Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts
AIOS is an all-in-one security plugin. It can protect your website with a web application firewall, IP blocking, two-factor authentication, a malware scanner, and much more.
Have you used "All-In-One Security" before? Add Your Review to help the community.


  • All-in-one security plugin
  • Two-factor authentication
  • Automated malware scanner
  • Web Application Firewall (WAF)
  • Login screen protection
  • CAPTCHA generator
  • Protection against content theft

WPBeginner users can get started from $84 per year!

Visit All-In-One Security

(this discount will be applied automatically)

All-In-One Security Review: Is It the Right Security Plugin for You?

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you looking for an All-In-One Security (AIOS) review, to help you decide whether it’s the right security plugin for you?

AIOS is an all-in-one solution that can protect your site against brute force attacks, malware, cross site scripting (XSS) and other common security threats. It comes with a built-in firewall and IP blocking, so it promises to stop hackers from even reaching your site.

In this All-In-One Security (AIOS) review, we’ll take a closer look at this popular security plugin, to see whether it’s right for your WordPress website.

AIOS review: Is it the right security plugin for your WordPress website?

All-In-One Security Review: Why Use It in WordPress?

All-In-One Security (AIOS) is a popular security auditing, monitoring, and firewall plugin. It can protect your site against a wide range of security threats including brute force attacks, malware, and content theft.

In particular, its firewall can filter out suspicious traffic before it even has a chance to reach your website. If hackers do get around the firewall, then it has a ton of features that can protect your dashboard including changing the login URL and database prefix, and requiring two-factor authentication (2FA).

The All-In-One Security dashboard

If a malicious third-party does gain access to your dashboard, then AIOS records everything that happens across your WordPress blog. This helps you spot suspicious behavior quickly, so you can take steps to protect your site.

If you’re just getting started or have a limited budget, then you can download the lite version of AIOS from the official WordPress repository.

The free All-In-One Security (AIOS) WordPress plugin

This free plugin has essential features that can combat comment spam and secure your dashboard with two-factor authentication. It also creates a detailed audit log and notifies you about suspicious behavior.

AIOS can even protect your site from content thieves by disabling RSS and Atom feeds, and preventing users from right-clicking on your site.

However, the premium plugin comes with additional features including a security scanner, the option to block traffic based on country of origin, and more.

All-In-One Security Review: Is It the Right Security Plugin for You?

WordPress security is an important topic for all website owners. Even if you’re just getting started or don’t get much traffic, a lot of attacks are performed using bots and automated scripts. This means that every website, blog, and online store is a potential target.

With that said, let’s see if AIOS is the right security plugin for your WordPress website.

1. Protect Against Brute Force Attacks

AIOS can help defend your site against brute force attacks by automatically blocking an IP address following a certain number of failed login attempts. In the plugin’s settings, you can set the maximum number of login attempts before the user gets locked out of their account, change the lockout period, and more.

How to limit login attempts in WordPress

Sometimes, bots will generate lots of 404 errors as they search your site for security weaknesses. With that said, AIOS can monitor your site and automatically block IP addresses that are generating an unusual number of 404 errors.

Finally, AIOS can block traffic based on country of origin. If you do enable this feature, then you can whitelist specific IP addresses or IP ranges in the plugin’s settings, even if they’re part of a blocked country.

2. Activate Two-Factor Authentication (2FA)

AIOS allows you to add two-factor authentication to WordPress using tools such as Google Authenticator, Microsoft Authenticator, and Authy.

This two-factor authentication is compatible with WooCommerce, so you can even add it to your online marketplace.

How to add two-factor authentication (2FA) to WordPress

You can limit this feature to specific roles, or even make two-factor authentication compulsory for certain user roles. For example, you might enforce two-factor authentication for everyone with an admin or editor role.

You can also ask new users to activate two-factor protection after a certain period of time, such as once they’ve had an account for 1 week.

For more on this topic, please see our guide on how to securely manage passwords.

