WordPress.org

Plugin Directory

All-In-One Security (AIOS) – Security and Firewall

By David Anderson / Team Updraft

Description

THE TOP RATED WORDPRESS SECURITY AND FIREWALL PLUGIN

All-in-One Security (AIOS) is a WordPress security plugin from the same, trusted team that brought you UpdraftPlus.

It’s called ‘All-In-One’ because it’s packed full of ways to keep your WordPress website(s) safe and secure.

It includes:

Login security features keep bots at bay. Lock out users based on a configurable number of login attempts, get two-factor authentication and more.

File and database security. Get notified of file changes that occur outside of normal operations. Block access to key files and scan files and folders to spot insecure permissions.

Firewall. Get PHP, .htaccess and 6G firewall rules courtesy of Perishable Press. Spot and block fake Google Bots and more!

Spam prevention. Prevent annoying spam comments and reduce unnecessary load on the server. Automatically and permanently block IP addresses that exceed a set number of spam comments.

Audit log. View events happening on your WordPress website. Find out if a plugin or theme has been added, removed, updated and more.

WHY ALL-IN-ONE SECURITY?

AIOS has a near-perfect 4.7 / 5-star user rating across more than 1 million installs.

Great for beginners and experts alike. AIOS guides you logically and clearly through each of its features which are all clearly explained. Security features are marked as basic, intermediate and advanced. Each step increases your security score. Turn them on and watch your protection grow!

We have a large support team of software developers. That means we have the availability and the skillset to help you with the trickiest of queries.

We comb the WordPress plugin directory for support tickets daily – most queries are responded to within 24 hours.

Excellent plugin with numerous well-thought-out options for making a website more secure. I have been using it for years and am very happy with it. I recently had a small problem setting up a website and – even as a non-premium user – I received support very quickly. Highly recommended!

For even more ways to stay safe and secure, upgrade to AIOS Premium – it packs a punch security-wise, whilst being extremely cost-competitive.

LOGIN SECURITY

Two-factor authentication (TFA) – Require TFA for specific user roles. Supports Google Authenticator, Microsoft Authenticator, Authy, and many more.

Detect and manage ‘admin’ usernames – Identify default ‘admin’ usernames and guide users to change them to protect against brute force attacks.

Identify and correct identical login and display names – Detect cases where the display name matches the username and provide guidance to improve login security.

Prevent user enumeration – Block unauthorised access to URLs that can reveal sensitive information such as usernames or other details.

Control login attempts – Prevent brute force attacks by limiting the number of failed login attempts. Choose how many login attempts are allowed, set lockout durations, and more.

Force user logout – Automatically log out users after a specified period of time. Unattended sessions are closed, reducing the risk of unauthorised access.

Manually approve new registrations – Review and approve new user registrations to prevent spam and fake sign-ups.

Enhance WordPress salt security – Adds 64 extra characters to WordPress salts, rotating them weekly. Makes cracking passwords virtually impossible, even if your database is stolen.

Monitor and manage active sessions – If a user is logged in who shouldn’t be, log them out or add them to a blacklist.

SPAM PREVENTION

Block spam coming from bots – Reduce the load on your server and improve the user experience by automatically blocking spam comments from bots.

Monitor spam IP addresses – Monitor the IP addresses of people or bots leaving spam comments. Choose which ones to block based on a configurable number of comments left.

FILE / DATABASE SECURITY

Scan and fix file permissions – Scan for insecure file permissions. Click once to fix issues and safeguard critical files and folders.

Disable PHP file editing – Disable editing of PHP files (such as plugins and themes) via the dashboard. It’s often the first tool that attackers use as it allows for code execution.

Protect sensitive files – Prevent access to files like readme.html that might reveal information about your WordPress installation.

File change scanner – Get notified of any file changes which occur on your system. Exclude files and folders which change as part of normal operations.

Prevent image hotlinking – Prevent other websites from displaying your images via hotlinking and protect server bandwidth.

Secure database backups – Perform a database backup via UpdraftPlus from AIOS. Change the default ‘wp_’ prefix to hide your WordPress database from hackers.

FIREWALL

Get .htaccess firewall rules – Deny access to the .htaccess and wp-config.php files. Disable the server signature and limit file uploads to a configurable size.

Block access to the debug.log file and prevent Apache servers from listing the contents of a directory when an index.php file is not present.

Get PHP firewall rules – PHP firewall rules prevent malicious users from exploiting well-known vulnerabilities in XML-RPC. Safeguard your content by disabling RSS and Atom feeds and avoid cross-site scripting (XSS) attacks.

Block fake Google bots and POST requests made by bots – Block fake Google bots and stop bots from making POST requests by blocking IP addresses where the user-agent and referrer fields are blank.

Utilise 6G firewall rules – Employ flexible blacklist rules to reduce the number of malicious URL requests that hit your website (courtesy of Perishable Press).

And more – Blacklist (and whitelist) IP ranges and user agents and block unauthorized access to data by disabling REST API access for non-logged-in requests.

TWO-FACTOR AUTHENTICATION ENHANCED [Premium]

Two-factor authentication is included in the free plugin. Upgrade to Premium if you’d like to:

Require TFA after a set time period – Mandate TFA for all admins or other roles after their accounts reach a specified age.

Control how often TFA is required – Set TFA to be required after a certain number of days on trusted devices instead of every login.

Customise design layout – Adjust the TFA design to match your website’s existing layout and branding.

Emergency codes – Generate one-time use emergency codes to regain access if you lose your TFA device.

WordPress Multisite Compatible – Ensure compatibility with WordPress multisite networks and their sub-sites for consistent TFA application.

