Protection: (Note: This option should not be enabled anymore. 6G is much better. The plugin developers will be removing this option soon.)
• Click on Save 5G/6G Firewall Settings button when you finish completing your settings.

If you enable this option, it will add another 20 points score towards your security meter. (Advanced Security Level)

Step 8-a ) The following image 6G Block request methods allows you to configure the following options.

6G Block request methods settings

• Block DEBUG method:
• Block MOVE method:
• Block PUT method:
• Block TRACK method:
• Click on Save request methods settings button when you finish completing your settings.

Step 8-b ) The following image 6G other settings allows you to configure the following options.

6G other settings

• Block query strings:
• Block request strings:
• Block referrers:
• Block user-agents:
• Click on Save other settings button when you finish completing your settings.

Questions and Troubleshooting 6G Blacklist Firewall Rules

Q1 Does the plugin protect against SQL Injections?

Answer: Yes, enabling 6G Blacklist Firewall Rules will protect you against sql injections and more.

Note: As far as secure coding practices, this plugin is coded such that any user input it sends to the DB is securely sanitised and escaped against SQL injection attacks.

Having said that, you should be careful regarding which plugins you install on your site and make sure that you get them from reputable sources because not all plugins will have safe coding practices. (Note provided by wpsolutions in the forum)

=====================

Q2 6G rules is blocking Cloudflare plugin JavaScript, how do I fix this issue?

Answer: Check the following forum post for a solution provided by Chris J. Zähller.

=================================================

Internet Bots

Step 9 ) Click on WP Security -> Firewall -> Internet Bots to activate the following security settings Block Fake Googlebots.

Internet Bots Settings

• Block Fake Googlebots:
• Click on Save Internet Bot Settings button when you finish completing your settings.

If you enable this option, it will add another 5 points score towards your security meter. (Advanced Security Level)

Internet Bots Troubleshooting Steps And Questions

Issue one: If you run into issues between Google bots, Yoast SEO, sitemap.xml file and or other IP issues then check the following URL Firewall Settings. Use one of the different global variables available in the settings under Advanced Settings tab.

Q1 Is there a list of IP address for fake Google bots?

Answer one: No, there is no list. The plugin has code in which it checks the useragent and the IP address and then it will get the internet hostname using the IP address. After that it will do a reverse IP lookup using the internet hostname calculated in the previous step. If the IPs match then the bot is considered legitimate. (Answer provided by wpsolutions)

=============================

Prevent Hotlinks

A Hotlink is where someone displays an image on their site which is actually located on your site by using a direct link to the source of the image on your server. Due to the fact that the image being displayed on the other person’s site is coming from your server, this can cause leaking of bandwidth and resources for you because your server has to present this image for the people viewing it on someone elses’s site.

This feature will prevent people from directly hotlinking images from your site’s pages by writing some directives in your .htaccess file.

Step 10 ) Click on WP Security -> Firewall -> Prevent Hotlinks to activate the following security settings Prevent Hotlinking.

Prevent Hotlinks Settings

• Prevent Image Hotlinking:
• Click on Save Settings button when you finish completing your settings.

If you enable this option, it will add another 10 points score towards your security meter. (Basic Security Level)

The following is the rule added by this feature to the .htaccess file. Make sure this rule is added to your .htaccess file, or else this feature will not work.

.Htaccess rule added

# BEGIN All In One WP Security
#AIOWPS_PREVENT_IMAGE_HOTLINKS_START
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://localhost/tipstricks [NC]
RewriteRule \.(gif|jpe?g?|png)$ – [F,NC,L]
</IfModule>
#AIOWPS_PREVENT_IMAGE_HOTLINKS_END
# END All In One WP Security

Troubleshooting Image Hotlinking

Q1 Image Hotlinking is not working in my site. How do I fix this issue?

Answer: In this case the problem was with the server Siteground. “For custom .htaccess rules to take effect the NGINX static cache for the website needs to be turned off”. Click the following link support thread to learn more.

=============================

404 Detection Options

Step 11 ) Click on WP Security -> Firewall -> 404 Detection Options to activate the following security settings.

404 Detection Options Settings

• Enable IP Lockout For 404 Events
• Time Length of 404 Lockout (min)
• 404 Lockout Redirect URL
• Click on Save Settings button when you finish completing your settings.

If you enable this option, it will add another 5 points score towards your security meter. (Intermediate Security Level)

404 Event Logs

Step 11-a ) Once an IP address has been blocked you are provided with a few options under the 404 Event Logs. These options can be carried out individually or in bulk per IP address blocked.

Export to CSV and Export to CSV

Step 11-b ) The following image allows you to configure the following options.

Export to CSV

• Click on Export to CSV button when you want to download the log in CSV format.

Delete All 404 Event Logs

• Click on Export to CSV button when you want to purge all 404 event logs from the DB.

=============================

Custom .htaccess Rules

Step 12 ) Click on WP Security -> Firewall -> Custom Rules to enable and configure the following security settings.

You might like to check the following URL Custom Rules to learn more about this feature.

Custom .htaccess Rules Settings

• Enable Custom .htaccess Rules:
• Place custom rules at the top:
• Enter Custom .htaccess Rules:
• Click on Save Custom Rules button when you finish completing your settings.

Note: This tool allows you to configure any plugin settings that writes to the .htaccess file.

Warning: Only enable this feature if you know what you are doing. Adding the wrong entries in your .htaccess file can crash your website.

=============================

Click on the following link Brute Force to continue configuring the plugins settings.

If you have any questions please let me know

Enjoy.

All In One WP Security & Firewall Plugin Tutorial List

• All In One WP Security And Firewall Plugin.