- Part 1: Why we built the Shield
- Part 2: WordPress Super Admin Protection
- Part 3: WordPress Firewall Feature
- Part 4: WordPress Login and Brute Force Hacking Protection
- Part 5: The WordPress Comment SPAM Killer
- Part 6: WordPress Automatic Updates Management
Shield is our answer to WordPress security management.
We built it to solve a few key issues we found with WordPress security and existing WordPress security plugins, namely:
- Ease of use (or lack thereof)
- WordPress and web hosting compatibility (or lack thereof)
- Effectiveness combined with simplicity (or lack thereof)
In this article I’ll give a bit of background to the ethos and motivations behind the Shield, and what exactly drives the development of features.
I want to answer some questions, such as why we set out to make this plugin in the first place, and where do we see the plugin going in the future, and why you might use this plugin over some of the more established alternatives.
Hopefully all these questions will be cleared up by the time you reach the end. Buckle in. 🙂
Why did we build the Shield Security Plugin for WordPress?
Basically it came down to being unhappy with the current state of WordPress security plugins on the market.
Let me first be clear, there is no way to fully secure your sites against all of the many different attack methods out there, and WordPress security should be only 1 part of your security plan. All you can do is reduce surface area to attack.
The best way to understand why we built Shield is to see the principles upon which it is constructed. We found many of the pre-existing plugins didn’t meet our requirements for a security plugin, and felt we had a role to play in making WordPress security more accessible, more compatible, and above all… more secure.
Key Tenets of the Shield
We made a decision at the beginning of the Shield development:
→ to maximise WordPress and web hosting compatibility
What does that mean?
- it uses as many native (in-built) WordPress functions and features wherever possible and it makes sense to do so. Where necessary, we built in backwards compatibility with older versions of WordPress, and we’re committed to maintaining the plugin to ensure it is fully compatible with the latest available versions of WordPress. It means that if other plugins also use WordPress native functions, we’ll all play happily together 🙂
- it has no disk writing dependency. We learned with iControlWP that writing to disk by WordPress is a troublesome thing for many web hosting environments, so while we do write to disk sometimes, we don’t rely on it. And, when we do do it, we use the native WordPress objects where possible.
- it makes no modifications to site-wide .htaccess files. We will never be responsible for toasting your WordPress site because we introduce a bug and destroy your .htaccess. Too many plugins are hitting these files, we found, and more-often-than-not they break websites because the variables involved are too numerous to count. The last thing we want is a broken .htaccess party – the worst kind of party.
All this means is, we are far, far less likely to knock your website offline, or lock you out of your WordPress admin, or block legitimate visitors.
When WordPress upgrades, it means we’re going to be compatible, and it means for really restrictive web hosting environments, we still work as we’re not reliant on disk-writing, and we’re using WordPress itself to do our heavy lifting.
We felt it was better to build a plugin that played nice, was highly effective, and was easy for you to get started.
Tenet 1: Our Special No More Tears Formula
There are 2 things we really hate… getting shampoo in our eyes since it really stings, and getting locked out of our websites.
Shield can’t stop the tears from stingy shampoo, but it can stop the hair-pulling, frustration-induced, tears that come from being locked out of your website by a security plugin.
We provided a simple “off” switch to completely turn off all firewall features in case you get locked out, or we accidentally release a dud (this has never happened!)
Tenet 2: Maximum Compatibility
There are “popular” WordPress security options out there that don’t actually protect your site, they typically add complications to your WordPress installation, and if it goes wrong, locks you completely out of your site.
We’ve opted for Pareto’s Principle and we employ seriously simple security mechanisms to block hugely common attack vectors.
Tenet 3: Easy to use
There’s nothing worse than installing a plugin and being overwhelmed by all the gadgets and gizmos, like buttons, graphs, and everything else that plugin developers squeeze into their products.
We knew this plugin would have a lot of options, there’s no way around that. But we wanted selecting options to be intuitive, and for the users to know why they are choosing an option, and the changes they would make to the site.
Every option in the plugin is a clear checkbox or text area, each option has a summary title and a summary explanation/description. And most now contain direct links to our plugin support centre where the option is explained in much more detail.
We feel it’s harder to make the plugin more accessible for users than it currently is, though of course, we’re always open to suggestions
Tenet 4: Prevent attacks through data posted to the site
This is the main backbone of the plugin – the Firewall.
It analyses all data passed to the site and looks for patterns in that data. The users have full control over which type of patterns are blocked, and thus it ensures maximum compatibility with all sites, since no one configuration is suitable for everyone.
Tenet 5: Protect against unauthorized security plugin access
WordPress administrator access should not necessarily mean access to WordPress security management.
This plugin is the only security plugin available that allows administrators to completely lock-down access to the plugin options itself. This means that any unauthorized access, or any uninformed administrator, cannot unwittingly (or otherwise) disable or change any Shield options.
Tenet 6: Performance – as small a processing/memory footprint as possible
With so many options, it’s easy to store an option for each setting individually in the WordPress database. This isn’t very efficient.
Instead, we have settled for 1 or 2 options stored per plugin feature section. This makes options storage and loading more efficient, and it only loads those options that are required depending on the features enabled.
We also make full use of WordPress filters and action hooks to ensure that code is loaded/processed only when it’s required.
There are always ways to improve performance and efficiency, and we recognise this an ongoing process. We’re happy to take on any feedback users/developers have on this topic.
Tenet 7: No premium upgrade options that cause feature-gating
There will never be a premium version of the Shield plugin that arbitrarily locks away features from the free version.
Any premium versions will have to do with our central WordPress management platform and business support.
Where To Next – the holy grail of WordPress Security Management
It’s important to note that while there is no premium version, one of our long-term goals for Shield is centralized WordPress security management. We plan to achieve this using our iControlWP multiple WordPress Management control panel (there is no way to build this into the plugin itself)
We will be offering the ability to centrally control options across all your WordPress sites at once, instead of directly on the sites.
We feel this is the easiest, most advanced method of WordPress network and security policy management.
This factor was also a motivation for the development of this plugin in the first place.
I hope after reading this you understand much more about the development principles underlying the plugin. Please feel free to leave a comment below, or drop us an email if you have any questions.