Integration with login forms – Integrate TFA with various login forms, including WooCommerce, Affiliates-WP, Elementor Pro, bbPress, and ‘Theme My Login’ without additional coding.

SMART 404 BLOCKING [Premium]

Block IPs based on 404 errors – Detect hackers probing your URLs via script and bots by the 404 errors they leave behind.

Smart 404 Configuration – Set a figure for the maximum number of 404 events allowed before an IP address is blocked. Choose a time period within which the 404 events must occur (e.g., 10 errors within 10 minutes).

Smart 404 block by URL string – Instantly block an IP address if a 404 event includes a specific URL string.

Smart 404 whitelisting – Prevent particular IP addresses from being permanently blocked due to 404 events.

COUNTRY BLOCKING [Premium]

Block traffic to the entire site or to specific pages or posts – Useful if you’re an e-commerce site and you want to block sales to some countries for shipping or tax reasons.

Whitelist some users from blocked countries – Whitelist IP addresses or IP ranges even if they are part of a blocked country.

MALWARE SCANNING [Premium]

Automatic malware scanning – Detect and protect against the latest malware, trojans, and spyware.

Alerts you to blacklisting by search engines – Monitor your site for blacklisting by search engines due to malicious code.

Response time monitoring – Keep track of your website’s response time to identify and address any performance issues.

Uptime monitoring – Checks your website’s uptime every 5 minutes and alerts you immediately if your site or server goes down.

Advice and malware removal – Need hands-on advice and support for malware removal? Our team of genuine cybersecurity experts is here to help.

Notification if something’s amiss – Receive notifications about any issues with your site so you can address problems before they escalate.

Plugin Support

If you have a question or problem with the All-In-One Security plugin, post it on the support forum and we will help you. Premium customers can log queries directly with the team via https://teamupdraft.com/all-in-one-security

Developers

  • If you are a developer and you need some extra hooks or filters for this plugin then let us know.

Translations

  • All-In-One Security plugin can be translated to any language.

Currently available translations:

  • English
  • German
  • Spanish
  • French
  • Hungarian
  • Italian
  • Swedish
  • Russian
  • Chinese
  • Portuguese (Brazil)
  • Persian (Farsi)

Privacy Policy

This plugin may collect IP addresses for security reasons such as mitigating brute force login threats and malicious activity.

The collected information is stored on your server. No information is transmitted to third parties or remote server locations.

Usage

Go to the settings menu after you activate the plugin and follow the instructions.

Screenshots

  • Features list.

Blocks

This plugin provides 1 block.

  • Twofactor User Settings

Installation

To begin making your WordPress site more secure:

  1. Upload the ‘all-in-one-wp-security.zip’ file from the Plugins->Add New page in the WordPress administration panel.
  2. Activate the plugin through the ‘Plugins’ menu in WordPress.
  3. Go to Settings menu under ‘AIOS’ and start activating the security features of the plugin.

Frequently Asked Questions

How is All-In-One Security (AIOS) supported?

Customers of ‘Free’ AIOS can get support from this very webpage. Select ‘Support’ from the tabs above and post a topic. We aim to respond to all support requests within 24 hours during the working week.

Is All-In-One Security compatible with other plugins?

Yes. AIOS works smoothly with most popular WordPress plugins.

Is All-in-One-Security regularly updated?

Yes. WordPress Security is something that evolves over time. We update AIOS with new security features (and fixes if required) on a regular basis so you can be assured that your site will keep benefitting from new security protection techniques for as long as you need them.

Will All-In-One Security slow down my website?

No.

Should I install All-In-One Security for free or should I purchase AIOS Premium?

The decision is yours to make. ‘Free’ AIOS incorporates a web application firewall, comprehensive login security tools including two-factor authentication and all the latest recommended WordPress security practices and techniques.
But if your WordPress site is a business website, if it showcases what you do, or who you are, we generally recommend AIOS Premium. Prices start from as little as $70 for the year.

What are the additional features of All-In-One Security Premium?

AIOS Premium scans your WordPress website for malware whilst also monitoring your site’s response time and uptime, notifying you of any issues within 24 hours. AIOS Premium customers also benefit from hands-on ticketed support via email (rather than via WP Support forums).
Additional security tools include Country Blocking, Smart 404 Error Blocking and Advanced Two Factor Authentication.
More information is available from our All-In-One Security website

How do I get started with All-In-One Security Premium?

In the web shop, purchase your preferred subscription. After completing the purchase, you will be emailed a link to download the plugin. You can also access the link through your “My Account” page.
After downloading the zip file, install and activate the plugin through WP Admin->Plugins->Add New->Upload Plugin.
The premium extends the free version. Therefore you should keep the free version installed and active. You will also be prompted to enter your AIOS username and password to connect your site to licenses. This will allow the plugin to receive updates.

Do I need to have the free version before downloading Premium?

Yes, you need to have the free version of the plugin installed and activated before installing Premium. Premium plugin is an add-on that requires the free version to be present.

Does All-In-One Security work with multi-site network installations?

Yes, AIOS Premium is compatible with WordPress multisites. For multisite networks, the protection will apply to the network as a whole, and the dashboard and options will be available on the main site of the WordPress multisite.

Can a WordPress security plugin stop all attacks on my site?

There is no 100% guarantee that a security plugin will be able to protect against all attacks, as there is always the possibility of unknown WordPress vulnerabilities or other unexpected factors, and attackers are always seeking to develop new ways around protections. However, All-In-One Security gives good protection against known attack methods, and is under continuous development to monitor and improve protections.

Does All-In-One Security work on all servers and hosts?

