Shield Security for WordPress v8.6 introduces several new features and paves the way for new two-factor authentication services in future releases.
We’ve also added a new feature that helps protect against SPAM user registrations by assessing the domain of the email address to ensure it’s legitimate and isn’t from a disposable email service. Read on to find out more…
#1 WordPress 2-Factor Authentication with Shield Security
Two-Factor Authentication is one of the simplest, yet most powerful, ways to secure access to your WordPress sites. It works by adding another “factor” to the WordPress login.
Currently, the standard WordPress login is “single-factor”, i.e. just a password.
By adding another factor, you significantly decrease the chances of anyone else gaining access to your account, even if your password has been guessed or stolen.
These other “factors” can take several different formats, but generally they fall into 1 of 3 categories:
- something you know,
- something you have,
- something you are.
Passwords are something you know.
Sometimes you might use SMS to verify an account you own – banks often take this approach. This type of factor is something you have (your phone).
Shield currently integrates 3 providers of these factors:
- Email
- Google Authenticator
- YubiKeys
Just like SMS, these factors are all things you have, so adding one of them to your WordPress login improves your account integrity by ensuring that whoever logs in is more likely to be you. Bear in mind that an email factor is only as strong as the mailbox that receives the code, so an authenticator app or a YubiKey is the stronger choice where your users can use one.
With Shield Security 8.6, we’ve redesigned and rewritten how our two-factor authentication system works. This opens up the possibility of adding more providers to Shield, giving you and your users greater flexibility.
We’ve also enhanced the user profile UI, making it easier to manage your two-factor options within WordPress, for your users. It’s now clearer which factors are active, and it’s easier to turn them on and off.
We’ve also added a new option for Email-based two-factor authentication. Until now it was up to the Security Admin to enforce Email 2FA on users, by selecting the user roles it applied to.
Now it’s possible to turn on Email 2FA for everyone, and each user can enable it on their own profile whenever they want (if they aren’t already forced to use it).
#2 Protection Against SPAM User Registration
Shield Pro 8.6 comes with a new feature that scans new user registrations for spam email addresses. It examines the domain name of the email address in 3 key areas:
- that the domain name exists and resolves to an IP address;
- that the domain name has MX records;
- that the domain name is not from a disposable email provider.
Each of these 3 checks helps ensure the email address being registered is legitimate and not the work of a random spam bot.
It can’t, of course, eliminate spam user registrations when a valid domain name is used, such as outlook.com. But it goes a long way towards deflecting the most common rubbish, particularly for e-commerce sites.
You have 3 options when you enable this feature. You can:
- log it in the Audit Trail – useful when you want to assess the feature for your site.
- allow the user registration to continue, but increment the offense counter against that IP address.
- immediately block the user registration and kill the request.
Go here for more details on this new feature.
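The following is an added example of how the three domain checks and the three response modes described above fit together; it is not Shield’s own code. It assumes a small table-driven resolver standing in for DNS (so it runs offline), a constructed list of disposable domains, and reserved `.example` names for the sample registrations. It also treats an RFC 7505 “null MX” record (a single MX of `.`) as a refusal to accept mail, which is a check the page does not mention but that a practitioner would want.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed list of disposable-mail domains for this example only; the plugin's
# real list is not shown on the page, and a deployment would load a maintained one.
DISPOSABLE_DOMAINS = frozenset({"mailinator.com", "10minutemail.com", "guerrillamail.com"})


def email_domain(address: str) -> Optional[str]:
    """Return the normalised domain part of an address, or None if it is malformed."""
    if address.count("@") != 1 or any(c.isspace() for c in address):
        return None
    local, domain = address.rsplit("@", 1)
    # Case and a trailing dot are not significant in DNS; IDN labels become punycode
    # so the lookup and the disposable-list comparison see the same ASCII form.
    domain = domain.rstrip(".").lower()
    try:
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:  # empty or over-long label, e.g. "a..b"
        return None
    if not local or not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        return None
    return domain


class TableResolver:
    """Offline stand-in for DNS built from constructed records (an assumption of this
    example). In production, back has_address() with socket.getaddrinfo() and
    mx_hosts() with a real MX query, e.g. dnspython's dns.resolver.resolve(d, "MX")."""

    def __init__(self, a_records: Iterable[str], mx_records: Dict[str, List[str]]):
        self._a = {d.lower() for d in a_records}
        self._mx = {d.lower(): list(hosts) for d, hosts in mx_records.items()}

    def has_address(self, domain: str) -> bool:
        return domain in self._a

    def mx_hosts(self, domain: str) -> List[str]:
        return self._mx.get(domain, [])


@dataclass
class Verdict:
    domain: Optional[str]
    reasons: List[str] = field(default_factory=list)  # empty list: the address passed

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess_registration_email(address: str, resolver, disposable=DISPOSABLE_DOMAINS) -> Verdict:
    """Run the three domain checks and collect every failure, so that log mode
    can record the full picture in the audit trail rather than the first hit."""
    domain = email_domain(address)
    if domain is None:
        return Verdict(None, ["malformed address"])
    reasons = []
    if domain in disposable:  # cheapest check first: no network round trip
        reasons.append("disposable email provider")
    if not resolver.has_address(domain):
        reasons.append("domain does not resolve")
    mx = resolver.mx_hosts(domain)
    if not mx:
        reasons.append("no MX records")
    elif mx == ["."]:  # RFC 7505 null MX: the domain explicitly accepts no mail
        reasons.append("null MX: domain refuses mail")
    return Verdict(domain, reasons)


def registration_allowed(verdict: Verdict, mode: str, offenses: Dict[str, int], ip: str) -> bool:
    """Map a verdict onto the three modes the feature offers: log, offense, block."""
    if not verdict.suspicious:
        return True
    if mode == "log":  # audit only; the caller writes verdict.reasons to its audit trail
        return True
    if mode == "offense":  # let it through, but count a strike against the client IP
        offenses[ip] = offenses.get(ip, 0) + 1
        return True
    if mode == "block":
        return False
    raise ValueError(f"unknown mode {mode!r}")


# Constructed zone data and registrations; the .example names are reserved for documentation.
SAMPLE_RESOLVER = TableResolver(
    a_records={"example.com", "mailinator.com", "web-only.example", "nomail.example"},
    mx_records={"example.com": ["mail.example.com"],
                "mailinator.com": ["mx.mailinator.com"],
                "nomail.example": ["."]},
)
SAMPLE_REGISTRATIONS = ["alice@example.com", "bot@mailinator.com", "x@web-only.example",
                        "y@nomail.example", "z@does-not-exist.example", "bad@@example.com"]


def demo(mode: str = "offense", ip: str = "203.0.113.9"):
    """Assess each sample registration; returns {address: (allowed, reasons)} and the offense counter."""
    offenses: Dict[str, int] = {}
    results = {}
    for addr in SAMPLE_REGISTRATIONS:
        verdict = assess_registration_email(addr, SAMPLE_RESOLVER)
        results[addr] = (registration_allowed(verdict, mode, offenses, ip), verdict.reasons)
    return results, offenses
```

One caveat worth knowing when you read the results: a domain with an A record but no MX can still receive mail under the SMTP fallback rules, so “no MX records” is a strong spam signal but not proof, which is why evaluating the feature in log mode first is sensible.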
#3 Manually Block IP Address Ranges
This feature has been requested for a long while, but it’s only been made possible by some of the recent enhancements to the plugin.
You can now supply an IP CIDR range when blocking IP addresses. Shield won’t validate your range or compare it with other ranges on the IP lists for overlaps. You’ll need to take care when using ranges, as an incorrect range specification could unintentionally block thousands of visitors, or even your own address.
If you’re unfamiliar with IP CIDR notation, we encourage you to do some research to understand it fully, before attempting to use it. We don’t offer support in building CIDR ranges – we’ll leave this to you. If you’re unsure, it’s best to leave Shield to manage your blacklist for you, completely automatically.
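Because Shield 8.6 does not validate a range or check it for overlaps, the following is an added example of the pre-flight checks you can run yourself before pasting a range into the block list. It is not part of Shield; it uses Python’s standard `ipaddress` module, and the existing list entries, your own IP and the size limit (anything wider than an IPv4 /16 flagged as a probable typo) are constructed assumptions for the example. Documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`, `2001:db8::/32`) stand in for real addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption for this example: a range wider than an IPv4 /16 (65,536 addresses)
# is treated as a probable typo unless the operator raises the limit deliberately.
MAX_ADDRESSES = 65536


def parse_range(text: str) -> Network:
    """Parse a single address or a CIDR range. strict=True rejects host bits set
    inside the prefix ('203.0.113.7/24'): silently widening that to 203.0.113.0/24
    is exactly the kind of slip that blocks a whole neighbourhood by accident."""
    try:
        return ipaddress.ip_network(text.strip(), strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid IP or CIDR range {text!r}: {exc}") from exc


@dataclass
class RangeReview:
    network: Network
    num_addresses: int
    problems: List[str] = field(default_factory=list)  # empty list: safe to add

    @property
    def ok(self) -> bool:
        return not self.problems


def review_range(text: str, existing: Iterable[str], own_ips: Iterable[str],
                 max_addresses: int = MAX_ADDRESSES) -> RangeReview:
    """Checks the plugin does not do for you: size, self-lockout, addresses that can
    never belong to a remote visitor, and overlap with entries already on the list."""
    net = parse_range(text)
    review = RangeReview(net, net.num_addresses)
    if net.num_addresses > max_addresses:
        review.problems.append(f"{net} covers {net.num_addresses} addresses (limit {max_addresses})")
    if net.is_loopback or net.is_link_local or net.is_multicast or net.is_unspecified:
        review.problems.append(f"{net} cannot be a remote visitor's address; almost certainly a typo")
    for ip in own_ips:
        if ipaddress.ip_address(ip) in net:
            review.problems.append(f"{net} contains your own address {ip}: you would lock yourself out")
    for other_text in existing:
        other = parse_range(other_text)
        if other.version != net.version:
            continue
        # CIDR blocks are either nested or disjoint, so these two cases cover every overlap.
        if net.subnet_of(other):
            review.problems.append(f"{net} is already covered by existing entry {other}")
        elif net.supernet_of(other):
            review.problems.append(f"{net} swallows existing entry {other}")
    return review


def review_all(candidates: Iterable[str], existing: Iterable[str],
               own_ips: Iterable[str]) -> Dict[str, List[str]]:
    """Review every candidate; a malformed range is reported as a problem, not raised."""
    existing = list(existing)
    own_ips = list(own_ips)
    report: Dict[str, List[str]] = {}
    for text in candidates:
        try:
            report[text] = review_range(text, existing, own_ips).problems
        except ValueError as exc:
            report[text] = [str(exc)]
    return report


# Constructed sample data: what is already on the list, the admin's own IP, and
# the ranges someone is about to add (all documentation ranges, not real visitors).
EXISTING_LIST = ["203.0.113.0/24", "198.51.100.42"]
OWN_IPS = ["198.51.100.7"]
CANDIDATES = ["192.0.2.0/24", "203.0.113.128/25", "203.0.0.0/8",
              "198.51.100.0/24", "203.0.113.7/24", "127.0.0.0/8", "2001:db8::/32"]

if __name__ == "__main__":
    for text, problems in review_all(CANDIDATES, EXISTING_LIST, OWN_IPS).items():
        print(f"{text:18} {'OK' if not problems else '; '.join(problems)}")
```

Only `192.0.2.0/24` comes through clean in this data set; every other candidate is either too wide, already covered, a self-lockout, a loopback range, or a typo that `strict=True` refuses to widen for you.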
Notice Of Future Changes To Shield
We haven’t decided when exactly we’ll make these changes, but we’re outlining them here so that you’re made aware of them as early as possible.
These proposed changes haven’t been confirmed, but they are highly likely:
- Increase the minimum supported PHP version from 5.4.0 to 5.6.0, or maybe as far as 7.0.
- Remove the Automatic Updates module from the plugin entirely.
Of course if you have any comments or suggestions about these changes, we’d love to hear from you.
Comments, Questions and Suggestions
As always, we’re open to hear your thoughts on anything mentioned in this release article. Feel free to leave your comments in the section below and we’ll get right back to you.