The latest release of the Shield Security plugin for WordPress is focused on adding some helpful UX refinements, while also taking our first step into one of the biggest enhancements to WordPress security for 2020.
As with many earlier releases we’ve made huge strides in improving code quality and performance. While we’ll always continue to improve our code, we’re looking to make WordPress administrators’ lives that bit easier.
Continue reading to discover the features we’ve added in this release and a new feature that we’re especially excited about, which is…
#1: Integrity Scanning for Premium WordPress Plugins and Themes
We dive much deeper about this exciting new feature in our previous blog article. But the summary is this:
WordPress.org provides MD5 Checksums for all official WordPress files contained within each official WordPress release. This lets us check for corruption or changes to these files.
But there’s nothing official for WordPress.org Plugins and Themes – so we built our own API last year, namely WPHashes.com.
The exciting development we want to share with you is the beginning of MD5 Checksums for premium plugins and themes.
This enhancement needs the cooperation of premium plugin and theme developers. Our first collaboration has been with Elliot, the lead developer of the hugely popular Advanced Custom Fields Pro plugin.
As of this release, 8.5, Shield Security Pro will now scan files in ACF Pro against MD5 Checksums from their official releases! How awesome is that?
The goal now is to get as many premium plugin and theme developers onboard as possible…
#2: Switch-Off Security Admin, by Email
Since Shield Security was first released we’ve provided the “forceoff” option that unlocks Shield and lets admins regain access to a site if they’ve been blocked.
The process can also be used when the site admin has forgotten or lost their Security Admin access key, and they can’t get back into the Shield UI.
While it’s a simple feature, it does cause trouble and some find it a little cumbersome.
To help admins stuck in this predicament, we’re making it easy to quickly disable the Security Admin feature. You can simply request that Shield sends you a confirmation email and once you click to confirm it, the Security Admin feature is disabled.
Two important points to note:
- The confirmation email is sent to the email address set within Shield’s default options. If unset, it defaults to the Site admin email address.
- The confirmation link within the email must be opened from within the same browser as that which was used to request the email.
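The second point above is a browser binding: the emailed link only works from the browser that asked for it. The sketch below is an added illustration of one way to implement that binding and is not Shield’s own code; the in-memory PENDING store, the 15-minute lifetime and the helper names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60
# Constructed in-memory store of pending requests: sha256(link token) -> (sha256(browser cookie), expiry).
# A real plugin would keep this in a WordPress option or transient; only hashes are stored,
# so reading the database alone is not enough to forge a confirmation.
PENDING = {}

def _h(value):
    return hashlib.sha256(value.encode()).hexdigest()

def request_disable(now=None):
    """Step 1: the admin asks for the email. Returns (browser_cookie, link_token): the cookie is
    set in the requesting browser, the token goes into the emailed link; the pair is bound server-side."""
    now = time.time() if now is None else now
    browser_cookie, link_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    PENDING[_h(link_token)] = (_h(browser_cookie), now + TTL_SECONDS)
    return browser_cookie, link_token

def confirm_disable(link_token, browser_cookie, now=None):
    """Step 2: the emailed link is opened. Succeeds only if the token is known, unexpired and
    presented with the same cookie that requested it; a successful confirmation consumes the token."""
    now = time.time() if now is None else now
    key = _h(link_token)
    entry = PENDING.get(key)
    if entry is None:
        return False
    browser_hash, expires_at = entry
    if now > expires_at:
        PENDING.pop(key, None)              # stale request: discard it
        return False
    if not hmac.compare_digest(browser_hash, _h(browser_cookie or "")):
        return False                        # right link, different browser: leave it pending
    PENDING.pop(key, None)                  # single use
    return True
```

Opening the link from another browser fails without consuming the token, so the admin can still complete the confirmation from the original browser before it expires.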
#3: Automatic Repair of WordPress.org Theme Files
Shield can now automatically repair files contained within themes that are installed from WordPress.org.
The auto-repair of plugin files has been with Shield for a long time, so this feature was long overdue. It’s been made possible with our recent developments in handling and scanning WordPress.org plugins and themes.
#4: Filter Lists of IP Addresses
Sometimes an IP address gets blacklisted incorrectly and we need to remove it from the list.
But if your site has a large list of offenders, finding that particular IP can be time consuming. Not any more! You can now filter any list by a specific IP address, so you can find the entry immediately and take action more quickly.
#5: Completely Custom Content Security Policies
Until now, Shield has let you set a Content Security Policy, but only for the ‘default-src’ directive.
With Shield Pro 8.5, you can provide as many custom Content Security Policy rules as you need to. The UI is simple, but there is no validation that your rules are structured correctly, nor whether they’re appropriate for your particular site and circumstances.
Great care should be taken when providing your custom rules and advice should be sought from your web developer on what is most appropriate.
As always, test, test, test.
#6: Redesign of Plugin/Theme Guard Scanner
The plugin/theme guard has been a great defence against modifications and intrusions made via our plugins and themes. It helps detect malicious intrusion earlier.
But there were some problems with the original scanner which we’ve tried to overcome in this release, most notably:
Scan depth was limited
We’d provided an option to limit the depth (the number of directories) into which the scanner would look. This was to keep both memory usage, and scan times, as low as possible.
Our recent scanner developments mean that we can do away with this limitation. We’ve removed the scan depth option and examine all files within the entire plugin and theme folders.
Capturing file signatures was problematic
Before a plugin directory can be scanned, we had to build “original” checksums so that we had a baseline to compare against. For whatever reason, this step wouldn’t always be triggered, and everything got out of sync.
We’ve now simplified this so that checksums get built each time there’s a change in a plugin version. It’s not infallible, but we’re striking a balance between reliability and usability. If something is buggy and unreliable, then you won’t use it in the first place.
As our efforts continue to get premium plugin and theme developers onboard (as outlined above), we can adjust this behaviour and continue to improve our approach.
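The two scanning modes described in this article, comparing against a developer’s official MD5 checksums (#1) and falling back to a self-captured baseline that is rebuilt on every version change (#6), are illustrated together below. This is an added example, not Shield’s scanner; it assumes a vendor manifest shaped like WordPress.org’s core checksums (relative path to MD5 hex) and constructs a throwaway two-file plugin to scan.

```python
import hashlib
import os
import tempfile

def file_checksums(plugin_dir):
    """Walk the whole plugin folder (no depth limit, as in the 8.5 scanner) and MD5 every file.
    Keys are forward-slash paths relative to plugin_dir; we assume vendors publish the same shape."""
    sums = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for fname in files:
            full = os.path.join(root, fname)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                sums[rel] = hashlib.md5(fh.read()).hexdigest()
    return sums

def compare(current, reference):
    """Split files into modified, missing (in reference only) and unexpected (on disk only)."""
    return {
        "modified": sorted(p for p in current if p in reference and current[p] != reference[p]),
        "missing": sorted(p for p in reference if p not in current),
        "unexpected": sorted(p for p in current if p not in reference),
    }

def scan(plugin_dir, installed_version, baseline, vendor_manifest=None):
    """Returns (mode, findings, baseline). With official checksums for this version, compare
    against them. Otherwise use our own baseline: rebuild it when the installed version
    changed (no findings on that run), compare against it when the version is unchanged."""
    current = file_checksums(plugin_dir)
    if vendor_manifest is not None:
        return "vendor", compare(current, vendor_manifest), baseline
    if baseline is None or baseline["version"] != installed_version:
        return "rebaselined", None, {"version": installed_version, "checksums": current}
    return "baseline", compare(current, baseline["checksums"]), baseline

def _write(path, text, mode="w"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed two-file plugin: baseline it, alter it, then bump its version."""
    with tempfile.TemporaryDirectory() as d:
        _write(os.path.join(d, "plugin.php"), "<?php // main file\n")
        _write(os.path.join(d, "includes", "api.php"), "<?php // api\n")
        _, _, baseline = scan(d, "1.0.0", None)                  # first run: capture baseline
        _write(os.path.join(d, "includes", "api.php"), "// changed\n", mode="a")
        _write(os.path.join(d, "extra.php"), "<?php // not in baseline\n")
        mode, findings, _ = scan(d, "1.0.0", baseline)           # same version: compare
        bump_mode, _, _ = scan(d, "1.1.0", baseline)             # new version: rebuild silently
        return mode, findings, bump_mode
```

The version-bump run shows the trade-off the article describes: a changed version triggers a fresh baseline rather than an alert, so a developer-published manifest is the stronger check where one exists.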
#7: Whitelist Paths Against IP Blocking
We recently had a need to whitelist our license checking API on our own site so that it wouldn’t block servers that wanted to test for a license.
For some reason, certain sites would trigger the blacklist while looking for a license and this would then prevent them from checking licenses.
We wanted a way to whitelist all requests to our license checking API endpoint, but keep security everywhere else. To do this, we added an option to Shield that lets you whitelist any path you wish.
This is a powerful option and should be used with great care.
Other Noteworthy Improvements To Shield Security 8.5
There are many changes in this release, so we’ll summarise the biggest ones here:
Redesign of Scan Results Tables
The tables for showing results have been greatly simplified. We’ve also combined the results of all file scanners, rather than having separate tables.
Fixed two bugs with Two-Factor Authentication (2FA)
We discovered two bugs with Shield’s 2FA login page. One allowed certain requests to bypass the 2FA confirmation page, while the other was a redirection bug that completely broke 2FA login confirmation requests, preventing users from completing their logins.
Better detection of Server IP addresses
One of the hardest things we do is detect a visitor’s true IP address. It’s an art in many cases, not an exact science. Part of the process involves detecting the server’s own IP address so as to eliminate it completely from the list of possibilities. The changes in this release improve this process even further, and add support for IPv6 server addresses also.
Comments, Questions and Suggestions
There are many changes in this release and certainly something for everyone. If you have any questions, then it’s likely someone else has the same one – post it below and we’ll get right back to you, and update the article if it’s needed.
As always, we appreciate your continued support.