AIOS should be compatible with most hosts, unless the host has specifically restricted the use of security plugins. Similarly, certain features may not work on some servers, especially Windows/IIS platforms. Features that use the ‘.htaccess’ file will not apply on a Windows IIS server or NGINX server (but development is ongoing to port those protections to all servers).

Can I cover my subdomains and test sites with a licence for AIOS Premium?

Development and test sites require their own licence if updates to the plugin are needed.
However, these sites can be disconnected from the licence when they have served their purpose. You can disconnect the licence via the site’s WP Admin->Plugins page, and it will be available to be reassigned to a different site.

Is the All In One Security & Firewall Plugin GDPR and other privacy law compliant?

Please read more about GDPR compliance here: https://teamupdraft.com/privacy/ .

Reviews

good

Bahram Zandi 16 July 2025
it’s a good plugin

I Really Wanted This To Work…And It Does!

spectraemail 15 July 2025 3 replies
I had originally been a bit critical of this plugin because I need to use another security plugin alongside this, and multiple security plugins don’t always play nice with each other. However, after hearing from one of the development team who provided some good suggestions, and my decision to utilize AI to determine which features were possible areas of conflict, I was able to get the plugins to work together quite well. I’m impressed with the number of security issues this plugin provides.

excellent support

clueless4ever 21 June 2025
Excellent support and taking a lot of time to help me. In the end it was not a problem with the plugin as it seems. There was an interference with another one but this was solved. Thank you so much!

Solid Security and Great Support

worldmaker 2 June 2025
If you want the reassurance of solid security for your web site, this is where you begin. With so many security options, switches for this and that and all the other elements of your site, this should be the first go-to product to add to your site’s protection. However, beware, you can be too enthusiastic in securing everything and, like me, find yourself locking yourself out. This is where the patience of Support comes in to help you back through any errors and mistakes you might have made when over-securing your site. Take it calmly, carefully and note all the advice written throughout, and keep a log of everything you’ve set and this will remain a strong anchor for your site’s security.

Works but sends Errors

rodge 21 May 2025
I keep getting these WP-Error emails from my customers’ sites where I use this great plugin. This is the error message:

E_ERROR at line 739 in: /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php. Error: Uncaught Error: Call to undefined function wp_strip_tags() in /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-user-login.php:739
Stack trace:
#0 /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-includes/class-wp-hook.php(324): AIOWPSecurity_User_Login->aiowps_login_message()
#1 /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-includes/plugin.php(205): WP_Hook->apply_filters()
#2 /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-login.php(231): apply_filters()
#3 /var/www/vhosts/xxxxxxx.xx/httpdocs/wp-login.php(1490): login_header()
#4 {main}
thrown

I hope this gets fixed in the next version… Thanks! // Rodge

It works fine and much assist me

alexey6660 18 May 2025
It works fine and much assist me with security of the site

Read all 1,661 reviews

Contributors & Developers

“All-In-One Security (AIOS) – Security and Firewall” is open source software. The following people have contributed to this plugin.

Contributors
  • David Anderson / Team Updraft
  • Prashant Baldha
  • Tips and Tricks HQ
  • wpsolutions
  • Peter Petreski
  • Ruhul Amin
  • mbrsolution

“All-In-One Security (AIOS) – Security and Firewall” has been translated into 16 locales. Thank you to the translators for their contributions.

Translate “All-In-One Security (AIOS) – Security and Firewall” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

5.4.2 – 15/Jul/2025

  • FEATURE: Ability to enforce checking passwords against the HIBP API when updating user profiles and resetting passwords.
  • FEATURE: Add ability to upgrade all unsafe http calls on the site.
  • FIX: Disabled application password link doesn’t go back to the correct place.
  • FIX: Fatal in the firewall’s message store.
  • FIX: Malformed URLs in User accounts tab.
  • FIX: Users are logged out on Contact Form 7 submit if salt postfix enabled
  • FIX: The ‘Set Password’ page does not load for the user when cookie-based brute-force protection is enabled.
  • FIX: Disallow unauthorized REST request is enabled, but the /wp-json/ shows the rest routes and rest api details
  • TWEAK: Add AJAX message store helper
  • TWEAK: Disable user enumeration error; aios_user_lists_forbidden should return a 403 response code instead of a 500.
  • TWEAK: Rename the WP Admin menu item from ‘WP Security’ to ‘AIOS’ and update the icon to current version.
  • TWEAK: Show AJAX table action response in popup modal
  • TWEAK: Make the plugin more PCP compliant
  • TWEAK: Add a notice for PHP 5.6 end of support.
  • TWEAK: Change url from twitter.com to x.com
  • TWEAK: Made changes to the advert links in the thank you dashboard notice.

5.4.1 – 21/May/2025

  • FIX: Call to undefined function AIOWPS\Firewall\sanitize_text_field() fatal error solved.
  • FIX: Resolved an issue where some information in the debugging report email was inconsistent with the information shown at Dashboard > Debugging
  • FIX: Fixed a “call to undefined function wp_strip_tags” error in wp-security-user-login.php
  • FIX: Resolved an issue where raw HTML was displaying in the info box under User Security > User Accounts > User Display Name
  • FIX: Renamed the login page when it was exposed via auth_redirect by other plugins (e.g., Gravity Forms preview)
  • FIX: Fixed an issue where the password reset functionality did not work with the renamed login page feature
  • FIX: Resolved missing translations on the login page after enabling the “Rename login page” feature
  • FIX: Updated the custom login page layout to match the new default WordPress login page design
  • FIX: Fixed the redirection issue occurring after plugin reactivation when the cookie brute force options are saved in the database
  • FIX: Fixed the undefined variable $error in wp-security-user-security-commands.php
  • FIX: Fixed the login lockout request issue
  • FIX: Bulk “Delete selected” action in the Audit Log list was not working
  • FIX: Corrected AIOWSPEC prefixes to AIOWPSEC
  • FIX: The 5G Firewall switch is behaving inversely, enabling it removes .htaccess rules, while disabling adds them.
  • FIX: Fixed the HTML code shown incorrectly on the .htaccess tab
  • TWEAK: Updated links to point to our new website

