September 7, 2018 by Paul G. | Releases, Shield Pro

WP Shield Security – Release 6.9


The latest release for our WordPress security appliance is a big one in many ways.

We’ve added a whole new module that lets you monitor and review all web requests to your WordPress site, added a few new options and enhancements, and made some major improvements and bug fixes throughout the system.

This article will briefly outline the most important improvements.

#1 See Your Site HTTP Traffic With The Traffic Watcher (Pro-only)

Often it’s difficult to know what exactly is going on with your site if you can’t see it. How do you know if you’re getting “hit” if you can’t see the actual traffic? Sure, if you had access to your Apache access log files, you could see exactly what’s happening.

But not everyone can do that, and not everyone wants to do it.

We often get support requests telling us that someone is being hit by “bots”, when in fact there’s no way that they could know this. And often, what might appear to be bots is legitimate traffic that they’re just not aware their site is configured to instigate.

Before you can debug a problem like this and assign meaning to it, you need to see what exactly is happening.

For this purpose, we’ve created the Traffic Watcher system in Shield Security v6.9. On the surface it is quite simple, but we want to very clearly lay out what it is, and what it is not.

Shield’s Traffic Watcher Is Not …

  • A traffic analytics system or any sort of alternative to analytics. It has nothing to do with analytics.
  • It is not a security feature. It doesn’t secure anything; it doesn’t block anything; it doesn’t allow anything.
  • It is not a log analyser. It doesn’t use your Apache/server logs or any other logs.

Shield’s Traffic Watcher Is …

  • A window; a view into your WordPress site traffic and any requests made to your WordPress site.
  • A log of HTTP requests made to your WordPress site that provides a summary of each request including:
    • time
    • IP address (and Geo-location)
    • WP username (if logged-in)
    • request path (including any query parameters)
    • the HTTP response code for the request e.g. 200 (a successful request)
    • whether the request was a transgression against the Shield Security plugin

Traffic Watcher Options

This sort of information is great when you need it, but bulky and space-consuming when you don’t. So we have provided some important options to maximise the efficacy and the efficiency of this service.

Probably by far the most important set of options are the traffic exclusions. These allow you to monitor a specific sub-set of traffic to keep your logs to a minimum with as little “noise” as possible.

Please note that any web requests that match any active exclusion will not be logged in the Traffic Watcher system.

Your possible traffic exclusions are:

  • Simple requests – any requests that do not contain any data parameters either in the GET query, or in the POST data.
  • REST API
  • AJAX
  • Logged-In – any requests made by a user that is considered to be “logged-in” to the WordPress site.
  • WP Cron
  • Search Engine Spiders/Bots – supports Google, Bing, and Duck Duck Go (at the time of writing)
  • Uptime Monitoring services – supports StatusCake, Pingdom, Uptime Robot
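To make the effect of these exclusions concrete, here is an added example (not Shield’s own code) that models the “any active exclusion means not logged” rule over a handful of constructed requests. The record fields, the User-Agent substring matching and the category names are assumptions made for illustration; the path checks use WordPress’ default endpoints.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed User-Agent markers for the services the post names; how Shield
# itself identifies these services is not described on the page.
SEARCH_BOTS = ("googlebot", "bingbot", "duckduckbot")
UPTIME_BOTS = ("statuscake", "pingdom", "uptimerobot")

def matched_exclusions(req):
    """Return every exclusion category a request record falls under."""
    url = urlsplit(req["url"])
    query = parse_qs(url.query, keep_blank_values=True)
    ua = req.get("user_agent", "").lower()
    hits = set()
    if not query and not req.get("post"):  # no GET or POST parameters
        hits.add("simple")
    if url.path.startswith("/wp-json/") or "rest_route" in query:
        hits.add("rest_api")
    if url.path.endswith("/wp-admin/admin-ajax.php"):
        hits.add("ajax")
    if url.path.endswith("/wp-cron.php"):
        hits.add("wp_cron")
    if req.get("wp_user"):
        hits.add("logged_in")
    if any(marker in ua for marker in SEARCH_BOTS):
        hits.add("search_bots")
    if any(marker in ua for marker in UPTIME_BOTS):
        hits.add("uptime")
    return hits

def is_logged(req, active):
    """A request is recorded only if it matches no active exclusion."""
    return not (matched_exclusions(req) & set(active))

# Constructed sample requests (not real traffic).
UA = "Mozilla/5.0"
SAMPLES = [
    {"url": "/", "user_agent": UA},
    {"url": "/?s=shoes", "user_agent": UA},
    {"url": "/wp-json/wp/v2/posts", "user_agent": UA},
    {"url": "/wp-admin/admin-ajax.php", "post": {"action": "heartbeat"},
     "wp_user": "editor1", "user_agent": UA},
    {"url": "/wp-cron.php?doing_wp_cron=1536300000.1", "user_agent": "WordPress/4.9.8"},
    {"url": "/", "user_agent": "Mozilla/5.0 (compatible; UptimeRobot/2.0)"},
    {"url": "/wp-login.php", "post": {"log": "admin", "pwd": "(redacted)"}, "user_agent": UA},
]

def logged_urls(active):
    """URLs from SAMPLES that would still appear in the log."""
    return [r["url"] for r in SAMPLES if is_logged(r, active)]
```

In this model a request can fall under several categories at once: the parameterless REST call is also a “simple” request, so it drops out of the log as soon as the Simple requests exclusion is active, even if the REST API exclusion is not.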

As well as having exclusion rules to keep your logs to a minimum, we provided an option to automatically disable the logging system after 1 week.

This is so that you don’t turn it on and then forget about it, leaving the system logging traffic indefinitely, which would be a complete waste of resources.

Note: The Traffic Watcher module is a Pro-only feature.

#2 Multiple Yubikeys Per User Profile (Pro-only)

This is a feature that we’ve had requested many times.

We use Yubikeys here to secure some of our most important services and assets, but as with any multi-factor authentication device, we’re always nervous that it might break or get lost.

This is the same with Yubikeys if you’re using them on your WordPress sites – losing your Yubikey could cause some major headaches.

So with Shield v6.9.0 (pro-only) users can now add as many Yubikey devices to their accounts as they’d like!

#3 Other Shield Improvements

Here are some of the more significant improvements with Shield 6.9:

  • Option to delete the Security Admin Access Key.
    – It’s rare that this is needed, but sometimes it’s handy to just remove the access key rather than disable the whole module (especially if you’re using White Label).
  • AJAX Security Admin session checking.
    – If your Security Admin session has timed out, Shield now warns you and prompts you to reload.
  • Password Policies system now redirects users to password reset page.
    – We got feedback that redirecting users to their profile pages was confusing, so instead we direct users to WordPress’ password reset form.
  • Added WooCommerce and Easy Digital Downloads user roles to the Email 2FA settings
    – Now you can enforce email-2FA for your Shop Workers, Managers, and even Customers.
  • Delete ‘forceoff’ from inside the WP admin
    – You no longer need to use your FTP/File browser to remove the ‘forceoff’ file.
  • Audit Trail message improvements
    – Shield now identifies the actual PHP file used to send emails (so you can track it better) and also identifies Post types when posts are updated.
  • Loads of other bug fixes and system improvements
    – We’ve fixed bugs, and rewritten and improved our database code, bot-checking JavaScript code, sessions handling, stats code, login cooldown, and plugin/theme guard.

This is a huge release in many ways and has undergone a lot of testing and refinements. But with so many changes, it’s quite possible something gets overlooked.

As always, please drop us a line if there’s something you’d like to see, or if something doesn’t quite work as you’d expect.
