Review of All-in-One Security (AIOS): Pros and Cons

If you’re looking for an All-In-One Security review, you may be hoping to find out whether this WordPress security plugin is effective in protecting your website from threats such as hacking, malware, and other security vulnerabilities. You may also want to learn about its features and ease of use, as well as its compatibility with other WordPress plugins and themes. 

We’ve tested All-In-One Security on multiple sites, allowing us to assess its performance and compatibility across a range of configurations. Our review is unbiased and based on our knowledge as security experts. We aim to provide a comprehensive and trustworthy review. 

This in-depth review will provide valuable insights into these areas, helping you make an informed decision about whether All-In-One Security is the best security for WordPress.

TL;DR: The 3 majorly advertised features of All-In-One Security are: login protection, firewall, and content protection. Login protection? Doesn’t work too well and is prone to mistakes. Firewall? Not a good configuration. Content protection? Basically anti-spam features which are decent. All in all, this is nowhere close to a security plugin. MalCare is a vastly better alternative. It has a great scanner, one-click malware removal, and a powerful firewall.

Overview

All-In-One Security is not the comprehensive security plugin it claims to be. Instead, it is simply an anti-spam plugin with a few mediocre security features at best, and a few that are completely absent or non-functional. 

There is some good news though. The content protection feature helps to protect against spam. There is a two-factor authentication feature for extra security and you can limit logins which prevents unauthorized access. The lack of load on the site server and the absence of excessive alerts are a bonus.

Now, let’s talk about the bad. The free version of All-In-One Security does not include a malware scanner, so we were not able to test this feature. Therefore we cannot comment on its effectiveness. There is also no vulnerability detection, malware cleaner, or cleaning service. The firewall is heavily reliant on the .htaccess file, and seems to be limited to blocking certain categories of bad bots. The hardening features are decent, but nothing that you can’t get just as easily from a smaller plugin.

We only suggest installing All-In-One Security for the anti-spam features, although we prefer CleanTalk or even Akismet for this purpose. The plugin actually reminds us of iThemes in some ways. The multitude of settings on the wp-admin page appear to be attempting to hide the fact that the plugin is lacking in actual value. We do not recommend this plugin as a security plugin at all.

Critical security features and All-In-One Security

Every viable security plugin must have three non-negotiable features: malware scanning, firewall protection, and malware removal. Does All-In-One Security have these features? How well does All-In-One Security manage these features? 

Malware scanner

We weren’t able to test the malware scanning feature as it is a premium feature. However, according to their website, they utilize their own servers to scan for malware, which is a good practice to avoid overloading the site. So, this is excellent. 

Malware removal

Unfortunately, All-In-One Security does not provide a malware cleaning feature or any professional cleaning service. They do offer advice, but it is not very useful. So, if your WordPress site has been hacked, All-In-One Security is not going to be helpful at all.

Firewall

The firewall feature came with a surprise. 

All-In-One Security uses the 6G firewall by Perishable Press, and that’s a bit of a bummer. They rely heavily on the .htaccess file for operations and, while we love the power of the .htaccess file, it’s not designed to do the work of a real firewall. Plus, 6G only works on Apache servers, as it uses the .htaccess file, so it’s useless for sites on nginx servers. Not ideal!

All-In-One Security might have some firewall-esque features. You can blacklist IPs and user-agents from the dashboard, if you’re brave enough to try it out. 

The firewall can stop some bots (spam, brute force logins, and scrapers) and block access to certain files. It is a rudimentary type of bot protection that’s supposed to keep out fake googlebots—which is great—but it also stops the actual Googlebot just as well. Sites have reported losing rankings because of the plugin. 

We haven’t experienced this issue firsthand though, and there is a chance that this could be misapplied geoblocking. We’re unsure. Geoblocking itself is a premium feature.

Secondary security features 

The critical security features weren’t up to par. What other security features does All-In-One Security have (or lack)?

Login protection

There are a bunch of settings for preventing brute force attacks on the user login screen. We tested it out by trying to brute force the login page with incorrect passwords and usernames, and it worked great. You can use the other settings to tweak your preferences, but on the whole this feature is one of the better versions we have seen for limiting logins.

There is also a separate set of toggles specifically for brute force prevention, one of which is changing the login URL. This is a hardening measure, and a particularly egregious one, that is masquerading as brute force prevention. 

Plus, there is also a honeypot option, which will be visible only to bots. You can enable this to automatically reject registrations that fall into the honeypot trap. This feature is to prevent spam registrations.

Vulnerability detection

Looks like All-In-One Security is missing out on vulnerability detection altogether. Most security plugins have this feature bundled in with their malware scanner, so we assumed it would be in the premium version. But, after doing a lot of checks, it doesn’t appear to be there either.

