WordPress security is a massive topic and, depending on who you talk to, you’ll get wildly different opinions on what you should do to protect your WordPress sites. There are even huge differences of opinion between organisations that work within the WordPress security space itself.

Not only that, as we’ve often discussed, security isn’t “one-size-fits-all”. Security rules that may work well on one type of site (e.g. e-commerce) may have absolutely no significance on a totally different type of site (news/blog).

This presents the following challenge for developers of WordPress security software:

How can we provide security options for all possible customer requirements?

Until now, no WordPress security vendor has been able to meet this challenge.

The formula for WordPress security plugins is the same as that for every other WordPress plugin – provide lots of options pages and ask admins to switch them on/off, as desired. If a particular option/scenario hasn’t been catered for, customers can make feature requests and hope they get added.

But this approach can’t address all possible options that admins need to secure WordPress effectively.

Shield itself has many options pages. If we were to offer options for every feature request we’ve been asked for, it’d be 3 or 4 times the size.

But what if there was another way; an alternative to infinite security options?

What if you could create your own security rules?

What if, like a gourmet chef, you could mix your own ingredients together to design WordPress security rules to do exactly what you need them to do?

Now you can!

With ShieldPRO 19 you’ll have exclusive access to design your own custom security rules with our brand new WordPress Security Rules Builder.

What Is Shield’s Custom Security Rules Builder?

It’s all in the name – Shield’s custom security rules builder will let you design and build (almost) any security rule you want.

A Security Rule is simple. It works like this:

IF {{ certain conditions are met }} THEN {{ take specific actions }}

Here are some rules that Shield already provides for you, although you normally think of them as options in the plugin…

Disable XML-RPC Option, As A Rule

Shield Option:


IF:

  • Request is sent to the XML-RPC endpoint

THEN:

  • Ensure the XML-RPC response is disabled
  • Trigger an “offense” against the IP address that made the request

Detect Fake Web Crawlers, As A Rule


IF:

  • Requester identifies as Googlebot
  • Shield verifies it and determines it to be fake

THEN:

  • Trigger offense against the IP address; increment counter by 2.

Block IP Address With 10 Offenses, As A Rule


IF:

  • Current visitor has triggered 10+ offenses

THEN:

  • Kill the request with Shield’s IP Block Page.

How Does The Custom Rules Builder Work?

Building custom security rules can be complex – this should only be done by someone familiar with it and its implications. If you want to learn how to use it, you’ll need to take time to get to know it and understand how it works.

We’ll provide further articles in the helpdesk, but for now we’ll outline how it might work with a demo video, below.

Here are some important points you should always bear in mind when designing your security rules:

  1. Always, always include the option to honour Shield’s existing whitelisting rules and exceptions. This is a critical component. If you don’t include this option, you won’t be able to use things like ‘forceoff’ to get back into the plugin if you lock yourself out.
  2. You can create unlimited security rules, so don’t try to do too much with a single rule.
  3. Wherever possible, design each rule to do a single job based on a set of conditions, and no more.
  4. The conditions you choose for your rules are critical. You must always remember that Shield can’t know what you want, except for what you tell it, so your rules must be highly targeted and specific.
  5. Here are some conditions you should nearly always put in your rules (where it makes sense):
    • Is the visitor logged-in?
    • Is the request to the WordPress admin area?
    • Is the request an AJAX request (or not)?
    • Is the request GET or POST?
    • Is it a WP Cron job request (or not)?
    • Is the request originating from a valid public IP address?
  6. If you choose to create a rule that redirects a request, use a 302 (instead of 301) status code until you’re absolutely confident it works as intended. In this way browsers won’t cache an invalid redirect.
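
The three example rules above and point 1 of this list, modelled as an added Python example (this is not Shield's code; every class, field and action name is hypothetical, the whitelist is reduced to a set of IP addresses, and the crawler verification result is assumed to be supplied). It shows how the same rules lock out a whitelisted address once the whitelist check is left out.

```python
from dataclasses import dataclass, field

OFFENSE_LIMIT = 10  # the page's "10+ offenses" threshold

@dataclass
class Request:
    ip: str
    path: str = "/"
    user_agent: str = ""
    crawler_verified: bool = False  # assumed result of a separate bot check

@dataclass
class Rule:
    name: str
    conditions: list               # IF: every predicate must hold
    actions: list                  # THEN: run in order
    honour_whitelist: bool = True  # point 1 from the list above
    stop: bool = False             # terminal rule, e.g. the block page

@dataclass
class Engine:
    rules: list
    whitelist: set = field(default_factory=set)
    offenses: dict = field(default_factory=dict)

    def offend(self, req, n=1):
        self.offenses[req.ip] = self.offenses.get(req.ip, 0) + n
        return f"offense+{n}"

    def handle(self, req):
        """Evaluate every rule; return the results of the actions that ran."""
        results = []
        for rule in self.rules:
            if rule.honour_whitelist and req.ip in self.whitelist:
                continue  # whitelisted visitors bypass this rule
            if all(cond(self, req) for cond in rule.conditions):
                results += [act(self, req) for act in rule.actions]
                if rule.stop:
                    break
        return results

def build_engine(whitelist=(), honour_whitelist=True):
    hw = honour_whitelist
    return Engine([
        Rule("block-ip", [lambda e, r: e.offenses.get(r.ip, 0) >= OFFENSE_LIMIT],
             [lambda e, r: "block-page"], hw, stop=True),
        Rule("xmlrpc", [lambda e, r: r.path == "/xmlrpc.php"],
             [lambda e, r: "xmlrpc-disabled", lambda e, r: e.offend(r)], hw),
        Rule("fake-crawler", [lambda e, r: "Googlebot" in r.user_agent,
                              lambda e, r: not r.crawler_verified],
             [lambda e, r: e.offend(r, 2)], hw),
    ], set(whitelist))
```

Calling `build_engine(whitelist={...}, honour_whitelist=False)` and sending ten XML-RPC requests from the whitelisted address reproduces the lock-out that point 1 warns about.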

What If A Custom Security Rule Locks You Out?

As always, when you get locked out by the Shield plugin, you have the ability to get back into the site easily via FTP.

But this will only be the case if you’ve taken heed of point #1 above when creating the security rule.

Custom Security Rules are a powerful way of controlling site security, but if you create a dysfunctional rule you’ll need to be comfortable with how to regain access.

What Support Does The Shield Team Offer For Custom Security Rules?

The Shield support team is always on-hand to provide help to you, but to clarify, these should be your guidelines when you consider asking us for support:

  • If you’ve found a bug in the custom rules system, please let us know. We fully support the rules system to work as described. Bugs are never good, so please tell us what you find.
  • When contacting us for support for any issue that doesn’t directly involve custom rules, we’ll ask you to disable all custom rules while we work with you to resolve the issue.
  • We don’t directly support any custom rules you’ve created, or desire to create. You’ll need to design and build the rules yourselves. You can certainly ask for guidance and clarification (and we’ll likely use this to refine our documentation if it’s unclear), but we won’t build, or help you build, custom rules.
  • We will provide demos & examples of rules that you can create on your site, but these are suggestions only, and should only be used after careful consideration of the impact on your site.

Where Can We See Some Examples Of Custom Security Rules?

Creating custom security rules can be confusing… it’s a complex system, so it’s not trivial to design and build your own security rules.

We think one of the best ways to get familiar with it is to watch demonstrations of rules being created for specific purposes.

This is why we’ve created a dedicated section in the Helpdesk called The Custom Rules Cookbook – a collection of “recipes” for creating your own rules. By watching and following along with the videos, you’ll be able to understand how rules can be constructed to meet a wide variety of challenges.

At the time of writing we’ve already provided some recipes, which you can see below:

Future Plans For The Custom Security Rules System

The plan is to make a library of custom rules available for download – you’ll eventually be able to browse new rules and apply them to your site. This would be a bit like selecting options as you currently do, but instead you’ll have access to a remote library of custom built rules to pick and choose from.

We’ll also be looking to use the custom rules system to supply automatic Firewall updates. We have much more planned for Shield’s Firewall, but this newer system will provide the foundation.

We also want to make it easier to import/export rules within your Shield Network – so that all your client sites will automatically download rules from your Master Site. There is quite a bit more work to do on achieving this, but we’re closer than ever.

How To Get Shield’s Custom Security Rules Builder

The Rule Builder will be available with ShieldPRO 19, which will be released within the week. It’s only available to our premium members.

We hope you’ll see the power that the custom rules system offers, and that you’ll grab the opportunity to take more control over your WordPress security. Never before have WordPress admins been given so much power over their site security, and we’re excited to see where it leads!