Quick Setup


This section is written with Admin Tools Professional in mind. If you are using Admin Tools Core you will not see all of these features.


You can quickly apply all of the following settings by using the Quick Setup Wizard page of Admin Tools. A prominent link to that page will appear at the top of your site's administrator (wp-admin) section as a standard WordPress notification until you run the wizard or manually configure Admin Tools through the Configure WAF and .htaccess Maker pages or import a configuration from the Import Settings page.

While the Quick Setup documentation section and the Quick Setup Wizard feature will help you get started with basic protection for your site, it is very strongly advisable that you read the documentation in its entirety. It will help you understand the different ways Admin Tools protects your site and the impact each option may have on your site's operation.


If you have already configured Admin Tools and wish to change its configuration, you are NOT supposed to use the Quick Setup Wizard. In fact, this is not supported and we will provide no support if you choose to do that. Instead, go to Admin Tools, Web Application Firewall, Configure WAF to configure the security protection settings, or Admin Tools and .htaccess Maker to configure the server-level protection settings.

The fundamental functionality of Admin Tools is to allow you to secure your site. However, setting up your site's security does require some tweaking, as each site has a different structure and different needs than the next. When you first install Admin Tools Professional you may feel a bit overwhelmed by the abundance of security options. Well, the good news is that setting it up is not even half as hard as it looks! The Quick Setup Wizard lets you get up to speed very fast. It has the following options:

  1. Administrator secret URL parameter. If you enter "foobar" (without the quotes) in here, then you must access your site's backend as http://www.example.com/wp-admin/?foobar, i.e. append a question mark and the secret word. If you skip the ?foobar part, you can't even see the login page. If you do not want to enable this feature, please delete its contents and leave this field blank.

    Important notes: This field will contain either your existing Administrator secret URL parameter (if you have already configured one) or a new, random one if there is no Administrator secret URL parameter already set up on your site. Do keep in mind that if you have disabled the Administrator secret URL parameter and you run the Quick Setup Wizard again a NEW, COMPLETELY RANDOM value will be shown in this field.

  2. Password-protect WP administration. This is designed to add an extra level of protection to your site's administrator (wp-admin) back-end, asking for a username and password before accessing the administrator login page or any other file inside the wp-admin directory of your site. It does so by using Apache .htaccess and .htpasswd files, so it won't work on IIS or NGINX hosts.

  3. Enter your email address in Send an email for all administrator login attempts. Admin Tools will be sending you an email whenever anyone tries to log in to your site's wp-admin as an Administrator. The minute you receive an email which wasn't triggered by a trusted person, you know you have to get your site off-line a.s.a.p. Do note that this is a very useful feature! It will send you an email even in the unlikely case that someone, for example, hacks your Wi-Fi, steals your login cookie and then uses your own Wi-Fi connection and login cookie to log in to your site.

  4. Allow administrator access only to IPs in Whitelist will prevent anyone from accessing wp-admin unless they are coming from an IP address in the whitelist. Please only use this if your ISP assigns you a static IP. If you are on a dynamic IP, like most people, enabling this feature will only keep locking you out of your site all the time. If you are unsure, set it to No.

  5. Disable editing users' properties prevents any operation on users which would allow the creation of an Administrator user or the elevation of a user's privileges to Administrator status. You will not be able to edit Administrator users or create new Administrator users until you disable this feature!

  6. Enable Web Application Firewall activates the security features which block malicious access attempts to your site.

  7. Enable IP workarounds is only necessary when your site is behind a proxy server. While Admin Tools tries to detect the recommended setting for your site, this cannot always be accurate. If you start getting locked out of your site and you see that all blocked access attempts seem to originate from the same IP address - which is different than the IP address you access your site from - you most definitely need to set this to Yes.

  8. Automatically block repeat offenders blocks IPs raising repeated security exceptions on your site, i.e. we have strong reasons to suspect they are hackers. Please note that you may not want to enable this feature until you are sure everything is working smoothly, so that you don't accidentally block yourself out of your site.

  9. Blacklist incorrigible offenders is an extension of the previous feature. If an IP address gets blocked automatically all the time it means that it's very likely not a user who screwed up but a hacker who tries hard to get into your site. Enabling this option will permanently blacklist their IP address so they don't bother you anymore.

  10. Email this address on security exceptions. Enter your email address here to get email notifications about every blocked malicious access attempt. You should be aware that in case of a massive attack against your site you might get plenty of emails. This feature does not serve any real security purpose; it's basically there to make you and your clients feel good by receiving emails whenever something is blocked.

  11. Optional but highly recommended: go to http://www.projecthoneypot.org/httpbl_configure.php and open yourself a Project Honeypot account. After your registration, visit that URL again and you'll see something called "HTTP:BL key". Copy it and paste it into the Project Honeypot HTTP:BL Key field. Project Honeypot analyses data from a vast number of sites and positively identifies IPs currently used by hackers and spammers. This Admin Tools feature integrates with Project Honeypot, examining your visitors' IP addresses. If they are in the blacklist (known hacker or spammer) they will be blocked from accessing WordPress.

  12. Create a security tightening .htaccess is for advanced users who are using the Apache web server. This feature adds carefully curated directives to increase the performance and tighten the security of your site at the web server level - long before PHP, let alone WordPress, has the chance to run. This is a great line of defense but it may also cause problems with third party plugins. Please read the documentation to understand how it all works!
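
The Project Honeypot check in item 11 is a DNS lookup against the HTTP:BL zone. The following Python sketch is an added example, not Admin Tools' own code: it builds the query name for a visitor and decodes the answer. The access key, the sample addresses and the min_threat / max_age_days thresholds are constructed for illustration.

```python
import ipaddress

HTTPBL_ZONE = "dnsbl.httpbl.org"
# The last octet of an answer is a bit set describing the visitor.
TYPE_FLAGS = {1: "suspicious", 2: "harvester", 4: "comment spammer"}


def build_query(access_key, visitor_ip):
    """DNS name to resolve: <key>.<octets reversed>.dnsbl.httpbl.org"""
    ip = ipaddress.ip_address(visitor_ip)
    if ip.version != 4:
        raise ValueError("the octet-reversed query form is defined for IPv4")
    octets = str(ip).split(".")
    return ".".join([access_key, *reversed(octets), HTTPBL_ZONE])


def decode_answer(answer):
    """Decode an A record of the form 127.<days>.<threat>.<type>."""
    first, days, threat, vtype = (int(part) for part in answer.split("."))
    if first != 127:
        raise ValueError("not an HTTP:BL answer")
    if vtype == 0:
        # Type 0 is a known search engine; the other octets are not a score.
        return {"search_engine": True, "days": None, "threat": None, "types": []}
    types = [name for bit, name in TYPE_FLAGS.items() if vtype & bit]
    return {"search_engine": False, "days": days, "threat": threat, "types": types}


def should_block(answer, min_threat=25, max_age_days=30):
    """answer is None when the name does not resolve (IP is not listed).

    min_threat and max_age_days are hypothetical thresholds for this example.
    """
    if answer is None:
        return False
    info = decode_answer(answer)
    if info["search_engine"]:
        return False
    return info["threat"] >= min_threat and info["days"] <= max_age_days


if __name__ == "__main__":
    # Constructed values: a placeholder key and a documentation-range address.
    print(build_query("abcdefghijkl", "203.0.113.7"))
    for sample in ("127.3.40.5", "127.90.40.2", "127.0.5.0", None):
        print(sample, "->", should_block(sample))
```

A listed address that was last seen long ago, or with a low threat score, is not blocked by this sketch; only recent, high-score listings are.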

After applying all of the above protections, it is very likely that some of your site's functionality is no longer working or you can't access your site anymore. This is normal. The default settings are very restrictive by design. That's why you get a list of URLs with troubleshooting instructions. Make sure you print them out before you save the changes. If you get locked out of your site or cannot access your site, follow their instructions to regain access.
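
The lock-out symptom described under Enable IP workarounds, as an added Python example that is not Admin Tools' code: behind a proxy every blocked request is attributed to the proxy's address unless the forwarded header is read, and that header should be read only when the connection really comes from your own proxy. The 10.0.0.0/8 proxy range and the sample requests are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Assumption for this example: the reverse proxies in front of the site.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample of (REMOTE_ADDR, X-Forwarded-For) pairs for blocked requests.
BLOCKED_REQUESTS = [
    ("10.0.0.5", "198.51.100.23"),
    ("10.0.0.5", "198.51.100.23"),
    ("10.0.0.5", "203.0.113.7"),
    ("10.0.0.5", "192.0.2.99, 198.51.100.23"),  # left-most entry came from the client
]


def is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def visitor_ip(remote_addr, forwarded_for, workarounds):
    """Address a firewall should attribute the request to."""
    if not workarounds or not forwarded_for or not is_trusted_proxy(remote_addr):
        # Feature off, no header, or the peer is not our proxy: a header sent
        # by an arbitrary client must never override the connection address.
        return remote_addr
    # Read the chain right to left; the first hop that is not one of our own
    # proxies is the nearest address our infrastructure recorded itself.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            if not is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the connection address
    return remote_addr


def offenders(workarounds):
    """Count blocked requests per attributed address."""
    return Counter(visitor_ip(r, f, workarounds) for r, f in BLOCKED_REQUESTS)


if __name__ == "__main__":
    print("workarounds off:", dict(offenders(False)))  # every hit lands on the proxy
    print("workarounds on: ", dict(offenders(True)))
```

With the workaround off, all four blocked requests count against 10.0.0.5, so an automatic block on that address would lock out every visitor, including you.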