5.4.0 – 27/Mar/2025

  • FIX: Replaced firewall URI parsers with non-WordPress methods
  • FIX: Resolved PHP 5.6 compatibility issue caused by the ?? operator in 5.3.10

5.3.10 – 26/Mar/2025

  • FEATURE: Added commenting capability to IP whitelists
  • FEATURE: Added diagnostics reporting
  • FEATURE: Added a whitelist and user role-based access limit to the REST API firewall
  • FIX: “Undefined index: path” error when front-end HTTP Authentication is enabled.
  • FIX: Resolved dashboard translation issue where text lacked whitespace and was not properly translated
  • TWEAK: Remove uses of unserialize without restriction of allowed_classes
  • TWEAK: Refactored IP commands class to use response helper
  • TWEAK: Removed WP REST API tab
  • TWEAK: Switched “Critical Feature Status” toggle buttons on the dashboard to a status light system
  • TWEAK: Updated the security strength meter on the dashboard
  • TWEAK: Improved the dashboard widget to display a chart showing the number of logins over the last 7 days
  • TWEAK: Enhanced the maintenance mode switch on the dashboard for consistency with the rest of the plugin
  • TWEAK: Converted Brute Force menu actions to use AJAX
  • TWEAK: Updated seasonal notices

5.3.8 – 16/Dec/2024

  • FIX: Updated the plugin notices to fix translation related fatal errors.

5.3.7 – 5/Dec/2024

  • TWEAK: Change response code for blocked unauthorized REST requests to 403.
  • TWEAK: Temporarily removed firewall logging

5.3.6 – 3/Dec/2024

  • FIX: Resolved an issue with the AIOS_Firewall_Resource class

5.3.5 – 24/Nov/2024

  • FIX: Custom .htaccess rules are now properly escaped, with backslashes removed.
  • FIX: Import settings failed when visitor lockout messages had text alignment or other formatting applied
  • FIX: The audit log filter for event type now works correctly, even when the event type is translated into languages other than English
  • FIX: Resolved text overflow in the blue box on the Settings > WP Version Info page
  • FIX: Some user meta keys were not being removed after uninstalling the plugin
  • FIX: Subsites no longer incorrectly detect the Database Prefix feature as active
  • FIX: Prevented fatal errors from missing firewall resources, replacing them with debug log entries
  • FIX: WordPress database error: BLOB, TEXT, GEOMETRY, or JSON columns cannot have a default value set
  • FIX: The load_plugin_textdomain function is called during the init action, and translations are applied afterward
  • FIX: Renamed login page is now using the WordPress translations
  • TWEAK: Added a filter for PHP firewall rules templates
  • TWEAK: Updated the country code field for audit logs to be based on the IP address (Premium)
  • TWEAK: Improved the text in the 404 detection tab
  • TWEAK: Moved the allowlist into the blacklist tab, and renamed it to “Block & Allow Lists”
  • TWEAK: Moved the WP REST API feature to the PHP rules tab
  • TWEAK: Refactored multiple command classes to use the new AJAX response helper method: Tools, File scan, Files, Settings, and Log commands classes
  • TWEAK: Updated the UI for the .htaccess rules, Captcha settings and file protection tabs
  • TWEAK: Added a note in Settings > Delete plugin settings tab
  • TWEAK: Early calls to get_plugin_data() no longer require translations
  • TWEAK: Refactored the firewall command class to use the response helper method
  • TWEAK: Added a constant AIOS_DISABLE_HTTP_AUTHENTICATION. Define this in your wp-config.php to disable HTTP authentication

5.3.4 – 21/Oct/2024

  • FEATURE: Added a HTTP authentication feature that allows protecting the site with a username/password login.
  • FIX: Added a new method to reset the firewall rules under general settings
  • FIX: Resolved the issue with post cache which caused an issue with comment spam prevention
  • TWEAK: Added a helper class for API requests
  • TWEAK: Removed whitespaces at end of sentences

5.3.3 – 16/Sep/2024

  • FEATURE: Added captcha option for WooCommerce classic guest checkout page.
  • FIX: Fixed responsive layout issues with dashboard notice logo on mobile devices.
  • FIX: Turnstile captcha widget showing multiple times
  • FIX: Solved memory issue for reading larger host system log file
  • FIX: Removed .htaccess options from the Settings menu on Nginx, IIS and unsupported web servers
  • FIX: Resolved UX popup issue and firewall allowlist sanitization
  • FIX: Resolved an issue where bulk table actions were still executed even if the confirmation dialog was canceled.
  • FIX: Added a null check to prevent PHP warnings in firewall rules
  • TWEAK: Ajaxified the actions in the settings, filesystem security, spam prevention and user security menu
  • TWEAK: Added Ajax support to list tables and the audit log
  • TWEAK: Added CAPTCHA field to MemberPress forgot password and registration forms
  • TWEAK: Excluded .htaccess tabs from settings if the server is not supported
  • TWEAK: Updated the firewall rules UI and malware scanner description
  • TWEAK: Tweaked the htaccess backup method to generate the random filename
  • TWEAK: Removed ‘prevent access to default WP files’ from .htaccess and added ‘license.txt’ to deletion list.

