Shield Security

Shield Security Changelog


Released: Sep 26, 2023 - Release Announcement | Upgrade Guide 18.4 ↗

Main Release (18.4.0)

  • NEW: Improved Page Loading Performance
    Performance improvements for page loading & TTFB through various optimisations.
  • NEW: Developers: New Filters
    Provide a filter for admins to adjust the lost password URL for suspended users.
  • FIXED: 2FA Login Redirects
    Fixed a rare scenario where the redirect_to flag for WP logins wasn't being completely honoured when 2FA was used.
  • FIXED: Google Authenticator QR Codes
    Fixed broken rendering of QR Codes for Google Authenticator.


Released: Sep 18, 2023 - Release Announcement | Upgrade Guide 18.3 ↗

Patch Releases

Patch 18.3.9 (Sep 20, 2023)
  • NEW: Add activity log event for WP Core Reinstall (distinct from core upgrade)
  • FIXED: Fixed Fatal error on older WordPress installations for missing function get_user_count().

Main Release (18.3.0)

  • NEW: Custom Reports
    You can now create custom reports on-demand, for any period for which you have data.
  • NEW: Live Traffic Log
    You can now temporarily switch the Traffic Log to live logging mode to capture all WordPress requests.
  • NEW: Live Traffic Log View
    Live logging tool lets you view all requests sent to the site, and automatically refreshes with the latest requests.
  • NEW: Reports Archive
    Automated and manually-created reports are now full HTML pages and are saved/archived for future reference.
  • NEW: Enhanced Summary Dashboard
    We've created a brand new dashboard, to be used as a launchpad for many security actions.
  • NEW: Traffic Log Download
    All traffic logs can be downloaded to plain-text log files.
  • IMPROVED: Breadcrumbs For Better Navigation
    Navigating the plugin and various pages is improved and more intuitive for users.
  • IMPROVED: User Sessions Management
    Improved the loading of user sessions to be more thorough.
  • IMPROVED: Activity and Traffic Logging Conflicts Resolved
    In the case that logging was disabled where you had a conflicting PHP logging library, logs are now available for you again.
  • IMPROVED: Many Code Improvements
    Major reworking and improvements of code for reliability and performance.


Released: Jul 26, 2023 - Release Announcement | Upgrade Guide 18.2 ↗

Patch Releases

Patch 18.2.11 (Aug 29, 2023)
  • IMPROVED: Vulnerability scanning is more efficient.
  • IMPROVED: Improvements and performance optimisation in several areas.
  • IMPROVED: Improvements and optimizations to many SQL queries.
  • FIXED: Mitigate a potential error on upgrade.
Patch 18.2.8 (Aug 14, 2023)
  • NEW: Adding Activity Log tracking for Shield options saving.
  • IMPROVED: Provide ability to filter activity & request log tables by logged-in user.
  • IMPROVED: Refactor & optimise how Shield options are stored, reducing WordPress DB entries.
  • IMPROVED: Updated built-in helpdesk links.
  • IMPROVED: Provide an easily access function to trigger manual scans.
  • IMPROVED: Performance improvements when loading activity log and traffic log tables.
  • FIXED: Snapshots performance improvements and fixes for some edge cases.
Patch 18.2.4 (Jul 28, 2023)
  • IMPROVED: Updated some JS & CSS assets.
  • FIXED: Refactored license verification to reduce chances of licenses being deactivated.
  • FIXED: Other smaller bug fixes.

Main Release (18.2.0)

  • NEW: Change Reports
    You can now create summary and detailed reports for important changes on your WordPress site. More Info ↗
  • NEW: Additional Event Logging
    Shield now captures events such as plugin/theme uninstallation and user password updates. More Info ↗
  • NEW: Enhanced Event Logging
    Shield now logs changes to the site that were done 'outside' of the WordPress environment. It can capture changes to critical WordPress core options that were modified directly on WordPress DB, for example. More Info ↗
  • NEW: Protect WordPress Permalinks Option
    Security Admin now protects the WordPress Permalinks and the New User Default Role options.


Released: Jun 8, 2023 - Release Announcement | Upgrade Guide 18.1 ↗

Main Release (18.1.0)

  • NEW: Add Bot-Protection Support for more 3rd party plugins
    Plugins include: 'Classified Listing', 'ProfilePress'
  • NEW: Support and integration with WP Umbrella
    Ensures that requests coming from WP Umbrella are never interrupted or trigger Shield's defenses. More Info ↗
  • IMPROVEMENTS: Huge underlying code cleanup and improvements..
  • IMPROVEMENTS: Improved fallback support for Bing Search Engine Bots and SEMRush.
    If your site is having temporary rDNS lookup issues and can't verify the Bing bot, we've provided some fallback mechanisms.
  • IMPROVEMENTS: Improvements to Plugin Notifications.
  • IMPROVEMENTS: Upgraded Assets, such as Bootstrap to the latest available.
  • FIX: Bug: Filelocker wasn't always creating the file lock correctly.
  • FIX: Bug: Incorrectly identifying Contact Form 7.
    Shield would report Contact Form 7 is installed, when it wasn't.


Released: Apr 17, 2023 - Release Announcement | Upgrade Guide 18.0 ↗

Patch Releases

Patch 18.0.7 (Apr 26, 2023)
  • FIXED: FileLocker would fail to lock files in certain scenarios.
Patch 18.0.6 (Apr 26, 2023)
  • NEW: Added support for scanning .mo after MAL{ai} malware analysis indicate this is a common injection file type.
  • IMPROVED: ADE Not-Bot checking will only run if the IP module and NotBot options are enabled. Otherwise, no bot assessment will be performed.
  • IMPROVED: Apply some automatic malware scanning exclusions.
  • FIXED: UI and menu fixes.

Main Release (18.0.0)

  • NEW: MAL{ai} - Artificial Intelligence for WordPress Malware Detection
  • NEW: File Scan Areas Option
    We've added new scan areas, in particularly the entire /wp-content/ directory, and the WP installation root directory. You can now select these to be scanned - you'll have more results to review, but you'll have more visibility on the files sitting on your site.
  • NEW: Added Extra Protection To Security Admin
    We've added some protection against adjustments to the WP Default User Role option within the Security Admin system.
  • NEW: Toggle Security Analysis Overview
    Added the option to view your Security Overview as either ShieldFREE or ShieldPRO.
  • IMPROVEMENTS: Improved, More Compact Plugin Layout
    We've received a number of piece of feedback about the latest plugin layout and have restructured some elements to be more compact. This cleanup ensures we waste less space on the screen and can display more content that you need to see.
  • IMPROVEMENTS: Scan Results Display
    We've continued with our tweaking of the Scan Results pages, making them faster to load and easier to read.
  • IMPROVEMENTS: Plugin Code and Performance
    We've continued our code clean-up and code enhancements, following our previous major release.


Released: Feb 28, 2023 - Release Announcement | Upgrade Guide 17.0 ↗

Patch Releases

Patch 17.0.20 (Mar 24, 2023)
  • IMPROVED: Further enhancements to the automated import/export subsystem.
  • FIXED: build failed for .19, so had to release .20 to create a new version.
Patch 17.0.18 (Mar 20, 2023)
  • SECURITY: Address an 'Unauthenticated XSS' security issue where an attacker could inject scripts via the HTTP User-Agent header. Further details to follow.
  • SECURITY: Address a minor 'Insufficient Authorization' security issue where arbitrary activity logs could be created via the WP plugin/theme file editor. Further details to follow
Patch 17.0.17 (Mar 20, 2023)
  • FIXED: Improve automated import/export for sites that use server caching heavily.
  • FIXED: Prevent reports resending alerts about previously notified scan results.
Patch 17.0.11-14 (Mar 5, 2023)
  • FIXED: Prevent fatal errors in the event of a Monolog library conflict, but disable Activity Logging features to facilitate this.
Patch 17.0.9 (Mar 3, 2023)
  • FIXED: Attempt to prevent errors being thrown with conflicting Monolog libraries.
  • FIXED: Prevent unnecessary logs being generated for disabled reports.
Patch 17.0.7 (Mar 1, 2023)
  • FIXED: Ensure Link Cheese robots.txt contains the necessary user-agent directive.
  • FIXED: Fix bug with handshake API.
  • FIXED: Fix bug with Reports migration upon upgrade.

Main Release (17.0.0)

  • NEW: UI Enhancements
    We've made huge progress forward in improving the Shield Dashboard interface making it easier to get to exactly where you need to. Shield is a big plugin, so organising all the tools and features is a challenge, but this is our best UI yet!
  • NEW: WeForms Integration
    We've added native support for protection against contact form SPAM directed against WeForms.
  • IMPROVED: Much Improved IP Rules Management
    IP Rules management could be slow as the IP rules table grew, but we've done a lot of work to speed this up.
  • IMPROVED: Much Improved File Locker
    The OpenSSL encryption process has been hugely improved in order to run better on newer systems that don't support legacy encryption ciphers.
  • IMPROVED: NotBot JS Improvements
    Following some feedback and issues reported with SiteGround, we've made a few enhancement to the NotBot JS code.
  • IMPROVED: Filter Tables By Date
    The Activity Log and Traffic Log can now be filtered by date, letting you quickly find the logs you need.
  • IMPROVED: Better Security Overview
    We've made some adjustments to how the Overview dashboard is created alongside tweaks to the scoring logic. We've also aligned the Admin dashboard widget score with the overall Shield Dashboard score.
  • IMPROVED: Major Code Overhaul
    Nearly all functionality of the plugin has been rewritten and improved.
  • NEW: Whitelist/Bypass IP Are Included In Exports
    It is now possible to share Bypass IPs from a master site to its client site using the import/export feature. Only IP addresses added after the upgrade will be included in any subsequent exports.
  • IMPROVED: Much Improved Automatic Import/Export
    The process of automatic notification of client sites to import configurations from the master site has been much improved.
  • IMPROVED: Better Plugin Search
    We've improved the UI for searching the plugin alongside adding the ability to search for partial IP addresses.
  • IMPROVED: Pwned Passwords API
    We've made our implementation of the Pwned Passwords API more forgiving of API errors. Instead of blocking passwords when there's an error with the API, we bypass the test altogether allowing the request to succeed.
  • IMPROVED: Plugin Re-Install Feature Improved
    Depending on your particular plugin soup, the plugin reinstall feature could fail.
  • CHANGED: Removed Reporting Module
    As part of our focus on simplifying the Shield plugin, we've removed the separate Reporting module. You'll still get email Reports, but the options are now configured under the General Settings module.
  • CHANGED: Minimum PHP Version: 7.2
    To stay ahead and on top of the latest developments in our PHP libraries, we've pushed our minimum PHP version to 7.2. More Info ↗
  • CHANGED: Minimum WordPress Version: 4.7
    Based on Shield telemetry data, we're pushing our minimum supported WordPress version up to 4.7. We'll continue to push this upwards as usage data suggests it make sense to do so.
  • REMOVED: Removed Password Policy Option: Minimum Password Length
    Shield has an option to enforce minimum password strengths, and also an option to enforce minimum length. Enforcing password length is unnecessary when a more holistic password strength meter is also applied.


