This release of ShieldPRO is our final release of the 9.x series and is focused on ironing out some of those niggling UI bugs and issues that affect some clients.
It also brings a neat, new feature that allows logged-in users to automatically unblock their IP address if they get locked out, for whatever reason.
#1 New: Automatic Unblock For Logged-In Users
Way back in February 2019, we added a feature to let any visitor automatically unblock themselves. Enabling this option adds a GASP checkbox to the Shield IP block page which users can check to remove their IP address from the blocklist.
This is useful since legitimate visitors can unwittingly block themselves if they repeat an action that you’ve deemed to be an offense against the site. An example of this is repeatedly trying to login using an old password. It happens.
This new feature can be found under the Block Bad IPs/Visitors > Auto Blocking Rules section. It's a bit different in that it only applies to users that are currently logged in. Here’s how it works:
- User is working on the site (such as an admin) and they trigger Shield’s defenses and their IP gets blocked.
- They’re presented with Shield’s “Your IP has been blocked” page.
- They can click a button to have Shield send a “magic unblock URL” which, when clicked, will automatically remove their IP from the block list.
Here’s a screenshot of how that looks in practice.
Why is this useful? Because it reduces the admin load for the site’s security administrator. If an admin gets blocked, they can unblock themselves and then report the issue, thereby reducing the lost time and frustration they’d otherwise experience waiting on having their IP unblocked.
There are a couple of important points to note here (that are also explained to the user – see screenshot)
- This unblocking link can only be used once in any 60 minute period.
- The link to unblock the IP must be opened in the browser window where the user is logged in.
- Your WP website must be configured to send emails reliably.
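The constraints above (one link per 60 minutes, redeemable only from the browser where the user is logged in) can be modelled as a single-use token bound to the blocked IP and the user's session. The PHP below is an added illustration, not ShieldPRO's code; the class name, token format, in-memory storage and the reading of the 60-minute rule as a per-IP issuing cooldown are assumptions made for the example.

```php
<?php
// Added illustration, not ShieldPRO code. All names here are hypothetical.
final class UnblockLinkSketch
{
    const COOLDOWN = 3600; // "once in any 60 minute period"
    private $secret;
    private $lastIssued = []; // IP => time a link was last sent (a real site persists this)
    private $pending = [];    // IP => the single outstanding nonce

    public function __construct(string $secret) { $this->secret = $secret; }

    // The MAC binds the nonce to the blocked IP and to the requester's login session.
    private function mac(string $nonce, string $ip, string $sessionId): string
    {
        return hash_hmac('sha256', $nonce . '|' . $ip . '|' . $sessionId, $this->secret);
    }

    // Returns the token to put in the emailed URL, or null while the cooldown runs.
    public function issue(string $ip, string $sessionId, int $now)
    {
        if (isset($this->lastIssued[$ip]) && $now - $this->lastIssued[$ip] < self::COOLDOWN) {
            return null;
        }
        $nonce = bin2hex(random_bytes(16));
        $this->lastIssued[$ip] = $now;
        $this->pending[$ip] = $nonce;
        return $nonce . '.' . $this->mac($nonce, $ip, $sessionId);
    }

    // True only for the outstanding token, presented from the same IP and session.
    public function redeem(string $token, string $ip, string $sessionId): bool
    {
        $parts = explode('.', $token, 2);
        if (count($parts) !== 2 || !isset($this->pending[$ip])) {
            return false;
        }
        // Constant-time comparisons avoid leaking how much of the token matched.
        $ok = hash_equals($this->pending[$ip], $parts[0])
            && hash_equals($this->mac($parts[0], $ip, $sessionId), $parts[1]);
        if ($ok) { unset($this->pending[$ip]); } // single use
        return $ok;
    }
}
// Constructed sample values: documentation IP, made-up session ids and secret.
$links = new UnblockLinkSketch('constructed-secret-for-demo');
$t = $links->issue('203.0.113.7', 'session-A', 1000);
var_dump($links->issue('203.0.113.7', 'session-A', 1600)); // second request inside the cooldown
var_dump($links->redeem($t, '203.0.113.7', 'session-B'));  // link opened in a different session
var_dump($links->redeem($t, '203.0.113.7', 'session-A'));  // link opened in the logged-in browser
var_dump($links->redeem($t, '203.0.113.7', 'session-A'));  // same link clicked again
```

Binding the token to the session is what makes a forwarded or intercepted email useless on its own: whoever opens the link also needs the logged-in user's session cookie.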
#2: Better Integration with WordPress 5.5 Automatic Updates
WordPress 5.5 added enhancements to the WordPress Background updates system – more specifically, to plugins and themes.
The more features they add, the more that we can remove from Shield as some of ours become redundant. The changes we’ve made in this release pertain to the emails that are sent from WordPress when an automatic upgrade has been performed.
The email address setting for notifications in Shield now also applies to plugin/theme upgrades (not just WP Core). And, if you’re running WordPress 5.5, Shield no longer sends its own notification email at all and instead hands responsibility for this over to WordPress itself.
#3: WP Fastest Cache Integration
Our feelings on Page Cache for WordPress are no secret – we really don’t like it.
However, folk still love to use it and they run into trouble more often than we’d like. One of the plugins that causes most grief for us is WP Fastest Cache. I’m sure it does a wonderful job, but until now it has offered little or no ability to integrate with it – i.e. tell it not to cache a page.
It seems they added the option to do this, so we’ve applied this to Shield and hopefully it will help. I can’t honestly say whether it does or not as we couldn’t verify it. But the code is in there nevertheless.
#4: Improvements for Shield’s Admin Page Loading
Shield’s admin pages load over AJAX in many areas – this helps reduce the need to completely reload your WordPress admin. It’s faster, and more efficient.
But, it can break more easily. This happens when other plugins/themes on the site output errors, or PHP notices. With this release, we’ll hopefully reduce the cases where this is a problem for you with some mitigating code against this problem.
If you see the Shield admin pages looking strange, or not loading properly, please report this to us – we can usually dig to the root of the issue and even reach out to the offending plugin developer to have them fix their code.
#5: Auto-Delete Useless WordPress Files
This isn’t so much a security feature, but an “obscurity” / cleaning assistant.
Each time WordPress upgrades, it leaves us with yet another wp-config-sample.php file. We don’t want it, or need it, sitting on our WP sites, so we added this feature to Shield to automatically clean it out when it’s discovered.
It’ll also delete the files:
licenses.txt found in the WordPress root directory.
You’ll find this setting under the WP Lockdown > Obscurity section.
#6: Ending Support For PHP 5.x
We outlined some time ago that we’ll be moving ShieldPRO to PHP 7.0+ only.
9.2 is the last major release of the 9.x series and so going forward, from Shield 10 onwards, we’ll only support PHP 7.0+ installations.
We appreciate that this may cause some inconvenience for you for certain sites, but the upgrade from PHP 5 to PHP 7 isn’t as scary and problematic as you might think at first.
We’re getting ever closer to the release of PHP 8 in the Autumn which will further complicate code development that supports all PHP versions, so we must make the switch as soon as possible.
Please feel free to reach out to us if you’d like some guidance and assistance in making the switch to PHP 7.
Numerous fixes and improvements
There are many smaller areas where we’ve fixed and improved things in the plugin that probably don’t warrant a full section all to themselves. But they’re still important.
- Improved detection of forceoff files in all their many guises.
- Reduce the chances that the File Locker will trigger an open_basedir warning.
- Session cookie renamed from
- Fix for MemberPress bug.
- Fix for WP-CLI PHP notices.
- Upgrade database to support larger counts for IP offenses.
- Upgrade Bootstrap library to latest available (v4.5.2)
Questions and Comments
We always appreciate your feedback through comments and suggestions either below or when you contact our helpdesk.
Please do feel free to leave us your thoughts in a comment below, or if anything is unclear let us know and we’ll update our article and documentation.
As always, thank you!