5.3.2 – 06/Aug/2024

  • FIX: Bug that allowed subsite admins to delete audit logs of other subsites
  • FIX: Disabled blacklisting on subsites because the PHP-based firewall currently applies to the entire multisite
  • FIX: An issue with getting the google bot ip ranges
  • TWEAK: Added extra protections in place before modifying the .htaccess file
  • TWEAK: Actions in the tools, firewall and scanner menu are now processed via AJAX
  • TWEAK: Trimmed leading and trailing whitespace from inputs in the WHOIS lookup tab
  • TWEAK: Added a confirmation pop-up when users clear records in the Debug Logs table
  • TWEAK: Added captcha support for the MemberPress plugin
  • TWEAK: Improved the UX of the WP REST API options
  • TWEAK: Internal code improvements to improve maintainability
  • TWEAK: Updated the feature manager to improve performance
  • TWEAK: Fixed the issue of blank tables on mobile view

5.3.1 – 26/Jun/2024

  • FEATURE: Added CAPTCHA to password protected pages/posts
  • FIX: Captcha not showing on the BuddyPress registration page
  • FIX: WooCommerce logout issue when the renamed login page and login whitelist features are both enabled
  • FIX: Missing CAPTCHAs when multiple WooCommerce login and register forms are on the same page
  • FIX: Fixed an issue with the 404 detection actions
  • FIX: A UI issue with the 2FA QR code image
  • TWEAK: Added the attribute data-cfasync="false" to the default captcha url to allow loading on Cloudflare Rocket Loader
  • TWEAK: Purge login lockdown table records after 90 days to restrict size. The AIOS_PURGE_LOGIN_LOCKOUT_RECORDS_AFTER_DAYS constant has been added to change the default.
  • TWEAK: Updated the malware scanner frequency text from daily to weekly
  • TWEAK: Updated the password strength meter UI for the password tool
  • TWEAK: Add a ‘Lock IP’ and ‘Blacklist IP’ link to the IP column of the audit log.
  • TWEAK: Enhance fake Googlebot detection. In the case where gethostbyaddr fails, the firewall will fallback to checking against known Googlebot IP ranges
  • TWEAK: Updated the column header for the “Permanent Blocked IP Addresses” table to be consistent with other tables
  • TWEAK: Prevent warning when DISALLOW_FILE_EDIT has already been defined
  • TWEAK: Fix instances of one translation function being used for multiple sentences
  • TWEAK: Improved the UX during AJAX calls
  • TWEAK: Removed Trash spam comments duplicated description

5.3.0 – 01/May/2024

  • FEATURE: Added bulk force logout features for logged in users
  • FIX: An issue with the WooCommerce my account page logout function when the cookie based brute force feature is turned on
  • FIX: Warning undefined array key SCRIPT_FILENAME
  • FIX: Custom redirection after login not working if url contains the redirect_to parameter
  • FIX: List of administrator accounts not showing on the user security page
  • FIX: Issue with cookie based bruteforce prevention solved if salt postfix feature is on.
  • FIX: Fixed country field not showing in the 404 event logs (Premium)
  • FIX: Fixed country field not showing in the smart 404 blocked IP log (Premium)
  • TWEAK: Fixed translation issue not showing as per admin user set language instead of site settings
  • TWEAK: Firewall upgrade changes are applied without access to the admin interface
  • TWEAK: Change the labels for the switches to a more appropriate wording
  • TWEAK: In the file scanner results show the file sizes in a human readable format
  • TWEAK: Updated the default message for attempts to access wp-admin
  • TWEAK: Internal refactor of the update code to improve code clarity.
  • TWEAK: Port the ‘Block fake Googlebots’ feature to the PHP-based firewall
  • TWEAK: Remove requirement for at least one IP for ‘Blacklist’, ‘Login whitelist’ and ‘Login lockout IP whitelist’ to be enabled.
  • TWEAK: Added error message when a user tries to block their own IP on registration approval
  • TWEAK: Added method to update badge on AJAX call
  • TWEAK: internal refactor of the AIOWPSecurity_Utility_File class to improve code clarity
  • TWEAK: Seasonal notice content update for 2024

5.2.9 – 06/Mar/2024

  • FIX: Remove call to update_event_table_column_to_timestamp in update routine
  • FIX: Remove call to wp_timezone() which is only available in WP 5.3+

5.2.8 – 05/Mar/2024

  • FIX: The user check that affects the Duo authentication plugin
  • FIX: Database update routine is now run without needing to visit the admin interface or each individual site in a multisite
  • FIX: Some settings in the firewall menu not resetting after deactivating and reactivating the plugin.
  • TWEAK: Audit log and 404 events CSV export file date time column is now in a human readable format not unix timestamp
  • TWEAK: Debug log table existing datetime field converted to timestamp to be timezone independent
  • TWEAK: Global meta table existing datetime field converted to timestamp to be timezone independent
  • TWEAK: Permanent block table existing datetime field converted to timestamp to be timezone independent
  • TWEAK: Refactor list item actions to further improve code clarity
  • TWEAK: Removed blacklist admin menu as previously announced
  • TWEAK: Removed miscellaneous admin menu as previously announced
  • TWEAK: Removed various admin menu tabs as previously announced
  • TWEAK: Store IP lookup result for other types of entries in the login lockdown table
  • TWEAK: Update the footer review prompt
  • TWEAK: Max file upload size limit to 250 MB by aiowps_max_allowed_upload_config filter removed
  • TWEAK: Improve comment spam detection to not interfere with other forms

5.2.7 – 06/Feb/2024

  • SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records.

5.2.6 – 06/Feb/2024

  • SECURITY: Removed unnecessary use of the "tab" query parameter on various admin menu pages to prevent a non-persistent XSS vulnerability. Thanks to Matthew Rollings for disclosing this defect. (This would allow an attacker who deliberately targets you whilst logged in as an administrator and persuades you to visit a link he controls to inject unwanted scripts on a single visit to your AIOS admin page).
  • FEATURE: Added logout event to the audit logs
  • FEATURE: Add ability to delete the default readme.html file and wp-config-sample.php file
  • FIX: Correct some translation calls that were using the wrong text domain
  • FIX: PHP notice caused by the file scanner being unable to read its data file
  • FIX: Unlock request button was not showing and redirects to 127.0.0.1
  • FIX: Database errors for the aiowps_login_lockdown table during plugin installation
  • TWEAK: Refactor the 6G UI
  • TWEAK: Added an option to set the Cloudflare Turnstile CAPTCHA theme
  • TWEAK: Added CSS styling for audit log details column
  • TWEAK: Dashboard critical feature status links fixed and only show features that can be enabled in a multisite subsite
  • TWEAK: Deactivating the plugin now removes stored login info so on the next activation users are not force logged out
  • TWEAK: Display json string instead of null if json_decode does not work for audit log details
  • TWEAK: Event table existing datetime field converted to timestamp to be timezone independent
  • TWEAK: Various tweaks to get codebase up to coding standards
  • TWEAK: Various tweaks to ensure multiple sentences are not passed to a single translation function
  • TWEAK: Fix the broken UI for RSS and Atom firewall settings and added a more info box
  • TWEAK: Fix the issue of unique ID in DOM
  • TWEAK: Merge Username and Display Name tabs in User Security Settings
  • TWEAK: Moved the ‘404 detection’ tab to the ‘Brute force’ admin menu
  • TWEAK: Moved the ‘PHP file editing’ tab into ‘File Protection’ tab
  • TWEAK: Moved the ‘User enumeration’ tab into the ‘User accounts’ tab in the User Security Menu
  • TWEAK: Moved the ‘WP Rest API’ tab into the Firewall Menu
  • TWEAK: Moved the ‘Copy protection’ and ‘Frames’ tab into the Filesystem security menu
  • TWEAK: Moved the ‘Salt’ tab into the User security menu
  • TWEAK: Moved ‘Blacklist Manager’ tab into the Firewall menu.
  • TWEAK: Password resets, removed and deleted users are now recorded in the audit log
  • TWEAK: Stop 404 IP from being locked if there’s a current lock on that IP
  • TWEAK: Unify date and time conversion with user's timezone support
  • TWEAK: Changed how empty data in ip lookup result is stored in the database
  • TWEAK: Rework Firewall Menu page to have two tabs for PHP and .htaccess rules
  • TWEAK: Add captcha support for Contact Form 7
  • TWEAK: Added an AJAX save settings and get features details badge function as part of ongoing work to add AJAX support to the plugin settings
  • TWEAK: Enhance reset password email by adding IP info
  • TWEAK: Remove defunct imagetoolbar meta tag
  • TWEAK: Login lockout tables existing datetime field converted to timestamp to be timezone independent
  • TWEAK: Code improvements – utilising WP_Error objects instead of arrays

5.2.5 – 25/Oct/2023

  • SECURITY: On a multisite install, if using the AIOS feature for renaming and hiding the login page, a route existed for an attacker to discover the hidden login page, thus negating the usefulness of the feature. Thanks to Naveen Muthusamy for disclosing this defect.
  • FEATURE: Block POST requests that have a blank user-agent and referer
  • FEATURE: Added reverse IP Lookup data to the login lockdown notification email
  • FIX: Prevent a fatal error when setting up the firewall if the host has disabled the function parse_ini_file
  • FIX: Prevent the firewall message store from filling up with unused entries
  • FIX: Prevent legitimate Googlebot traffic being blocked on sites where the gethostbyaddr function fails or is disabled
  • FIX: An issue that prevented MainWP updates from being performed correctly
  • FIX: Prevent user enumeration via the REST API and oEmbed protocol
  • FIX: User agent blacklist not matching all strings correctly
  • FIX: Logged in user table not showing the correct information
  • TWEAK: Improve comment spam detection by using hidden fields and cookies
  • TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist
  • TWEAK: The menu actions in the dashboard admin menu are now processed via AJAX
  • TWEAK: Converted checkboxes in the admin menu pages to switches
  • TWEAK: Add network_id and site_id column to debug logs table for differentiating logs between sites on multisite
  • TWEAK: Combined various user admin menus into a new ‘User Security’ admin menu
  • TWEAK: Export configuration filename now reflects the local timezone.
  • TWEAK: Improve the UI/UX of the file scanner making way for future improvements
  • TWEAK: Redesign the feature manager badges
  • TWEAK: Removed various admin menu tabs as previously announced
  • TWEAK: Add features that depend on other plugins to the feature manager conditionally
  • TWEAK: Added a null check to function that removes wp meta info from scripts and styles src to prevent a PHP deprecation warning
  • TWEAK: Audit log date and time are now displayed in the site's timezone
  • TWEAK: PHP warning undefined array key REQUEST_METHOD in rule-proxy-comment-posting.php
  • TWEAK: When TranslatePress is active, logging out via WooCommerce should not show a 404 page if the "rename login page" setting is on.