Released: Sep 12, 2022 - Release Announcement | Upgrade Guide 16.1 ↗

Patch Releases

Patch 16.1.15 (Feb 8, 2023)
  • FIXED: Have I Been Pwned API Error.
Patch 16.1.14 (Nov 23, 2022)
  • CHANGED: Marks Shield 16.x as the final series supporting PHP 7.0 and 7.1. Shield 17 will require PHP 7.2.
  • IMPROVED: Performance improved when loading the WordPress Users page for sites with large users counts.
  • FIXED: Dashboard widget showing incorrect dates for user last login if it's never been recorded.
  • FIXED: Tweaks to CrowdSec Signals map.
  • FIXED: Plugin/Theme file scanner bug fixes.
  • FIXED: Minor bug fixes.
Patch 16.1.13 (Nov 1, 2022)
  • IMPROVED: Attempt to eliminate CrowdSec API issues.
  • IMPROVED: Attempt to mitigate import/export errors for certain configurations.
  • IMPROVED: Accessibility of user 2FA setup form has been improved for screen readers.
  • IMPROVED: Improved the data used to construct the QR codes for Google Authenticator setup.
  • FIXED: Minor bug fixes.
Patch 16.1.9 (Sep 28, 2022)
  • FIXED: Bug where fatal error could be caused in some hosting environments.
Patch 16.1.8 (Sep 28, 2022)
  • FIXED: Bug Fix: ensure expired crowdsec IPs are always purged.
  • IMPROVED: Optimise the checking and building of file hashes.
  • IMPROVED: Improvements to requirements checking for the File Locker feature.
  • IMPROVED: Update Swedish translations file.
Patch 16.1.6 (Sep 15, 2022)
  • FIXED: Bug Fix: for Rate Limiting Rule failing to build
Patch 16.1.5 (Sep 15, 2022)
  • IMPROVED: Improvements to MainWP Extension
    As part of our plans to enhance our MainWP extension we've made a number of fixes and tweaks.
  • SECURITY: Obscure Access To Local Plugin/Theme Hashes
    It was pointed out that the storage of plugin/theme hashes locally were accessible on nginx servers. It made info publicly available about which plugins/themes were installed, for some sites. Not a security problem in itself, but not ideal either.
  • SECURITY: QR Code Rendered Locally.
    It was pointed out that there are other means of generating QR codes that are preferrable to sending data to Google's API. QR Code images are now rendered locally on the browser using Javascript.
  • CHANGE: Logged-In User Won't Be Rated Limited.
    If you're logged-into a site, and you trigger the rate limiter, you won't be limited. You may still trigger the rate limiter if you issue non-authenticated requests, such a REST API requests.
Patch 16.1.4 (Sep 13, 2022)
  • FIXED: Security fix for reported 2FA vulnerability. More info will be released after allowing time for client upgrades.
    Note: sites are only vulnerable to this particular exploit IF it has an SQL-injection vulnerability caused by another plugin/theme. As we always say, please ensure you keep ALL your plugins, themes and WordPress core up-to-date, particularly if they have known vulnerabilities!
  • CHANGES: Reverted minimum WP version to 3.7 to allow for security patching.
  • FIXED: Bug: an error was generated when assessing some IP addresses.
  • FIXED: Bug: API requests for certain types of options were appearing to fail (they weren't) and generating an error.
Patch 16.1.2 (Sep 12, 2022)
  • FIXED: Bug fix unable to start scans.
  • FIXED: Bug fix DB creation error on initialisation on a new website.
  • FIXED: Bug fix error with Overview page when analysing the firewall grade, after removing Leading Schemas.

Main Release (16.1.0)

  • NEW: CrowdSec Partnership
    Shield Security and CrowdSec are now partnered to deliver powerful IP block lists to WordPress sites. More Info ↗
  • NEW: Complete Rewrite of IP Rules System
    The previous system for block/black and bypass/white lists was quite old and needed completely upgraded to handle the CrowdSec integration. The new system is far faster and smarter with a much-improved table display.
  • NEW: Custom Activity Log Events
    There is now the option to log custom events to Shield's Activity Log. It's impossible that Shield can log every possibly event for every plugin and scenario, so you can now add logging for all your desired site events. This is an advanced option and will require professional software development experience to implement. More Info ↗
  • NEW: Super Search Box
    The Super Search Box is accessible and visible from every page inside the plugin. You're currently able to search for configuration options, tools and IP addresses.
  • NEW: Improved Scan Results Display
    Eliminated errors and slow processing when displaying scan results pages for large datasets. Shield now uses highly optimised queries to request only the records required to display the current table page.
  • NEW: Improved Human Comments SPAM Detection
    Based on some customer feedback we'd improved Human Comment SPAM detection. Shield will now also look at recently posted comments by the same IP addresses when deciding whether a comment is SPAM.
  • NEW: Beta Access Option
    A new option is provided to allow easy access to beta version of the Shield Security plugin. More Info ↗
  • IMPROVED: Shield Nav Bar
    Shield offer a much better navbar on the dashboard with built-in search, helpdesk links and updates.
  • IMPROVED: Protection Against Unauthorised Deactivation
    The Security Admin feature that protects against unauthorised deactivation has been further strengthened with offenses.
  • NEW: Logging: App Password Creation
    Shield now captures creation of new Application Passwords in the Activity Log.
  • NEW: Removed: Leading Schema Firewall Rule
    This rules flags too many false positives for members.
  • CHANGED: Minimum WordPress Version: 4.7
    Based on Shield telemetry data, we're pushing our minimum supported WordPress version up to 4.7. We'll continue to push this upwards as usage data suggests it make sense to do so.
  • FIXED: Various Fixes
    • Mitigate a fatal error caused by the latest wpForo plugin passing NULL to locale filters.
    • Bug when specifying a particular list when adding/removing an IP address using WP-CLI.
    • Shield now correctly honours WordPress' built-in 'disallowed keywords' feature when flagging comments for spam.
    • Shield no longer attempts to solve the issue of invalid 'from' email addresses on a WordPress site.


Released: Jun 6, 2022 - Release Announcement | Upgrade Guide 15.1 ↗

Patch Releases

Patch 15.1.4 (Jun 14, 2022)
  • IMPROVED: Yet another complete rewrite of the Shield Cache Dir builder to work around restrictive web hosts.
  • IMPROVED: Restore the event 'Connection Killed' that explicitly states that a request was terminated for a blocked IP.
  • FIXED: File diff UI display was broken when comparing modified WordPress Core files with the originals.
Patch 15.1.5 (Jun 20, 2022)
  • IMPROVED: Log the IP address in the Activity Log when IP has been manually unblocked.
  • FIXED: Address a potential fatal error in the admin area when the minimum server requirements aren't met.
Patch 15.1.6 (Jul 19, 2022)
  • FIXED: A rare error involving Composer versions lookup used by other plugins.
  • FIXED: Remove some PHP 8.1 deprecated notices.

Main Release (15.1.0)

  • NEW: Optimised File Scanning
    Significant optimisation in file scanning with reduction of full file scan times by up to 66%. For example, if a file scan would have normally lasted for 3 minutes, it'll now take less than 1 minute. This means faster scanning, less waiting, and much lighter load on your servers by using fewer resources.
  • NEW: Happy Forms
    Full support available for SPAM protection on Happy Forms.
  • IMPROVED: Whitelabelling
    We've refactored our white labelling feature to ensure your custom brand displays more consistently throughout the plugin.
  • IMPROVED: Automatic Visitor IP Detection
    The 100% fully automatic detection of visitor IP addresses is a lofty goal and with each release we get a bit closer. You can always help Shield by manually setting your Visitor IP source option: Shield > Config > General IP Source.
  • IMPROVED: Plugin Loading
    Shield is a large and complex plugin so we've done a lot of work to help ensure it's more reliable when loading.


Released: May 9, 2022 - Release Announcement | Upgrade Guide 15.0 ↗

Patch Releases

Patch 15.0.4 (May 9, 2022)
  • FIXED: File scanner alerting to Shield's own file (rules.json) on every scan.
  • FIXED: Tracking Login Block events for statistical purposes wasn't always happening.
Patch 15.0.5 (May 9, 2022)
  • FIXED: Prevent a warning being displayed during WP login.
  • FIXED: Prevent a reported fatal error.
Patch 15.0.6 (May 10, 2022)
  • FIXED: Fix for reCAPTCHA on login forms not properly rendering.
Patch 15.0.8 (May 12, 2022)
  • IMPROVED: Adjusted how the security progress meters are displayed and switch to grades instead of percentages.
  • FIXED: Work around a horrendous Godaddy server 'protection' that was blocking access to the site entirely.
  • FIXED: Prevent an error when handling user meta data.
  • FIXED: Ensure Whitelabel logo is correctly displayed on dashboard widget.
Patch 15.0.9 (May 13, 2022)
  • IMPROVED: More accurate detection of crawlers such as Facebook that interchange IPv6 and IPv4 in their primary IP resolving.
Patch 15.0.12 (May 15, 2022)
  • IMPROVE: Make automatic Visitor IP Source detection quieter and run more often.
  • FIXED: Prevent error that occurs when rendering the Firewall Block page in some cases.
  • FIXED: Prevent error that can occur when assessing whether plugin version is very old.
Patch 15.0.13 (May 19, 2022)
  • FIXED: An sporadic error relating to Shield's User Meta.

