WP Shield Security Pro – Release 8.5

Blog, Releases, Shield Pro

The latest release of the Shield Security plugin for WordPress is focused on adding some helpful UX refinements, while also taking our first step into one of the biggest enhancements to WordPress security for 2020.

As with many earlier releases we’ve made huge strides in improving code quality and performance. While we’ll always continue to improve our code, we’re looking to make WordPress administrators’ lives that bit easier.

Continue reading to discover the features we’ve added in this release, starting with the new feature we’re most excited about:

#1: Integrity Scanning for Premium WordPress Plugins and Themes

We go into much more detail on this new feature in our previous blog article, but the summary is this:

WordPress.org publishes MD5 checksums for every file in each official WordPress release. This lets us detect corruption of, or changes to, those core files.

But there’s nothing official for WordPress.org plugins and themes, so we built our own API last year: WPHashes.com.

The exciting development we want to share with you is the beginning of MD5 checksums for premium plugins and themes.

This enhancement needs the cooperation of premium plugin and theme developers. Our first collaboration has been with Elliot, the lead developer of the hugely popular Advanced Custom Fields Pro plugin.

As of this release, 8.5, Shield Security Pro scans the files in ACF Pro against the MD5 checksums from its official releases. How awesome is that?

The goal now is to get as many premium plugin and theme developers onboard as possible…

#2: Switch-Off Security Admin, by Email

Since Shield Security was first released we’ve provided the “forceoff” option, which unlocks Shield and lets admins regain access to a site if they’ve been blocked.

The process can also be used when the site admin has forgotten or lost their Security Admin access key, and they can’t get back into the Shield UI.

While it’s a simple feature, it does cause trouble for some people, and others find it a little cumbersome.

To help admins stuck in this predicament, we’re making it easy to quickly disable the Security Admin feature. You can simply request that Shield sends you a confirmation email and once you click to confirm it, the Security Admin feature is disabled.

Two important points to note:

  1. The confirmation email is sent to the email address set within Shield’s default options. If that is unset, it defaults to the site admin email address.
  2. The confirmation link within the email must be opened in the same browser that was used to request the email.
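
To show why point 2 matters, here is an added example (not Shield’s own code; the post doesn’t describe its implementation) of one way to bind an emailed confirmation to the requesting browser: a random nonce is set as a cookie in the browser that asked for the email, and the link carries an expiring HMAC over that nonce, so the link is useless without the cookie. The server secret, the 15-minute lifetime and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-site secret held only by the server. A real plugin would
# persist this; here it is generated once when the module loads.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60  # seconds the emailed link stays valid (assumed value)


def _mac(browser_nonce, expires):
    msg = f"{browser_nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_request(now=None):
    """Start a 'disable Security Admin' request.

    Returns (cookie_value, emailed_token).  The cookie is set in the browser
    that made the request; the token goes into the confirmation link.  The
    token is an HMAC over the cookie value plus an expiry, so it only
    verifies when presented together with that exact cookie.
    """
    now = int(time.time() if now is None else now)
    browser_nonce = secrets.token_urlsafe(24)
    expires = now + TOKEN_TTL
    return browser_nonce, f"{expires}.{_mac(browser_nonce, expires)}"


def confirm(cookie_value, emailed_token, now=None):
    """Validate a clicked link against the cookie the browser presents.

    Fails closed on a missing cookie (link opened in another browser), an
    expired link, a malformed token, or a MAC mismatch (cookie belongs to a
    different request).
    """
    now = int(time.time() if now is None else now)
    if not cookie_value or not emailed_token:
        return False
    expires_text, _, mac = emailed_token.partition(".")
    if not expires_text.isdigit() or not mac:
        return False
    expires = int(expires_text)
    if now > expires:
        return False
    return hmac.compare_digest(_mac(cookie_value, expires), mac)
```

Someone who can read the mailbox still can’t disable Security Admin from a different machine, which is the property the same-browser rule buys. The price is that an admin who requests the email on a phone and clicks the link on a laptop is refused and must start again from the laptop.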

#3: Automatic Repair of WordPress.org Theme Files

Shield can now automatically repair files contained within themes that are installed from WordPress.org.

The auto-repair of plugin files has been with Shield for a long time, so this feature was long overdue. It’s been made possible with our recent developments in handling and scanning WordPress.org plugins and themes.

#4: Filter Lists of IP Addresses

Sometimes an IP address gets blacklisted incorrectly and we need to remove it from the list.

But if your site has a large list of offenders, finding that particular IP can be time consuming. Not any more! You can now filter any list by a specific IP address, so you can find the entry immediately and take action more quickly.

#5: Completely Custom Content Security Policies

Shield already let you set a Content Security Policy, but only for the 'default-src' directive.

With Shield Pro 8.5, you can provide as many custom Content Security Policy rules as you need. The UI is simple, but there is no validation that your rules are structured correctly, nor that they’re appropriate for your particular site and circumstances: a mistyped directive is silently ignored by the browser, and an over-permissive one weakens the policy without any warning.

Great care should be taken when providing your custom rules and advice should be sought from your web developer on what is most appropriate.

As always, test, test, test.
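
Because Shield does no validation, it’s worth linting a policy before saving it. The following is an added example, not part of Shield, of a small Python linter that catches the mistakes most likely to slip through a free-text UI: unquoted keywords (`self` instead of `'self'`, which browsers read as a host named “self”), unknown or duplicated directives (browsers ignore both), empty source lists, `'none'` mixed with other sources, and policies that leave script loading open. The directive and keyword lists and the host-source regex are simplified from the CSP specification; the linter checks syntax, not whether a policy suits your site.

```python
import re

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "form-action", "frame-ancestors",
    "base-uri", "report-uri", "report-to", "sandbox",
    "upgrade-insecure-requests", "block-all-mixed-content",
}
VALUELESS = {"upgrade-insecure-requests", "block-all-mixed-content"}
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
            "strict-dynamic", "report-sample", "wasm-unsafe-eval"}
HASH_OR_NONCE = re.compile(
    r"^'(?:nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$")
HOST_SOURCE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*:(?://)?)?"                # optional scheme: https:// or data:
    r"(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)?"   # host, optional leading wildcard label
    r"(?::(?:\d+|\*))?(?:/\S*)?$", re.I)              # optional port and path


def _valid_source(value):
    """Quoted values must be keywords, nonces or hashes; anything else is a host source."""
    if value.startswith("'") and value.endswith("'"):
        return value[1:-1].lower() in KEYWORDS or bool(HASH_OR_NONCE.match(value))
    return bool(HOST_SOURCE.match(value))


def lint_csp(policy):
    """Return [(severity, message), ...] for a raw Content-Security-Policy value."""
    findings = []
    seen = set()
    for raw in policy.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            findings.append(("error", f"unknown directive '{name}' (browsers ignore it)"))
            continue
        if name in seen:
            findings.append(("error", f"duplicate directive '{name}' (only the first copy is applied)"))
        seen.add(name)
        if name in VALUELESS:
            if values:
                findings.append(("error", f"{name} takes no value"))
            continue
        if not values:
            findings.append(("error", f"{name} has an empty source list"))
            continue
        lowered = [v.lower() for v in values]
        for value in values:
            if value.lower() in KEYWORDS:  # bare keyword: browsers treat it as a hostname
                findings.append(("error", f"{name}: keyword {value} must be quoted as '{value}'"))
            elif not _valid_source(value):
                findings.append(("error", f"{name}: {value!r} is not a valid source expression"))
        if "'none'" in lowered and len(values) > 1:
            findings.append(("error", f"{name}: 'none' cannot be combined with other sources"))
        if name in ("default-src", "script-src"):
            if "'unsafe-inline'" in lowered:
                findings.append(("warning", f"{name}: 'unsafe-inline' permits injected inline script"))
            if "*" in lowered:
                findings.append(("warning", f"{name}: wildcard host permits script from any origin"))
    if not seen & {"default-src", "script-src"}:
        findings.append(("warning", "no default-src or script-src: script loading is unrestricted"))
    return findings
```

Run it on the exact string you intend to paste into Shield; treat every “error” as a rule the browser will drop or misread, and every “warning” as a deliberate decision you should be able to justify for your site.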

#6: Redesign of Plugin/Theme Guard Scanner

The plugin/theme guard has been a great defence against modifications and intrusions made via plugins and themes. It helps detect malicious intrusion earlier.

But there were some problems with the original scanner which we’ve tried to overcome in this release. Most notably:

Scan depth was limited

We’d provided an option to limit the depth (the number of directories) into which the scanner would look. This was to keep both memory usage, and scan times, as low as possible.

Our recent scanner developments mean that we can do away with this limitation. We’ve removed the scan depth option and examine all files within the entire plugin and theme folders.

Capturing file signatures was problematic

Before a plugin directory can be scanned, we had to build “original” checksums so that we had a baseline to compare against. For whatever reason, these baseline builds wouldn’t always fire, and the stored checksums drifted out of sync with the files on disk.

We’ve now simplified this so that checksums get built each time there’s a change in a plugin version. It’s not infallible, but we’re striking a balance between reliability and usability. If something is buggy and unreliable, then you won’t use it in the first place.

As our efforts to get premium plugin and theme developers onboard (as outlined above) continue, we can adjust this behaviour and keep improving our approach.
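
As an added illustration of both #1 (checking files against a vendor’s published checksums) and the rebuilt guard described here (a self-generated baseline, re-recorded whenever the plugin version changes), the Python below is example code, not Shield’s or WPHashes.com’s own. The plugin tree and checksum manifest are constructed in a temporary directory; ACF Pro’s real files and checksums are not involved, and the function and class names are assumptions.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every regular file under root ('/'-separated relative path) to its MD5 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            md5 = hashlib.md5()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    md5.update(chunk)
            digests[rel] = md5.hexdigest()
    return digests


def compare(trusted, current):
    """Diff a trusted manifest against the live tree.

    Files the manifest doesn't list are reported as 'unexpected': a file
    dropped into the plugin directory is as interesting as a changed one.
    """
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "unexpected": sorted(p for p in current if p not in trusted),
    }


class BaselineStore:
    """Self-generated baselines keyed by plugin version, as the 8.5 guard does:
    the first scan of a new version records the tree as it stands and reports nothing."""

    def __init__(self):
        self._baselines = {}  # slug -> {"version": ..., "hashes": ...}

    def scan(self, slug, version, root):
        entry = self._baselines.get(slug)
        if entry is None or entry["version"] != version:
            self._baselines[slug] = {"version": version, "hashes": hash_tree(root)}
            return {"baselined": True, "modified": [], "missing": [], "unexpected": []}
        return {"baselined": False, **compare(entry["hashes"], hash_tree(root))}


def write_file(root, rel, text, mode="w"):
    """Helper for the constructed fixture: write (or append to) a file by relative path."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(text)


def make_fixture():
    """Constructed sample plugin tree (not real ACF Pro files). The manifest is
    captured from the pristine tree and stands in for a vendor-published list."""
    root = tempfile.mkdtemp(prefix="plugin-")
    write_file(root, "acf.php", "<?php\n// plugin bootstrap (constructed sample)\n")
    write_file(root, "readme.txt", "Stable tag: 5.8.7\n")
    write_file(root, "includes/api.php", "<?php\nfunction acf_api() {}\n")
    return root, hash_tree(root)


def tamper(root):
    """Simulate an intrusion: alter a shipped file, delete one, and drop in a new one."""
    write_file(root, "acf.php", "// line appended after install\n", mode="a")
    os.remove(os.path.join(root, "readme.txt"))
    write_file(root, "includes/dropped.php", "<?php\n// not part of the release\n")


if __name__ == "__main__":
    root, manifest = make_fixture()
    tamper(root)
    print(compare(manifest, hash_tree(root)))
```

Two things the example makes concrete. First, a scan against a trusted manifest should report files the manifest doesn’t know about, not only changed ones; a dropped file is exactly what an intrusion leaves behind. Second, the version-keyed baseline has the blind spot that “not infallible” concedes: whatever is on disk when a new version is first seen becomes the baseline, so a modification made during or alongside an update is absorbed rather than reported. Vendor-published checksums close that gap, which is why getting premium developers onboard matters. MD5 is adequate for spotting modification by someone who can’t also alter the published manifest, so fetch the manifest over HTTPS from the vendor and not from the site being scanned.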

#7: Whitelist Paths Against IP Blocking

We recently needed to whitelist the license-checking API on our own site so that it wouldn’t block servers that were checking for a license.

For some reason, certain sites would trigger the blacklist while looking for a license, and this would then prevent them from checking licenses at all.

We wanted a way to whitelist all requests to our license-checking API endpoint while keeping security in place everywhere else. To do this, we added an option to Shield that lets you whitelist any path you choose.

This is a powerful option and should be used with great care: any request to a whitelisted path is exempt from IP blocking, whoever sends it.

Other Noteworthy Improvements To Shield Security 8.5

There are many changes in this release, so we’ll summarise the biggest ones here:

Redesign of Scan Results Tables

The tables for showing results have been greatly simplified. We’ve also combined the results of all file scanners, rather than having separate tables.

Fixed two bugs with Two-Factor Authentication (2FA)

We discovered two bugs in Shield’s 2FA login page. One allowed certain requests to bypass the 2FA confirmation page, while the other was a redirection bug that completely broke 2FA login confirmation requests, preventing users from completing their logins.

Better detection of Server IP addresses

One of the hardest things we do is detect a visitor’s true IP address. It’s an art in many cases, not an exact science. Part of the process involves detecting the server’s own IP address so as to eliminate it completely from the list of possibilities. The changes in this release improve this process further, and add support for IPv6 server addresses.
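
An added example, not Shield’s code, of the approach described above in Python: candidate addresses from the request environment are filtered so the server’s own IPv4 and IPv6 addresses are never chosen, and, because forwarded headers are attacker-writable, the chain is only consulted when the direct peer is a proxy you trust. The sample environments and the proxy ranges are constructed for the example.

```python
import ipaddress


def parse_ip(text):
    """Parse an IPv4/IPv6 literal (brackets and whitespace tolerated); None if invalid."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None


def visitor_ip(environ, own_addresses, trusted_proxies=()):
    """Pick the visitor's address from a CGI-style environ.

    REMOTE_ADDR is the only value the TCP layer vouches for. Only when it is a
    trusted proxy do we consult X-Forwarded-For, and then from the right (the
    hop nearest us), skipping trusted proxies and the server's own addresses
    (IPv4 or IPv6) so they can never be mistaken for the visitor.
    """
    own = {ip for ip in map(parse_ip, own_addresses) if ip is not None}
    proxies = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_proxy(ip):
        return any(ip in net for net in proxies)  # version mismatch simply yields False

    remote = parse_ip(environ.get("REMOTE_ADDR", ""))
    if remote is None:
        return None
    if not is_proxy(remote):
        return remote  # direct connection: any forwarded header is attacker-controlled
    hops = [parse_ip(h) for h in environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop is None:
            return remote  # malformed chain: fall back rather than guess
        if hop in own or is_proxy(hop):
            continue
        return hop
    return remote
```

The order matters: walking the chain from the left would let a visitor prepend any address they like, so the first untrusted hop from the right is the only defensible choice, and a server that forgets its own IPv6 address will happily “detect” itself as the visitor.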

Comments, Questions and Suggestions

There are many changes in this release and certainly something for everyone. If you have any questions, then it’s likely someone else has the same one – post it below and we’ll get right back to you, and update the article if it’s needed.

As always, we appreciate your continued support.
