All-In-One Security WordPress Plugin Features

AIOS really is the ‘All-In-One Security’ plugin for WordPress. It does everything you need it to, straight out of the box.

What does All-In-One Security for WordPress do?

Included in both Free and Premium:


Protect against brute-force attacks and keep bots at bay. AIOS takes WordPress’ default login security features to a whole new level.

Supports best practice

AIOS detects if an account has the default ‘admin’ username or if a user has identical login and display names, prompting the user to change this in support of better security practices.

Block Bots

Hide login page from bots

Configure a custom URL for the WordPress ‘Admin’ login page, making it harder for bots to find.

Change WP Prefix

Change default WP database prefix to a value of your choice

Hackers use automated code to attack websites like yours. Make life harder for them and protect your site with this simple but effective AIOS security feature.

Login lockout

External users making multiple login attempts can be locked out for a configured period of time. You can also lock out users with invalid usernames. See a list of all locked-out users and unlock them with one click.


AIOS provides a wealth of information about users of your WordPress website. View activity by username, IP address, login and logout dates and times. See a list of users currently logged in, and a list of all failed login attempts.

Force logouts

Ensure users don’t stay logged in indefinitely. With AIOS you can force logouts for all users after a configurable amount of time.

Google reCAPTCHA


Add Google reCAPTCHA, plain maths CAPTCHA or a honeypot to registration pages to prevent spam registration, or enable manual approval of user accounts instead.

CAPTCHA alternative

Verify your visitors "invisibly" with Cloudflare's Turnstile alternative to CAPTCHA, a more privacy-respecting option.

Simple two-factor authentication

Our unique role-based feature allows site owners to turn off TFA for some user roles or make it compulsory for others. AIOS TFA supports Google Authenticator, Microsoft Authenticator, Authy and many more.

Password strength tool

Calculates how long it would take for your password to be cracked in the event of a brute force attack.

General visitor lockout

Put your site into “maintenance mode” and lock down the front-end to all visitors. This can be useful while doing back end tasks, like performing site upgrades or investigating security threats.

Stops user enumeration

Prevent external users and bots from fetching user information via author permalink.


A Web Application Firewall (WAF) is your website's first line of defence, protecting your site by monitoring traffic and blocking malicious requests. Activate firewall settings ranging from basic through intermediate to advanced. Get comprehensive and instant protection with All-In-One Security.

Automatic protection from the Latest Threats

Our team maintains a list of known exploits, actively building protections against them which are then released as new firewall rules to free and paying customers.

.htaccess file protection

Web servers process the .htaccess file before anything else on your site. AIOS firewall adds rules to your .htaccess file to deny access to both itself and your wp-config.php file, limit file upload size and disable the server signature.

6G blacklist

AIOS incorporates ‘6G Blacklist’ firewall rules, protecting your site against a known list of malicious URL requests, bots, spam referrers and other attacks (courtesy of Perishable Press).

Block bots stealing content

Protect against fake Google bots

Bots presenting as Google crawlers can steal your content and litter your webpage with comment spam. Protect against it with AIOS Firewall.

Blacklist and whitelist functionality

Ban users by IP address, IP address range or by specifying user agents. Add important IP addresses to the whitelist so that firewall rules aren't run on their requests.

Prevent DDOS attacks

Prevent malicious users from performing DDOS attacks through a known vulnerability in WordPress XML-RPC pingback functionality.

Prevent image hotlinking

Protect server bandwidth and your website’s content by preventing other sites from using your imagery via hotlinking.

Cross-Site Scripting (XSS) Protection

AIOS prevents attackers from injecting malicious script into your website via a special cookie.

File Change Detection

Our scanners alert you to file changes in your WordPress system, so you can see if a change is legitimate or suspicious, and investigate as appropriate.

Disable PHP file editing

Protect your PHP code by disabling the ability to edit files in the WordPress administration area.

User Permission settings

Permission setting alerts

Identify files or folders where the permission settings are not secure and correct them with one click.

Ability to create custom rules

Advanced users can add custom rules to block access to various resources on your site.

Access prevention

Prevent external users from accessing the readme.html, license.txt and wp-config-sample.php files of your WordPress site.

Blocks POST requests with blank user-agents and referers

Many brute force login hacking scripts send login attempts and comment spam attempts using a blank user-agent header. This means they don’t specify which browser they're using. They often also use blank referer headers, which means they don’t specify which URL they arrived from. This feature blocks POST requests from these suspicious sources.
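
As an added illustration (not AIOS code), the same check can be run over web server access logs to see which clients such a rule would affect before it is switched on. The log lines are constructed samples in combined log format, and flagging a request only when both headers are blank is an assumption about how the rule is applied.

```python
import re
from collections import Counter

# Combined log format: ip - user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "" ""
198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.21 - - [10/Mar/2024:10:00:09 +0000] "GET /feed/ HTTP/1.1" 200 812 "-" "-"
192.0.2.44 - - [10/Mar/2024:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
"""

def is_blank(value):
    # Apache and nginx log a missing header as "-"; some setups log an empty string.
    return value.strip() in ("", "-")

def flag_blank_header_posts(log_text):
    """Return (ip, path) for every POST whose User-Agent and Referer are both blank."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if m["method"] == "POST" and is_blank(m["agent"]) and is_blank(m["referer"]):
            hits.append((m["ip"], m["path"]))
    return hits

def hits_per_ip(log_text):
    """Count flagged POSTs per client IP, to show who the rule would affect."""
    return Counter(ip for ip, _ in flag_blank_header_posts(log_text))

if __name__ == "__main__":
    for ip, count in hits_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} POST request(s) with blank User-Agent and Referer")
```

The GET with blank headers and the POST that sends a user-agent are left alone, which shows how narrow the rule is: it only catches clients that omit both headers on a POST.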


Eliminate spam and protect your WordPress content and your search engine rankings with these important security features from All-In-One Security.

Comment SPAM prevention

Webpages littered with spam comments damage your brand, affect the user experience and impact SEO. AIOS stops SPAM at the source by preventing comments that originate from other domains. AIOS automatically and permanently blocks spammers’ IP addresses. Site owners can use reCAPTCHA to reduce comment spam and block malicious users with just one click.

iFrame protection

Preventing other websites from reproducing your content via an ‘iFrame’ is an important feature that protects your intellectual property and your website visitors.

Front End copyright protection

Copyright protection

Stop users from stealing your content by disabling the right-click, select and copy text function.

Disable RSS and Atom Feeds

RSS and Atom Feeds can be used by bots to ‘scrape’ your website content and present it as their own. This feature prevents that by disabling RSS and Atom Feeds on your website.

What are the additional benefits of Premium?

Get Malware scanning, Flexible Two-Factor Authentication, Smart 404 Blocking, Country Blocking, Premium Support and extra peace of mind with AIOS Premium.


Finding out by accident that your site has been infected with malware is too late. Malware can have a dramatic effect on your site’s search rankings and you may not even know about it. It can slow your WordPress site down, access customer data, send unsolicited emails, change your content or prevent users from accessing it.

Automatic malware scanning:

Best-in-class scanning for the latest malware, trojans and spyware.

Alert you to blacklisting by search engines:

Search engines can very quickly blacklist a site hacked with malicious code. AIOS Premium monitors your site's status and alerts you if you've been blacklisted.

Notification if something is amiss:

We’ll notify you of any issues so you can take action, before it’s too late.

Response time monitoring:

You’ll know if a website's response time is negatively affected.

Up-time monitoring:

AIOS checks website uptime every 5 minutes! We’ll notify you straight away if your site/server goes down.

Flexible assignment:

Register and remove WordPress sites from the scanning service at any time.


Reports are available via the ‘My Account’ page and directly via email.

Support team:

If issues are detected, our dedicated team is here to help.


With Two-Factor Authentication (TFA), users enter their username and password and a one-time code sent to a device to log in. TFA is a feature in both our free and premium packages, but AIOS Premium affords whole new levels of control over how TFA is implemented.

Role specific configuration:

Make TFA compulsory for certain roles, e.g. for admin and editor roles.

Require TFA after set time period:

For example, you could require all admins to have TFA once their accounts are a week old.

Trusted Devices - Control how often TFA is required:

Ask for TFA after a chosen number of days for trusted devices instead of on every login.

Anti-bot Protection:

Option to hide the existence of forms on WooCommerce login pages unless JavaScript is active.

Customise design layout:

Customise the design of TFA so that it aligns with your existing web design.

Emergency Codes:

Generate a one-time use emergency code to allow access if your device is lost.

Multisite Compatible:

Compatible with WordPress multisite networks and sub-sites.

Support for login forms:

Support for WooCommerce and Affiliates-WP, Elementor Pro, bbPress and all third-party login forms without any further coding needed. Also compatible with ‘Theme my Login’.

Authenticator apps:

AIOS supports TOTP and HOTP protocols. It can be used with Google and Microsoft Authenticator, Authy and many more.


404 errors can occur when someone legitimately mistypes a URL, but they’re also generated by hackers searching for weaknesses in your site.

Block bots producing 404s:

AIOS Premium provides more protection than the competition by automatically and permanently blocking IP addresses of bots and hackers based on how many 404 errors they generate.


Handy charts keep you informed of how many 404s have occurred and which IP address or country is producing them.


Most malicious attacks come from a handful of countries and so it’s possible to prevent most attacks with our country blocking tool.

Block traffic based on country of origin:

AIOS Premium utilises an IP database that promises 99.5% accuracy.

Block traffic to specific pages:

Block access to your whole WordPress site or on a page-by-page basis.

Whitelist some users from blocked countries:

Whitelist IP addresses or IP ranges even if they are part of a blocked country.


Premium Support for Premium Customers

Unlimited support

Personalised, email support from our team of Security experts, as and when you need it.

Guaranteed response time

We offer a guaranteed response time of three days. 99% of AIOS Premium customers receive a response to their enquiry within 24 hours.


You don’t need to be a security expert to use the All-In-One Security plugin for WordPress. Get peace of mind. Get AIOS.