June 21, 2015 by Paul G. | Migrated, Shield Security

Further WordPress Admin Access Lockdown

Shield Image

For a long time now our Shield Security plugin has had a unique ability to protect itself from intruders. We called this module ‘Security Admin’.

We’ve been working on extending this feature so that you may in-fact lock down certain elements of your WordPress site, not just your security plugin, from other Administrators. This in-effect will make the administrator of the security plugin a “Super Administrator”.

What does Security Admin feature do?

The Security Admin feature of our Shield Security plugin is unique among WordPress plugin in that it allows you to not only setup your WordPress site security, but it allows you to secure the very plugin that implements this security.

Think of it like you’ve wrapped a padlock-chain around your website. It’s very secure now, but the padlock is exposed. Admin Access Restriction jams glue into the padlock preventing any one from getting to the lock itself to undo your chains.

We highly recommend you enforce this feature on all sites where you use our plugin.

What are the new extensions to the Security Admin feature?

With these extensions, you will be able to lock down admins, plugins, themes, posts, and pages.

When you use the admin access restriction module, you will have the added option to select certain, key actions relating to these areas and prevent any other users, even administrators, from accessing them.

What does this mean?  It means, for example, if you were to restrict plugin updates, no other user except an administrator with the Admin Access PIN may perform any actions on your site pertaining to plugin updates.

What exactly can be restricted?

With the Shield Security plugin, the follow areas and associated actions may be restricted:

WordPress Options

  • This will restrict the ability of WordPress administrators from changing key WordPress settings.
    We go into further details on this here.

Admin Users

  • This will restrict the ability of WordPress administrators from creating, modifying or promoting other administrators.

Plugins

  • Activate – restricts plugin activation/deactivation
    Note: Enabling ‘Activate’ restriction will restrict all other plugin actions
  • Update – restricts plugin updates
    (with this option selected, you can also hide vulnerable plugins from the non-security admins)
  • Install – restricts installation of plugins
  • Delete – restricts deletion of plugins

Themes

  • Activate – restricts theme activation/deactivation
  • Edit Theme Options – restricts editing key Theme options
    Note: Enabling ‘Activate’ and ‘Edit Theme Options’ restrictions will restrict all other plugin actions
  • Update – restricts theme updates
  • Install – restricts installation of themes
  • Delete – restricts deletion of themes

Posts & Pages

  • Create / Edit – restricts the creating of drafts and editing of any posts and pages
  • Publish – restricts the publishing of any new posts and pages drafts
  • Delete – restricts deletion and undelete of posts and pages

How to access this feature

These are extensions to the Security Admin feature and may only be enabled for sites where admin access is active or activated.

Please see the screenshot below for how to access this:

Security Admin Access Restriction Extensions
Security Admin Access Restriction Extensions

What do you think?

Let us know what you think of this feature in the comments below – we’re keen to here your thoughts on this and what more you’d like to see in the plugin.

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials
@mikyo's Gravatar @mikyo

Easy to setup

Easy to setup and easy to use.

@pocbooks's Gravatar @pocbooks

Does what it says

One of the best!

@michaldunaj's Gravatar @michaldunaj

Great plugin

All the security options you can imagine + setup is really simple & easy, you don´t need to be expert to secure your website from all the bad internet things. Yes, and it´s FREE! I would suggest to display the firewall badge on your website – it gives visitors confidence…

@goldsmyth's Gravatar @goldsmyth

Essential plugin for any WP install

Met the folks behind this plugin at a recent WordPress meetup and have been using it on my WP installs ever since. The range of customisation and features is simply excellent. If you’re an expert, or if you’re new to security, the plugin can be as broad or precise as…

Comments (5)

    Hi

    Thanks for this amazing and awesome plugin you give free to us all!

    Will this option mentioned here make it impossible for me as superadmin to edit content on the site, install/delete plugins and so forth unless I am logged in and ‘open’ with admin access password?

    What regarding auto-update settings which I enabled – will this option here cancel updates? – this confuses me!

      Eileen,
      I just enabled this. Right, it restricts ALL admins, but all I need to do as the super-admin (admin of all admins) is type in the key, and then I can do whatever I need to do just like before I enabled the Admin Access Lockdown.

      I don’t know about the auto-updates and whether it makes a difference whether the auto-update is set on the plugin’s/theme’s settings in the site, or whether the auto-update is set via iControlWP (the most awesome WP-site management system which is made by these guys, the same who make the Simple Firewall plugin).

      I bet they’ll clarify this here for everyone. Thanks, guys!

        Eileen, Lynn,

        The automatic updates system is WordPress-controlled and run on a WordPress cron. The Security admin access shouldn’t affect this. If you have enabled automatic updates, but restricted the system using the admin access and you find it’s not working as it should, please let me know in the support forums.

        To your first question, if you enable this Security Admin system and lock-down any features, then you must, as an administrator or not, authenticate with the Security Admin system before you can make changes to the zones that have been restricted.

        Let me know if it’s still unclear and I’ll elaborate further on areas you need.
        Thanks!

    The Themes lockdown feature is nice, but it also blocks access to the Navigation Menus menu (and the Customizer for people who use that monstrosity). Could you indicate which option under Themes is responsible for blocking the access to Navigation Menus please?

      Hi Pieter,

      The option is “Edit Theme Options“. If you disable it, access to the Navigation Menu/Customizer will be permitted.

      Let us know if you have any further questions on this.

      Thanks,

      Jelena

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese