BD Security Firewall

Getting Started with BD Security Firewall

Updated March 9, 2026

Introduction

BD Security Firewall is an enterprise-grade WordPress security plugin that protects your website against SQL injection, cross-site scripting (XSS), brute-force attacks, malicious bots, and unauthorized access. It also provides two-factor authentication, geo-blocking, activity logging, file integrity monitoring, and a built-in malware scanner.

This guide walks you through the complete process of installing the plugin, activating your license, and configuring the recommended settings so your site is protected from day one.

Requirements

  • WordPress 5.8 or later
  • PHP 7.4 or later (PHP 8.x recommended)
  • A valid BD Security Firewall license key (purchased from getbdshield.com)
  • Administrator access to your WordPress dashboard

Step 1: Install the Plugin

  1. Log in to your WordPress admin dashboard.
  2. Navigate to Plugins → Add New.
  3. Click the Upload Plugin button at the top of the page.
  4. Click Choose File and select the bestdid-security.zip file you downloaded from your BDShield account.
  5. Click Install Now and wait for the installation to complete.
  6. Click Activate Plugin.

Tip: If you are upgrading from a previous version, WordPress will handle the update automatically once your license is activated. You can also upload the new ZIP file over the existing installation.

Step 2: Activate Your License

BD Security Firewall requires an active license for all security features to function. Without a valid license, the plugin will load its admin interface but will not enforce any protections.

  1. After activation, you will see an admin notice at the top of every dashboard page indicating that the license is not active.
  2. Navigate to Security → License in the left-hand admin menu.
  3. Enter your license key in the License Key field. Your key was emailed to you when you purchased the plugin, and it is also available on your My Account → Licenses page.
  4. Click Activate License.
  5. The page will reload and show a green “Active” status if activation was successful.

Important: Each license key is tied to a specific number of sites depending on your plan. If you have reached your site limit, you will need to deactivate the license on another site first, or upgrade your plan.

The plugin validates your license with the BDShield license server periodically (once every 24 hours). If the license server is temporarily unreachable, the plugin trusts the locally stored “active” status so your site remains protected.

Step 3: Navigate the Admin Dashboard

Once your license is activated, the Security menu in the WordPress admin sidebar expands to show all available pages:

  • Security (Dashboard) — An overview of your security status, including active protections, recent threats, and currently blocked IP addresses. You can also unblock IPs from this page.
  • Scanner — The built-in malware scanner. Run on-demand scans, review results, quarantine threats, and configure automated scans.
  • Geo-Blocking — Block or allow traffic based on the visitor’s country of origin.
  • Activity Log — A chronological record of important events: logins, logouts, failed login attempts, content changes, plugin/theme activations, user role changes, and more.
  • File Integrity — Hash-based monitoring of your WordPress core files, themes, and plugins. Detects unauthorized modifications.
  • Logs — The security threat log showing all blocked requests, including the IP address, threat type, severity, and request details.
  • Settings — All configurable security options organized into sections (Login Security, Attack Prevention, Brute Force, Rate Limiting, and more).
  • License — Manage your license key activation and status.

Step 4: Recommended First Settings

Navigate to Security → Settings to configure your protections. The plugin ships with sensible defaults, but we recommend reviewing and adjusting the following:

Login Security

  • Hide Login Error Messages: Turn this ON. When enabled, WordPress will not reveal whether the username or the password was incorrect — it simply says “Invalid login credentials.” This prevents attackers from confirming valid usernames.
  • Auto Logout: Set this to 480 (8 hours) or your preferred session length. This automatically logs out inactive users after the specified number of minutes. Set to 0 to disable.
  • Custom Login URL: Optional. If you want to hide your login page from bots, enter a custom slug (e.g., my-secret-login). Your login page will then be at yoursite.com/my-secret-login/ and the default /wp-login.php and /wp-admin will return a 404 for non-logged-in visitors.

Warning: If you set a custom login URL, bookmark it immediately. You will not be able to access your site via /wp-admin or /wp-login.php until you are logged in.

Attack Prevention

  • SQL Injection Protection: ON (enabled by default)
  • XSS Attack Prevention: ON (enabled by default)
  • Block Bad Bots: ON (enabled by default)
  • Block Dangerous Uploads: ON — prevents uploading PHP, EXE, shell scripts, and other executable files through the WordPress media uploader. Also catches double-extension tricks like file.php.jpg.

Brute Force Protection

  • Enable Brute Force Protection: ON (enabled by default)
  • Max Login Attempts: 3–5 is recommended. After this many failed login attempts, the IP address is locked out.
  • Lockout Duration: 30–60 minutes is recommended. This is how long a locked-out IP must wait before trying again.
  • Force Strong Passwords: ON — requires all user passwords to be at least 12 characters with uppercase letters, lowercase letters, numbers, and special characters.

Rate Limiting

  • Enable Rate Limiting: ON (enabled by default)
  • Requests Per Minute: 60 is the default and works well for most sites. Lower it if you are under attack; raise it if legitimate users are being rate-limited.

IP Whitelist

  • Whitelisted IP Addresses: Add your own IP address to prevent accidentally locking yourself out. Enter one IP per line.
  • Whitelist Logged-in Admins: ON — ensures administrators are never blocked by rate limiting or brute force protections while logged in.
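The following Python model shows how the Brute Force Protection, Rate Limiting and IP Whitelist settings above interact: failed attempts accumulate per IP until Max Login Attempts is reached, the lockout expires after Lockout Duration, a sliding one-minute window enforces Requests Per Minute, and whitelisted IPs or logged-in admins bypass both. It is an added illustration, not the plugin's own code; the constants, the LoginGuard class and the 203.0.113.10 sample address are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed model of the lockout and rate-limit decisions; not the plugin's code.
MAX_LOGIN_ATTEMPTS = 5        # "Max Login Attempts" (guide recommends 3-5)
LOCKOUT_SECONDS = 30 * 60     # "Lockout Duration" of 30 minutes
REQUESTS_PER_MINUTE = 60      # "Requests Per Minute" default
WHITELIST = {"203.0.113.10"}  # "Whitelisted IP Addresses" (documentation-range sample)

class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(int)    # ip -> consecutive failed logins
        self.locked_until = {}              # ip -> unix time the lockout ends
        self.requests = defaultdict(deque)  # ip -> timestamps of recent requests

    def is_whitelisted(self, ip, logged_in_admin=False):
        # "Whitelist Logged-in Admins" exempts an authenticated admin as well
        return logged_in_admin or ip in WHITELIST

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:  # lockout expired: count afresh
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return until is not None

    def record_login(self, ip, success, now, logged_in_admin=False):
        """Return True if the attempt may proceed, False if the IP is locked out."""
        if self.is_whitelisted(ip, logged_in_admin):
            return True
        if self.is_locked(ip, now):
            return False
        if success:
            self.failures[ip] = 0           # a good login clears the counter
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_LOGIN_ATTEMPTS:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
        return True

    def allow_request(self, ip, now, logged_in_admin=False):
        """Sliding one-minute window: reject once the per-minute budget is spent."""
        if self.is_whitelisted(ip, logged_in_admin):
            return True
        window = self.requests[ip]
        while window and now - window[0] >= 60:
            window.popleft()                # forget requests older than a minute
        if len(window) >= REQUESTS_PER_MINUTE:
            return False
        window.append(now)
        return True
```

Running the model with your own address in WHITELIST shows why the guide tells you to whitelist yourself: repeated failures from that address never trigger a lockout.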

Additional Hardening

  • Hide WordPress Version: ON (enabled by default) — removes the WordPress version number from page source, scripts, styles, and RSS feeds.
  • Disable XML-RPC: ON (enabled by default) — blocks the XML-RPC endpoint that is commonly exploited for brute-force and DDoS attacks.
  • Disable File Editor: ON — removes the built-in Theme Editor and Plugin Editor from the WordPress admin. This prevents attackers who gain admin access from editing PHP files directly.
  • Log Retention Days: 30–90 days — how long security logs are kept before automatic cleanup.

Step 5: Save and Verify

  1. After configuring your settings, click the Save Settings button at the bottom of the page.
  2. Return to the Security dashboard to confirm that protections are active. You should see a green “Protected” status badge.
  3. Check the Logs page — after a few hours, you will begin to see blocked threats appearing in the security log.

What Happens Behind the Scenes

Once activated and configured, BD Security Firewall works automatically:

  • Security headers (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy, and optionally HSTS) are sent with every page response.
  • User enumeration is blocked — the ?author=1 query, author archive pages, and the /wp-json/wp/v2/users REST API endpoint are all disabled for non-authenticated visitors.
  • Sensitive files like readme.html, license.txt, wp-admin/install.php, and plugin/theme readme files are blocked from public access.
  • REST API endpoints from WooCommerce admin, LiteSpeed, Fluent SMTP, and other plugins are hidden from unauthenticated requests.
  • A daily cron job cleans up old security logs based on your retention setting.
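To verify Step 5 beyond the dashboard badge, you can check that the security headers listed above actually arrive in a response. The Python below is an added example, not part of the plugin: it parses a raw header block such as `curl -sI https://yoursite.example/` prints, reports which of the listed headers are missing and notes whether the optional HSTS header is present; the function names and the SAMPLE_RESPONSE text are constructed for the example, and fetch_headers is a convenience for running the same audit against your own site.

```python
import urllib.request

# Headers the guide says are sent with every response; HSTS is optional.
# Constructed verification example for Step 5, not the plugin's own code.
EXPECTED_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
    "Permissions-Policy",
    "Content-Security-Policy",
)
OPTIONAL_HEADERS = ("Strict-Transport-Security",)

def parse_raw_headers(raw):
    """Turn a raw HTTP header block (as printed by `curl -sI`) into a dict
    keyed by lower-cased name, since HTTP header names are case-insensitive."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(headers):
    """Return (missing, notes): expected headers that are absent, and advisories."""
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in headers]
    notes = [f"{h} not set (optional; enable only once the site is HTTPS-only)"
             for h in OPTIONAL_HEADERS if h.lower() not in headers]
    return missing, notes

def fetch_headers(url):
    """Live check against your own site (not run in this example)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}

# Constructed sample of a response in which one expected header is missing.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
"""

if __name__ == "__main__":
    missing, notes = audit_headers(parse_raw_headers(SAMPLE_RESPONSE))
    print("missing:", missing)
    print("notes:", notes)
```

An empty `missing` list from the audit of your own site means every header the guide lists is present; a non-empty one usually points at a caching or proxy layer between the plugin and the visitor.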

Next Steps

  • Read Security Settings & Configuration for a detailed explanation of every setting.
  • Set up Two-Factor Authentication (2FA) to add an extra layer of login security.
  • Enable the Malware Scanner and File Integrity Monitor from the Settings page for continuous file-level protection.
  • Configure Geo-Blocking if you want to restrict access by country.