October 2, 2015 by Paul G. | Migrated, Shield Security

Lock Down Important WordPress Options

Shield Image

Have you ever had your site hacked or seen a hacked site where the title of the site and various other options have been changed and you’ve no idea how?

Following a suggestion from one of our Shield Security users, we’ve added a feature that let’s you lock down certain key WordPress site options to help prevent their authorized modification.

This short article will outline which options are restricted and how the feature works.

Which WordPress Options Have Been Restricted?

We picked a select number of WordPress options that we believe would benefit from a little extra administrator control.

In the spirit of keeping things simple, we have not provided the option to customize which WordPress options are locked down and which aren’t.  We have selected what we feel are the most critical; options that shouldn’t ever need to be changed unless the underlying functionality or purpose of the site is changing.

So which options are restricted?

  • WordPress Address URL
  • WordPress Site URL
  • Site Title
  • Site Tagline
  • Administrator email address
  • Membership – can new users register
  • Email Me – whenever someone posts a comment
  • Before a comment appears – comment must be manually approved

If you’re running a WordPress WPMS site, the only options that are restricted apply to the Network Administration Area:

  • Administrator email address
  • New Site Registrations
  • Site Title

How Does The WordPress Options Restriction Work?

A couple of month ago we released extensions to the Security Admin access restriction feature. These extensions let you to lock down certain actions pertaining to plugins, themes etc. This feature is an option within the same Security Admin module.

Security Admin WordPress Restrictions Options

It works by analysing all attempts to update the values of those particular options and prevents them changing if the current users isn’t authenticated with the Shield Security.

When the option is active, and you load one of the WordPress admin pages, you will see warnings about how the options are restricted.  See the screenshot below as an example:

Shield Security WordPress plugin Security Admin WordPress Options Restriction
Screenshot: WordPress Options Restriction

Note: Even if a user “by-passes” the Javascript-based UI restrictions (which isn’t hard to do) placed on these options, they still cannot change them – we block it in the code right where WordPress saves the option.

How To Unlock Editing These Restriction Options

There are 2 paths to unlocking these options.  The simplest is to do so directly on the options screens themselves by clicking the ‘Unlock’ link.

When you click the ‘Unlock’ link a small dialogue window will open up and prompt you for your Security Admin Access PIN.  Entering your PIN will cause the page to reload if it is successfully verified.

The alternative option is to browse to any of the Shield Security options screens and enter your key in the prompt provided. Then you just need to browse back to the original WordPress options screen and you’ll be permitted to change them.

How To Turn On The Options Restriction Feature

When you first install the plugin, this feature is not enabled by default – you must first enable the ‘Security Admin’ module:

Shield Security WordPress plugin enabling Security Admin WordPress Options Restriction
Enabling The WordPress Options Restriction

With this module enabled and the corresponding option checks, all attempts to change the protected WordPress options will be blocked unless the administrator user has authenticated with this Super Admin system.

Other options or suggestions?

If you feel there are other options that should be restricted or blocked, please do let us know. Leave us a comment below or in the WordPress.org support forums.


ShieldPRO Testimonials
@mcarpint's Gravatar @mcarpint

Best Security Plugin

The features from this plugin are well worth any investment. My sites have seen a dramatic reduction of attacks thanks to this plugin. Love it!

@christree's Gravatar @christree

This Plugin is Fantastic, and So Is the Support!

This simple, easy to configure plugin is fast becoming my go-to solution for securing WordPress sites for our clients. It has tons of great features and has been error free while keeping the internets most nasty out. I highly recommend this excellent plugin. I want to also mention the fantastic…

@hbk747's Gravatar @hbk747

Amazing plugin!

Hello all. I am Sarmad. I just wanted to rave a bit about Shield! I have used other plugins and found this to the best security plugin. Easy to use and has so many features from a firewall to bad bot blocking, from rate limiting to log in security. I…

@dmitpo's Gravatar @dmitpo

Simple and powerful plugin!

I’ve recently installed Shield and so far I’m pretty happy with it. IMHO a great addition to the security bundle for every wp site.

Hey there gorgeous! Do you like what you've read here? :)

If this cool feature is something you'd like, but you haven't gone PRO yet, click here to get started today. (no risk, with a 14-day satisfaction guarantee!)

You'll get all PRO features, including Malware Scanning, WP Config Protection, Plugin FileGuard, import/export, customer support, and so much more. Not only that, you'll get that warm, fuzzy feeling that comes from supporting our work and future development.

Follow Your Dreams (and go pro) →

Comments (2)

    Richard Hackathorn

    I have lost my Security Admin Access Key for Shield, hence I can not change any of Shield parameters. However, I have full access as Admin and SFTP. How do I recover this Security Admin Access Key? Richard

      Please see the guide laid out here on how to regain access to the plugin and to then let you reset your key: https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959

Leave a Reply to Richard Hackathorn Cancel reply

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese