All In One WP Security review: completely free WordPress security
All In One WP Security & Firewall is a completely free WordPress security plugin with no premium version or upsells. With over 1 million active installations, the plugin offers comprehensive protection against brute force attacks, malware, and hacking attempts. Its security meter visualizes your security level as a score, making it easy to track your progress.
The plugin is developed by Tips and Tricks HQ and has been around since 2012. What distinguishes All In One WP Security is its complete feature set with no paywall. Where competitors like Wordfence and iThemes Security keep crucial features behind a paid version, All In One gives everything away for free.
The interface is functional but dated. It lacks the modern polish of newer plugins but compensates with stability and completeness. For site owners with budget constraints or multiple sites to secure, All In One WP Security is an excellent choice that offers enterprise-level protection at no cost.
What exactly is All In One WP Security?
All In One WP Security & Firewall is a comprehensive security suite providing protection in five main areas: user account security, login security, database security, filesystem security, and firewall protection. The plugin combines preventive measures with active monitoring to secure your WordPress site.
The security meter is the face of the plugin. This dashboard widget shows a score from 0 to 500 points. Each security feature you activate adds points. The meter uses a color system: red (basic), orange (intermediate), green (advanced). This gamification element motivates users to improve their security.
Features are organized in three difficulty levels: Basic, Intermediate, and Advanced. Beginners start with Basic features that are safe to activate without risk. Intermediate features require more understanding. Advanced features are for advanced users who know what they're doing. This progressive disclosure prevents beginners from breaking their site.
Security meter system
The security meter gives instant feedback about your security level. A new WordPress installation typically starts around 50-100 points (red, basic security). After implementing recommended features, you reach 200-300 points (orange, intermediate). Sites with 350+ points have advanced security (green).
Each feature has a point value. Basic features like blocking username enumeration give 5-10 points. Intermediate features like activating the firewall give 10-20 points. Advanced features like changing the database prefix give 20-30 points. This weighting helps you prioritize which fixes are most important.
The dashboard also shows a list of recommended actions. Click a recommendation and the plugin takes you to the relevant settings page with explanation. This guided system helps non-technical users implement the right security configuration without needing to read external tutorials.
Installation and initial setup
Installation is done via Plugins > Add New. Search for "All In One WP Security" and click Install and Activate. After activation, "WP Security" appears in your admin menu. The plugin works immediately after installation with safe default settings.
The dashboard shows your current security score with recommendations. The plugin doesn't force a wizard or configuration – you can start immediately or look around first. This hands-off approach gives experienced users control but can overwhelm beginners without a clear starting point.
First steps for beginners
Start with the User Accounts menu. Click "Display All Users" to see all accounts. Change admin usernames still named "admin" to something unique. Hackers target the admin username because it's often unchanged. A unique username makes brute force attacks significantly harder.
Go to User Login > Login Lockdown and enable this feature. Set a maximum of 3 login attempts in 5 minutes per IP address. Once that is exceeded, the IP is blocked for 60 minutes. This effectively stops brute force attacks without hindering legitimate users.
Activate Firewall > Basic Firewall Rules. This adds protective rules to your .htaccess file. The plugin automatically makes a backup of your original .htaccess. If something goes wrong, you can restore the backup with one click. This caution prevents beginners from taking their site offline.
User account security
All In One WP Security has extensive features for securing user accounts. It detects and blocks common security risks like weak passwords, default usernames, and accounts with excessive privileges.
Username and password protection
The plugin automatically scans for accounts with the username "admin". This is the username hackers target most. All In One lets you change this username to something unique directly from the interface. The plugin automatically updates all database references – you don't need to write manual SQL queries.
Password strength enforcement sets a minimum password quality. You can require that all users use strong passwords according to WordPress' built-in strength meter. Weak passwords are rejected at account creation or password change.
The plugin can also ban specific usernames. Think of "admin", "administrator", "test", and other predictable names. When someone tries to register such a username, registration is blocked. This prevents hackers from creating accounts with obvious names.
Block user enumeration
User enumeration is a reconnaissance technique where hackers try to discover valid usernames. By visiting URLs like yoursite.com/?author=1, they can see author usernames. With known usernames, hackers only need to guess passwords.
All In One blocks these enumeration attempts. Requests to ?author= URLs are blocked or redirected. The plugin also blocks REST API endpoints that leak user information. This significantly reduces the attack surface.
This feature has minimal impact on legitimate functionality. Author archives can still work if you want by configuring whitelists. For most sites, complete enumeration blocking is the safest option without downsides.
Login security and brute force protection
Brute force attacks on the login page are the most common WordPress security threat. All In One WP Security offers multiple defense layers: login lockdown, login CAPTCHA, login honeypot, and custom login URL.
Login lockdown mechanism
Login Lockdown counts wrong login attempts per IP address and per username. You can set different thresholds. For example: 3 wrong attempts for an existing username bans the IP for 60 minutes. 10 attempts for non-existent usernames bans for 24 hours.
This tiered approach is more effective than a flat limit. Hackers often first check whether a username exists before guessing passwords. By punishing attempts on non-existent usernames more severely, you block reconnaissance.
The lockdown overview shows all banned IPs with the timestamp and the username they tried. You can manually unblock IPs if a legitimate user is accidentally locked out. You can also whitelist IP ranges (for example your office network) so they never get locked out.
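The tiered lockdown described above, modelled as an added example (not the plugin's code): failures are counted per IP and separately for existing versus non-existent usernames, whitelisted CIDR ranges are never banned, and the lockdown overview records each ban. The thresholds follow the numbers in the text; the clock is injectable so the model can be exercised offline.

```python
from dataclasses import dataclass
import ipaddress
import time


@dataclass
class LockdownPolicy:
    """Thresholds from the text: 3 failures on a real username -> 60 min ban,
    10 failures on non-existent usernames -> 24 h ban, counted in a 5-minute window."""
    max_existing: int = 3
    ban_existing_s: int = 60 * 60
    max_unknown: int = 10
    ban_unknown_s: int = 24 * 60 * 60
    window_s: int = 5 * 60
    whitelist: tuple = ()          # CIDR ranges (e.g. an office network) never locked out


class LoginLockdown:
    def __init__(self, policy, known_users, now=time.time):
        self.policy = policy
        self.known_users = set(known_users)
        self.now = now                          # injectable clock for testing
        self.networks = [ipaddress.ip_network(c) for c in policy.whitelist]
        self.failures = {}                      # (ip, kind) -> failure timestamps
        self.locked = {}                        # ip -> (locked_until, username_tried)
        self.overview = []                      # the "lockdown overview" entries

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def is_locked(self, ip):
        entry = self.locked.get(ip)
        if entry and entry[0] > self.now():
            return True
        self.locked.pop(ip, None)               # ban expired: forget it
        return False

    def record_failure(self, ip, username):
        """Register one wrong login. Returns True when this attempt triggered a ban."""
        if self._whitelisted(ip):
            return False
        if username in self.known_users:        # real account: strict threshold
            kind, limit, ban = "existing", self.policy.max_existing, self.policy.ban_existing_s
        else:                                   # username probing: tolerant count, long ban
            kind, limit, ban = "unknown", self.policy.max_unknown, self.policy.ban_unknown_s
        t = self.now()
        recent = [h for h in self.failures.get((ip, kind), []) if t - h < self.policy.window_s]
        recent.append(t)
        self.failures[(ip, kind)] = recent
        if len(recent) < limit:
            return False
        self.locked[ip] = (t + ban, username)
        self.overview.append({"ip": ip, "username": username, "at": t, "until": t + ban})
        del self.failures[(ip, kind)]
        return True

    def unlock(self, ip):
        """Manual unblock, as from the lockdown overview page."""
        self.locked.pop(ip, None)
```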
CAPTCHA implementation
All In One integrates Google reCAPTCHA v2 and v3. ReCAPTCHA v2 shows a checkbox "I'm not a robot" on your login form. Bots can't solve this and are blocked. ReCAPTCHA v3 runs invisibly in the background and scores users on suspicious behavior.
You can add CAPTCHA to WordPress login, registration, lost password, and comment forms. For custom login pages or third-party login plugins, you may need to manually add CAPTCHA shortcodes.
CAPTCHA significantly increases security but adds friction for users. Some visitors find CAPTCHAs annoying. v3 causes less friction than v2 but is sometimes less accurate. You must balance security against user experience.
Login honeypot
A honeypot is an anti-bot technique that adds a hidden field to your login form. This field is invisible to people, but bots fill it in automatically. If the honeypot field is filled, All In One refuses the login and marks the request as a bot.
This technique has zero impact on legitimate users because they never see the field. It does, however, effectively block simple bots. Advanced bots using JavaScript might detect honeypots, but most automated scanners fall for it.
Honeypot is an excellent addition to CAPTCHA. You can use both simultaneously: honeypot catches simple bots, CAPTCHA catches advanced bots. This layered defense is more effective than one technique alone.
Custom login URL (WordPress rename)
All In One can change your login URL from /wp-admin and /wp-login.php to a custom slug like /mylogin. Hackers targeting default URLs get a 404 error. This is security through obscurity but does reduce automated attack volume.
Note: if you forget your custom login URL, you're locked out. All In One offers an emergency disable mechanism: you place a specific PHP file in your plugins directory via FTP. This file disables the rename feature so you can access /wp-admin again.
Custom login URL can cause compatibility issues with plugins having hardcoded /wp-admin links. Test thoroughly after activation. For sites with third-party login integrations (social login, SSO), this feature is often too risky.
Firewall protection
All In One WP Security contains a 6G firewall ruleset protecting against common web attacks. The firewall runs at Apache level via .htaccess rules. This means malicious traffic is blocked before WordPress loads, which is very efficient.
6G Blacklist firewall
The 6G firewall is developed by Perishable Press and is an industry-standard ruleset. It blocks known attack patterns in URLs, query strings, user agents, and request methods. Think of SQL injection attempts, directory traversal, remote file inclusion, and script injection.
All In One implements these rules via .htaccess modifications. The plugin first makes a backup of your current .htaccess so you can restore if problems arise. The firewall rules add a few kilobytes to your .htaccess file.
Because the firewall runs at Apache level, it uses no PHP resources. This makes it faster than firewall plugins running within WordPress like Wordfence. The trade-off is that .htaccess firewalls are less flexible – you can't do real-time dynamic blocking.
Additional firewall features
Internet Bot Protection blocks known bad bots. All In One maintains a list of user agents from scrapers, spam bots, and security scanners. These bots are automatically blocked. You can add custom bot patterns to the blacklist.
Prevent Image Hotlinking blocks external sites from embedding your images directly. This saves bandwidth and prevents others from stealing your content. You can whitelist specific domains (for example social media platforms you want to allow to show thumbnails).
Block Fake Googlebots detects bots that claim to be Googlebot but aren't. Some scrapers spoof the Googlebot user agent to gain access. All In One verifies whether the IP address actually belongs to Google via a reverse DNS lookup.
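The reverse DNS check above only works when it is forward-confirmed: the PTR name must be in a Google domain and that name must resolve back to the same IP, otherwise anyone who controls the reverse zone for their own address can claim to be a crawler. The following is an added example (not the plugin's code) that implements that check with injectable lookup functions and a constructed DNS fixture using documentation-range IPs, so it runs offline; `live_resolver` shows the real socket calls.

```python
import socket

# Google documents that genuine crawler PTR names end in one of these domains.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def claims_googlebot(user_agent):
    return "Googlebot" in user_agent


def is_genuine_googlebot(ip, reverse, forward):
    """Forward-confirmed reverse DNS: the PTR must be a Google hostname AND that
    hostname must resolve back to the same IP. `reverse`/`forward` are lookup callables."""
    try:
        host = reverse(ip)
    except OSError:                   # socket.herror/gaierror: no PTR record
        return False
    if not host.lower().rstrip(".").endswith(GOOGLE_SUFFIXES):
        return False                  # PTR points outside Google's domains
    try:
        addresses = forward(host)
    except OSError:                   # Google's zone has no such name: PTR was spoofed
        return False
    return ip in addresses


def should_block(ip, user_agent, reverse, forward):
    """Block only requests that claim to be Googlebot and fail verification."""
    return claims_googlebot(user_agent) and not is_genuine_googlebot(ip, reverse, forward)


def live_resolver():
    """Real DNS lookups via the socket module (not used by the offline demo)."""
    return (lambda ip: socket.gethostbyaddr(ip)[0],
            lambda host: socket.gethostbyname_ex(host)[2])


# Constructed DNS fixture so the example runs offline; documentation-range IPs, not Google's.
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",      # genuine: forward lookup agrees
    "198.51.100.20": "vps.example.net",                  # scraper sending a Googlebot UA
    "203.0.113.30": "crawl-203-0-113-30.googlebot.com",  # attacker-set PTR, unknown to Google
}
_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "vps.example.net": ["198.51.100.20"],
}


def fixture_resolver():
    def reverse(ip):
        if ip not in _PTR:
            raise socket.herror(1, "Unknown host")
        return _PTR[ip]

    def forward(host):
        if host not in _A:
            raise socket.gaierror(-2, "Name or service not known")
        return _A[host]

    return reverse, forward
```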
Database security
The WordPress database contains all your content, user data, and settings. All In One offers database protection via prefix changing, backup scheduling, and security scanning.
Change database prefix
By default, WordPress uses "wp_" as table prefix (for example wp_posts, wp_users). Hackers know this standard and can write targeted SQL injection attacks. By changing your prefix to something unique (for example xyz_), you make these attacks ineffective.
All In One can automatically change your database prefix. The plugin updates all table names and all references in your database. This is a complex process – doing it manually is error-prone. The plugin first makes a backup so you can restore if something goes wrong.
Note: this change is not reversible without restoring a backup. After the change, test thoroughly that all functionality works. Some plugins hardcode wp_ and can break. For most sites it works without issues, but it's an advanced feature.
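What "updates all references" means in practice: besides the table names, WordPress stores the prefix inside data, namely the `user_roles` option and the `capabilities` and `user_level` usermeta keys, and if those keep the old prefix every user loses their role after the change. The following is an added example (not the plugin's code) that performs the rename in one transaction and fixes those keys; it assumes SQLite as a stand-in for MySQL and a constructed minimal schema with the default wp_ prefix.

```python
import sqlite3

# Option and usermeta keys that embed the table prefix. Renaming the tables alone
# is not enough: if these keep the old prefix, every user loses their role.
PREFIXED_OPTION_KEYS = ("user_roles",)
PREFIXED_USERMETA_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def change_prefix(conn, old, new):
    """Rename every table starting with `old` to start with `new` and update the
    prefixed option/usermeta keys, all in one transaction. Returns tables renamed."""
    # Filter in Python: '_' is a LIKE wildcard, so LIKE 'wp_%' would over-match.
    tables = [t for t in table_names(conn) if t.startswith(old)]
    if not tables:
        raise ValueError(f"no tables with prefix {old!r}")
    conn.isolation_level = None          # manual transaction so the DDL is covered too
    conn.execute("BEGIN")
    try:
        for t in tables:
            conn.execute(f'ALTER TABLE "{t}" RENAME TO "{new + t[len(old):]}"')
        for key in PREFIXED_OPTION_KEYS:
            conn.execute(f'UPDATE "{new}options" SET option_name = ? WHERE option_name = ?',
                         (new + key, old + key))
        for key in PREFIXED_USERMETA_KEYS:
            conn.execute(f'UPDATE "{new}usermeta" SET meta_key = ? WHERE meta_key = ?',
                         (new + key, old + key))
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")         # partial rename would leave the site broken
        raise
    return len(tables)


def capabilities_of(conn, prefix, user_id):
    """The serialized role map WordPress reads for a user, or None if the key is missing."""
    row = conn.execute(f'SELECT meta_value FROM "{prefix}usermeta" WHERE user_id = ? AND meta_key = ?',
                       (user_id, prefix + "capabilities")).fetchone()
    return row[0] if row else None


def build_sample_db():
    """Constructed minimal WordPress schema with the default wp_ prefix (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_options  (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts    (ID INTEGER, post_title TEXT);
        INSERT INTO wp_options  VALUES ('siteurl', 'https://example.com');
        INSERT INTO wp_options  VALUES ('wp_user_roles', 'a:1:{s:13:"administrator";a:0:{}}');
        INSERT INTO wp_users    VALUES (1, 'siteowner');
        INSERT INTO wp_usermeta VALUES (1, 'nickname', 'siteowner');
        INSERT INTO wp_usermeta VALUES (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (1, 'wp_user_level', '10');
    """)
    return conn
```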
Database backup scheduling
All In One has built-in scheduled database backups. You can set daily, weekly, or monthly backups. Backups are stored on your server or can be sent via email.
The plugin only backs up your database, not your files. For complete site backups, you need a dedicated backup plugin like UpdraftPlus. Your database, however, holds your most important data: content and users.
Backup retention is configurable. By default, All In One keeps the last 10 backups. Old backups are automatically deleted. For large databases, 10 backups can use lots of disk space. Monitor your disk usage if you keep many backups.
Filesystem security
Filesystem security prevents hackers from modifying or executing your WordPress files. All In One offers file permission fixes, PHP file editing protection, and upload protection.
File permissions hardening
Wrong file permissions are a common security issue. Directories with 777 permissions give everyone (including hackers) write permissions. All In One scans your file permissions and can automatically fix them to safe values.
Safe permissions are: 644 for files (owner read/write, group/world read only) and 755 for directories (owner read/write/execute, group/world read/execute). For wp-config.php, All In One advises 640 or even more restrictive.
The plugin shows an overview of files with unsafe permissions. You can decide per file if you want to fix the permission. For shared hosting, some permissions are requirements – check with your host before automatically fixing everything.
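An audit of the kind the plugin performs, as an added example (not the plugin's code): it walks a WordPress tree, reports every entry whose mode grants more than 644 (files), 755 (directories) or 640 (wp-config.php), flags world-writable ones, and can apply the recommended modes. `build_sample_tree` creates a constructed tree with deliberately wrong modes in a temporary directory so the audit can be run without a real site.

```python
import os
import stat
import tempfile

SAFE_FILE_MODE = 0o644     # owner rw, group/world r
SAFE_DIR_MODE = 0o755      # owner rwx, group/world rx
SAFE_CONFIG_MODE = 0o640   # wp-config.php: no world access at all


def expected_mode(path, is_dir):
    if is_dir:
        return SAFE_DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return SAFE_CONFIG_MODE
    return SAFE_FILE_MODE


def audit_permissions(root):
    """Walk a WordPress tree and report entries granting more than the safe mode.
    Stricter-than-safe modes are not reported; symlinks are skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            want = expected_mode(path, is_dir)
            if mode & ~want:                       # any bit set beyond the safe mode
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(mode),
                    "recommended": oct(want),
                    "world_writable": bool(mode & stat.S_IWOTH),
                })
    return findings


def fix_permissions(root, findings):
    """Apply the recommended mode to each finding (what a one-click fix does)."""
    for f in findings:
        os.chmod(os.path.join(root, f["path"]), int(f["recommended"], 8))


def build_sample_tree():
    """Constructed WordPress-like tree with deliberately wrong modes, for the demo."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                                    # world-writable: classic mistake
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o644), ("wp-settings.php", 0o666)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for finding in audit_permissions(sample):
        print(finding)
```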
Disable PHP file editing
WordPress has a built-in code editor letting you edit theme and plugin files from the admin. This is handy but also dangerous. If a hacker gets admin access, they can install backdoors via the editor.
All In One can disable the theme/plugin editor. This adds define('DISALLOW_FILE_EDIT', true) to your wp-config.php. Admins then can't edit code via WordPress. You must edit via FTP/SFTP, which is an extra barrier for hackers.
For developers who regularly edit code, this is inconvenient. For production sites where code changes go through deployment, disabling the editor is best practice. It also prevents accidental code changes that can break your site.
Prevent PHP execution in uploads
The wp-content/uploads directory contains user-uploaded files like images and PDFs. Sometimes hackers upload PHP backdoors disguised as images. If these files are executable, hackers can run them via URL requests.
All In One adds .htaccess rules to the uploads directory blocking PHP execution. Even if a hacker uploads a PHP file, it can't be executed. Requests to .php files in uploads give a 403 Forbidden error.
This feature has no impact on legitimate uploads. Images, PDFs, and other media types work normally. Only PHP execution is blocked. For sites legitimately needing PHP files in uploads (very rare), you must skip this feature.
Pros and cons
Pros:
Completely free without limitations: All In One has no premium version or upsells. All features are free and will always remain free. For budget-conscious users or agencies with many sites, this is invaluable. You get enterprise-level security without recurring costs.
Security meter gamification: The point system makes improving security engaging. The visual feedback motivates users to implement recommendations. It feels like a game where you try to get a high score. This works especially well for non-technical users.
Lightweight and no external dependencies: The plugin runs entirely locally without cloud services. No API key needed, no account registration, no external requests. This is privacy-friendly and makes the plugin less complex than cloud-dependent alternatives.
Comprehensive feature set: For a free plugin, the feature coverage is impressive. User security, login security, database security, filesystem security, and firewall in one package. You don't need to install five separate plugins.
6G firewall very effective: The 6G ruleset blocks a large percentage of automated attacks. Because it runs at .htaccess level, performance impact is minimal. This is more efficient than PHP-based firewalls loading with every request.
Active community support: The plugin has an active support forum on WordPress.org. Questions are answered fairly quickly by both developers and community members. Documentation is extensive with screenshots and tutorials.
Stable and mature codebase: Has existed since 2012 and is regularly updated. The plugin is thoroughly tested by millions of installations. Breaking changes are rare – updates are typically safe to install.
Cons:
Dated interface: The admin design feels old compared to modern plugins like Wordfence or iThemes Security. The UI is functional but not pretty. Layout is busy with many menu items. For visual-minded users, this is a turn-off.
No real-time threat intelligence: All In One has no crowd-sourced threat feed. It doesn't automatically block known malicious IPs. You're completely dependent on local lockout mechanisms. Cloud-connected plugins like Wordfence share threat data between all users.
No malware scanning: The plugin has no built-in malware scanner. It can detect file changes but doesn't analyze if these changes are malicious. For malware scanning, you need a separate plugin or service.
No two-factor authentication: 2FA is completely missing. For critical extra login security, you must install a separate 2FA plugin like WP 2FA or Google Authenticator. Competitors like iThemes Security Pro have built-in 2FA.
Limited analytics and logging: All In One shows basic lockout logs but no detailed traffic analysis or user behavior tracking. You see blocked login attempts but not all site requests like Wordfence's live traffic feature.
.htaccess firewall limitations: Apache .htaccess firewalls can't block all attack types. They have no access to POST data or database queries. For advanced attacks like SQL injection in form submissions, a PHP-level firewall is more effective.
Feature overload for beginners: There are so many options that beginners can get overwhelmed. Which features should you activate? The plugin gives recommendations but no guided setup wizard. You must figure out yourself what's safe to activate.
No post-hack cleanup: All In One is prevention, not remediation. If your site gets hacked, the plugin may detect this but doesn't help with cleanup. Services like Sucuri offer hands-on cleanup assistance.
Who is All In One WP Security suitable for?
All In One WP Security is perfect for site owners with budget constraints needing comprehensive security. The plugin offers 80% of what paid plugins do without costs. For hobby sites, personal blogs, and non-profit organizations, this is ideal.
Agencies managing many client sites benefit excellently from All In One. You can install it on all sites without per-site licensing costs. For an agency with 50 clients, this saves thousands of euros per year compared to paid alternatives.
Developers and technical users appreciate the granular control. Each feature can be fine-tuned without forced defaults. You have access to raw .htaccess rules and database settings for custom configurations. This is more flexible than opinionated plugins.
Sites on good hosting with modern PHP and regular backups do fine with All In One. The plugin is solid prevention. If you keep WordPress and plugins up-to-date and use strong passwords, All In One is sufficient protection.
Less suitable for
Non-technical beginners can get overwhelmed by the amount of options. There's no guided setup holding your hand. If you don't understand concepts like file permissions, .htaccess, and database prefixes, beginner-friendly alternatives like iThemes Security are more accessible.
Sites with compliance requirements (PCI-DSS, HIPAA) may want features All In One lacks: 2FA, detailed audit logging, centralized management. Paid enterprise solutions offer these compliance features with SLAs and support.
High-value targets like webshops with many transactions benefit from managed security services. All In One offers no DDoS protection, no CDN, no post-hack cleanup. For sites where downtime costs thousands of euros, Sucuri's managed approach is safer.
Sites already hacked benefit little from All In One. The plugin prevents attacks but doesn't clean infected sites. If you're infected, you first need cleanup (via Sucuri, MalCare, or manual cleanup) before preventive plugins are effective.
Alternatives to All In One WP Security
All In One WP Security is unique in its completely free feature set. Alternatives are either paid with more features, or free with limitations. The three biggest competitors are Wordfence, iThemes Security, and Sucuri.
Wordfence
Wordfence has a more powerful firewall with real-time threat intelligence. The plugin automatically blocks known malicious IPs and has built-in malware scanning. Wordfence free is already very complete. Premium (€119/year) adds real-time updates.
The disadvantage: more complex interface and higher server resource usage. Wordfence's endpoint firewall loads with every request. All In One's .htaccess firewall is lighter. For shared hosting with limited resources, Wordfence can slow your site.
Choose Wordfence if: You want real-time threat intelligence, need malware scanning, are technical, or server resources aren't an issue.
iThemes Security
iThemes is more beginner-friendly than All In One with modern interface and guided setup. The free version is basic. iThemes Security Pro (€99/year) adds 2FA, malware scanning, file monitoring, and password management.
iThemes is more user-friendly, but its essential features are paid. All In One gives more for free but is less polished. It's a trade-off between user experience and cost.
Choose iThemes Security if: You want paid security with modern design, need 2FA, aren't technical, or prefer guided setup over self-service.
Sucuri
Sucuri is a cloud-based security platform with firewall at DNS level. The big difference: post-hack cleanup services. If you get hacked, Sucuri cleans your site. Platform plan (€299/year) has unlimited cleanup.
Sucuri is more expensive but managed. All In One is self-service. For non-technical users wanting peace of mind, Sucuri's hands-on approach is valuable. For DIY users, All In One is sufficient.
Choose Sucuri if: You want post-hack cleanup, need DDoS protection, prefer cloud-based security, or want fully managed security without self-troubleshooting.
Frequently asked questions
Is All In One WP Security really completely free?
Yes, All In One WP Security & Firewall is 100% free without premium version, upsells, or feature limitations. All features are accessible without payment. There are no trial periods or freemium limitations. You can use it on unlimited sites without license costs. The developers maintain it as an open source project.
Does All In One WP Security slow down my website?
Performance impact is minimal because the firewall runs at .htaccess level. The firewall blocks requests before PHP loads, which is very efficient. For most sites, impact is less than 10-20ms. Shared hosting with limited resources might notice minimal slowdown during database backups. Test with GTmetrix before and after installation to measure impact for your site.
Can I use All In One WP Security together with Wordfence?
It's not recommended to run two firewall plugins simultaneously. All In One and Wordfence can conflict because both filter requests and modify .htaccess/wp-config.php. Choose one security suite. You can combine All In One with dedicated backup plugins, CDN services, or monitoring tools without conflicts.
Does All In One WP Security have two-factor authentication?
No, All In One doesn't contain built-in 2FA. For two-factor authentication, you must install a separate plugin like WP 2FA, Google Authenticator, or Duo Two-Factor Authentication. Competitors like iThemes Security Pro have built-in 2FA. This is one of the few important features All In One lacks.
What happens if I forget my custom login URL?
If you forget the custom login URL and you don't have a bookmark, you're locked out. All In One offers an emergency disable mechanism: via FTP/SFTP upload a specific PHP file to your plugins/all-in-one-wp-security-and-firewall directory. This file temporarily disables the rename login feature so you can log in via /wp-admin again. Instructions are in the plugin documentation. Therefore it's wise to document and bookmark your custom URL.