May 13, 2014 by Paul G. | Migrated, Shield Security

Part 2: Security Admin – Shield WordPress Security Plugin

Shield Image

One of the most critical aspects to any WordPress security plugin is whether the plugin itself is protected against unauthorized access.

Consider what it means if it isn’t secured – anyone with administrator access to a WordPress site, regardless of whether they are supposed to have it or not, can change your WordPress security features.

For a solo-admin site, this probably isn’t too much of an issue. But for sites with multiple administrators having different roles, this can be a problem.

In this article I’ll outline what the Security Admin feature is, how it works, and why you absolutely must use it.

What is the Security Admin feature?

Simply put, when the Security Admin feature is turned on, you limit access to whole Shield plugin. Only administrators that know the authentication PIN will have access.

When it’s active, until you authenticate you will not be able to:

  • view any Shield plugin settings,
  • change any plugin settings,
  • deactivate the plugin, or
  • uninstall the plugin

This restriction in no-way interferes with the normal operations of the plugin itself… it’ll continue in the background performing its checks and any other settings you’ve put in place.

What options are available for Security Admin?

Keeping in-line with the principles of the plugin itself, security admin is easy to setup.

Currently it is accessible from within the Security Admin section of the Shield Security Dashboard.

Shield’s Security Admin Feature
Shield’s Security Admin Feature

The options are as follows:

  1. Enable/Disable module – This will completely turn on, or turn off, the security admin feature.  You will only be able to turn it on or off if you have access.  When the plugin is first installed, this will be disabled and no authentication password will be set.
  2. Security Admin Timeout – This is the duration of the administrator access and is set using a cookie. When you authenticate (see below) you will be permitted access to the plugin for this length of time (in minutes). Changing this setting while authenticated will only change the setting for the next session and will not affect the current access period.
  3. The 3rd option is the Security Admin PIN.  If you leave this empty, no changes will be made to the PIN, but if you put anything in this option, it will be saved as the authentication PIN and will be used for future Security Admin session.
  4. Persistent Security Admins. Users provided here will be security admins automatically, without needing the security PIN.
  5. Allow Email Override. Allow the use of verification emails to override and switch off the Security Admin restrictions.

The Security Admin feature can’t be enabled with an empty authentication PIN. If the authentication PIN is empty the option will be switched off automatically.

How does the Security Admin work?

When enabled, and the plugin detects whether you haven’t authenticated yet, and if you’re not, you’ll be presented with a screen to enter the authentication PIN.

Security Admin Authentication Form
Security Admin Authentication Form

This screen, as shown above, will always be shown whenever you try to access any page from the Shield menu while not authenticated.

The feature currently works by setting a flag within your cookies to indicate you’re authenticated. Future releases of the plugin make the cookie that is set more robust.

Why should you use the Security Admin?

There is no good reason not to lock down your WordPress security with another, WordPress-independent, authentication layer.

It helps to restrict both accidental and malicious changes to your security policy, and you can be confident in your change management processes that you, or only those that know the authentication PIN, can and could have changed your settings.

We encourage all users of Shield to turn on this feature immediately after installation. This ensures your WordPress security is locked down from the beginning.

Remember, if you forget your PIN you can always turn the whole plugin off using FTP.

Or, if you

What if you forget your Security Admin PIN?

If you forget your PIN, all is not lost.  Since you’re the website administrator, you have power over the site that others do not.

You should use the process outlined here to regain access to the plugin.  It will disable the plugin features without disabling the whole plugin itself.

While the features are disabled, including the admin access system, then you can open up the Security Admin module and set a new PIN.  Just save the settings and turn the plugin back on by removing the file you created earlier.

Suggestions, Ideas and Feedback

We welcome all ideas and feedback you might have for the Shield plugin… please leave a comment below and let us know your thoughts and any suggestions you might have to improve our plugin and our service.

Thank you!

Hey gorgeous!

If you're curious about ShieldPRO and would like to explore the powerful features for protecting your WordPress sites, click here to get started today. (14-day satisfaction guarantee!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and so much more.

Try ShieldPRO Today →

ShieldPRO Testimonials
@sourcehealing's Gravatar @sourcehealing

Used it for years totally effective

I have installed many other expensive firewalls and none of them offer the same intelligent level of protection than this one. It is easy to setup, totally hassle free and does a great job in a very smart and uncomplicated way. Highly recommended.

@yoshuahaxo's Gravatar @yoshuahaxo

The Most Secure, Easy and Useful plugin.

It is simple: this plugin it’s a MUST. I had already written my review, some time ago with the free version of the plugin and my opinion is now even better. I have 10 days since upgrade to PRO and I am truly in love with this plugin. In addition,…

@ach1992's Gravatar @ach1992

The Best Security Plugin

I love this plugin! And I love Paul! Thanks for everything!

@achr15's Gravatar @achr15

Great Security Plugin

Very easy and comprehensive.

Comments (5)

    Hey there. I have the Security plugin on my WordPress site. I had the current site built by someone, and it has been running really well until lately. Shield is sending me daily reports of issues, and the list is in the hundreds. I am trying to get into Shield, but I can’t because of the Admin Access Key. I don’t remember what it is and I don’t seem to have kept it anywhere to reference. I am trying to find a way to either reset it or have it sent to me again so I can log in. Is their a way to retrieve our Admin Access Key that I am just not seeing? Thank you.

      Hi Martin,
      I’ve added a section at the end of the article above. Please follow the link in there to temporarily disable the plugin.


    I forgot my access key code. What can I do to access my Shield plug-in?

      Hi Keith,
      Please take a quick look at the end of the article above with a link to how to handle this scenario.

    צלם לבת מצווה

    you’re article is nice.

Leave a Comment

Your email address will not be published. Required fields are marked *

Click to access the login or register cheese