3. Malware Scanner

Malware can have a big impact on the visitor experience and your SEO. In the worst case scenario, search engines such as Google may even blacklist your site if it contains malware.

With that said, you’ll be happy to learn that AIOS comes with a malware scanner. This tool will notify you about any suspicious code it discovers on your website.

In addition, AIOS will monitor your site’s status with the search engines. Typically, if you get blacklisted then there’s a serious problem with your WordPress security, so AIOS will notify you about it straight away.

4. Protect Against Comment Spam

Spam comments can hurt the user experience, and may even damage your WordPress SEO.

With that said, AIOS can block comments that originate from other domains. Depending on your settings, AIOS can even trash and delete these comments, so you never see them.

How to block comment spam on your WordPress website, blog, or online store

AIOS will also automatically block IP addresses that are linked to known spammers.

5. Automated Security Scanner

AIOS comes with a built-in security scanner that will check your site for file changes, and notify you if it finds anything suspicious. You can perform this scan manually, or set it to run automatically based on a schedule set by you.

How to scan your website for security threats automatically

6. Web Application Firewall (WAF)

A firewall can protect your site against hacking, brute force and distributed denial of service (DDoS) attacks. The good news is that AIOS comes with a built-in Web Application Firewall (WAF).

It uses ‘6G Blacklist’ firewall rules, which protect your site against known malicious URL requests, bots, spam referrers and other attacks. AIOS can even protect your site against bots that pretend to be Google crawlers.

New security threats are being discovered all the time. With that said, the AIOS team maintains a list of known exploits and releases them as new firewall rules, so you can be confident that your site is protected against the latest known security threats.

7. Change the Login URL

WordPress powers over 40% of websites, which makes it the most popular CMS platform. However, this popularity also makes it an attractive target for hackers. With that in mind, bots and automated scripts may try to break into your site using common login URLs such as wp-admin and wp-login.

With AIOS, you can choose a custom login URL instead. Immediately, this makes it more difficult for hackers to find your login page, and target it using brute force attacks.

8. Force Logouts

For added security, it’s a good idea to log users out automatically after a certain period of time. This is particularly important if these people might access the WordPress dashboard on shared computers, or you allow user registration on your WordPress website.

With AIOS, you can forcibly log out users based on a schedule set by you.

How to automatically block users

9. Approve Accounts Manually

Do you allow user registration on your WordPress website? For example, you might accept guest blogs or allow customers to create an account on your WooCommerce store.

Unfortunately, hackers and bots might try to create spam accounts on your site, so they can gain access to the dashboard or other members-only areas.

With AIOS you can mark new accounts as ‘pending’ until you manually approve them in the WordPress dashboard.

How to require admin approval for new users

For each account, AIOS displays the login name, registration date, email address, account status, and IP address, so you can make an informed decision about whether this is a legitimate new user, or a spam registration.

10. CAPTCHA Generator

Your site’s login and user registration pages are a prime target for hackers, spammers, and brute force attacks. With that said, AIOS helps you secure these pages by generating a CAPTCHA and then adding it to your various forms.

How to add a CAPTCHA to your WordPress blog or website

Even better, you have the option to use Cloudflare Turnstile, Google reCAPTCHA v2 or a plain maths CAPTCHA form.

11. Enable Honeypot

To help keep your site safe, AIOS comes with a honeypot feature. When activated, this honeypot adds a field that’s only visible to bots on your login and registration pages.

How to add a honeypot to your WordPress website

If this field contains a value when the form is submitted, then AIOS will redirect that user, rather than allowing them to log into your website.

12. Rename ‘Admin’ Accounts

When you install WordPress, it usually creates an account with the name ‘admin.’ Since so many WordPress sites have an ‘admin’ account, many hackers use this as a starting point for their brute force attacks.

If someone is using the ‘admin’ username on your site, then it’s best practice to change it. The good news is that AIOS can find every account that has an ‘admin’ username, and prompt the user to replace it with another name.

Change the 'admin' username in WordPress

For extra security, AIOS can also identify people who are using the same display name and username, and ask them to change their username.

13. Blacklist IP Addresses

Blocking an IP address from accessing your website is an effective way to deal with unwanted visitors, comment spam, email spam, hacking attempts, and DDoS attacks. That said, with AIOS you can quickly and easily ban specific IP addresses, IP ranges, and user agents.

How to blacklist IP addresses on your WordPress website, blog, or online marketplace

14. Protect Against Content Theft

Third parties may steal your content and either repost it without your permission, or sell it as a digital download.

To protect against this, AIOS can block other sites from displaying your content via an iframe. It can also disable right-click across your WordPress website, which makes it more difficult for people to steal your images.

Protecting your site against content theft and content scraping

Beyond images, bots might use RSS and Atom feeds to scrape your website’s content and present it as their own. Sometimes, they may even paste that content directly into another blog or website.

To guard against this, AIOS can disable RSS and Atom feeds for your WordPress website.

15. Disable Hotlinking

Some people may steal your images by loading them from your servers and then displaying them on third-party websites without your permission. This increases your server load and bandwidth usage, so it may even cost you money.

The good news is that AIOS prevents hotlinking, so you can protect your digital artwork and graphics against image theft, and save your server resources.

How to prevent third-parties from hotlinking your images

16. Password Strength Tool

Weak passwords make your site vulnerable to brute force attacks. To help your users create strong, secure passwords, AIOS comes with a built-in password strength checker.

How to test the strength of your WordPress password

This AIOS tool calculates how long it would take for someone to crack your password using a current model desktop PC with a high end processor, graphics card and appropriate password cracking software.

17. Disable User Enumeration

By default, people can look up the usernames of anyone who has published a WordPress page or post on your website, via the author permalink. This information can help hackers launch successful brute force attacks, since they only need the password to access a person’s account.

With AIOS you can disable user enumeration, and stop hackers from getting a list of valid usernames on your website.

18. Additional Salts

WordPress can remember login credentials by storing the user’s authentication details in cookies. However, this information can be compromised, especially if the person is using a public computer. That’s why WordPress uses security keys, or salt keys.

These cryptographic salt keys add extra information to the user’s login details, which provides another layer of security. AIOS adds 64 new characters to the standard WordPress salts and changes them weekly, which makes it even more difficult for hackers to steal the user’s login information.

How to improve your website's security

19. Disable XML-RPC

XML-RPC is a WordPress API that allows you to interact with your website using XML and HTTPS protocols. For example, you might want to manage your site using a mobile app or connect to automation services such as Uncanny Automator.

However, some WordPress security experts recommend disabling XML-RPC if you’re not actually using it. For more on this topic, please see our guide on how to disable XML-RPC in WordPress.

With that said, AIOS can completely block external access to XMLRP.

How to improve your WordPress security by disabling XML-RPC

Alternatively, if you’re using Jetpack or other plugins that need access to XML-RPC, then you can enable protection against WordPress pingback vulnerabilities instead.

20. Disable File Editors

WordPress comes with a built-in editor that allows you to edit your theme and plugin files directly in the WordPress dashboard. Although these editors are useful, hackers might use them to add malicious code to your website, or steal your data.

With that said, you can disable these editors in the AIOS settings.

21. Custom Database Prefix

AIOS can help you avoid automated attacks by changing your database prefix from ‘wp_’ to a random value. This will make it more difficult for hackers to find your database prefix and exploit vulnerabilities on your WordPress website.

Changing the WordPress database prefix

Often, this simple change is enough to protect against simple attacks, especially automated attacks. However, just be aware that hackers can still find your database prefix programmatically, so this won’t stop more determined hackers.

22. Permission Settings

The default WordPress permission settings are fairly secure. However, some WordPress plugins might change the permission settings of core WordPress folders and files, in a way that makes them less sure.

AIOS can identify any files or folders where the permission settings aren’t ideal. You can then correct these missing permissions with a single click.

