The All In One Security plugin is a comprehensive security and firewall plugin that analyzes and configures your WordPress site’s security status. This article describes how to install and set up the All In One Security plugin.
Installing All In One Security
There are two methods of installing All In One Security:
- Automatic installation
- Manual plugin installation
Automatic installation
Log in to your WordPress dashboard and go to Plugins > Add New.

Type All In One Security in the Search plugins field. In the search results, find All In One Security and click Install Now.

When the installation is complete, click Activate.

When the plugin is active, the WP Security menu item is added to your WordPress dashboard.
Manual installation
Go to https://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin and click Download to download the compressed zip file of the plugin.
Log in to your HostPapa Dashboard and click My cPanel.

In cPanel, click File Manager.

In the File Manager directory tree, select the app/plugins directory. Click Upload.

Click Select File and select the compressed zip file of the plugin. When the upload is complete, return to the File Manager. Select the compressed zip file and click Extract. In the Extract dialog box, click Extract File.
 When the extraction is complete, log in to your WordPress dashboard, go to Plugins and locate All In One Security in the list. Click Activate.
When the extraction is complete, log in to your WordPress dashboard, go to Plugins and locate All In One Security in the list. Click Activate.

When the plugin is active, the WP Security menu item is added to your WordPress dashboard.
Setting up the All In One Security plugin
After you activate the plugin, we recommend that you set up the basic critical features that are most important for your site’s security. In your WordPress dashboard, go to WP Security > Dashboard and locate the Critical Feature Status section. There are four critical feature areas to set up:


Admin Username
This is the username you use to log in to the WordPress dashboard. The default username, admin, should be changed to something else. Click On to open the User Accounts page. Type a New Admin Username and click Change Username.

Login Lockdown
Enabling login lockdown prevents users from repeatedly trying to guess passwords to access your site. This is also known as a brute force attack. Click On to open the User Login page. Enter the following in Login Lockdown Options, then click Save Settings:
- Enable Login Lockdown Feature – Select this option to enable login lockdown.
- Allow Unlock Requests – This option allows users with locked accounts to send an automated request for their accounts to be unlocked.
- Max Login Attempts – The maximum number of failed login attempts from an IP address, within the login retry time period, before the IP address is locked out.
- Login Retry Time Period (min) – The number of minutes in which the max login attempts is counted.
- Time Length of Lockout (min) – The number of minutes that an IP address is locked out after reaching the max login attempts.
- Display Generic Error Message – Select this option to display a generic message to locked out users.
- Instantly Lockout Invalid Usernames – Select this option to automatically lock out users who enter a nonexistent username.
- Instantly Lockout Specific Usernames – Add usernames that if entered, will lock out the user’s IP address.
- Notify By Email – Select this option and enter an email address to receive an email notification when a user has been locked out.

File Permission
Click On to run a WordPress directory and file permission scan and reports the results in Filesystem Security. If the current directory and file permissions don’t match the recommendations, click Set Recommended Permissions.

Basic Firewall
Click On to open the basic firewall rules. Complete the following, then click Save Basic Firewall Settings:
- Enable Basic Firewall Protection – Select this option to apply firewall rules. Click More info for details.
- Completely Block Access To XMLRPC – Select this option to block external XMLRPC access. Click More info for details.
- Disable Pingback Functionality From XMLRPC – Select this option if you use apps that need XMLRPC, such as JetPack or WP iOS. Click More info for details.

More information
There are many more security and firewall settings you can configure in the All In One WordPress Security plugin for WordPress. We recommend that you go through each menu in the plugin dashboard and decide which features are compatible with your site. Remember to test your site’s functionality after changing security and firewall settings.
For more information, see:
You can always contact HostPapa Support with your questions. Details about how to open a support ticket are here.
