ShieldPRO 19.0 delivers on our commitment to empower admins to take control of their WordPress security, by providing the tools to create any security rule you’ll ever need.
Along with our Custom Security Rules Builder – we’ve refined many other areas of the plugin. Read on to discover everything that’s new and improved.
#1 DIY WordPress Security – Build Your Own Security Rules
We’ve gone into detail about Shield’s new Custom Security Rules Builder in this earlier article. We encourage you to read that article and to watch the video below. Building custom security rules for WordPress can be complicated, but once you see how it’s done, you’ll have the power to customise your WordPress security in any way you wish.
#2 Support for ShieldPRO Extensions
Until now we’ve included everything for ShieldPRO within the same plugin. This makes it easy to keep Shield up-to-date and means you have only 1 plugin to manage. Some premium plugins prefer to offer separate addons/extensions, but we find this adds more work for admins.
However, there are some features that we feel are better suited to Extensions. The main reason for providing an extension instead of integrating the feature directly is that such features aren’t required, or desired, by all administrators.
One such feature is IP Geolocation.
With our latest ShieldPRO release, we’ve offered access to basic Geo-location data (via CloudFlare) directly within the plugin. However, the functionality is limited to only “country codes”, and only if you’re serving your site behind CloudFlare. Since there’s normally a cost to running Geo IP services on a WordPress site, we don’t feel that providing such features within the main ShieldPRO plugin is the best way to go.
We hope to provide an IP Geolocation Extension for ShieldPRO in the coming months.
#3 Protection Against WordPress Session Hijacking & Theft
There’s a lot of talk about how WordPress vulnerabilities within plugins and themes can leave your site at risk of being compromised.
The simplest protection against this vulnerability is to keep your plugins up-to-date as much as possible, and perform daily (at least) vulnerability scans using ShieldPRO. Then you must immediately upgrade vulnerable items, or remove any that don’t have updates available.
But an often overlooked WordPress vulnerability is the huge risk from session hijacking. Session hijacking is when an existing WordPress user (or admin) session is stolen or taken over by someone else.
How on earth could that happen, you might wonder?
To understand the answer to this, you need to understand a bit more about how sessions work for WordPress. Full details of this topic are beyond the scope of this article, but basically every time you log into WordPress, you get a cookie set in your web browser that “tells” WordPress who you are (the user) and that you’ve correctly authenticated with the site.
But if you were to copy these cookies from one browser to another, then you’d be logged in on that other browser, too. This means that someone who steals your browser cookies could potentially gain administrator access to your site.
It’s not trivial to steal browser cookies, but it’s not impossible. Here are a few ways it can happen:
- Non-HTTPS Traffic – if you’re accessing your WordPress site over plain HTTP rather than HTTPS, you’re open to traffic sniffers that can grab your cookies in transit. (Of course, your username and password are vulnerable to the same risk!)
- Local Malware Infections – if your computers/laptops/phones are infected with malware, it could steal your cookies, which can then be sent anywhere and re-used to gain unauthorised access to the site.
- (Compromised) Forward Proxies – if you use certain types of forward proxies to access the internet (e.g. in your corporate office) and one of them is compromised, the details of your web requests (including cookies) can be stolen.
So how can we mitigate the risk of stolen cookies using ShieldPRO?
The simplest way is to “lock” a user’s session to certain properties present at the moment of login.
One of these properties is the IP address of the user – we can direct ShieldPRO to check whether the IP address has changed each time the session is used, and if it’s different, destroy the session.
Another approach is to do the same for the user’s web browser. We identify the web browser by recording the “User-Agent” at the moment the user logs in.
ShieldPRO 19 offers both options, and you can choose to use one or all of them. To read more about this option, please see the associated helpdesk article here.
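As an added illustration of the session-locking idea described above (not ShieldPRO’s own code), the following shows how the same check can be built on WordPress’s session hooks: record the IP and a User-Agent fingerprint when the session is created, then destroy that one session if either differs on a later request. The `DEMO_` constants and `demo_ua_fingerprint()` helper are hypothetical names introduced for the example.

```php
<?php
// Illustrative session binding using WordPress's own session API.
// Hypothetical helper and option names; not ShieldPRO's implementation.

const DEMO_BIND_SESSION_TO_IP = true;  // mobile users on changing IPs may want this off
const DEMO_BIND_SESSION_TO_UA = true;

// Hash the User-Agent so the raw string is not stored alongside the session.
function demo_ua_fingerprint(): string {
    return hash('sha256', trim($_SERVER['HTTP_USER_AGENT'] ?? ''));
}

// 1. At login, WordPress lets us attach data to the new server-side session record.
add_filter('attach_session_information', function (array $session, $user_id): array {
    $session['demo_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    $session['demo_ua'] = demo_ua_fingerprint();
    return $session;
}, 10, 2);

// 2. On every request, compare the recorded properties with the current client.
add_action('init', function (): void {
    if (!is_user_logged_in()) {
        return;
    }
    $token = wp_get_session_token();             // token carried in the logged_in cookie
    if ($token === '') {
        return;
    }
    $session = WP_Session_Tokens::get_instance(get_current_user_id())->get($token);
    if ($session === null) {
        return;                                   // no server-side record to compare against
    }
    $ip_changed = DEMO_BIND_SESSION_TO_IP
        && isset($session['demo_ip'])
        && $session['demo_ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '');
    $ua_changed = DEMO_BIND_SESSION_TO_UA
        && isset($session['demo_ua'])
        && $session['demo_ua'] !== demo_ua_fingerprint();

    if ($ip_changed || $ua_changed) {
        // The cookie is being presented from a different client: destroy only this
        // session (other devices stay logged in) and send the visitor to the login page.
        wp_destroy_current_session();
        wp_clear_auth_cookie();
        wp_safe_redirect(wp_login_url());
        exit;
    }
});
```

Behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy’s address rather than the visitor’s, so the IP check needs the real client IP resolved first or it will either never fire or lock everyone to the proxy.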
#4 FileLocker Technical Improvements
We recently migrated our ShieldPRO hosting to a new provider and in doing so it exposed a couple of weaknesses in our FileLocker implementation.
To summarise, when we originally built the FileLocker, we made assumptions about the ciphers that would be available for encryption & decryption on our servers and yours. It didn’t take into account that, as libraries (OpenSSL) were updated, some ciphers would become unavailable over-time and the overlap of available ciphers between your servers and ours would change.
Basically, some WordPress sites were encrypting data using ciphers that weren’t available on our servers, so that when you came to examine your wp-config.php files, for example, you couldn’t view the original file contents: our servers didn’t support the ciphers you’d used, and the file couldn’t be decrypted.
We’ve made a lot of improvements to the FileLocker in this release, helping to ensure that going forward, this shouldn’t be a problem.
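The failure mode above is a missing cipher negotiation step: the encrypting side picked a cipher without knowing whether the decrypting side could use it. As an added example (hypothetical `demo_` helpers, not ShieldPRO’s FileLocker code), this sketch picks a cipher from the overlap of both sides’ OpenSSL support, records it with the ciphertext, and fails with a clear error rather than an undecryptable file when the recorded cipher is absent.

```php
<?php
// Illustrative cipher negotiation (hypothetical helper names, not ShieldPRO's FileLocker code).
// Both candidates are AEAD ciphers with a 32-byte key, so one key size fits either.
const DEMO_CIPHER_PREFERENCE = ['aes-256-gcm', 'chacha20-poly1305'];

function demo_local_ciphers(): array {
    return array_map('strtolower', openssl_get_cipher_methods());
}
// Return the first preferred cipher that BOTH sides support, or null if none overlap.
function demo_negotiate_cipher(array $remote_supported): ?string {
    $remote = array_map('strtolower', $remote_supported);
    foreach (DEMO_CIPHER_PREFERENCE as $cipher) {
        if (in_array($cipher, demo_local_ciphers(), true) && in_array($cipher, $remote, true)) {
            return $cipher;
        }
    }
    return null;
}

// Encrypt and record the cipher used, so the decrypting side can check it up front.
function demo_seal(string $plaintext, string $key, array $remote_supported): array {
    $cipher = demo_negotiate_cipher($remote_supported);
    if ($cipher === null) {
        throw new RuntimeException('No mutually supported cipher; refusing to encrypt');
    }
    $iv  = random_bytes(openssl_cipher_iv_length($cipher));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed: ' . openssl_error_string());
    }
    return ['cipher' => $cipher, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

// Refuse clearly when the recorded cipher is missing here, instead of a silent failure.
function demo_open(array $sealed, string $key): string {
    if (!in_array(strtolower($sealed['cipher']), demo_local_ciphers(), true)) {
        throw new RuntimeException("Cipher {$sealed['cipher']} is not available on this server");
    }
    $pt = openssl_decrypt($sealed['ct'], $sealed['cipher'], $key, OPENSSL_RAW_DATA, $sealed['iv'], $sealed['tag']);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed: wrong key or corrupted data');
    }
    return $pt;
}

// Constructed usage: the remote list mimics a server whose OpenSSL lacks ChaCha20.
$key    = random_bytes(32);
$sealed = demo_seal("define('DB_NAME', 'wp');", $key, ['aes-256-gcm', 'aes-256-cbc']);
echo demo_open($sealed, $key), PHP_EOL;
```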
#5 Improved Platform Support For Passkeys
Our previous release of ShieldPRO brought one of our favourite features to WordPress security – Passkeys!
This is the future of two-factor authentication and we encourage all our members to start using it asap.
As we mentioned earlier, we moved our servers to new hosting. This exposed a gap in our Passkeys implementation: if a WordPress site didn’t have PHP’s GMP extension loaded, the passkey functionality wouldn’t work properly.
After some digging, we discovered that we weren’t using the most optimal set of PHP libraries. After an update to these, we’ve been able to ensure that Passkeys are available to all WordPress sites that have either the GMP or BCMATH extension loaded. You don’t need both, but you’ll need one or the other.
We’ve also added some compatibility tests to the Shield plugin to prevent errors and to provide some information if your site isn’t meeting the necessary minimum requirements.
Other Improvements & Fixes
As always with any major release, we do a lot of code maintenance and updating to ensure we squash bugs and keep the code running optimally.
Alongside that, one other point to note for this release, at the request of a member, is that we’ve restored the ability to filter sessions on the User Sessions table by username.
There are big features in this release and we appreciate that they can feel a little complex. We encourage everyone to watch the video about the Security Rules Builder and play with the system to see what they can do with it.
As always, we welcome any suggestions and feedback you may have. Please leave any comments below and we’ll get right back to you!