September 7, 2018 by Paul G. | Releases, Shield Pro

WP Shield Security – Release 6.9


The latest release for our WordPress security appliance is a big one in many ways.

We’ve added a whole new module that lets you monitor and review all web requests to your WordPress site, added a few new options and enhancements, and made some major improvements and bug fixes throughout the system.

This article will briefly outline the most important improvements.

#1 See Your Site HTTP Traffic With The Traffic Watcher (Pro-only)

Often it’s difficult to know exactly what is going on with your site if you can’t see it. How do you know if you’re getting “hit” if you can’t see the actual traffic? Sure, if you have access to your Apache access log files, you can see exactly what’s happening.

But not everyone can do that, and not everyone wants to do it.

We often get support requests telling us that someone is being hit by “bots”, when in fact there’s no way that they could know this. And often, what might appear to be bots is legitimate traffic that they’re just not aware their site is configured to instigate.

Before you can debug a problem like this and assign meaning to it, you need to see what exactly is happening.

For this purpose, we’ve created the Traffic Watcher system in Shield Security v6.9. On the surface it’s quite simple, but we want to very clearly lay out what it is, and what it is not.

Shield’s Traffic Watcher Is Not …

  • A traffic analytics system or any sort of alternative to analytics.  It has nothing to do with analytics.
  • It is not a security feature. It doesn’t secure anything; it doesn’t block anything; it doesn’t allow anything.
  • It is not a log analyser. It doesn’t use your apache/server logs or any other logs.

Shield’s Traffic Watcher Is …

  • A window; a view into your WordPress site traffic and any requests made to your WordPress site.
  • A log of HTTP requests made to your WordPress site that provides a summary of each request including:
    • time
    • IP address (and Geo-location)
    • WP username (if logged-in)
    • request path (including any query parameters)
    • the HTTP response code for the request e.g. 200 (a successful request)
    • whether the request was a transgression against the Shield Security plugin

Traffic Watcher Options

This sort of information is great when you need it, but bulky and space-consuming when you don’t. So we have provided some important options to maximise the efficacy and the efficiency of this service.

Probably by far the most important set of options is the traffic exclusions. These allow you to monitor a specific sub-set of traffic to keep your logs to a minimum with as little “noise” as possible.

Please note that any web requests that match any active exclusion will not be logged in the Traffic Watcher system.

Your possible traffic exclusions are:

  • Simple requests – any requests that do not contain any data parameters either in the GET query, or in the POST data.
  • REST API
  • AJAX
  • Logged-In – any requests made by a user that is considered to be “logged-in” to the WordPress site.
  • WP Cron
  • Search Engine Spiders/Bots – supports Google, Bing, and Duck Duck Go (at the time of writing)
  • Uptime Monitoring services – supports StatusCake, Pingdom, Uptime Robot
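To show how these exclusions interact, here is an added example (not Shield's own code) that classifies constructed request records and lists which ones would still be logged. It assumes standard WordPress endpoint conventions (`/wp-json/` or `rest_route`, `admin-ajax.php`, `wp-cron.php`); the category names, record fields and function names are hypothetical, and the bot and uptime-monitor exclusions are left out.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample records; field names are assumptions for this example.
SAMPLE = [
    {"uri": "/", "post_fields": 0, "user": None},
    {"uri": "/wp-cron.php?doing_wp_cron=1536312000.123", "post_fields": 0, "user": None},
    {"uri": "/wp-admin/admin-ajax.php", "post_fields": 2, "user": "editor1"},
    {"uri": "/wp-json/wp/v2/posts", "post_fields": 0, "user": None},
    {"uri": "/wp-login.php", "post_fields": 4, "user": None},
    {"uri": "/?s=shield", "post_fields": 0, "user": None},
]

def matched_exclusions(req):
    """Return every exclusion category that a request record falls into."""
    url = urlsplit(req["uri"])
    path = url.path.rstrip("/") or "/"
    query = parse_qs(url.query, keep_blank_values=True)
    hits = set()
    # "Simple": no GET query parameters and no POST data.
    if not query and not req.get("post_fields"):
        hits.add("simple")
    # REST API: pretty permalink route or the rest_route query fallback.
    if "/wp-json/" in url.path + "/" or "rest_route" in query:
        hits.add("rest_api")
    if path.endswith("/wp-admin/admin-ajax.php"):
        hits.add("ajax")
    if path.endswith("/wp-cron.php"):
        hits.add("wp_cron")
    # Logged-in: the record carries a WP username.
    if req.get("user"):
        hits.add("logged_in")
    return hits

def retained(records, active):
    """URIs that would still be logged: a match on ANY active exclusion drops it."""
    return [r["uri"] for r in records if not (matched_exclusions(r) & active)]

if __name__ == "__main__":
    active = {"simple", "wp_cron", "ajax", "logged_in"}
    for uri in retained(SAMPLE, active):
        print("logged:", uri)
```

Note that the parameterless REST request is dropped by the "simple" exclusion even though the REST API exclusion is not active, so overlapping categories can hide more traffic than a single option's name suggests.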

As well as having exclusion rules to keep your logs to a minimum, we provided an option to automatically disable the logging system after 1 week.

This is so that you don’t turn it on and then forget about it, leaving the system logging traffic indefinitely, which would be a complete waste of resources.

Note: The Traffic Watcher module is a Pro-only feature.

#2 Multiple Yubikeys Per User Profile (Pro-only)

This is a feature that we’ve had requested many times.

We use Yubikeys here to secure some of our most important services and assets, but as with any Multi-factor authentication device, we’re always nervous if it breaks or gets lost.

This is the same with Yubikeys if you’re using them on your WordPress sites – losing your Yubikey could cause some major headaches.

So with Shield v6.9.0 (pro-only) users can now add as many Yubikey devices to their accounts as they’d like!

#3 Other Shield Improvements

Here are some of the more significant improvements with Shield 6.9:

  • Option to delete the Security Admin Access Key.
    – It’s rare that this is needed, but sometimes it’s handy to just remove the access key rather than disable the whole module (especially if you’re using White Label).
  • AJAX Security Admin session checking.
    – If your Security Admin session has timed out, Shield now warns you and prompts you to reload.
  • Password Policies system now redirects users to password reset page.
    – We got feedback that redirecting users to their profile pages was confusing, so instead we direct users to WordPress’ password reset form.
  • Added WooCommerce and Easy Digital Downloads user roles to the Email 2FA settings
    – Now you can enforce email-2FA for your Shop Workers, Managers, and even Customers.
  • Delete ‘forceoff’ from inside the WP admin
    – You no longer need to use your FTP/File browser to remove the ‘forceoff’ file.
  • Audit Trail message improvements
    – Shield now identifies the actual PHP file used to send emails (so you can track it better) and also identifies Post types when posts are updated.
  • Loads of other bug fixes and system improvements
    – We’ve fixed bugs, and rewritten and improved our database code, bot-checking JavaScript code, session handling, stats code, login cooldown, and plugin/theme guard.

This is a huge release in many ways and has undergone a lot of testing and refinements. But with so many changes, it’s quite possible something gets overlooked.

As always, please drop us a line if there’s something you’d like to see, or if something doesn’t work quite as you’d expect.