Two-factor authentication

All-In-One Security allows you to set up two-factor authentication (2FA) for all types of users or just the ones you feel are most important to secure.

This toggle adds 2FA as an option in the user profile, and users can choose from a variety of authentication mechanisms. All in all, All-In-One Security 2FA is a pretty comprehensive feature.

Activity log

The plugin has a login log feature, but it’s not the greatest. Overall, it feels a little half-baked. It is not a replacement for an activity log.

Hardening features

Hardening measures are never as effective as one may think, no matter how many WordPress security articles talk about them. 

Installing and configuring All-In-One Security

Have we seen any success with the implementation of security features yet? Not really. But, in terms of usability, how simple is the installation and configuration process?

Installation

Installation and activation were a breeze, but configuring our security was a whole other story. Since we already had MalCare installed on our test sites, we couldn’t just switch over to All-In-One Security Firewall. We had to go into the .htaccess file and replace the MalCare firewall with All-In-One Security. That meant we had to be able to list hidden files in the terminal to make the edit. 

Interestingly, this worked only because our sites are on Apache servers. Wonder what would have happened on nginx servers. 

There is a security score for our site on the dashboard. At first glance, it was a bit disheartening. The dial on the plugin says we should have 505 security points, but our site has 0. We like the scoring system, so we started building up our security though by activating the basic security features in the settings menu. However, these settings were by and large quite useless, so the scoring system gives you a false sense of security.

Ease of use

Setting up the dashboard was pretty easy, though it took a while to go through all the options. Most of them didn’t really have a meaningful impact on our security. The biggest issue we ran into with All-In-One Security was that it was too easy to lock ourselves out of our site by turning on the wrong settings.

Even changing the login URL (which isn’t recommended at all) wasn’t as effective. The plugin only helps in changing the URL slug. You actually have to make changes to other parts of the code too for it to function properly.

Notifications and alerts

There are enough alerts for important things like locked out users and so on. Plus, you can customize which notifications you want to receive.

Other factors to consider

Apart from the security features, what else should you take into account when considering All-In-One Security? Well, you’ll want to check out the impact the plugin has on your server, and how responsive the support team is when you need help.

Impact on site performance

We gave the free version of All-In-One Security a try and it didn’t work well. It doesn’t have its own scanner, so it’s a pretty lightweight plugin and didn’t affect our site’s performance.

Help and support

The All-In-One Security team is really active on the WordPress forum. They answer every query that comes their way. Unfortunately, there doesn’t seem to be any other way to contact them for support.

Pricing

For $70 a year for two sites, All-In-One Security isn’t a bad deal at first glance. But keep in mind you don’t get any cleanups, and malware removal will be an added cost. We can’t tell how effective the scanner is either.

Top alternatives to All-In-One Security

Is All-In-One Security the best security plugin? No. So, what are your best options?

• MalCare: MalCare is the best alternative. It has a great scanner and firewall, and won’t have any effect on your server. It’s also easy to remove malware and provides a comprehensive security solution for your site.
• Wordfence: The free version of Wordfence provides formidable security features such as a scanner and firewall, with the latter being consistently updated. However, if any harmful material is detected, upgrading to a pricier plan will be necessary to eliminate it.
  You can also read our comparison between Wordfence and All-in-one WP security.
• Sucuri: Sucuri is a great option for thorough malware elimination. With all of their paid plans, users get access to unlimited malware removal services. However, one downside is that the scanner isn’t great, so it’s crucial to be vigilant of any potential malware problems before utilizing the removal feature.

How to choose a security plugin for WordPress?

With so many WordPress security plugins available on the market, it can be overwhelming to navigate through all the reviews and comparisons, especially with all the jargon that comes with them. However, choosing the right security plugin is crucial to protect your website from potential threats and keep it running smoothly. In this section, we’ll break down the top features and factors to consider when making your choice, making it easier for you to pick the best security plugin for your WordPress website.

Final thoughts

All-In-One WordPress Security is a plugin that provides some good features like anti-spam and two-factor authentication. However, it does not include critical security features like a malware scanner, malware removal or a firewall. Therefore, we recommend investing in a more comprehensive security plugin like MalCare to ensure your website is adequately protected.

FAQs

What is All-In-One WP Security’s firewall settings?

All-In-One WordPress Security utilizes the 6G Firewall by Perishable Press, which is dependent on the .htaccess and therefore only works on Apache servers. The firewall is effective in stopping malicious bots, but can also stop googlebot sometimes. It also allows users to blacklist IPs and user agents from the dashboard.