5.2.4 – 16/Aug/2023

  • FIX: Ported firewall settings from disabling on upgrade

5.2.3 – 09/Aug/2023

  • FIX: Fatal error "set_value() on null" when the firewall config is missing
  • FIX: PHP notices when running under cron
  • FIX: Revert change that caused the Brute force login whitelist to show the server IPs and not the user's
  • TWEAK: Add communication mechanism so that firewall can send data to WordPress
  • TWEAK: Remove incorrect mentions of the .htaccess file on PHP Firewall rules

5.2.2 – 04/Aug/2023

  • FEATURE: An allow list of IP addresses which bypass the firewall rules
  • FIX: Fix get_class() on null fatal error when updating via ManageWP
  • FIX: No such file or directory notice generated by the firewall’s config file
  • FIX: Only send the upgrade email if one or more of the ported rules had been enabled
  • FIX: Fake Google bots are now blocked if bot server IP address does not resolve to a hostname
  • FIX: Google reCaptcha now appears correctly on the WooCommerce checkout page
  • FIX: Prevent WooCommerce auto login if manual registration approval is turned on
  • FIX: Premium upgrade tab UI overlapping issue.
  • FIX: Allow maintenance mode to be controlled via WP-CLI (Premium)
  • FIX: Use the correct site id for login success events added to audit log table on Multisite
  • FIX: Added missing features to the feature manager list
  • FIX: A warning when using the update all command via WP-CLI
  • TWEAK: AIOS settings based IP address is now used instead of the REMOTE_ADDR server variable for multiple wrong 2FA code notification
  • TWEAK: Added ‘aios_audit_log_record_event’ filter to allow events to not be recorded
  • TWEAK: Improve the feature item manager code structure making way for future improvements
  • TWEAK: Login whitelist suggests both IPv4 and IPv6 addresses to whitelist.
  • TWEAK: Move the ‘Custom rules’ tab from the ‘Firewall’ section to its own tab in the ‘Tools’ section
  • TWEAK: Move the ‘Prevent hotlinking’ tab to the ‘File protection’ tab in the ‘Filesystem Security’ menu
  • TWEAK: Moved all CAPTCHA settings to the ‘CAPTCHA settings’ tab in the ‘Brute Force’ menu
  • TWEAK: Moved the ‘Password tool’ tab to the ‘Tools’ admin menu
  • TWEAK: Moved the ‘Visitor lockout’ tab to the ‘Tools’ admin menu
  • TWEAK: Moved the ‘User registration honeypot’ tab to the ‘Brute force’ admin menu
  • TWEAK: Remove ‘Account activity table’ as these entries are also recorded in the audit log
  • TWEAK: Removed the ‘Failed login records’ tab as previously announced, these are now recorded in the audit log
  • TWEAK: Improve list table code performance
  • TWEAK: Removed use of $_GET, $_POST, $_REQUEST from all template files making way for future improvements

5.2.1 – 12/Jul/2023

  • FIX: Include helper class file from loader
  • TWEAK: Conditionally load TFA block JavaScript

5.2.0 – 10/Jul/2023

  • SECURITY: Remove authentication data from the stacktrace before saving to the database. This defect meant that a site administrator had the potential, between releases 5.1.9 to 5.2.0 (which purges the existing data), to know what site users’ passwords are. This information has limited value (an admin can already reset anyone’s password) except insofar as the passwords may be re-used by users on other sites. In that "hostile admin" scenario, your site has other problems (since the hostile admin has a whole raft of equivalent ways of causing mischief to users, especially if not on multisite where a site admin is potentially not a super admin and may not be able to install or configure plugins). This changelog has been expanded in response to incorrect reports which suggested a wider problem (for example, they did not mention that the attacker needs to already be logged in as an admin to read the log, or that upgrading to 5.2.0 deletes the affected data).
  • SECURITY: Set tighter restrictions on what subsite admins can do in a multisite.
  • FIX: After editing a file reset permissions back to the original permissions
  • FIX: Corrected some broken links in the plugin
  • FIX: Fatal error: cannot declare class
  • FIX: Normalise all arguments in the stacktrace
  • FIX: Wrong login entries added to login activity table on multisite when user logs into subsite they don’t belong to.
  • FIX: Too many redirects error for forced logout users solved
  • TWEAK: When running under cron or WP-CLI, or when the AIOS_DISABLE_EXTERNAL_IP_ADDR constant is defined, do not use external services for user IP addresses. Silenced the api.ipify.org request failed warning.
  • TWEAK: Reset password page missing translation and generate password button added for renamed login page
  • TWEAK: Added ‘aios_audit_log_event_user_ip’ filter to allow filtering of IP addresses in the audit log
  • TWEAK: Added action hook "aios_reset_all_settings" for resetting all settings.
  • TWEAK: Renamed login page to have language change dropdown and other tweaks as per the WordPress 6.2

5.1.9 – 09/May/2023

  • FEATURE: IP addresses – Blacklist manager functionality based on PHP instead of .htaccess rules. Added the AIOS_DISABLE_BLACKLIST_IP_MANAGER constant; define it in your wp-config.php to disable the IP blacklist manager.
  • FEATURE: Detect spambots posting comments and discard the comments completely or mark them as spam.
  • FEATURE: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)
  • FEATURE: Added a "Delete all" and "Delete filtered" bulk action to the audit log table
  • FIX: Prevent Cloudflare Turnstile being added to login forms when no credentials were set
  • FIX: Change where the audit log event handler is loaded to prevent an error on plugin deletion
  • FIX: Fix context class checks to support cli
  • TWEAK: Multisite super admin can access the subsite dashboard without login again if salt postfix enabled
  • TWEAK: Captcha JavaScript file is unnecessarily loaded on some site pages if comment captcha or custom login captcha enabled
  • TWEAK: Change some nonce checks to use our internal function to check user capability and nonces
  • TWEAK: User registrations and successful logins are now recorded in the audit log
  • TWEAK: Added a commands class and refactored AJAX handlers
  • TWEAK: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code
  • TWEAK: Improve database table prefix feature UI.
  • TWEAK: WordPress core updates are now recorded in the audit log
  • TWEAK: Translation updates are now recorded in the audit log
  • TWEAK: Add an entity changed event to the audit log when upgrader information is not available
  • TWEAK: Automated emails sent by AIOS that failed to send due to from address