How to quickly and easily change file permissions in WordPress

Beyond that, you can prevent external users from accessing your readme.html, license.txt and wp-config-sample.php files.

23. Detailed Audit Log

If a hacker does gain access to your site, then they may start changing your website’s code, installing new WordPress plugins, deleting content, and making other major changes. With that said, it’s a good idea to monitor exactly what’s happening on your site.

This is also important if you share the dashboard with other people. For example, if you run a multi-author WordPress blog then an activity log can help you identify any problems, figure out why they happened, and who caused them.

The good news is that AIOS has a detailed audit log that allows you to monitor changes and user activity, including the person’s username, their IP address, and the event’s date and time. For example, it will record every time a plugin or WordPress theme is installed, activated, deactivated, and updated.

You can then use this information to spot suspicious activity and secure your website.

Tracking user behavior in a security log

24. Response and Uptime Monitoring

If your site is running slow or experiencing downtime, then you’ll want to know about it as soon as possible.

The good news is that AIOS can your site every 5 minutes and notify you about any downtime or performance issues it discovers. For more on this topic, please see our guide on how to monitor your WordPress website server uptime.

25. Maintenance Mode

Sometimes, you may want to stop people from accessing your site. For example, you might put your site into maintenance mode while you’re making big changes such as switching your WordPress theme.

With AIOS, you can put your site into maintenance mode simply by clicking a slider. You can also create a custom message that AIOS will show to anyone who tries to access your site.

How to activate maintenance mode for your WordPress website, blog, or online store

26. Community and Professional Support

Although this plugin is easy to use, WordPress security is a huge topic. With that in mind, you may want some additional help to get the most out of this popular security plugin.

To start, there’s online documentation that you can access 24/7. Here, you’ll find detailed posts about the plugin’s features, including how to block IP addresses, set up country blocking, and disable RSS feeds.

There’s also the AIOS blog where they post about a range of security topics, and even share their security audit checklist.

AIOS' online documentation

Finally, if you buy the premium plugin then you’ll also get access to professional support. Simply submit a ticket and a member of the AIOS team will aim to respond within 24 hours.

For more on this topic, please see our guide on how to properly ask for WordPress support and get it.

All-In-One Security Review: Pricing and Plans

If you’re looking for a free security plugin, then you can download the lite version of AIOS. However, the premium plugin comes with an additional malware scanner, and more options for two-factor authentication.

The premium plugin also offers uptime and response time monitoring, and checks whether your site is blacklisted by the search engines.

Unlike some other security plugins, all the AIOS plans include the full set of features. However, the pricing does vary depending on the number of sites where you want to use AIOS.

  • Personal. For $84 per year, you can install AIOS on 2 websites.
  • Business. Priced at $114 annually, Business allows you to use AIOS on up to 10 websites. With that said, this plan is ideal if you run multiple business websites or blogs, such as a series of related affiliate marketing blogs.
  • Agency. For $174 per year, you can install AIOS on up to 35 websites. With that in mind, this plan is a good fit for smaller WordPress development agencies, freelance developers, or anyone else who manages a portfolio of client sites.
  • Unlimited. For $234 per year, you can use AIOS on as many websites as you want. This makes Unlimited ideal for large WordPress development agencies.

All-In-One Security Review: Is It the Right Security Plugin for You?

After looking at the features, support options, and pricing, we’re confident that AIOS is a great security plugin.

It offers a ton of features that can protect your site, including the option to change the WordPress login URL, rename any accounts using the insecure ‘admin’ name, and change the database prefix. With that done, you can enable two-factor authentication for added security.

AIOS can also automatically scan your site for malware and notify you about any suspicious code it discovers.

We hope this AIOS review helped you decide whether it’s the right security plugin for you. You can also check out our guide on how to increase your blog traffic, or see our expert pick of the best analytics solutions for WordPress users.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

WPBeginner users can get started from $84 per year!

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Reader Interactions

1 User ReviewAdd Your Review

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

Leave A Review

Thanks for choosing to leave a review. Please keep in mind that all reviews are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Your Rating: