All In One WP Security & Firewall
[resolved] Really works? (6 posts)

  1. ramonjosegn
    Member
    Posted 7 months ago #

    hello dears

    Today I am very disappointed with the plugin All In One WP Security & Firewall

    After entering my site I can see somebody changed the administrator name, password, my admin user data erased, filled the site with spam, went files with eval code ... apparently this plugin was not able to do anything to protect my website ...

    What is wrong?

    http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  2. wpsolutions
    Member
    Plugin Author

    Posted 7 months ago #

    Hi @ramonjosegn,
    Sorry to hear about your situation.
    Without knowing the what and how I would have to be a magician to be able to answer your question.

    There are so many factors and there are many doors to a website which can potentially be hacked, such as cpanel and ftp.....not just the wordpress access.

    Regarding the AIOWPS plugin, it all depends which features you had activated and how you were using this plugin.

    Remember that no security plugin can provide 100% protection against hacking of your site. However, a good security plugin will reduce the chances depending on how it's used.

    Our job as security plugin writers and yours as the site owner is to mitigate the risk of being hacked.

    Did you at least do the basic security steps when you activated the plugin?
    ie,
    1) change the default "admin" username
    2) Choose a strong and secure password
    3) Enable login lockdown
    etc...

    Also, did you have the brute force prevention feature active?
    With the added security of the secret word, the hacker would've had to have guessed not only the username, but also your password AND the secret word. This would be highly unlikely.

    In addition, if you have been careless with your cpanel or FTP credentials then there is nothing that any security plugin can do for you because once someone has access to your files they can do a lot of damage.

    So instead of making a blanket statement such as "this plugin was not able to do anything to protect my website" you should at least provide more info about the situation and also do a self assessment of your own security practices - because if one has careless security practices no plugin can protect you, no matter how good it is.

  3. ramonjosegn
    Member
    Posted 7 months ago #

    Thanks for the answer

    I understand that the plugin cannot be perfect and really I applied many rules, to have the place at a high level of protection (on 400 points)

    Unfortunately the fact that hackers/bots have eliminated my admin user, changed the password and renamed the admin name with "admin", without the plugin blocking or sending me an email about this problem, then I ask myself if the plugin really works fine...

    I think that the problem could have been, as you mention, a bad password in the cpanel and in the ftp and some erroneous permissions in the files Dhcart script

    Nevertheless, I keep on thinking that a safety plugin should have some protection to maintain the user's name, for example, that the user one could not eliminate manager with a simple click, but an assertion e-mail is sent for it - for example - because really I felt very frustrated yesterday when my user (already non existent) was not working and major my frustration when AIOWPS instead of helping me, blocked the IP to me for erroneous accesses (when I am completely secure of my information of access)

    Thanks for your fast answer, but I regret insisting on the topic, but I think that the plugin must improve the protection of the user's names and its passwords because but all other protections have no sense great really

    Thanks and sorry for my long answer and my english

  4. mra13
    Member
    Plugin Author

    Posted 7 months ago #

    Just wanted to clarify... a WordPress plugin can't do anything if your FTP or cPanel password is weak and a hacker gets in via that. WordPress runs inside your server so your server's entry point still has to be strong (this is something that is outside of WordPress).
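
The first post mentions injected files containing eval code, and the plugin authors point out that access gained through FTP or cPanel is outside what a plugin can see. The following is an added example, not part of the thread and not AIOWPS code: a check run from outside WordPress that flags such files. The regex, the uploads rule and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# eval() fed directly by a decoder: the usual shape of an injected PHP loader.
# Legitimate code can match too, so hits are leads for review, not verdicts.
EVAL_RE = re.compile(
    rb"eval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def scan_tree(root):
    """Return sorted (relative_path, line_no, reason) tuples for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(root)
        # Heuristic (assumption): uploads normally holds media only, no PHP.
        if rel.parts[:2] == ("wp-content", "uploads"):
            findings.append((rel.as_posix(), 0, "php-in-uploads"))
        try:
            data = path.read_bytes()
        except OSError:
            findings.append((rel.as_posix(), 0, "unreadable"))
            continue
        for match in EVAL_RE.finditer(data):
            line_no = data.count(b"\n", 0, match.start()) + 1
            findings.append((rel.as_posix(), line_no, "eval-of-decoded-data"))
    return sorted(findings)


def build_sample_site(root):
    """Write a constructed WordPress-like tree: one clean file, two flagged ones."""
    files = {
        "wp-content/themes/demo/functions.php": b"<?php\nadd_action('init', 'demo_init');\n",
        # Constructed sample; the encoded string is a harmless "echo 1;".
        "wp-includes/cache-x.php": b"<?php\n// header\neval(base64_decode('ZWNobyAxOw=='));\n",
        "wp-content/uploads/2014/01/img.php": b"<?php\necho 'x';\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for finding in scan_tree(tmp):
            print(finding)
```

Run it against a copy of the site's document root pulled over a trusted channel, and compare flagged files with a clean copy of the same WordPress, theme and plugin versions before deleting anything.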

  5. wpsolutions
    Member
    Plugin Author

    Posted 7 months ago #

    Hi @ramonjosegn,
    I recommend that the first thing you should do immediately is to change the "admin" username to something else - preferably set it to something challenging but which only you can remember.
    Or if you still have an administrator account in your WP system which you are not using but which has the username of "admin" then you should delete it or change the username.

    Next I recommend that you try using one (or both) of the login lockdown and brute force prevention features.

    Doing the above should provide you with strong protection.

    There are also other options available with which to protect your WP login page but the above suggestions are a good start.

  6. ramonjosegn
    Member
    Posted 7 months ago #

    Thanks for the suggestions
