Intermediate WordPress User

0 of 37 lessons complete (0%)


Essential security plugin features and settings

This is a preview lesson

Register or sign in to take this lesson.



In this session, we will explore the importance of using a security plugin and better understand specific settings to help you fortify your site. The Plugin Directory contains many plugins worth exploring, such as WordFence, All-in-One Security and Firewall, Jetback, Sucuri, Solid Security, etc. It is important to note that some plugins offer more options or settings than others. Premium packages also unlock additional functionalities. Depending on the plugin you’ve chosen, here are a few features worth considering.

Audits and scans

Number one, audits and scans. It is advised to conduct regular security audits or scans to help identify potential vulnerabilities on your website. A security plugin makes this process straightforward and manageable, without technical expertise. Most plugins enable auto-scans to scan your WordPress site for security threats regularly and perform automated backups to safeguard your website’s data, providing comprehensive protection with easy one-click restores. Manual audits are also important. There’s always a chance a security tool misses a malicious file dropped by an attacker or doesn’t notice a suspicious user.

Web application firewall

Secondly, some plugins allow you to enable a web application firewall. A web application firewall adds an extra layer of security by monitoring and filtering incoming traffic to your website. It is like having a security guard for your website. It stands between your site and the internet, checking all the data that comes in and goes out. If it sees anything suspicious, it blocks it to keep your site safe.

IP address detection

The next option worth setting up is IP address detection. IP address detection helps the plugin identify your website’s IP addresses or visitors. This is crucial for security features like blocking malicious users or limiting login attempts from specific IP addresses. If the plugin can’t correctly detect IP addresses, it may not properly block harmful traffic or limit access we need. By correctly detecting IP addresses, security tools can enforce access restrictions, block suspicious activity, and safeguard the website’s integrity. You can usually enter a list of IP addresses that should not be locked out. WordFence, for example, provides several options for detecting IP addresses. The first option is the default recommended option.

The second option is to use PHP’s built-in remote ADDR. Remote ADDR is a server variable that tells you the IP address of the computer or device accessing your website. If we look at a different plugin, we’ll see using remote ADDR is the default option for the All-in-One Security and Firewall plugin, which is below Advanced settings and very secure, but it must be set up correctly to work. IP address detection always requires proper server configuration otherwise IP addresses can easily be spoofed or disguised. If you are behind any proxy, for example, a load balancer, the reliability of this method may be compromised as the PHP code cannot ascertain the server’s configuration. An important step when setting up IP address detection is proper server configuration, which needs hosting provider intervention. Ensure you contact your hosting provider to understand how your server is configured so that you can select the correct IP detection method.

WordPress configuration file

Next, some plugins also allow you to secure your WordPress configuration file. The wp-config.php file contains sensitive information such as database credentials, security keys, and other configuration parameters. Securing this file can prevent unauthorized access and potential exploitation. For example, when using the All-in-One Security plugin, you can set the recommended permissions when selecting File Security.

Brute force protection

Additionally, enabling brute force protection on your WordPress site is crucial. Brute force attacks are common methods hackers use to gain unauthorized access to your website by repeatedly trying different username and password combinations until they find the correct one. Brute force protection stops unauthorized users from accessing your site by limiting login attempts, blocking suspicious IP addresses, and verifying that real people are logging in through captcha challenges. The settings for brute force attack protection may, of course, vary between security plugins. Lastly, setting up two-factor authentication to protect your site from brute-force attacks is also advised.

Two-factor authentication

In addition to robust password management, enabling two-factor authentication is crucial for enhancing the security of your WordPress site. Two-factor authentication adds a layer of protection to your login process by requiring your password and a second verification form, such as a unique code sent to your mobile device or generated by an authentication app. This additional step significantly reduces the risk of unauthorized access, even if your password is compromised. Many security plugins, including Wordfence and All-in-One WordPress security and firewall, offer built-in support for two-factor authentication.

Backups and SSL certificate

Finally, it is also worth mentioning that good security should always be backed by a good backup strategy. In the event of an incident, this allows you to recover and restore your data from backups quickly. And get an SSL certificate if you don’t have one. An SSL certificate, which stands for Secure Sockets Layer, secures your website by encrypting data between your site and visitors, protecting sensitive information from hackers. It also makes your site more trustworthy and can improve search engine rankings. You can buy an SSL certificate from a provider or use a free service like Let’s Encrypt. Many web hosts automatically provide and install SSL certificates as part of their packages. So check with your host to enable it with a few clicks in your hosting dashboard if it is not activated.


Implementing all these security measures we discussed can significantly enhance the protection of your site against more sophisticated threats.


Use WordPress Playground to test your knowledge.

  • Install and activate the WordFence or All-in-One Security Firewall Plugin and test the features and settings discussed, as well as other available options. Remember to access their documentation or contact their support forum for more guidance.