Main Release (15.0.0)

  • NEW: Rules Engine
    Massive performance and processing optimisations with a brand new core Shield Rules Engine. All requests are now processed using a unique and customisable (future releases) set of rules. More Info ↗
  • NEW: Brand New Shield Block Pages
    We now offer more user-friendly block pages to the visitor for all scenarios: firewall, IP block, username fishing.
  • NEW: All-New Dashboard Overview
    The Shield Dashboard Overview provides detailed and actionable insights into your WordPress security and how to improve it.
  • NEW: All-New WordPress Dashboard Widget
    The original WordPress Admin Dashboard widget was pretty basic, so we've completely revamped it with some of your latest site activity.
  • NEW: Removed: Legacy Comment SPAM Detection
    We've completely removed the older, less reliable comment spam detection using Javascript and CAPTCHAs. Please use the newer AntiBot Detection Engine.
  • IMPROVED: Visitor IP Source Detection
    It's critical that Shield can get the correct visitor IP address. Unfortunately many webhosts drop the ball when it comes to their configurations. We've added a completely automated and highly reliable method of determining the best source for Visitor IP addresses. If it's there, Shield will find it.
  • IMPROVED: Shield Dashboard Navigation
    We've done quite a bit of work to smooth out and simplify Shield's admin UI making it easier to navigate and find what you need.
  • IMPROVED: Massive Performance Improvements
    Shield has undergone major enhancements and performance improvements.
    • Removed duplicate and unnecessary DB requests.
    • Consolidated and removed many excess WP Transients (fewer DB requests).
    • Optimised several DB queries.
  • IMPROVED: Author Discovery/Fishing
    This feature is now a Bot Signal which is recorded in the Activity Log and triggers offenses.
  • IMPROVED: New Filters: Adjust scanner notices about plugin/theme update/active status
    You can now use filters to adjust whether Shield warns about inactive plugins/themes or those with updates.
  • IMPROVED: A New WP Filter To Add Custom Shield Template Directory
    If you're looking to adjust some of our page templates, such as the block pages, you can now provide custom templates more easily using the new filter.
  • CHANGED: Audit Trail Renamed to Activity Log
  • CHANGED: Deprecated: Options For CAPTCHA and GASP Bot Checking On WordPress Login Forms
    The options to use CAPTCHA and/or GASP Bot Checking for WordPress Login SPAM has been deprecated. These options are replaced with the AntiBot Detection Engine and will be completely removed in a future release.
  • CHANGED: Option Removed: Auto-Filter Scan Results
    Shield will now filter unnecessary scan results automatically. This option can now be adjusted using a WP filter.
  • CHANGED: Option Removed: XML-RPC bypass option
    This option can now be adjusted using a WP filter.
  • CHANGED: Options Removed: XML-RPC bypass option
    This option can now be adjusted using a WP filter.
  • FIXED: Numerous bug fixes
    • Broken password reset links in some cases when using hidden login page
    • fix for some scan results browsing errors
    • help ensure forward compatibility for sites with newer TWIG libraries also installed


Released: Mar 14, 2022 - Release Announcement | Upgrade Guide 14.1 ↗

Patch Releases

Patch 14.1.1 (Mar 21, 2022)
  • FIXED: Fix for 'find as you type' in the options search dialog.
  • FIXED: PHP Warning.
Patch 14.1.2 (Mar 21, 2022)
  • FIXED: Audit Trail and Traffic Log search panels didn't always load correctly.
Patch 14.1.3 (Mar 21, 2022)
  • FIXED: Ensure database upgrade doesn't stall for large traffic logs.
Patch 14.1.5 (Mar 22, 2022)
  • IMPROVE: Allow direct searching of request path in Traffic Log.
  • FIXED: Provide a more robust database migration for large request log tables.
  • FIXED: Adjust the traffic log database to account for very long request paths.
Patch 14.1.6 (Mar 24, 2022)
  • IMPROVE: Improve the updating Shield user metas to now bypass WP's User Query subsystem that fires massive SQL queries.
Patch 14.1.7 (Mar 25, 2022)
  • FIXED: Fix for an error during certain Firewall scanning.

Main Release (14.1.0)

  • NEW: Complete REST API
    Partners and developers can now manage the Shield Security plugin completely with the new REST API.
  • NEW: REST API Routes
    New REST API endpoints let you manage many areas of the Shield Security plugin.
    • get/set any single option, or group of options
    • get scan results & status, and start new scans and check their status
    • add/remove IP addresses to/from any list (block or bypass)
    • check for, and remove, ShieldPRO license
    • run Debug to get general site information summary for debug purposes
    More Info ↗
  • NEW: Option To Load Shield as a WordPress Must-Use (MU) Plugin
    To prevent unwanted or accidental deactivation of the Shield plugin, Shield can be converted to an MU plugin.
  • NEW: Show Recent User Session In Admin Bar
    Show quick links to recently active (10 minutes) user sessions in the admin bar and the most recently active sessions.
  • NEW: Support For Application Password Authentication Failures
    Shield detects and logs when application passwords have been used incorrectly and applies offenses.
  • IMPROVED: Speed-Up For Audit Trail and Traffic Log Tables
    Audit Trail and Traffic Log tables are usually huge and loading them were slow. They're now entirely AJAX based and fast-loading.
  • IMPROVED: Support 3rd Party Traffic Log Handlers
    3rd parties can now easily integrate with Shield's Traffic Log to send log records to any destination.
  • IMPROVED: Support 3rd Party Audit Trail Handlers
    3rd parties can now easily integrate with Shield's Audit Trail to send log records to any destination.
  • IMPROVED: IP Record Management Error
    When inserting a duplicate IP address record into the database, we now INSERT IGNORE to reduce error messages in logs.
  • IMPROVED: Updated Dutch Translations
  • CHANGED: Deprecated: Options For CAPTCHA and GASP Bot Checking On WordPress Comments
    The options to use CAPTCHA and/or GASP Bot Checking for WordPress Comment SPAM has been deprecated. These options are replaced with the AntiBot Detection Engine and will be completely removed in a future release.
  • IMPROVED: Display of Shield's Admin Menu Bar items can be controlled using a plugin configuration option.
  • FIXED: Shield's REST API supports non-permalinks style requests (?rest_route=), regardless of permalinks configuration.
  • FIXED: Fix for non-URL-encoding of password reset URL parameters when using Rename Login feature.
  • FIXED: Traffic Request Log wasn't correctly indicating a request was an offense in the log viewer.


Released: Jan 28, 2022 - Release Announcement | Upgrade Guide 14.0 ↗

Patch Releases

Patch 14.0.2 (Feb 9, 2022)
  • IMPROVED: Integration with some 3rd party membership plugins + 2FA.
  • FIXED: Alert displayed that U2F isn't support when U2F isn't in-use.
  • FIXED: A rare issue which Custom MFA login triggering an HTTP 402 error!
  • FIXED: Options Search dialog failed to open (can't find-as-you-type yet).
Patch 14.0.3 (Feb 16, 2022)
  • FIXED: Work around WP Engine login mechanism blocking 2FA verification.

Main Release (14.0.0)

  • NEW: WP Login Style 2FA Screen
    Users can complete their 2FA login using the UI they're most familiar with.
  • NEW: Custom Redirect For Hide WP Login & Admin
    Rather than display an unfriendly 404 error page for the hidden login page, you can decide to redirect requests to any page you wish.
  • NEW: Easier Access To User 2FA Settings with WP Admin Menu
    Users can now update their 2FA account settings from a dedicated WP admin page.
  • NEW: Improved 2FA User Experience
    Smoother, faster, more reliable and more secure 2FA experience.
  • CHANGED: Multi-factor Authentication Removed
    The option to force users to supply ALL two-factor authentication options has been removed.
  • IMPROVED: Dedicated table for User meta information
    This allows for new filters and better user status on the WP Admin User page.
  • IMPROVED: Updated Translations - Dutch (thanks J.P.!)
  • IMPROVED: Further page caching mitigation for NotBot
  • CHANGED: Updated Bootstrap Libraries
  • FIXED: Various bugs and errors


Released: Nov 15, 2021 - Release Announcement | Upgrade Guide 13.0 ↗

Patch Releases

Patch 13.0.1 (Nov 15, 2021)
  • FIXED: Reduce scan chunk size to improve MySQL query memory usage.
  • FIXED: Automatic selection of IP addresses in IP Analyse tool after switching to AJAX source.
Patch 13.0.3 (Dec 21, 2021)
  • FIXED: Ensure database states are handled correctly.
  • FIXED: MySQL requirements are checked more flexibly.
  • FIXED: Add a class to Google Authenticator QR image.
Patch 13.0.4 (Dec 22, 2021)
  • FIXED: Error with MainWP loading in certain cases.
Patch 13.0.5 (Jan 12, 2022)
  • IMPROVED: Options to provide custom roles for Email 2FA enforcement is now free-form.
  • IMPROVED: Multi-factor authentication settings are available even when your IP is on the bypass lists.
  • IMPROVED: ShieldPRO license lookups when using separate domains for multilingual site versions.
  • IMPROVED: FluentForms integration wasn't always loading and so SPAM submissions could still come through.
  • IMPROVED: NotBot Javascript is improved to better handle server timeouts and work around Page Caching limitations.
  • FIXED: Prevent some fatal errors when integrating with 3rd parties and their data isn't as expected.
Patch 13.0.6 (Jan 14, 2022)
  • IMPROVED: Improved handling of ClassicPress versions and file scanning for migrated WP sites.
  • CHANGED: Official themes that are inactive no longer display a warning in results tables.
  • FIXED: [Minor Security Vulnerability] An authenticated (administrator+) Persistent XSS.
    Privately disclosed to us by Yoru Oni - thank you. More Info ↗
  • CHANGED: It's now possible to add custom exclusions to the anonymous REST API block.