5.1.8 – 11/April/2023

  • FIX: 404 detection – Individual record blacklisting, delete, temp block actions stopped working in 5.1.7
  • FIX: Uncaught fatal error on null ‘set_value’
  • FIX: Remove audit log event handler actions on plugin deletion to prevent an error
  • FIX: Remove some audit log event handler on plugin deletion to prevent an error
  • FIX: Get correct wp-config path when installed in a subdirectory
  • TWEAK: AIOS_Helper::request_remote timed out exception ignored.
  • TWEAK: Requests_IPv6 class name deprecated in WordPress 6.2.
  • TWEAK: Failed login attempts are now recorded in the audit log

5.1.7 – 24/March/2023

  • FIX: Prevent fatal error when calling get_server_detected_user_ip_address() when the firewall is not setup
  • TWEAK: Clarify dashboard notice title and change image.

5.1.6 – 21/March/2023

  • FEATURE: Added an audit log
  • FEATURE: Add salt postfix option to improve your site’s security
  • FEATURE: Shared library that can be used from the firewall.
  • FIX: Rename login slug used like wp-login-RANDOM_SUFFIX showing 404 page issue solved and code clean up for multisite activation.
  • FIX: Divi child theme conflict – Call to undefined function et_builder_get_fonts() in functions.php on line 208 solved.
  • FIX: Captcha settings tab in multisite installation for subsites not showing
  • FIX: Cron reschedule event error for hook aios_15_minutes_cron_event if plugin deactivated or uninstalled
  • TWEAK: Stop user enumeration now shows 403 forbidden error code instead of 500 server error
  • TWEAK: PHP 8.1 warning rawurldecode passing null instead type string is deprecated for block request string 6g rule
  • TWEAK: Code clean up for disable cookie based brute force constant as rule moved to firewall
  • TWEAK: Comment spam IP monitoring page UI
  • TWEAK: Updated seasonal notices
  • TWEAK: Improve internal code structure making way for future improvements
  • TWEAK: Remove mention of the 6g firewall rules being .htaccess based as they are now php based
  • TWEAK: Added new internal function to check user capability and nonces
  • TWEAK: Improve config code with inline saving.
  • TWEAK: Allow audit log to be filtered and exported to CSV

5.1.5 – 13/February/2023

  • FEATURE: Added Cloudflare Turnstile CAPTCHA support
  • FIX: Notices about undefined array key HTTP_USER_AGENT solved.
  • FIX: New v5 features not saved in export file and not properly reset after uninstallation.
  • FIX: File permission change being applied to the last record, not the selected one. Also, no longer change permissions when they are already tighter than the suggested ones.
  • FIX: Fatal error ‘Call to a member function contains_contents() on null’
  • TWEAK: Removed wrong information about login whitelist being implemented via htaccess.
  • TWEAK: Refactoring settings tasks for WP CLI AIOS premium commands.
  • TWEAK: Page load performance issue due to incompatible tfa premium plugin active check improved.
  • TWEAK: Make sure translation domain is registered before attempting to use it
  • TWEAK: Replaced click with press in text because users could be on mobile etc and not using a mouse.
  • TWEAK: Registration, comment, Buddypress and bbPress admin pages to show notice enable the captcha settings.
  • TWEAK: Improve the UI/UX for the 404 detection tab
  • TWEAK: Improve internal code structure making way for future improvements
  • TWEAK: PHP 8.2 deprecation warning for dynamic properties
  • TWEAK: Remove the unintended ability for directory traversal and lack of escaping when outputting files with the "view system log" feature. This facility is only available to an administrator (who can of course already do anything on the site, so this has no security implications) and allows them to view (the last 50 lines) from any file or list any directory on the system where the web server has read access.
  • TWEAK: Firewall gets constants from a single source.

5.1.4 – 14/December/2022

  • FEATURE: Add option to disable RSS and ATOM feeds.
  • FIX: The IP address blacklist manager wasn’t working.

5.1.3 – 09/December/2022

  • SECURITY: No longer save settings import files in a publicly accessible folder where they can be potentially indexed by search engines if the administrator does not actually import the settings (which deletes the import file)
  • FEATURE: Implement firewall events system
  • FIX: Protect subsites when firewall is loaded via plugins_hook
  • TWEAK: Improve the UX for uploading import files
  • TWEAK: Add a default …

Meta

  • Version 5.4.2
  • Last updated 21 hours ago
  • Active installations: Over 1 million
  • WordPress version 5.0 or higher
  • Tested up to 6.8.2
  • PHP version 5.6 or higher
  • Languages

    Arabic, Chinese (China), Dutch, Dutch (Belgium), English (Canada), English (US), German, Italian, Japanese, Persian, Polish, Russian, Spanish (Chile), Spanish (Spain), Spanish (Venezuela), Ukrainian and Vietnamese.

  • Tags
    firewall, login security, security, two factor authentication

Ratings

4.7 out of 5 stars.
  • 5 stars: 1502
  • 4 stars: 52
  • 3 stars: 20
  • 2 stars: 15
  • 1 star: 72

Contributors

  • David Anderson / Team Updraft
  • Prashant Baldha
  • Tips and Tricks HQ
  • wpsolutions
  • Peter Petreski
  • Ruhul Amin
  • mbrsolution

Support

Issues resolved in the last two months:

30 out of 36