Shield Security v6.10 for WordPress released 15th October, 2018
This release delivers one of our most requested features, along with other great enhancements to improve your WordPress security and experience.
1) Two-Factor Authentication Recovery Codes
Two-Factor Authentication (2FA) is a powerful way to secure your WordPress login, while not adding too much complexity.
Simply put, 2FA is where you’re prompted for another piece of information in addition to your account password, when you log in.
An example is email-based 2FA. This is where, after you successfully log in, you’ll be sent a unique code by email. Only by providing this code to the site can you complete your login.
This secures your WordPress login because only you (should) have access to your email account.
But what happens when you temporarily can’t get to your email? Or perhaps your email provider is having delay/delivery issues? You’re basically locked out of your account, and until now you had very few options to work around it.
With 2FA Recovery Codes, you’ll have a special “code” that you can use to regain access to your account when your normal 2FA options aren’t available.
We go into this feature in much more detail here.
2) Custom Exclusion Rules For The Traffic Watcher
Being able to monitor the requests hitting your site helps work out what’s going on when you can’t “see” the traffic.
The ‘Traffic Watcher’ feature was released in Shield v6.9 and with this enhancement, we’ve provided an easy way to exclude traffic that you don’t want to see.
Shield already lets you exclude traffic that comes from official bots such as Google, Bing etc, and some uptime-monitoring services. But there’s no limit to the services available that can access your site, so the ‘custom exclusions’ option helps you filter out the specific services that you use.
3) Whitelist Official Web Crawlers and Bots
If Shield were to block legitimate web crawlers such as Google, this could present serious problems for websites and their search results (SERPs). Until now we’ve avoided trying to detect these crawlers since mistakes could be disastrous.
Web crawlers and spiders normally identify themselves by name. Google, for example, lets us know it’s them by using the name “Googlebot”. Bing uses the name “BingBot”.
So you might think that all we need to do is look at the name and whitelist it. It’s not that simple, because malicious bots would then just tell us they’re “Googlebot” too and bypass our defences.
To prevent this from happening, whenever a bot tells us it’s an official web crawler, Shield attempts to verify this to ensure that they really are who they say they are.
We’ve taken considerable time to find the most reliable (and efficient) way of detecting official web crawlers. “Won’t this slow down my site?”, you might ask.
There will be a tiny delay for the requests where a bot needs to be verified, but …
- Normal site visitors don’t present as search engines, so they’ll never need to be verified and there’s no delay whatsoever.
- Shield only performs the checks if a visitor identifies itself as an official bot (one that we can actually verify – see below). This means that if a bot isn’t really who they say they are, they’ll always experience the delay, but we don’t care since they’re misrepresenting themselves.
- Shield caches the results of all successful checks so that future requests from the same sources don’t experience a delay.
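The check described above, as an added Python example that is not Shield’s own code (the post does not say which method Shield uses): the reverse-then-forward DNS verification that Google and Bing document for their crawlers, with a cache of successful results and no lookups at all for visitors that don’t claim to be a bot. The vendor domain table, IP addresses and DNS tables are constructed so it runs offline; the resolver functions are parameters so real `socket` lookups can be used instead.

```python
import socket

# Parent domains each vendor documents for its crawlers' reverse-DNS hostnames
# (constructed for this example; extend from the vendors' own documentation).
OFFICIAL_BOTS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

# (ip, bot name) pairs that already passed, so repeat requests from a verified
# source skip the DNS round trips; failures are deliberately not cached.
_verified = set()


def claimed_bot(user_agent):
    """Return the official bot name the User-Agent claims, or None."""
    ua = user_agent.lower()
    return next((name for name in OFFICIAL_BOTS if name in ua), None)


def is_verified_crawler(ip, user_agent,
                        reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """Reverse-then-forward DNS check: the PTR of the IP must end in the claimed
    vendor's domain AND the forward lookup of that hostname must give back the
    same IP. Visitors that claim no bot identity are never looked up."""
    name = claimed_bot(user_agent)
    if name is None:
        return False
    if (ip, name) in _verified:
        return True
    try:
        host = reverse(ip)[0].rstrip(".").lower()
        if not any(host == d or host.endswith("." + d) for d in OFFICIAL_BOTS[name]):
            return False  # PTR points outside the vendor's domain
        if forward(host) != ip:
            return False  # anyone can set their own PTR; the A record must agree
    except OSError:  # socket.herror / socket.gaierror on lookup failure
        return False
    _verified.add((ip, name))
    return True


# Constructed DNS tables so the example runs offline: one genuine-looking
# Googlebot address, and a spoofer whose PTR names a googlebot.com host.
_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
        "203.0.113.5": "crawl-66-249-66-1.googlebot.com"}
_A = {"crawl-66-249-66-1.googlebot.com": "66.249.66.1"}
def fake_reverse(ip): return (_PTR[ip], [], [ip])
def fake_forward(host): return _A[host]
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
```

The spoofer in the constructed table passes the reverse step but fails the forward step, which is why both lookups are needed before a request is whitelisted.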
So which official web crawlers do we support? (i.e. which bots we can verify)
Future Plans For Shield’s Web Crawlers Support:
Depending on how well this enhancement works, we’ll look at using the transgression system to black-mark, and eventually block, all web crawlers that misrepresent themselves.
Simply put, if a bot presents itself as “Googlebot”, but we check and find that it isn’t, we can kill the request and eventually block the bot altogether.
4) Many More Enhancements
We’ve improved many aspects of Shield, including:
- White Label: You can now provide a banner logo for the two-factor authentication landing page.
- White Label: You can now provide site-relative URLs for images.
- Major under-the-hood refactoring of the 2FA system with some critical bug fixes.
- Improved Audit Trail entries for 2FA events.
- Security Admin restrictions that prevent modifying administrator users are much improved.
- All Shield cookies default to Secure-only for HTTPS sites.
- Fix for GASP login checkbox for particular scenarios.
Questions & Comments
We’re on a mission to make your WordPress security easier and more powerful, while minimising the complexity that comes with it.
We trust our improvements and enhancements are simplifying your WP security work, but if you have any questions or comments, please leave them below.