Main Release (13.0.0)

  • NEW: Complete Scanning Engine Overhaul
    We've completely rewritten the scanning engine to be faster and more intuitive. Includes improvements to reduce cases where results are reported and then are no longer visible.
  • NEW: Scans can now be executed using WP-CLI
    Audit Trail now uses our preferred table UI with built-in, useful search and filter controls. There's also rapid and reliable pagination and data reloading.
  • IMPROVED: Support for WP-CLI based cron execution
    Running WP Crons using WP-CLI is full supports automatic scans.
  • IMPROVED: Scan Results Management
    Scan results management is improved with historical scan results display and more descriptive messaging.
  • IMPROVED: Scan Result Diffs
    Wherever possible scan results will allow you to view a file diff showing any and all file changes clearly. This is available only for official WordPress core files and plugins/themes hosted on
  • IMPROVED: Simplified Scan Options
    Hugely simplified and reduced the configuration options available for scans.
  • IMPROVED: Dynamic Search For IP Analyse Tool
    IP Analyse tool use AJAX-based dynamic searching when selecting an IP address on the IP Analyse tool. This makes the tool more practical and performant for sites with large IP datasets.
  • IMPROVED: Traffic Logging for WP-CLI requests
    WP-CLI commands and their arguments are logged for WP-CLI requests just as with paths for web requests.
  • IMPROVED: Yubikey Device Verification
    Yubikey One-Time Passwords are now verified when attempting to register a Yubikey device to your profile.
  • FIXED: Adding/Removing Yubikey Device Reliability
    Adding and removing Yubikey devices to and from your WP user profile is more reliable.


Released: Sep 16, 2021 - Release Announcement | Upgrade Guide 12.0 ↗

Patch Releases

Patch 12.0.4 (Sep 22, 2021)
  • FIXED: Prevent PHP exception being thrown in certain cases.
Patch 12.0.8 (Sep 23, 2021)
  • FIXED: Ensure Shield runs only on supported MySQL servers.
Patch 12.0.9 (Sep 29, 2021)
  • FIXED: Error when processing certain types of query strings in the firewall.
  • FIXED: Yubikey 2FA verification was failing with a nonce less than 16 characters. Who knew?
Patch 12.0.11 (Oct 7, 2021)
  • FIXED: A few minor fixes, along with slight optimisation of NotBot JS.
  • FIXED: Issue with managing Shield Central profiles.
Patch 12.0.13 (Oct 10, 2021)
  • IMPROVED: Improve support for auto-login systems like ManageWP admin login.

Main Release (12.0.0)

  • NEW: Complete Audit Trail Overhaul
    The Audit Trail and Events system has been completely rewritten. It allows for extensions to log to any destination, severity levels, search and more.
  • NEW: New Audit Trail Table & Filters
    Audit Trail now uses our preferred table UI with built-in, useful search and filter controls. There's also rapid and reliable pagination and data reloading.
  • NEW: Audit Trail Events With Severity
    All events are given a default severity of 'Alert', 'Warning', 'Info' and 'Debug. Which event categories are logged can be adjusted in the Configuration.
  • NEW: Audit Trails Logs To File
    As well as logging to the database, you can elect to log certain events to file.
  • IMPROVED: Audit Trail Logs Description
    Logged events now have more descriptive messages along with more meta details for the event.
  • IMPROVED: Audit Trail Meta Data
    By linking the Audit Trail to the Traffic Log, you can now see request data alongside Audit Logs.
  • IMPROVED: Plugin Data Storage
    We're adding some smarter data storage to the plugin through more complex and interconnected database tables. This approach reduces repeated and redundant data storage and disk usage.
  • NEW: Traffic Logging UI.
    The Traffic Log feature now also uses the improved table UI for faster processing and better search.
  • IMPROVED: Scanning Improvements and Fixes
    Based on customer feedback we've made some adjustments and fixes to the scans and results processing.
  • CHANGED: Traffic Log Limits
    Traffic logs are no longer limited by amount. They are instead limited by age (in days). Updated configuration options are available.
  • CHANGED: NotBot JS Is Always Loaded By Default
    Since many customers are using caching and optimisation plugins that interfere with NotBot JS, it is now loaded for all visitors by default. An option within the plugin has been provided to revert to the normal optimised loading of the NotBot JS.
  • CHANGED: U2F 2-Factor Authentication Bypasses MFA
    U2F is a strong 2FA mechanism and so it doesn't really need to be used in conjunction with other factors. When the Chained/MFA option is enabled, when U2F is supplied, this can be done alone without the need for other factors.
  • CHANGED: Minimum Required MySQL Version
    Shield processed IPv4 and IPv6 addresses and stores them in the MySQL database. With this upgrade, the minimum required MySQL database engine is moving to 5.6. More Info ↗


Released: Jul 20, 2021 - Release Announcement | Upgrade Guide 11.5 ↗

Patch Releases

Patch 11.5.1 (Jul 29, 2021)
  • IMPROVED: Prevent overloading ShieldNET API in some cases.
Patch 11.5.2 (Jul 30, 2021)
  • IMPROVED: Add some limited details into the Audit Trail entries for scan results.
Patch 11.5.3 (Aug 2, 2021)
  • FIXED: Plugin/Theme scanning could result in large quantities of unrecognised files.
Patch 11.5.4 (Aug 4, 2021)
  • IMPROVED: Scan results were being reported, but not displayed in results tables in some cases.
Patch 11.5.5 (Sep 9, 2021)
  • FIXED: Scan results wouldn't be updated after scans completed in some cases.
  • FIXED: Shield would apply login blocks for requests originating from a whitelisted IP addresses.

Main Release (11.5.0)

  • NEW: Brand New Arrangements of Scan Results
    To-date scan results have been presented in tabular format, by listing affected files or assets. This release sees a major reorganisation to display results grouped into logical sections and areas, such as by plugin, theme, WordPress etc.
  • NEW: View Scan File Contents In Browser
    We've added the ability to view the contents of any file shown in file results directly within your web browser. There's no longer any need to download the files, though you still can do this of course.
  • NEW: Remove 'Empty' PHP Files From Results
    A common problem is where a PHP file that has no executable code in it gets flagged in certain scans. It isn't trivial to detect whether a PHP file has executable code, but we've added detection for this scenario.
  • NEW: Scan File and Folder Exclusions
    You can specify files and folder which will be excluded from all file scans. Files can be excluded in bulk using the asterisk (*) wildcard. This option is designed to completely replace the exclusions option under the Unrecognised Files Scanner.
  • IMPROVED: Scan Results Management
    We've scrapped the 'WordPress Tables' approach to display results and instead use the powerful DataTables JS plugin. This makes display, pagination, refresh and actions far smoother and completely seamless.
  • IMPROVED: Switch To Crowd-Sourced Plugin and Theme Hashes.
    When scanning plugin and theme files for modification, Shield now uses its ShieldNET crowd-source hashes system. This results in more accurate and adaptive hashes accounting for edge-cases better resulting in fewer false positives in scan results.
  • IMPROVED: Malware Scanner Uses Crowd-Sourced Hashing Data
    False Positives in malware results are frustrating, so the more we can reduce them, the better. Shield already removes 99% of false positives automatically from results, before you even see them. To improve this, ShieldNET now draws upon Crowd-Source Hashes to eliminate false positives even further.
  • IMPROVED: Reporting alert email now lists some repaired/deleted files.
  • IMPROVED: WP Admin warning when 2FA by email verification isn't complete.
  • NEW: Audit Trail entries for IP addresses are added and removed manually.
  • NEW: Audit Trail WordPress filter to allow customisation of event logging.
  • IMPROVED: Improved support and fixes for PHP 8 and WordPress 5.8.


Released: Jul 6, 2021 - Release Announcement | Upgrade Guide 11.4 ↗

Patch Releases

Patch 11.4.2 (Unknown Release Date)
  • FIXED: HTML formatting issue with the 2FA Login Page.
Patch 11.4.3 (Unknown Release Date)
  • IMPROVED: Refinements to the ShieldNET cron processing.
Patch 11.4.4 (Unknown Release Date)
  • FIXED: Prevent a rare fatal error on certain pages.
Patch 11.4.5 (Unknown Release Date)
  • FIXED: Fix for error showing in logs during cron.

Main Release (11.4.0)

  • NEW: Begin ShieldNET Integration To Provide Network Intelligence For Bots & IP Addresses
    You can now start to see ShieldNET scores for IP addresses based on the cumulative intelligence gathered for IP addresses. By combining scores for IP addresses across many different Shield Security installations we can provide a more accurate IP reputation score. These scores won't be used yet to respond to threats on your WordPress site, but this will be the goal.
  • IMPROVED: Generating QR codes for Google Authenticator is improved by using the ShieldNET API.
    The code necessary to generate QR Code for Google Authenticator is quite large and required the GD extension to be enabled. Not all WordPress installation offer this, so we've provided a ShieldNET API endpoint to easily generate the QR codes.
  • IMPROVED: Scanning for vulnerability in WordPress plugins and themes is improved.
  • IMPROVED: Capturing and managing of user sessions is improved.
  • IMPROVED: Capturing and managing user 2-Factor Authentication is improved.
  • IMPROVED: Added enhancement for when local tests for NotBot JS loading fails, use ShieldNET to test.
  • IMPROVED: Tweaks and adjustments to crowd-sourced hashing.
  • FIXED: Certain modules would still run even though 'forceoff' file was present.
  • FIXED: HTML formatting issue with the 2FA Login Page.
  • IMPROVED: Refinements to the ShieldNET cron processing.
  • FIXED: Prevent a rare fatal error on certain pages.
  • FIXED: Fix for error showing in logs during cron.


