Hi @pdjp,
Appreciate you taking the time to write this up. Let me address both points directly.
1) Why most settings are disabled by default
This is intentional. Many AIOS features (firewall rules, login renaming, .htaccess changes, 6G blacklist, brute-force lockouts, etc.) can break a site or lock an admin out depending on the host, theme, caching layer, or other plugins installed. Turning them all on by default would cause more broken sites than blocked attacks, especially for users who don’t yet know which features fit their setup.
We hear the “it’s overwhelming” feedback though, which is exactly why we already shipped an Onboarding Wizard. It walks you through the main settings we recommend enabling, in plain language, and at the end you have a site configured with the recommended baseline without having to hunt through dozens of pages.
2) The audit log
The audit log isn’t optional bloat, it’s core security infrastructure. Brute-force protection, login lockouts, IP-based blocking, and several other detection features all rely on event data being recorded. Switching logging off would effectively disable parts of the plugin that are doing the blocking you want it to do. This is consistent with how Wordfence, Sucuri, Solid Security and other reputable security plugins operate: no log, no protection.
I’d love to understand what would turn this from 3 stars into 5 stars for you. The “settings off by default” piece is already solved by the Onboarding Wizard. The audit log piece is a design choice we’re not going to reverse, but we’d be happy to look at retention rules and how we could address this bloat.
If you’re up for it, drop a thread on the support forum (https://ww.wp.xz.cn/support/plugin/all-in-one-wp-security-and-firewall/) tagging this review, and we can look into how to address your issues. If we earn a higher rating after that, great. If not, your feedback still shapes where the product goes next.
Alexandru Bucsa
Product Manager, AIOS
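The dependency the reply's second point describes, lockouts being computed from recorded events, shown as an added example in Python (this is illustrative code written for this page, not AIOS's own implementation; the event shape, the retention rule, the 5-failures-in-15-minutes threshold and the sample IPs are all assumptions). Replaying the same failed-login events through an audit log with a sensible retention period, then with logging effectively switched off, shows why the lockout disappears with the log, and why a retention rule at least as long as the lockout window keeps protection while bounding growth.

```python
"""Lockout decisions derived from an audit log, with a retention rule (hypothetical, not AIOS code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    ts: int    # Unix time in seconds
    ip: str
    kind: str  # e.g. "failed_login"


class AuditLog:
    """Append-only event store; retention_seconds=None keeps everything, 0 keeps (almost) nothing."""

    def __init__(self, retention_seconds: Optional[int]):
        self.retention = retention_seconds
        self.events: List[Event] = []

    def record(self, event: Event) -> None:
        self.events.append(event)
        self.prune(event.ts)

    def prune(self, now: int) -> int:
        """Drop events older than the retention period; return how many were removed."""
        if self.retention is None:
            return 0
        cutoff = now - self.retention
        before = len(self.events)
        self.events = [e for e in self.events if e.ts >= cutoff]
        return before - len(self.events)

    def count(self, ip: str, kind: str, since: int) -> int:
        return sum(1 for e in self.events if e.ip == ip and e.kind == kind and e.ts >= since)


def is_locked_out(log: AuditLog, ip: str, now: int, threshold: int = 5, window: int = 900) -> bool:
    """Assumed rule: lock an IP out after `threshold` failed logins within the last `window` seconds."""
    return log.count(ip, "failed_login", now - window) >= threshold


def replay(retention_seconds: Optional[int], events: List[Event]) -> AuditLog:
    log = AuditLog(retention_seconds)
    for e in sorted(events, key=lambda e: e.ts):  # events arrive in time order
        log.record(e)
    return log


# Constructed sample: one IP fails five times in five minutes, another fails once.
T0 = 1_700_000_000
SAMPLE_EVENTS = [Event(T0 + 60 * i, "203.0.113.10", "failed_login") for i in range(5)]
SAMPLE_EVENTS.append(Event(T0 + 30, "198.51.100.7", "failed_login"))
NOW = T0 + 600


def decisions(retention_seconds: Optional[int]) -> dict:
    """Lockout decision per IP at NOW, given a retention policy for the log."""
    log = replay(retention_seconds, SAMPLE_EVENTS)
    return {ip: is_locked_out(log, ip, NOW) for ip in ("203.0.113.10", "198.51.100.7")}


if __name__ == "__main__":
    for retention in (None, 3600, 0):
        print(f"retention={retention!s:>5}: {decisions(retention)}")
```

With retention 0 (logging effectively off) the five failures are never seen together, so the attacking IP is not locked out; with a one-hour retention the decision is identical to keeping the log forever, because the lockout window is only fifteen minutes.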