Shield Security v6.10 for WordPress released 15th October, 2018
This release delivers one of our most requested features, along with other great enhancements to improve your WordPress security and experience.
1) Two-Factor Authentication Recovery Codes
Two-Factor Authentication (2FA) is powerful way to secure your WordPress login, while not adding too much complexity.
Simply put, 2FA is where you’re prompted for another piece of information in addition to your account password, when you login.
An example is email-based 2FA. This is where, after you successfully login, you’ll be sent a unique code by email. Only by providing this code to the site, can you complete your login.
This secures your WordPress login because only you (should) have access to your email account.
But what happens when you temporarily can’t get to your email? Or perhaps your email provider is having delay/delivery issues? You’re basically locked out of your account, and until now, you have very few options to work around it.
With 2FA Recovery Codes, you’ll have a special “code” that you can use to regain access to your account when your normal 2FA options aren’t available.
We go into this feature in much more detail here.
2) Custom Exclusion Rules For The Traffic Watcher
Being able to monitor the requests hitting your site helps work out what’s going on when you can’t “see” the traffic.
The ‘Traffic Watcher’ feature was released in Shield v6.9 and with this enhancement, we’ve provided an easy way to exclude traffic that you don’t want to see.
Shield already lets you exclude traffic that comes from official bots such as Google, Bing etc, and some uptime-monitoring services. But there’s no limit to the services available that can access your site, so the ‘custom exclusions’ option helps you filter out the specific services that you use.
3) Whitelist Official Web Crawlers and Bots
If Shield were to block legitimate web crawlers such as Google, this could present serious problems for websites and their search results (SERPs). Until now we’ve avoided trying to detect these crawlers since mistakes could be disastrous.
Web crawlers and spiders normally identify themselves by name. Google, for example, lets us know it’s them by using the name “Googlebot”. Bing, uses the name “BingBot”.
So you might think that all we need to do is look at the name and whitelist it. It’s not that simple because malicious bots would then just tell us they’re “Googlebot” too and by-pass our defences.
To prevent this from happening, whenever a bot tells us it’s an official web crawler, Shield attempts to verifies this to ensure that they’re really who they say.
We’ve taken considerable time to find the most reliable (and efficient) way of detecting official web crawlers. “Wont this slow down my site?”, you might ask.
There will be a tiny delay for the requests where a bot needs to be verified, but …
- Normal site visitors don’t present as search engines, so they’ll never need to be verified and there’s no delay whatsoever.
- Shield only performs the checks if a visitor identifies itself as an official bot (one that we can actually verify – see below)
This means that if a bot isn’t really who they say they are, they’ll always experience the delay but we don’t care since they’re misrepresenting themselves. - Shield caches the results of all successful checks so that future requests from the same sources don’t experience a delay.
So which official web crawlers do we support? (i.e. which bots we can verify)
- Bing
- Yahoo!
- Apple
- DuckDuckGo
- Yandex
- Baidu
Future Plans For Shield’s Web Crawlers Support:
Depending on how well this enhancement works, we’ll look to using the transgression system to black mark, and eventually block, all web crawlers that misrepresent themselves.
Simply put, if a bot presents itself as “Googlebot”, but we check and find that it isn’t, we can kill the request and eventually block the bot altogether.
4) Many More Enhancements
We’ve improved many aspects of Shield, including:
- White Label: You can now provide a banner logo for the two-factor authentication landing page.
- White Label: You can now provide site-relative URLs for images.
- Major under-the-hood refactoring of the 2FA system with some critical bug fixes.
- Improved Audit Trail entries for 2FA events.
- Security Admin restrictions that prevent modifying administrator users is much improved.
- All Shield cookies default to Secure-only for HTTPS sites.
- Fix for GASP login checkbox for particular scenarios.
Question & Comments
We’re on the mission to make your WordPress security easier, and more powerful, while minimising the complexity that comes with it.
We trust our improvements and enhancements are simplifying your WP security work, but if you have any questions or comments, please leave them below.
Thank you!
Hello dear reader!
If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)
You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.
We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.
ShieldPRO Testimonials
@appsol
One of your essential plugins
There are some plugins that get installed on every new WordPress site I build, and this is definitely one of them. – It protects your site from brute force login attempts – It screens incoming data to prevent hacking attempts – It prevents spam bots submitting comments on your site…
@akashiktruth
Great resource for website add-ins
WordPress and its forums are full of practical plugins to enhance your website.
@horncastlecs
My website was hacked through google ads. Using this now and it seems to do gr8!
My website was hacked through google ads. Using this now and it seems to do gr8! Free version. Thanks.
@joe113
Simply my favorite security plugin
Simply my favorite security plugin. I use it for all my sites. I upgraded one already and will eventually upgrade to pro on all my sites. I can’t afford not to. Security is very important online. Everyone knows that.