Released: Jun 7, 2021 - Release Announcement | Upgrade Guide 11.3 ↗

Main Release (11.3.0)

  • NEW: High IP Reputation Bypass
    Added an option to ensure that IP addresses with a high-enough reputation are never blocked by Shield.
  • NEW: Bot Scoring Logic Is Provisioned From ShieldNET API
    To allow for easier and faster updates and improvements to the bot scoring logic, they are served from our ShieldNET API. If, for whatever reason, the API is unavailable the plugin will use its built-in scoring logic.
  • NEW: NotBot Javascript Loading Check
    The NotBot Javascript that loads for visitor is critical to Shield's ability to detect bots - we now show a warning when we can't detect it.
  • IMPROVED: 404 Bot Signal doesn't trigger Shield offense on certain requests for assets
    404s encountered for requests for assets such as images, javascript and CSS no longer trigger offenses. The 1 exception is if the asset URL is within a plugin/theme directory that doesn't exist on the site.
  • CHANGED: Minimum supported WordPress version is now 3.7


Released: May 24, 2021 - Release Announcement | Upgrade Guide 11.2 ↗

Patch Releases

Patch 11.2.1 (Unknown Release Date)
  • FIXED: Some plugin SQL query syntax broke on MySQL 8.
Patch 11.2.2 (Unknown Release Date)
  • FIXED: Fatal error when initiating WP-CLI in some cases.
Patch 11.2.4 (Unknown Release Date)
  • FIXED: Some clients reported a fatal error in certain circumstances.

Main Release (11.2.0)

  • NEW: New And Improved Welcome Wizard
    All-New Welcome Wizard designed to get you up and running with Shield quickly and effortlessly.
  • NEW: Add Shield's Two-Factor Authentication User Settings Anywhere
    With the use of a WP Shortcode, you can add user configuration pages for 2FA into any page. This is useful if you want to offer 2FA options to your customers.
  • IMPROVED: AntiBot Detection Engine Improvements.
    We've adjusted some of the bot scoring and improved the ability to detect legitimate users based on earlier logins. We've also removed the need for the small cookie that was needed to help track the NotBot status. The AntiBot Detection Engine can now be disabled by setting the minimum reputation score to 0.
  • IMPROVED: Google Authenticator QR Codes Are Generated Locally.
    Google's Legacy Chart API wasn't always loading the QR code so we replaced it with a locally generated QR code image.
  • IMPROVED: Brand new Knowledgebase Integration.
    We've moved to a brand new Helpdesk/Knowledgebase and this allows us to integrate instant access to docs inside the plugin itself. Simply click the 'Info' link for any option to view documentation within your WordPress admin area.
  • NEW: Support For Protecting Subscription Forms in Groundhogg CRM.
    Added support for protecting Groundhogg forms from bots. More Info ↗
  • NEW: Support For Protecting Super Forms Contact Forms.
    Added support for protecting contact forms against SPAM in the Super Forms plugin.
  • NEW: Support For Protecting User Forms in LifterLMS.
    Added support for protecting LifterLMS login & registration forms from bots.
  • FIXED: The tour system would run multiple times.
  • FIXED: Some plugin SQL query syntax broke on MySQL 8.
  • FIXED: Fatal error when initiating WP-CLI in some cases.
  • IMPROVED: Adjust default bot scoring logic to reduce spam.
  • FIXED: Some clients reported a fatal error in certain circumstances.


Released: Mar 25, 2021 - Release Announcement | Upgrade Guide 11.1 ↗

Patch Releases

Patch 11.1.1 (Unknown Release Date)
  • FIXED: wpForo integration produced a PHP Warning in certain circumstances.

Main Release (11.1.0)

  • NEW: Improved Dashboard UI and Navigation
    Detecting bad bots on your WordPress sites is a huge challenge, but it's notoriously difficult to do this. We have developed an exclusive system for the detection of bad bots and the option to block requests from them. More Info ↗
  • NEW: A new Quick Stats screen is available to see the activity of Shield over time.
    The implementation is currently basic, but it forms the foundation of future development and offers users the option to offer suggestions.
  • IMPROVED: Code overhaul for Security Admin system to improve reliability and fix various bugs.
  • IMPROVED: Automatic User Unblock now makes use of Shield's AntiBot Detection Engine.
  • IMPROVED: File Locker will better handle the scenario where a site is moved/migrated.
    File Locker for wp-config.php files will also better detect when this file is placed 1 directory higher than the site.
  • IMPROVED: White Label settings that are empty aren't applied and defaults remain.
  • FIXED: Statistics in reporting emails were under-reporting the full stats.
  • FIXED: Audit Trail didn't capture all upgrades when upgrading plugins/themes in-bulk.
    The Audit Trial would only capture 1 upgrade when a bulk upgrade was performed.
  • FIXED: Exclusions for unrecognised file scanner weren't stored correctly in the case of regular expressions.
  • FIXED: In some rare scenarios, user sessions wouldn't be properly created and user automatically logged-out.
  • FIXED: WP Config FileLocker bug not correctly maintaining its state and resulting in locks not being created.
  • FIXED: The .htaccess file in the root of the Shield plugin directory is only created if its supported.
  • FIXED: Whitelabel settings were misleading and didn't properly update the dashboard log.
  • FIXED: SPAM detection for Ninja Forms would report as SPAM when not SPAM.
  • FIXED: wpForo integration produced a PHP Warning in certain circumstances.


Released: Mar 25, 2021 - Release Announcement | Upgrade Guide 11.0 ↗

Patch Releases

Patch 11.0.1 (Unknown Release Date)
  • FIXED: Gravity Form error
Patch 11.0.2 (Unknown Release Date)
  • FIXED: Performance issue.
Patch 11.0.3 (Unknown Release Date)
  • FIXED: PHP Warning message appears in some scenarios.

Main Release (11.0.0)

  • NEW: AntiBot Detection Engine
    Detecting bad bots on your WordPress sites is a huge challenge, but it's notoriously difficult to do this. We have developed an exclusive system for the detection of bad bots and the option to block requests from them. More Info ↗
  • NEW: Contact Form SPAM Protection
    With the arrival of our AntiBot Detection Engine, we can now more easily integrate with 3rd party plugins. You can add Shield's SPAM protection to Elementor PRO Gravity Forms, Contact Form 7, Ninja Forms, and many more.
  • NEW: Charts and Stats.
    We've added a page in Shield to allow you to chart some of your favourite Shield Stats.
  • NEW: Download Audit Trail, Traffic Log and IP DB as CSV.
    A long-requested feature is the ability to download the raw database data - you can now do this with a single click.
  • NEW: Added some new filters and hooks to allow customisation.
    For example, you can override the hour at which the Shield crons run, including the scans. More Info ↗
  • NEW: Allow webmaster to specify certain web crawlers and search engines that aren't automatically whitelisted.
  • IMPROVED: Big improvements in the reliability of Shield's Database handling.
  • IMPROVED: Use CDNJS to supply important plugin Javascript/CSS assets.
    Using a CDN to deliver assets reduces the plugin footprint on your site, while also speeding up admin page loading.
  • IMPROVED: New and improved guided tour upon plugin activation.
  • IMPROVED: Link Cheese Robots additions use enhanced Robots API in WordPress 5.7.
  • FIXED: Various bug fixes and enhancements.
    WP-Config FileLocker system is more reliable with requests in the case of database problems Lots of code cleanup
  • FIXED: Gravity Form error
  • FIXED: Performance issue.
  • FIXED: PHP Warning message appears in some scenarios.


Released: Feb 11, 2021 - Release Announcement | Upgrade Guide 10.2 ↗

Patch Releases

Patch 10.2.1 (Unknown Release Date)
  • FIXED: Plugin Upgrade Code wasn't always running
    Code designed to automatically run when the plugin is upgraded between version wasn't always running.
Patch 10.2.2 (Unknown Release Date)
  • FIXED: Fatal error in some cases
Patch 10.2.3 (Unknown Release Date)
  • FIXED: Certain admin JS and CSS assets were loading on the frontend.
Patch 10.2.4 (Unknown Release Date)
  • FIXED: Shield would report the server time was out-of-sync when it wasn't.
Patch 10.2.6 (Unknown Release Date)
  • FIXED: Link Cheese shouldn't run if there's an actual robots.txt file present.

Main Release (10.2.0)

  • NEW: Removed Content Security Policy Settings
    Due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove these options. We explore the issue in full detail in our blog post on this topic. More Info ↗
  • NEW: Invalid user login tracking covers empty usernames.
    When tracking for bots logging in user invalid usernames (i.e. that don't exist) it'll also trigger an offense on empty usernames.
  • IMPROVED: Deleting Malware files doesn't initiate a new scan.
    This addresses a reported UX issue where bulk malware deletion isn't yet available and so instead of a full re-scan, the page just reloads.
  • IMPROVED: Malware scanners are more efficient.
    Malware scanning is involved - every PHP file has to be read and then searched using a large set of patterns. So it takes time. Hopefully these tweaks will optimise this process a little and lead to faster scans.
  • IMPROVED: Add IP status to information in the traffic viewer.
    The traffic table will now display many offenses or whether the IP address is blocked.
  • IMPROVED: Upgrade Bootstrap Library to latest 4.6.0
    Asset enqueuing has been refactored and optimised and also now loading Bootstrap assets from CDNJS.
  • IMPROVED: Significant code cleanup.
  • IMPROVED: Added cleanup code to remove stale entries in the WP Options table.
  • IMPROVED: Added detection of server clock inconsistencies which break Google Authenticator.
  • FIXED: U2F/Yubikey Removal Bug
    A javascript issue prevented removal of U2F keys from user profiles.
  • FIXED: FileLocker would fail to load file contents if it exceeded 64KB.
    We upgraded the database table definition to allow for much larger files.
  • FIXED: Plugin Upgrade Code wasn't always running
    Code designed to automatically run when the plugin is upgraded between version wasn't always running.
  • FIXED: Fatal error in some cases
  • FIXED: Certain admin JS and CSS assets were loading on the frontend.
  • FIXED: Shield would report the server time was out-of-sync when it wasn't.
  • FIXED: Replaced corrupted Javascript library (base64.min.js).
  • FIXED: Link Cheese shouldn't run if there's an actual robots.txt file present.


