ShieldNET: WordPress Network Threat Intelligence

We’re levelling-up your WordPress security by giving ShieldPRO access to data about threats seen throughout the entire WordPress network.

We’re calling this new platform ShieldNET, and in this article we’ll outline what it is, and how it’ll revolutionise your WordPress security and protection.

Please watch the video below outlining what ShieldNET is and why it’s so important:

What is ShieldNET?

ShieldNET is the all-encompassing term that covers the technology and features that we use to gather security and threat information from across our entire WordPress ecosystem.

By collecting information from all active Shield Security plugins, we can offer this information back as threat intelligence to all sites running Shield.

The responsibility of identifying threats is then shifted away from individual sites to the collective.

A single site only knows what it knows. But when 10,000 sites get together and share information, they each know what 10,000 sites know.

This is massive. It completely transforms what’s possible when mitigating threats to our WordPress sites.

A ShieldNET Example: Bad Bot Identification

You may have come to realise we’re focusing a lot of our attention on bad bots and malicious visitors. As we learn more about websites security, our priorities shift towards areas that will yield the greatest impact.

For this reason we’re heavily invested in speedy and reliable indentification of bad bots.

Each time a visitor accesses a WordPress site running ShieldPRO for the first time, Shield starts from zero. It has no information about that visitor from which to make any adjustments to protect the site.

Shield must rely on the visitor to perform a number of requests and capture those behaviours, before it can make an assessment. And while Shield uses 25+ different signals to build a threat assessment, it’s still doing so completely independently.

But what if we could give it a head-start? What if we could tell Shield that this IP address has been seen on 100 other WordPress websites already? Perhaps those sites have already identified it as a bad bot?

Wouldn’t that help Shield make an informed decision, much more quickly, to block that visitor?

But now think of it the other way around. Perhaps the IP has been seen elsewhere and it has a great reputation, but on 1 particular site it’s triggered the plugin and Shield is about to block the visitor.

False positives is something we absolutely want to avoid!

With intelligence drawn from the network, we can reduce false positives where legitimate visitors are locked-out from a site.

Imagine then, all of this happening across all WordPress sites for all visitors, in real time?

ShieldNET and Privacy

Privacy of information and data is an critical aspect in a system like ShieldNET.

Let’s first discuss what information ShieldNET tracks and stores and just as importantly, what it doesn’t.

When a Shield plugin sends us IP information, it sends:

• IP Addresses
• Bot Signals that Shield has tracked for the IP addresses
• Offense Counts
• IP Blocked status

It’s important to also understand what information is NEVER shared.

It doesn’t share:

• Any activity log data
• Any traffic log data
• Any associated WP users and sessions
• Any information about any individual requests

When Shield receives the data, it makes a unique, one-way hash of the site’s useragent to help identify and eliminate duplicates.

“One-way hash” means that if anyone ever had access to the resulting hash, they can’t ever “reverse” the hash to identify the originating user-agent/site.

ShieldNET then records the information about the IP address.

If this IP data is accessed, either internally or externally by a 3rd party, there is no way to derive information about any IP address and its relationship to any websites. The data is structured in such a way as to be absolutely useless, except for the purpose it’s intended – to build a picture of activity on an IP address across many different websites.

The Future Of ShieldNET and Opting Out

If you feel that you don’t want to be a “part” of ShieldNET and share this sort of anonymised information, that’s entirely up to you. We always respect that choice.

We don’t fully understand why, given that there are no privacy implications as we’ve already discussed. But this doesn’t mean we don’t respect your decision, so we’d love to hear your thoughts on it, if this is the case.

You can simply select to not be involved in ShieldNET, and then any IP reputation data wont be shared. The downside is that since ShieldNET is built by the network, if you’re not contributing to it, then you can’t draw from it.

It’s only by working together, pooling resources and information, can we really work to thwart the ever-evolving nature of threats to our sites.

As always, the choice is entirely yours.

Over time the features and enhancements provided by ShieldNET will only grow. If you decide to opt-out of contributing, your site security won’t benefit from these changes.

Availability of ShieldNET

We’re doing a soft-launch of ShieldNET in ShieldPRO 11.4 due out very soon.

It’ll include some integrated access to network-based IP address information but it wont yet be used by Shield itself to make any important decisions. There’ll be more detailed information in our release notes for Shield 11.4 at a later date.

As always, please do leave us your thoughts in the comments about anything discussed here.