November 20, 2023 by Paul G. | Blog, Releases, Shield Pro, Shield Security, Updates

WP Shield Security PRO – Release 18.5


ShieldPRO 18.5 is out and comes packed with many great features and improvements.

We’ll outline the biggest items in this article, but to follow all the changes and to know what you should pay most attention to, check out the 18.5 upgrade guide.

#1 WebAuthn & Passkeys for Two-Factor Authentication

We’ve written about the new passkey feature in detail, but to summarise, ShieldPRO 18.5 will let you add unlimited Passkeys to your WordPress accounts to use as 2nd factors during WordPress login.

Passkeys are at the cutting edge in secure user authentication, and they make 2FA super smooth.

Easy-to-use 2FA is critical for WordPress login security because it ensures that more users will adopt it.

The least secure two-factor authentication is the one that’s never used.

Keeping with the theme of making WordPress Two-Factor Authentication as easy-to-use as possible, we’ve added automatic login links (a configurable option) alongside email 2FA codes.

The user verifies their identity using the automatic login link, without manually entering the 2FA code. It doesn’t materially change the email 2FA process, except to make it a bit smoother and less manual for the user.

The one important difference worth bearing in mind is that the login link will automatically log the user in on the browser window that opens the link – it doesn’t matter which browser was originally used to start the login process.

#3 Full Site Lockdown

There are rare occasions where you may want to completely lock down access to a site. Perhaps the site is under some sort of attack, or you’re not sure what exactly is happening but want to limit access until you figure it out.

You may even want to have a public internet-connected site, but only accessible to a few select clients.

Whatever the use-case for such a configuration, ShieldPRO 18.5 now provides the ability to do so. Site Lockdown blocks all access to a site, except from those IP addresses registered on the bypass/whitelist.

It’s important to consider the consequences of such a move:

  • Only visitors with IPs registered on the bypass/whitelist will be permitted to access the site.
  • The one exception to this is if a request originates from the site’s hosting server.
  • Any requests from “known” bots, such as Google, Bing, etc. will be blocked.
    (an option may be supplied to configure exceptions, with future development)
  • The full site lockdown will remain in-place until a security admin disables it.
  • ‘forceoff’ may be used to regain access if it’s required.
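The rules listed above, modelled as a small pre-flight check you could run against the addresses you expect to need before switching lockdown on. This is an added illustration, not Shield's own code: the function names, the sample addresses, and the assumptions that bypass entries may be single IPs or CIDR ranges and that a bot on the bypass list would still be admitted are all constructed here.

```python
import ipaddress

def _parse(ip_text):
    """Return a normalised address, or None if the text is not an IP."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries,
    # so one bypass entry covers both spellings of the same client.
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def lockdown_decision(request_ip, bypass_list, server_ips, is_known_bot=False):
    """Assumed semantics of the lockdown rules; returns (allowed, reason)."""
    ip = _parse(request_ip)
    if ip is None:
        return (False, "unparseable address: fail closed")
    for entry in bypass_list:
        if ip in ipaddress.ip_network(entry, strict=False):
            return (True, f"on bypass list ({entry})")
    if any(ip == _parse(s) for s in server_ips):
        return (True, "request from the hosting server itself")
    if is_known_bot:
        # Being a recognised crawler earns no exemption during lockdown.
        return (False, "known bot, not on bypass list")
    return (False, "not on bypass list")

# Constructed sample data (documentation address ranges), not from the page.
BYPASS = ["203.0.113.10", "198.51.100.0/24", "2001:db8:aa::/48"]
SERVER_IPS = ["192.0.2.5"]
SAMPLE = [
    ("admin at office", "203.0.113.10", False),
    ("admin, IPv4-mapped", "::ffff:203.0.113.10", False),
    ("client range", "198.51.100.77", False),
    ("server-side cron", "192.0.2.5", False),
    ("search crawler", "192.0.2.200", True),
    ("admin on mobile data", "192.0.2.77", False),
    ("malformed address", "not-an-ip", False),
]

def preflight(requests):
    """Evaluate (label, ip, is_bot) tuples; return {label: allowed}."""
    return {label: lockdown_decision(ip, BYPASS, SERVER_IPS, bot)[0]
            for label, ip, bot in requests}

if __name__ == "__main__":
    for label, ok in preflight(SAMPLE).items():
        print(f"{'ALLOW' if ok else 'BLOCK'}  {label}")
```

The "admin on mobile data" row is the case worth checking before enabling lockdown: an administrator whose current address is not on the bypass list is blocked like any other visitor.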

#4 A Technical Debt Repaid – Complete Javascript Rewrite

It took a couple of intense months, but we’ve undertaken the task of completely rewriting and bringing Shield’s Javascript library up to a much better standard.

We’ll never proclaim to be proficient in Javascript and frontend development, as our expertise lies mainly in PHP and the backend. But we’ve known for a long while that our Javascript code, while it worked, left much to be desired. Its dated structure prevented us from optimising the code and writing new features to improve the frontend usability.

This technical debt has built up for a while and we’ve now invested the effort into repaying it. And we couldn’t be more delighted with the final result. There are still more areas to improve upon, but the foundation is solid. You’ll see some tweaks throughout the dashboard and it’s even allowed us to implement some neat UX enhancements.

For example, just last week a customer wrote to us explaining that after they updated the Shield configuration, the site security grade wasn’t updating – they’d have to refresh the entire page. This has been a long-standing bugbear of ours, too – but the technical juggling needed to fix this was quite involved. With our latest improvements we were able to provide an elegant solution, quite quickly. It’s not perfect yet, but we’re on our way to making the Shield dashboard dynamic, reducing how often we need to fully reload the page.

We’ve applied this to the IP Rules table, too – the table will simply reload (instead of the entire page) when an IP Rule has been deleted or added.

And we’ll continue to add improvements over the next few releases.

#5 Google reCAPTCHA and hCAPTCHA removed

We deprecated the options to use CAPTCHAs in Shield over 2 years ago, following the release of the AntiBot Detection Engine.

The challenge with CAPTCHA implementation is that you need to integrate with the individual forms in question. This is easy with the WordPress login & comment forms, as they basically never change.

However, it’s a massive challenge with 3rd party forms – there are so many form providers and they can potentially change their code at any time.

To mitigate this challenge, the AntiBot Detection Engine doesn’t rely on any particular form structure. It operates quietly in the background, completely independently of any form.

With ADE in-place, there’s little need to use CAPTCHA on your forms, so we’ve removed it.

Other Improvements & Fixes

This release includes many other notable improvements, including:

  • Updated User Sessions table using our newer UI, with more reliable sessions data and ability to purge sessions in bulk
  • Improved reliability of Antibot Detection Javascript
  • Navigation improved so that refreshing a page with tabs will correctly re-open the previously active tab
  • Link-Cheese feature reliability improved
  • Added the ability to export the entire IP Rules table as CSV

Comments, Suggestions and Feedback

There are some massive improvements in this release, so the look and feel of the ShieldPRO dashboard will have changed slightly. We hope you agree it’s for the better and you find it more dynamic and reliable overall. There are always many areas to improve and refine and we’d love to hear your feedback on it and whether you have any suggestions for improvements… please feel free to leave your comments below.
