One of the most critical aspects to any WordPress security plugin is whether the plugin itself is protected against unauthorized access.

Consider what it means if it isn’t secured – anyone with administrator access to a WordPress site, regardless of whether they are supposed to have it or not, can change your WordPress security features.

For a solo-admin site, this probably isn’t too much of an issue. But for sites with multiple administrators having different roles, this can be a problem.

In this article I’ll outline what the Security Admin system is, how it works, and why you absolutely must use it.

What is the Security Admin system?

Simply put, when the Security Admin system is turned on, you limit access to the whole Shield plugin. Only administrators who know the authentication PIN will have access.

When it’s active, until you authenticate you will not be able to:

  • view any Shield plugin settings,
  • change any plugin settings,
  • deactivate the plugin, or
  • uninstall the plugin

This restriction in no way interferes with the normal operation of the plugin itself… it will continue in the background performing its checks and applying any other settings you’ve put in place.

What options are available for Security Admin?

Keeping in line with the principles of the plugin itself, Security Admin is easy to set up.

Currently it is accessible from within the main Security Zones menu > Security Admin.

The options are as follows:

  1. Security Admin PIN. If you leave this empty, no changes will be made to the PIN, but if you put anything in this option, it will be saved as the authentication PIN and used for future Security Admin sessions.
  2. Security Admin Timeout – This is the duration of the administrator access and is set using a cookie. When you authenticate (see below) you will be permitted access to the plugin for this length of time (in minutes). Changing this setting while authenticated will only change the setting for the next session and will not affect the current access period.
  3. Persistent Security Admins. Users provided here will be security admins automatically, without needing the security PIN.
  4. Allow Email Override. Allow the use of verification emails to override and switch off the Security Admin restrictions.

The Security Admin system can’t be enabled with an empty authentication PIN. If the authentication PIN is empty the option will be switched off automatically.

How does the Security Admin work?

When enabled, the plugin checks whether you have authenticated yet, and if you haven’t, you’ll be presented with a screen to enter the authentication PIN.

This screen, as shown above, will always be shown whenever you try to access any page from the Shield menu while not authenticated.

The system currently works by setting a flag within your cookies to indicate you’re authenticated. Future releases of the plugin will make the cookie that is set more robust.
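To make the mechanism in this section concrete, here is an added illustration (not Shield’s own code; the class, method and cookie names are assumed) of a PIN-gated admin layer whose cookie is an expiring, server-signed token rather than a bare flag, which is the direction the “more robust” cookie points to:

```php
<?php
// Added model of a PIN-gated "security admin" layer for a WordPress plugin.
// Not Shield's code; class and method names are assumed for illustration.
final class SecurityAdminGate
{
    public function __construct(
        private string $pinHash,          // password_hash() of the admin PIN
        private array $persistentAdmins,  // usernames that never need the PIN
        private int $timeoutMinutes,      // session length, as in the Timeout option
        private string $secret            // server-side key used to sign the cookie
    ) {}
    // A persistent security admin is trusted without entering the PIN.
    public function isPersistentAdmin(string $username): bool
    {
        return in_array($username, $this->persistentAdmins, true);
    }
    // Check the submitted PIN against the stored hash (the PIN itself is never stored).
    public function verifyPin(string $pin): bool
    {
        return password_verify($pin, $this->pinHash);
    }
    // Cookie value "<expiry-unix-ts>.<hmac>": signing the expiry with a server-side
    // secret stops a browser from simply setting the flag or extending the session.
    public function issueToken(int $now): string
    {
        $expiry = $now + $this->timeoutMinutes * 60;
        return $expiry . '.' . hash_hmac('sha256', (string) $expiry, $this->secret);
    }
    // Validate a presented cookie: well-formed, unexpired, and carrying our signature.
    public function isTokenValid(?string $token, int $now): bool
    {
        if ($token === null || !preg_match('/^(\d+)\.([0-9a-f]{64})$/', $token, $m)) {
            return false;
        }
        $expected = hash_hmac('sha256', $m[1], $this->secret);
        return (int) $m[1] > $now && hash_equals($expected, $m[2]);
    }
    // Decide whether a plugin settings page may be shown to this request.
    public function canAccessSettings(string $username, ?string $token, int $now): bool
    {
        return $this->isPersistentAdmin($username) || $this->isTokenValid($token, $now);
    }
}
// Usage: 30-minute timeout, "alice" as a persistent admin, a constructed example PIN.
$gate = new SecurityAdminGate(password_hash('example-pin', PASSWORD_DEFAULT), ['alice'], 30, random_bytes(32));
$token = $gate->verifyPin('example-pin') ? $gate->issueToken(time()) : null;
// In a real plugin the token would be sent via setcookie() with httponly, secure and samesite set.
var_dump($gate->canAccessSettings('bob', $token, time()));           // check inside the timeout window
var_dump($gate->canAccessSettings('bob', $token, time() + 31 * 60)); // same cookie, 31 minutes later
```

The second check shows the timeout taking effect without any change to the cookie, and a tampered expiry fails the `hash_equals` comparison.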

Why should you use the Security Admin?

There is no good reason not to lock down your WordPress security with another, WordPress-independent, authentication layer.

It helps to restrict both accidental and malicious changes to your security policy, and you can be confident in your change management processes that only you, or those who know the authentication PIN, can have changed your settings.

We encourage all users of Shield to turn on this feature immediately after installation. This ensures your WordPress security is locked down from the beginning.

Remember, if you forget your PIN you can always turn the whole plugin off using FTP.

Or, if you

What if you forget your Security Admin PIN?

If you forget your PIN, all is not lost. Since you’re the website administrator, you have power over the site that others do not.

You should use the process outlined here to regain access to the plugin. It will disable the plugin features without disabling the whole plugin itself.

While the features are disabled, including the admin access system, you can open up the Security Admin system configuration and set a new PIN. Just save the settings and turn the plugin back on by removing the file you created earlier.

Suggestions, Ideas and Feedback

We welcome all ideas and feedback you might have for the Shield plugin… please leave a comment below and let us know your thoughts and any suggestions you might have to improve our plugin and our service.

Thank you!