All-In-One WordPress Security Settings for Instant Image Compatibility

[Update: I’m no longer using AIOWPS. I’m leaving this post mostly to remind myself to clear old plugin junk completely from the database.]

Everything is Figureoutable. Thanks, Marie Forleo, for three words that helped me keep slogging through the not-so-fun stuff.

This post explains how I got All-in-One WordPress Security, Instant Images, IFTTT, WordPress and Facebook to play together nicely. I’m creating a secure, functional website that lets me pull free images from Unsplash and share my blog posts on Facebook by simply hitting “Publish.” It will make more sense if you read yesterday’s post first.

I’ve been troubleshooting how to set up Instant Images and All-in-One WordPress Security. Instant Images was already working when I had Wordfence, but switching security plugins proved to be tricky. And it had to be done.

Why I Switched from Wordfence to All In One WordPress Security

I was testing out the All In One WordPress Security plugin (AIOWP) because of IFTTT. I’d been unable to connect WordPress to IFTTT with Wordfence activated, even though I’d selected “SKIPPED” for the XML-RPC thingy. (Who knew that Wordfence would continue affecting my site even though it was disabled? But it did. Keep reading.)

As I explained in yesterday’s post, my goal is to build a secure platform and set up automated systems to social media. I’m playing the long game, and don’t want a foundation built on sand.

Here’s what I learned through trial, error, and a whole lot of Google, while walking through the steps in this helpful post by Instant Images.

Inactive Plugins Affect Your Site

Part of the troubleshooting process with IFTTT (listed in detail here) involves looking at a phpinfo file. After following instructions here, here, and finally here, I was finally able to confirm “allow_url_fopen” was indeed “on”… but only after I deleted the inactive Wordfence and Wordfence Login plugins.

Turns out, leaving the Wordfence and Wordfence Login plugins in my directory, though they were inactive, prevented me from viewing the phpinfo file. I kept getting this error message:

403 Forbidden Error

Y’all, I should have thought of this sooner. My first site was hacked through an inactive plugin. Duh. I deleted the Wordfence plugins, confirmed the proper setting, and went on to the next steps.

IMPORTANT: I’m not saying Wordfence is bad. I’m sure this is a “me” problem. But after spending over 483 minutes trying to get Wordfence and IFTTT to play nicely, it was time for me to move on.

The Culprit: AIOWP Firewall Settings

I reset my file permissions per the checklist and increased my maximum upload size to 20 MB. But Instant Images continued to have the “Still resizing” endless loop. Fast forward through several hours of trying other stuff that didn’t work. This morning I remembered Instant Images worked with Wordfence, so I turned off the Firewall settings in AIOWP. Voila! Instant Images worked again!

By activating only one Firewall setting at a time and testing Instant Images each step along the way, here’s what I found:

Resetting file permissions for wp-config.php to 640 is fine.

Enabling Basic Firewall Settings is fine (select Disable Pingback Functionality From XMLRPC so IFTTT will work).

5G Firewall Protection is fine, but 6G Firewall Protection throws Instant Images into a tizzy. I’m guessing it’s because the list has gotten so long. (5G and 6G Firewall Protection are basically “blacklists” of known hacker attacks. These work sort of like the security guard at a gated community. With this Firewall Protection enabled, anyone with a rap sheet won’t even make it to your home site to go through the other layers of security you’ve set up.)

Prevent Image Hotlinking does not affect Instant Images, so enable it.

Enabling 404 IP Detection and Lockout does not affect Instant Images.
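
A quicker way to see which request a firewall rule is rejecting than toggling settings one at a time, as an added example (not from the original post or from any plugin's code): tally the 403 responses per request path in the web server's access log. It assumes combined-format access logs and that blocked requests are answered with 403, like the error above; the log lines, IP addresses and paths below are constructed.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (not from the author's site); all paths are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:09:14:01 +0000] "GET /wp-admin/upload.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:09:14:09 +0000] "POST /wp-json/example-plugin/resize?url=https://images.example/a.jpg HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:09:14:21 +0000] "POST /wp-json/example-plugin/resize?url=https://images.example/b.jpg HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2020:09:20:40 +0000] "GET /phpinfo.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2020:09:21:02 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/7.64"
this line is truncated garbage and must be skipped
"""


def blocked_requests(log_text, client_ip=None):
    """Return [((method, path), count), ...] for 403 responses, most frequent first.

    Pass client_ip (your own address) to separate requests you triggered
    while testing from unrelated traffic the firewall is rightly rejecting.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "403":
            continue  # unparseable line, or not a blocked request
        if client_ip and m["ip"] != client_ip:
            continue
        path = m["target"].split("?", 1)[0]  # drop the query so repeats group together
        hits[(m["method"], path)] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (method, path), count in blocked_requests(SAMPLE_LOG, "203.0.113.7"):
        print(f"{count:3d}  {method:4s} {path}")
```

Run it once with a firewall setting enabled and once with it disabled; a path that only shows up in the first run is the request that setting is blocking.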

So yippee, it appears my site is reasonably secure.

Aiowp Security Strength Meter

I know 240 out of 515 “Achievable Points” doesn’t look awesome, but it’s not accurate either. I’d have more points by using certain functions in AIOWP that I choose to do with other plugins. So I have a plugin that “duplicates” some of the options offered by AIOWP. Duplicate plugins, right? Wrong.

Why Use “Duplicate” Plugins?

Sometimes alternative plugins offer more functionality. I’m all about streamlining and only using what you NEED on your site, but in this case, I think it’s worth the trade-off of having more plugins to track and maintain. Besides, I’ve learned how to manage all the plugins on multiple sites from a single dashboard, so it’s no big deal.

But that’s another post for another time. For now, I’m going to celebrate a secure, functional website that lets me pull free images from Unsplash, resize them automagically, and share my blog posts on Facebook simply by publishing. What a wonderful time to be alive.
