- Part 1: Why we built the Shield
- Part 2: WordPress Super Admin Protection System
- Part 3: WordPress Firewall Zone
- Part 4: WordPress Login and Brute Force Hacking Protection
- Part 5: The WordPress Comment SPAM Killer
- Part 6: WordPress Automatic Updates Management
Shield is our answer to WordPress security management.
We built it to solve a few key issues we found with WordPress security and existing WordPress security plugins, namely:
- Ease of use (or lack thereof)
- WordPress and web hosting compatibility (or lack thereof)
- Effectiveness combined with simplicity (or lack thereof)
In this article I’ll give a bit of background to the ethos and motivations behind the Shield, and what exactly drives the development of features.
I want to answer some questions: why we set out to make this plugin in the first place, where we see the plugin going in the future, and why you might use this plugin over some of the more established alternatives.
Hopefully all these questions will be cleared up by the time you reach the end. Buckle in. 🙂
Why did we build the Shield Security Plugin for WordPress?
Basically it came down to being unhappy with the current state of WordPress security plugins on the market.
Let me first be clear: there is no way to fully secure your sites against all of the many different attack methods out there, and WordPress security should be only one part of your security plan. All you can do is reduce your attack surface.
The best way to understand why we built Shield is to see the principles upon which it is constructed. We found many of the pre-existing plugins didn’t meet our requirements for a security plugin, and felt we had a role to play in making WordPress security more accessible, more compatible, and above all… more secure.
Key Tenets of the Shield
We made a decision at the beginning of the Shield development:
→ to maximise WordPress and web hosting compatibility
What does that mean?
- it uses native (built-in) WordPress functions and features wherever possible and sensible. Where necessary, we built in backwards compatibility with older versions of WordPress, and we're committed to maintaining the plugin so it is fully compatible with the latest available versions of WordPress. It also means that if other plugins use WordPress native functions, we'll all play happily together 🙂
- it has no disk-writing dependency. We learned with iControlWP that writing to disk from WordPress is a troublesome thing in many web hosting environments, so while we do write to disk sometimes, we don't rely on it. And when we do, we use the native WordPress functions and objects where possible.
- it makes no modifications to site-wide .htaccess files. We will never be responsible for toasting your WordPress site because we introduce a bug and destroy your .htaccess. Too many plugins are hitting these files, we found, and more-often-than-not they break websites because the variables involved are too numerous to count. The last thing we want is a broken .htaccess party – the worst kind of party.
All this means we are far less likely to knock your website offline, lock you out of your WordPress admin, or block legitimate visitors.
When WordPress upgrades, we're going to be compatible. And on really restrictive web hosting environments we still work, because we're not reliant on disk-writing and we're using WordPress itself to do our heavy lifting.
We felt it was better to build a plugin that played nice, was highly effective, and was easy for you to get started.
Tenet 1: Our Special No More Tears Formula
There are 2 things we really hate… getting shampoo in our eyes since it really stings, and getting locked out of our websites.
Shield can't stop the tears from stinging shampoo, but it can stop the hair-pulling, frustration-induced tears that come from being locked out of your website by a security plugin.
We provide a simple "off" switch that disables all firewall features at once, in case you get locked out or we accidentally release a dud (this has never happened!).
Tenet 2: Maximum Compatibility
There are "popular" WordPress security options out there that don't actually protect your site. They typically add complications to your WordPress installation and, if something goes wrong, lock you completely out of your site.
We've opted for Pareto's Principle: seriously simple security mechanisms that block the most common attack vectors.
Tenet 3: Easy to use
There’s nothing worse than installing a plugin and being overwhelmed by all the gadgets and gizmos, like buttons, graphs, and everything else that plugin developers squeeze into their products.
We knew this plugin would have a lot of options; there's no way around that. But we wanted selecting options to be intuitive, so that users know why they are choosing an option and what changes it will make to the site.
Every option in the plugin is a clear checkbox or text area, each option has a summary title and a summary explanation/description. And most now contain direct links to our plugin support centre where the option is explained in much more detail.
We feel it would be hard to make the plugin more accessible to users than it currently is, though of course we're always open to suggestions.
Tenet 4: Prevent attacks through data posted to the site
This is the backbone of the plugin: the Firewall.
It inspects the data submitted to the site with each request and looks for known attack patterns in that data. Users have full control over which categories of pattern are blocked, which keeps the plugin compatible with the widest range of sites, since no single configuration suits everyone.
Tenet 5: Protect against unauthorized security plugin access
WordPress administrator access should not necessarily mean access to WordPress security management.
This plugin is the only security plugin available that allows administrators to completely lock-down access to the plugin options itself. This means that any unauthorized access, or any uninformed administrator, cannot unwittingly (or otherwise) disable or change any Shield options.
Tenet 6: Performance – as small a processing/memory footprint as possible
With so many options, the easy route is to store each setting as its own entry in the WordPress options table. This isn't very efficient.
Instead, we settled on one or two options stored per plugin feature section. This makes options storage and loading more efficient, and it loads only those options that are required for the features that are enabled.
We also make full use of WordPress filters and action hooks to ensure that code is loaded/processed only when it’s required.
There are always ways to improve performance and efficiency, and we recognise this is an ongoing process. We're happy to take on any feedback users/developers have on this topic.
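As an added example (not Shield's own code), the minimal plugin below shows Tenet 4 and Tenet 6 together in working PHP: the firewall section's settings live in a single option row rather than one row per setting, the request check is only hooked in when that section is enabled, and the scanner walks GET and POST data against a small set of pattern categories that the site owner can switch off individually. The option name, function names and regular expressions are assumptions for illustration, not Shield's.

```php
<?php
/*
Plugin Name: Example Pattern Firewall
Description: Added example illustrating Tenets 4 and 6. Not Shield's code.
*/

// ---- Tenet 6: one option row per feature section, not one per setting ----

// Defaults for the "firewall" section. Each pattern category can be switched
// off per site, because no single rule set suits every site (Tenet 4).
function example_firewall_defaults() {
    return array(
        'enabled'       => true,
        'dir_traversal' => true,
        'php_code'      => true,
        'sql_keywords'  => false, // noisy on sites whose editors legitimately post SQL
    );
}

// The whole section is one autoloaded option: one DB row, one cache entry.
// 'example_fw_options' is an assumed option name.
function example_firewall_options() {
    $stored = get_option( 'example_fw_options', array() );
    return array_merge( example_firewall_defaults(), is_array( $stored ) ? $stored : array() );
}

function example_firewall_set( $key, $value ) {
    $options         = example_firewall_options();
    $options[ $key ] = $value;
    return update_option( 'example_fw_options', $options );
}

// ---- Tenet 4: inspect submitted data for known attack patterns ----

// One regular expression per category. Illustrative patterns only.
function example_firewall_patterns() {
    return array(
        'dir_traversal' => '#(\.\./|\.\.\\\\|/etc/passwd|/proc/self/environ)#i',
        'php_code'      => '#(<\?php|\bbase64_decode\s*\(|\beval\s*\()#i',
        'sql_keywords'  => '#\b(union\s+select|insert\s+into|drop\s+table)\b#i',
    );
}

// Walk a (possibly nested) request array. Returns array( category, field )
// for the first match, or null when nothing in an enabled category matches.
function example_firewall_scan( array $request, array $options, array $patterns, $prefix = '' ) {
    foreach ( $request as $key => $value ) {
        $path = ( $prefix === '' ) ? (string) $key : $prefix . '[' . $key . ']';
        if ( is_array( $value ) ) {
            $hit = example_firewall_scan( $value, $options, $patterns, $path );
            if ( $hit !== null ) {
                return $hit;
            }
            continue;
        }
        foreach ( $patterns as $category => $regex ) {
            if ( empty( $options[ $category ] ) ) {
                continue; // this category is switched off for the site
            }
            if ( preg_match( $regex, (string) $value ) === 1 ) {
                return array( $category, $path );
            }
        }
    }
    return null;
}

function example_firewall_check_request() {
    // Tenet 1: never lock out a logged-in administrator's own requests.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    $hit = example_firewall_scan(
        array( 'GET' => $_GET, 'POST' => $_POST ),
        example_firewall_options(),
        example_firewall_patterns()
    );
    if ( $hit === null ) {
        return;
    }
    // Log the field name and category for rule tuning; do not echo the payload.
    error_log( sprintf( 'example_fw: blocked field %s (%s)', $hit[1], $hit[0] ) );
    wp_die( 'This request was blocked by the firewall.', 'Forbidden', array( 'response' => 403 ) );
}

// ---- Tenet 6: register the firewall hook only when the section is enabled ----
add_action( 'plugins_loaded', 'example_firewall_register' );
function example_firewall_register() {
    $options = example_firewall_options();
    if ( ! empty( $options['enabled'] ) ) {
        // Priority 1 on 'init': the current user is already known, most plugins have not acted yet.
        add_action( 'init', 'example_firewall_check_request', 1 );
    }
}
```

Dropped into wp-content/plugins as a single file, a disabled firewall section costs one option lookup per request and nothing else. The pattern lists are deliberately short and will produce false positives on some sites (which is exactly why each category is a separate switch, and why `sql_keywords` starts off); tune them against your own logs before relying on them.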
Tenet 7: No premium upgrade options that cause feature-gating
There will never be a premium version of the Shield plugin that arbitrarily locks away features from the free version.
Any premium versions will have to do with our central WordPress management platform and business support.
Where To Next – the holy grail of WordPress Security Management
It's important to note that, while the plugin itself has no premium version and no built-in way to automatically copy options from site to site, one of our long-term goals for Shield is centralized WordPress security management. We plan to achieve this using our iControlWP multiple-WordPress management control panel (there is no way to build this into the plugin itself).
We will be offering the ability to centrally control options across all your WordPress sites at once, instead of directly on the sites.
We feel this is the easiest, most advanced method of WordPress network and security policy management.
This factor was also a motivation for the development of this plugin in the first place.
I hope after reading this you understand much more about the development principles underlying the plugin. Please feel free to leave a comment below, or drop us an email if you have any questions.
Your plugin works well with all my blogs and I like the fact it’s free.
I recommend every WordPress blogger out there takes it for a spin. Web attacks are real and an intelligently crafted protection, like yours, evens out the battlefield.
Let’s face it, I’m not in front of my computer all the time and if a web attack arrives, I’ll know much later and by that time, there will likely be nothing left of my blog so that’s how important your plugin is, to me.
Continue your great work!
Hey Glaude!
Awesome 🙂 I love that the plugin is working for you and as you say, it’s important to have something there especially while you’re not.
Thanks for taking the time to leave a comment and share your thoughts! Much appreciated.
Cheers,
Paul.
Hi Paul
I love the plugin and your 7 tenets should be the guiding force behind every plugin.
I recently tried a well known slider plugin, which has a premium version and I couldn’t believe how slow the free version was.
Evidently the premium version is 10x faster – not much consolation if you’re using the free version.
I’m glad you shared your long term goals because it’s important for all of us to look to the future.
Hey Keith,
Yea, I’m not a big fan of crippling a plugin so as to push sales… just not the angle we want to take with this.
Thanks for dropping in and sharing your thoughts… appreciate your feedback!
Cheers,
Paul.
I just installed your plugin and like the simplicity of it. It's my one and only security plugin. I'm no pro at all, so I did lots of research… it took me more than a week to decide which plugin to use. That it doesn't mess with .htaccess was a deciding factor. I added some code there myself. I got rid of Jetpack in the process too. I'm curious what you think about CloudFlare since it's offered by the hosting company I use. Would it work with your plugin? Thanks so much!
Hi Maya,
Thank you for your comment, and for putting your trust in our plugin to protect your sites.
As to CloudFlare, we've written about it a few times ( http://www.icontrolwp.com/2012/08/cloudflare-boost-wordpress-security-performance/ ) because we use it on nearly every site we run. Definitely worth having, if not for the security, then for the caching and speed upgrade.
Thanks again for leaving your comments 🙂
Paul.
I am really impressed with this security plugin. One question, with this plugin, should i need any other security plugin
Hi Rahul,
Thanks for leaving us a comment here … glad to hear you like it!
We believe you shouldn't need another WordPress security plugin – this one covers all the bases. You also shouldn't need a SPAM comments plugin such as Akismet, or a login attempts/lockdown plugin, etc.
Our latest review here told of how they were able to remove 4 other plugins:
http://wordpress.org/support/topic/replaced-3-4-plugins-with-this-plugin?replies=1
Hope that helps!
Paul.
Hi, can this plugin block all dos and ddos attacks? If it could, then this would be an out-this-world plugin…
Hi,
this sounds great and I really appreciate all your effort for a free tool (which looks like a very good hook for your paid service, nice strategy). Also caring about user feedback looks great. And I can agree with Keith, "your 7 tenets should be the guiding force behind every plugin".
One question: it says there will never be a premium version, however it’s planned to implement it in IControlWP. When it’s done will it still be possible to use the free version on a single WP install and configure it from WP dashboard, just as now?
Keep it up!
Ps: looks like your spam protection doesn’t like ‘ in the button text:
“Please check the box to confirm you’re not a spammer”
Great plugin. It’s been working well for me so far. Congrats.
Keep up the good work!
Cheers.
Hi
I’ve just started using your Simple Firewall plugin, and recently joined your newsletter (with a different email address, in case you’re wondering). What a great idea for a plugin to have its own newsletter! Quick question – does the Simple Firewall protect against all spam (eg in the contact us form/email) or just in the comments section?
Thanks
Hi,
Currently it’s just in the comments section. Eventually I would like to release an API for this, but it’s not there yet.
Thanks!
Paul.
Thanks for your reply, Paul
Hi iControlWP Team, I am so glad I stumbled on your site. I operate an Amazon Affiliate blog which I hope will generate income in coming months. And I am aware of attacks, even brute force attacks by hackers on wordpress blogs. So I cannot imagine running a blog of this status without securing it one way or another.
Your simple firewall plugin, as the name suggests, might be small, but may turn out to be highly effective security-wise. Above all, it is free. What else than that? We all pray your project will continue to grow from strength to strength and the web will be the better for it.
Thanks and God bless!
We just started to use this plugin… this is really awesome. Before I installed the plugin I thought we could expect all these features only in a pro version. Fortunately this is really free… 🙂
I really like using Shield. Not only for its ease of use, but mainly since it allows me to use 3-factor authentication for logging in. And while I did find a small bug, it was solved fast after letting them know. Not sure how fast, but after checking it 24 hours later, all was fine.
I was searching for a good WordPress security tool trying to keep my website safe. Now I am using Jetpack but I am not satisfied enough. After using it, I say, "it is really awesome". Its 3-factor authentication feature removes my concern and I am always in a fresh mind.
[…] Shield Security is a plugin based on certain principles. The team behind this plugin has a stated goal of simplifying security, and saving 62.5 million hours per year by the year 2022. With clear goals in mind, this has resulted in key tenets like utilizing in-built WordPress features to the maximum, not relying on disk-writing, and not rewriting the .htaccess file. The development team has written a series of blog posts detailing why they built Shield, and what are the issues they intend to tackle. The 4-part series is a worthy read and can be found here […]
This article underscores the critical role of multi-factor authentication (MFA) in enhancing security posture. With the increasing sophistication of cyber attacks, relying solely on passwords is no longer sufficient. Implementing MFA significantly reduces the risk of unauthorized access and strengthens overall security.