Released: Nov 17, 2020 - Release Announcement | Upgrade Guide 10.1 ↗

Patch Releases

Patch 10.1.1 (Unknown Release Date)
  • FIXED: iControlWP Whitelist
    Fix to ensure iControlWP is properly whitelisted.
Patch 10.1.2 (Unknown Release Date)
  • FIXED: Bug with PHP Type Error in some cases
Patch 10.1.3 (Unknown Release Date)
  • FIXED: Bug with MainWP site actions not working in all cases
Patch 10.1.4 (Unknown Release Date)
  • NEW: Add a new WordPress admin notice for when the Shield plugin version gets too old.
Patch 10.1.5 (Unknown Release Date)
  • FIXED: Stop notice showing when it's not required.
Patch 10.1.6 (Unknown Release Date)
  • FIXED: Prevent warnings and logouts when loading WordPress Site Health tool.

Main Release (10.1.0)

  • NEW: Brand New Shield Dashboard
    With the help of some feedback from clients, we've made significant enhancements to the Shield UI. A brand-new Shield dashboard centralises everything related to Shield giving you a consistent, clean launchpad to perform security tasks.
  • NEW: MainWP Integration/Extension
    You can now manage your Shield Security plugin directly from within your MainWP WordPress management control panel. The Shield Security Extension page will highlight all sites with any scan issues that need your attention. For now, the functionality is limited to installing, activating and deactivating the Shield plugin. More Info ↗
  • NEW: IP Analyse Tool Enhancements
    Based on customer feedback we've added links to the IP Analyse tool to let you quickly perform blocks or bypass on an IP. The identification of a 'known' IP address now also draws information from the IP Bypass labels.
  • IMPROVED: Enhanced Plugin Badge
    Based on customer feedback we've added the ability to customize the plugin badge based on Whitelabel settings. You'll may also use a WordPress filter to make fine adjustments to settings and styles of the badge. More Info ↗
  • IMPROVED: Huge Codebase Refactor
    With our earlier move to PHP 7.0, we're continuing with our codebase cleanup and optimisations.
  • IMPROVED: Shield Overview Styles
    With some feedback and suggestions provided by clients, we've improved our Shield Overview design.
  • FIXED: iControlWP Whitelist
    Fix to ensure iControlWP is properly whitelisted.
  • FIXED: Bug with PHP Type Error in some cases
  • FIXED: Bug with MainWP site actions not working in all cases
  • NEW: Full support for Application Passwords arriving with WordPress 5.6
    Part of the purpose of Application Passwords is to allow APIs and 3rd parties to integrate with your WP site. Shield recognises authentication via Application Passwords and doesn't apply restrictions to it, including 2FA. Of course, failed logins attempted through Application Passwords will be treated as an offense against the site, as always.
  • IMPROVED: Full support for PHP 8.0
  • FIXED: 504 Gateway Timeout error on servers with malconfigured rDNS lookups.
  • FIXED: Ensure requests from ManageWP bypass Shield protections, where possible.
  • NEW: Add a new WordPress admin notice for when the Shield plugin version gets too old.
  • FIXED: Stop notice showing when it's not required.
  • FIXED: Prevent warnings and logouts when loading WordPress Site Health tool.


Released: Oct 21, 2020 - Release Announcement | Upgrade Guide 10.0 ↗

Patch Releases

Patch 10.0.3 (Unknown Release Date)
  • FIXED: Not correctly identifying GoogleBot.
Patch 10.0.1 (Unknown Release Date)
  • FIXED: Database creation may delete existing tables
    In some cases during plugin upgrade, some table may get inadvertently deleted.
Patch 10.0.2 (Unknown Release Date)
  • FIXED: Fatal error when IP address isn't detected

Main Release (10.0.0)

  • NEW: Enhanced Dashboard Overview UI
    The new Dashboard Overview provides a simplified display of all security items on your site. You can quickly discover where your site is doing well, and what areas need immediate attention or improvements. Responsive filters let you filter by individual Shield modules and the current status of each item.
  • NEW: SureSend Email Delivery
    Most WordPress sites aren't properly configured to send emails, so sometimes they don't arrive. This is a critical issue when 2-Factor Authentication emails don't go where they should. SureSend uses the ShieldNET API to deliver 2FA emails so that you always get them. More Info ↗
  • NEW: IP Analysis Tool
    Discover all the ways an IP address is interacting with your site, in 1 place. Rather than jump around looking at different tables and filtering by IP address, you can see all information in the IP Analyse tool.
  • NEW: Force Shield Locale
    An option has been added that lets you force Shield to always display in certain locale. Setting this option will override user's profile locale for anything relating to Shield. This setting doesn't affect the locale for any other part of a WordPress site.
  • NEW: Huawei (Petal) Bot Detection
    Added support for detection of Huawei search engine bot/spider.
  • NEW: Shield plugin badge URL may be replaced using White Label settings
    The URL used in the Shield plugin badge may be replaced using the Home URL provided in White Label settings.
  • IMPROVED: PHP 7+ Only
    PHP 7.0+ is required to run Shield v10. This change in minimum requirements lets us optimise Shield code for PHP 7 and better prepare for PHP 8.
  • IMPROVED: More reliable 2FA email codes
    2FA codes generated for email 2FA are more reliable.
  • CHANGED: U2F two-factor authentication can now be standalone
    Due to the experimental nature of the U2F implementation, you needed at least one other 2FA factor active on your profile before you could enable U2F.
  • FIXED: Server Public IPv6 Detection
    Detection of your WordPress server's public IPv6 address has been fixed.
  • FIXED: HTTP loopback tests would timeout
    HTTP loopback request now has a longer timeout to be more reliable for slow sites.
  • FIXED: Link Cheese requests could be missed
    Detection of requests to link cheese is improved.
  • FIXED: Potential PHP error
    A PHP error has been fixed which would occur in some cases.
  • FIXED: Database creation may delete existing tables
    In some cases during plugin upgrade, some table may get inadvertently deleted.
  • FIXED: Fatal error when IP address isn't detected
  • FIXED: Not correctly identifying GoogleBot.


Released: Sep 3, 2020 - Release Announcement | Upgrade Guide 9.2 ↗

Patch Releases

Patch 9.2.1 (Unknown Release Date)
  • FIXED: Bug: User Sessions
    User session IDs weren’t cleared correctly.

Main Release (9.2.0)

  • NEW: Automatic Unblock For Logged-In Users
    When a user's IP address is blocked on a site, they may automatically unblock it if they're logged-in. By using a magic unblock-link, users may regain access to a site without intervention from an admin. More Info ↗
  • NEW: Auto-Delete Unnecessary WordPress Files
    Files such as wp-config-sample.php, readme.html and license.txt are replaced each time WordPress upgrades. This new option ensures that they are removed each time they are restored to your site after an upgrade. More Info ↗
  • NEW: Support for WP Members plugin
    Provide native support for protection on WP Members plugin login/registration forms.
  • IMPROVED: Defer to WordPress 5.5 Automatic Updates Changes
    Automatic updates notification email is now only sent if on WordPress < 5.5
  • IMPROVED: Integrate with WordPress 5.5 Automatic Updates Changes
    Shield's Automatic updates notification email setting also applies to plugin/theme update emails.
  • IMPROVED: Improved Integration with WP Fastest Cache
    Use WP Fastest Cache method to prevent caching of block pages. Whether it makes a difference is another thing.
  • IMPROVED: Better Mitigation of Error From Other Plugins
    Prevent spurious output from errors not relating to this plugin from affecting display of our admin pages.
  • IMPROVED: Better Detection Of forceoff File
    Detecting the forceoff file is all its many forms is improved.
  • IMPROVED: File Locker + open_basedir
    The File Locker is less likely to trigger an open_basedir warning.
  • IMPROVED: Lots Of Code Optimisation
  • CHANGED: Session Cookie Name Change
    Session cookie renamed from icwp-wpsf to wp-icwp-wpsf.
  • CHANGED: Bootstrap Library Updated
    Upgraded shipped Bootstrap libraries to latest available (v4.5.2).
  • FIXED: Increased Limit For Counting IP Offenses
    Upgraded the database to support much larger values for the IP offenses counter.
  • FIXED: MemberPress Integration Bug
    MemberPress support had a bug where certain forms weren’t checked for bots.
  • FIXED: WP-CLI Bugs
    Cleaned some WP-CLI PHP notices on certain commands.
  • FIXED: Bug: User Sessions
    User session IDs weren’t cleared correctly.

9.1 Series

Released: 23rd April 2020 - Release Announcement

Please review the full Shield 9.1 Upgrade Guide here.
  • (.0) NEW: [PRO] WP-CLI Support for WP-CLI (beta).
  • (.0) NEW: [PRO] U2F Login - Support for registration and use of U2F keys for 2-factor authentication.
  • (.0) NEW: [PRO] Custom Email Templates - Support for custom email templates, starting with 2FA.
  • (.0) NEW: [PRO] Affiliate Rewards - We now offer affiliate rewards with ShieldPRO.
  • (.0) IMPROVED: WP-Config File Locker protection now correctly display the file diff for empty lines.
  • (.0) IMPROVED: 2-Factor Authentication "Remember Me" now uses the visitor IP address as a factor.
  • (.0) IMPROVED: Restored the option search but turned it into a modal dialog.
  • (.0) IMPROVED: Plugin upgrade handling.
  • (.0) CHANGED: To avoid confusion, "Security Admin Key" has been renamed to "Security Admin PIN" throughout.
  • (.0) FIXED: Adding IPv6 address ranges didn't work in all cases.
  • (.0) FIXED: Errors while trying to access an uninitialised database.
  • (.0) FIXED: Upgrade Carbon PHP library to latest available (v1.39).

9.0 Series

Released: 5th April 2020 - Release Announcement

Please review the full Shield 9.0 Upgrade Guide here.
  • (.4) FIX: Timing error in some cases attempting to access database table when it hasn't been created.
  • (.3) IMPROVED: Scanning for SPAM email registrations is improved with more signals.
  • (.3) IMPROVED: Better recovery from errors during certain scans.
  • (.3) IMPROVED: WPHashes Token Retrieval.
  • (.3) FIX: Plugins were sometimes disabled when updates applied via Scan UI.
  • (.3) FIX: Audit Trail more correctly reflects "repair/delete" activity from the Unrecognised File Scanner.
  • (.3) FIX: Yubikeys weren't always registered correctly.
  • (.3) FIX: Support MemberPress Password Reset that has an Auto-Login.
  • (.2) IMPROVED: Plugin/Theme Guard only scans certain types of files based on their extension. I.e. ignoring readme.txt, for example.
  • (.2) IMPROVED: Some minor improvements to encoding special characters in the email subject/from name.
  • (.2) IMPROVED: API token update is more reliable.
  • (.2) FIXED: Applying a plugin update from within the Vulnerabilities scanner no longer disables that plugin.
  • (.1) FIXED: Javascript for Anti-Bot Login Protection not loading in all cases.
  • (.1) FIXED: MemberPress Registration PHP error.
  • (.0) NEW: [PRO] Critical File Locker to protect wp-config.php files.
  • (.0) NEW: [PRO] Selective Sync - Support for excluding individual options from import and export.
  • (.0) NEW: Support for hCaptcha in-place of Google reCAPTCHA.
  • (.0) NEW: Reporting Module - streamline notifications and alerts and provide regular statistics updates.
  • (.0) NEW: Integrated Help desk widget for searching documentation.
  • (.0) NEW: Debug page to show summary and important information for debugging.
  • (.0) IMPROVED: Hourly and Daily crons set to specific run times.
  • (.0) IMPROVED: Automatic file repair for WordPress, plugins, and themes is much more reliable.
  • (.0) IMPROVED: Major refactoring and improvements to Bot protection on login, register and lost password forms.
  • (.0) IMPROVED: Simplification of many options and plugin configuration.
  • (.0) IMPROVED: Where an IP address gets repeatedly blocked - consolidates Audit Trail entries over a 24hr period.
  • (.0) IMPROVED: Tweaks and changes to UI.
  • (.0) FIXED: Minor issues with the MFA page.
  • (.0) FIXED: Older Twig Library compatibility with PHP 7.4.
  • (.0) REMOVED: Several unused/useless options, including "Mask WordPress Version".

8.7 Series

Released: 16th March 2020 - Release Announcement

  • (.0) NEW: [PRO] Traffic Rate Limiting Feature.
  • (.0) ADDED: Support for registration forms in plugins: Profile Builder and Paid Member Subscriptions
  • (.0) IMPROVED: Tweaks and changes to UI.
  • (.0) FIXED: Minor issues with the MFA page.

= 8.6 - Series = Released: 19th February, 2020 - Release Notes

  • (.3) IMPROVED: AJAX handling and general plugin requests have been refined to be less prone to errors.
  • (.3) IMPROVED: The Traffic Log Viewer will now be displayed even if it's disabled.
  • (.3) REMOVED: 2 options from the Automatic Updates module have been removed, that influenced translations and version control.
  • (.3) IMPROVED: Some minor improvements and optimisations.
  • (.3) IMPROVED: Adjusted how Shield stores temporary WP options to prevent duplicates.
  • (.3) FIXED: Login backup-code wasn't always reset after it was used.
  • (.3) FIXED: IP address wasn't blocked even after committing an offense in 1 particular scenario.
  • (.1) NEW: [PRO] Deep scanning for valid email addresses when user registers with site.
  • (.1) ADDED: [PRO] New option allows users to turn on email-based two-factor authentication from their profile.
  • (.1) ADDED: Support for manually blocking IP Ranges (not just single IPs).
  • (.1) IMPROVED: Two-Factor Authentication system has been rewritten and improved.
  • (.1) IMPROVED: Table ordering and descriptions for the IP Black List.

= 8.5 - Series = Released: 8th January, 2020 - Release Notes

  • (.7) ADDED: New admin notice to indicate that the plugin is currently disabled.
  • (.7) IMPROVED: Optimised loading of libraries that run for certain options, if they aren't enabled.
  • (.7) IMPROVED: Prevent a rare fatal error on activation.
  • (.6) FIXED: Locking session to IP address was not handling all IP addresses correctly.
  • (.5) FIXED: Further protection against errors if IP address is of a private network.
  • (.5) FIXED: Can't activate plugins in a particular scenario.
  • (.5) FIXED: Traffic Logger wasn't capturing traffic in some cases.
  • (.3) FIXED: Prevent MySQL error when Shield is running on private network or local machine.
  • (.3) FIXED: Prevent duplicate emails being sent when removing Security Admin key.
  • (.2) ADDED: Introductory tour of plugin, on activation.
  • (.2) IMPROVED: Enhanced IP detection of service providers for exclusion from traffic log.
  • (.2) IMPROVED: Plugin/Theme Hack Guard Snapshot building is optimised to reduce disruption is some cases.
  • (.2) IMPROVED: Visitor IP detection processing.
  • (.2) IMPROVED: Improved cache-prevention of Login Two-Factor Authentication portal.
  • (.2) FIXED: Firewall email alert was not sent when using certain dedicated email plugins.
  • (.2) FIXED: Firewall 404 setting was redirecting instead of responding with 404.
  • (.2) ADDED: Added support for NodePing filtering in the traffic logger.
  • (.1) FIXED: Fix for page loading issue/slowdown in some cases.
  • (.0) NEW: Initial support for checksum scanning of premium plugins and themes.
  • (.0) NEW: Ability to switch-off Security Admin with an email confirmation if key is lost/forgotten.
  • (.0) NEW: Ability to auto-repair theme files.
  • (.0) ADDED: Ability to whitelist requests so that they are never blacklisted.
  • (.0) ADDED: Ability to filter the IP White/Black list tables for a specific IP address.
  • (.0) ADDED: Support for repeated audit trail entries - so the logs don't get filled with repeated messages.
  • (.0) ADDED: [PRO] Option to provide complete, custom Content Security Policy headers.
  • (.0) IMPROVED: Protection against a certain type of broken plugin installation if WordPress doesn't properly copy files.
  • (.0) IMPROVED: Redesigned Table UI for scan results.
  • (.0) IMPROVED: Redesigned Plugin/Theme File Guard.
  • (.0) IMPROVED: Completely re-written much of the scanners code.
  • (.0) IMPROVED: Better detection of the hosting server's IP addresses - i.e. support for IPv6 alongside IPv4.
  • (.0) FIXED: Two-Factor Authentication (2FA) login screen redirection bug.
  • (.0) FIXED: It was possible to temporarily by-pass the 2FA screen to gain access to WP Admin after logging-in.
  • (.0) CLEANED: Code cleaning.
  • (.0) UPDATED: Twitter Bootstrap library.

= 8.4 - Series = Released: 29th November, 2019 - Release Notes

  • (.4) IMPROVED: Discovered serious conflict with SiteGround Optimizer plugin. Provided admin notice and automatic fixing.
  • (.4) FIXED: Protected against spurious error log notices when comparing hashes with "nothing".
  • (.3) FIXED: Reduce chances of fatal error occurring during upgrade.
  • (.0) ADDED: Charts of important events on Overview page highlight effectiveness of Shield.
  • (.0) ADDED: Support for whitelisting IPv6 ranges.
  • (.0) ADDED: Allow Audit Trail logging for Shield's Bot Detection features for all free installations.
  • (.0) IMPROVED: Malware scanner false-positive lookups now use further intelligence from API.
  • (.0) IMPROVED: Refactor Comment SPAM implementation away from inline-Javascript.
  • (.0) IMPROVED: Consolidate Events/Statistics database table to significantly reduce DB size.
  • (.0) CLEANED: Significant clean-out of old, deprecated, retired code.

= 8.3 - Series = Released: 18th November, 2019 - Release Notes

  • (.0) IMPROVED: Improvements to Malware scanner to now track malware results by specific lines, not just by file.
  • (.0) IMPROVED: Support colons (:) in IP addresses during visitor IP address detection.
  • (.0) IMPROVED: Ensure license lookups use the correct site URL.
  • (.0) IMPROVED: Attempt to ensure that if there is an interruption in the API, malware patterns are available for scanning.
  • (.0) IMPROVED: Added default firewall whitelist parameter for AffiliateWP requests.
  • (.0) IMPROVED: Spanish, French, Japanese translations.

= 8.2 - Series = Released: 1st October, 2019 - Release Notes

  • (.3) FIXED: Fix for reported RXSS vulnerability - more info.
  • (.3) FIXED: Fix for Rest API detection.
  • (.3) FIXED: Fix for translation of some strings.
  • (.2) FIXED: Fixes for scans running under Windows/IIS.
  • (.2) IMPROVED: Adds a check that a site can send an HTTP request to itself before allowing scans to run.
  • (.2) IMPROVED: Scans clean up after themselves better, if they fail to run.
  • (.2) IMPROVED: Server's own IP address detection when site migrated to a new host.
  • (.2) UPDATED: International translations.
  • (.2) FIXED: PHP notices when data wasn't as expected.
  • (.1) IMPROVED: Further reduce Malware false positives by also using SVN trunk data when verifying files for plugins and themes.
  • (.1) ADDED: Initial support for repairing Themes that have been installed from
  • (.1) ADDED: Support for using WP for themes (already done for plugins).
  • (.1) FIXED: PHP notices in the logs.
  • (.0) IMPROVED: [PRO] Malware scanner now uses network intelligence to the gather information on malware results.
  • (.0) NEW: Traffic Watcher feature is now free for all users (no longer Pro-only).
  • (.0) IMPROVED: Scanning cron is improved and more efficient.
  • (.0) ADDED: Bulk Delete/Repair/Ignore actions now available for Malware scan results.
  • (.0) IMPROVED: Malware scan results now provide details of affected line numbers and patterns discovered.
  • (.0) IMPROVED: Malware scanner only scans wp-admin, wp-includes, wp-content folders, and files in top-level directory.
  • (.0) IMPROVED: Malware scanner now excludes wp-content/cache/ directory.
  • (.0) IMPROVED: Malware scanner performance improved with caching.
  • (.0) IMPROVED: Malware auto-repair now works more consistently.
  • (.0) IMPROVED: Updated default firewall whitelist rules.
  • (.0) IMPROVED: If the PWNED Passwords API request fails entirely, the password check is skipped.
  • (.0) ADDED: Japanese translations are at 100%.
  • (.0) IMPROVED: Dutch translations are greatly improved (a huge thank you to Fred!).
  • (.0) FIXED: Audit Trail correctly logs multiple occurrences for the same type of event on the same page request.
  • (.0) FIXED: Audit Trail now correctly logs Google reCAPTCHA failure events.
  • (.0) FIXED: PHP error when firewall was set to kill response without a user message.

= 8.1 - Series = Released: 18th September, 2019 - Release Notes

  • (.1) FIXED: Error for sites pre-5.0 that don't have function determine_locale()
  • (.0) IMPROVED: Massive improvements to asynchronous scans in performance and reliability.
  • (.0) ADDED: [PRO] Possible to supply multiple email addresses for Administrator login notifications.
  • (.0) ADDED: New firewall whitelist rule to prevent firewall blocks when activating certain plugins.
  • (.0) IMPROVED: Prevent errors caused by other plugins not passing correctly-formatted data through WP filters.
  • (.0) ADDED: Japanese translations (14%).
  • (.0) IMPROVED: Plugin locale now respects user profile locale setting.
  • (.0) IMPROVED: Audit Trail filter for specific events.
  • (.0) IMPROVED: Lots of cleanup of deprecated PHP code following the the v7-v8 upgrade.

= 8.0 - Series = Released: 27th August, 2019 - Release Notes

  • (.2) IMPROVED: Password strength metering now better aligns with WordPress library (PHP 5.6+)
  • (.2) IMPROVED: Dutch translations have been adjusted.
  • (.2) FIXED: Setting 'Month' for IP block duration wasn't being applied.
  • (.2) FIXED: Certain admin notices not displayed when they should be.
  • (.1) FIXED: Comment SPAM blocking wasn't working if set to "Detect and Reject".
  • (.1) FIXED: Shield Widget/Badge broken in some cases.
  • (.1) ADDED: You can force Shield to operate in any locale, regardless of site locale.
  • (.1) ADDED: Russian translations are now at 100% and some Dutch translations have been adjusted.
  • (.0) NEW: [PRO] New Malware Scanner with automated file repair for Plugins and Core.
  • (.0) NEW: Complete overhaul of events system to better audit and collect statistics.
  • (.0) IMPROVED: Asynchronous scans - scans run in the background and so support more restrictive hosting.
  • (.0) IMPROVED: Plugin notification system is much improved.
  • (.0) IMPROVED: [PRO] Plugin Guard uses SVN repositories for file references via WP Hashes API.
  • (.0) CHANGED: Comment SPAM system now uses WordPress Transients API instead of dedicated DB table.
  • (.0) ADDED: 100% Translation coverage for French, Spanish, German, Portuguese, Serbian, Bosnian, Dutch. (Russian on the way)
  • (.0) CHANGED: Major code cleaning/refactoring for much of the plugin. More to come.

= 7.4 - Series = Released: 13th May, 2019 - Release Notes

  • (.2) NEW: Options finder/jumper menu lets you find and jump to any option in the plugin instantly.
  • (.2) NEW: Help/explainer videos for a few sections - more to come.
  • (.2) FIXES: Fixes for a few problems introduced with the recent UI changes.
  • (.2) FIXED: Welcome wizard launching was broken.
  • (.1) NEW: Adjustments and redesign of Shield options pages.
  • (.1) IMPROVED: Further prep for better internationalization.
  • (.0) NEW: [PRO] Manual/Automatic User Suspension
  • (.0) NEW: Comment SPAM - Increase minimum number of approved comments before scanning is skipped
  • (.0) NEW: [PRO] Comment SPAM - Trusted user roles where comments scanning is skipped
  • (.0) IMPROVED: AntiBot JS was improperly included when not required.
  • (.0) IMPROVED: Added a GeoIP caching table and removed bundled GeoIP database - greatly reduces download size.
  • (.0) FIXED: Inconsistent behaviour when PWA plugin is active and it infinitely reloads pages.
  • (.0) FIXED: Inconsistent behaviour with Anonymous API blocking.
  • (.0) IMPROVED: Code improvements and refactoring.
  • (.0) ADDED: Prep for upcoming malware scanner.

= 7.3 - Series = Released: 15th April, 2019 - Release Notes

  • (.2) IMPROVED: Provided inline links for new Bot Signals options.
  • (.2) CHANGED: Added a workaround for WPML plugin using old, buggy version of TWIG library.
  • (.1) FIX: Protection against 404 tracking blocking visitors in some cases.
  • (.0) NEW: [PRO] 7x New Bot Signals - rules to catch and block bad bots.
  • (.0) ADDED: Date picker for filtering Audit Log entries.
  • (.0) IMPROVED: Audit Log viewer now combines entries from the same request into 1 for better readability.
  • (.0) CHANGED: Use a more refined clearing of WP Fastest Cache.
  • (.0) FIX: Error displayed when deleting plugins in some cases.
  • (.0) UPDATED: Translations for Chinese, Finnish, Turkish, Dutch, Italian, and German.

= 7.2 - Series = Released: 7th March, 2019 - Release Notes

  • (.2) SKIPPED: with error.
  • (.1) NEW: Provisional support for WP-CLI - no longer blocks Security Admin protected operations
  • (.1) FIX: Fix PHP warning notice on login page.
  • (.1) FIX: Unrecognised file scanning not operating as expected on Windows hosts.
  • (.0) NEW: Scanner to detect and alert to presence of abandoned plugins.
  • (.0) FIX: Fix bug with Security Admin passwords.
  • (.0) FIX: Fix bug with vulnerability scanner not correctly comparing versions.

= 7.1 - Series = Released: 21st February, 2019 - Release Notes

  • (.2) IMPROVED: Firewall email notification content now better reflect the information in the audit trail.
  • (.2) FIX: Firewall email notification was breaking in some instances.
  • (.1) FIX: IP retrieval.
  • (.0) NEW: Moved Import/Export UI from Wizard to main Shield Dashboard.
  • (.0) NEW: [PRO] Option to import/export settings using file downloads/uploads
  • (.0) NEW: [PRO] Option to allow visitors to automatically unblock themselves (once in 24hrs)
  • (.0) NEW: Integrated changelog directly into plugin admin for easy updates (between releases)
  • (.0) FIXED: WP Core files scanner now correctly ignores certain files as it used to do, pre-v7. e.g. wp-config-sample.php
  • (.0) FIXED: Shield was indicating plugin/theme file editing was possible, when it in-fact was disabled.
  • (.0) IMPROVED: Consolidate crons into fewer crons. e.g. all scans run under the same cron.

= 7.0 - Series = Released: 28th January, 2019 - Release Notes

  • (.4) IMPROVED: Refactored IP address blocking with improved audit trail messages.
  • (.4) CHANGED: Expanded anonymous REST API whitelist to include 'wpstatistics' namespace.
  • (.4) IMPROVED: Access protection for shield temp/caching dir.
  • (.4) IMPROVED: Clarification on reCAPTCHA - v3 is not supported.
  • (.4) IMPROVED: Clarification on user sessions timeout - Shield sets an absolutely session maximum.
  • (.4) IMPROVED: Options form submission is adjusted to work around poorly restrictive webhosts.
  • (.4) FIX: Various tweaks and fixes across the plugin.
  • (.4) FIX: Error with ClassicPress.
  • (.3) NEW: Automatically whitelist anonymous REST API Access for 3 plugins: Contact Form 7, WooCommerce, JetPack.
  • (.3) IMPROVED: Security admin login failure messages are clearer.
  • (.3) IMPROVED: Admin notification for email sending 2FA verification easily lets you resend email.
  • (.3) IMPROVED: File download code for WordPress Core file scanner repairs.
  • (.3) IMPROVED: Attempt to also capture B/CC email addresses included in outgoing emails in Audit logs.
  • (.3) FIX: Allow use of IPv4 ranges in whitelist again.
  • (.3) CHANGED: Numerous code refactoring and improvements building upon the major v7 release and prepping for v7.1.
  • (.1-2) FIXED: Some JS fixes.
  • (.0) NEW: New primary UI for Shield site security management. Easy access to scans, audit trail, user sessions etc.
  • (.0) NEW: Supports only PHP 5.4 or higher
  • (.0) NEW: Rebuilt scans architecture and UI
  • (.0) NEW: A huge amount of code cleaning and refactoring
  • (.0) CHANGED: Too many many changes and bug fixes to list -best to just take a look! 🙂

= 6.10 - Series = Released: 15th October, 2018 - Release Notes

  • (.9) FIXED: Admin notices displaying to non-admins.
  • (.7) ADDED: [PRO] New option to specify usernames for Security Admin role.
  • (.7) IMPROVED: Idle user detection.
  • (.7) IMPROVED: Support for redirect/cancel URLs in 2FA login page.
  • (.7) CHANGED: Final release before Shield v7. Small warning shown on plugins page if PHP < 5.4
  • (.6) ADDED: New option to control plugin automatic updates.
  • (.6) IMPROVED: Enhancements to the experimental bot JS.
  • (.6) IMPROVED: Support for Easy Digital Downloads forms.
  • (.5) Release skipped.
  • (.4) FIXED: Couldn't deactivate plugin.
  • (.3) ADDED: Support for Ultimate Member forms
  • (.3) ADDED: Support for LearnPress login/registration forms
  • (.3) FIXED: Security Admin now correctly honours the WordPress Options zone setting.
  • (.3) IMPROVED: Distinguish which sub-site (sub-domain) for WPMS installations on Traffic Watcher.
  • (.3) IMPROVED: Server's own IP lookup is only attempted once.
  • (.3) ADDED: Experimental feature to help with some custom 3rd party login/registration forms
  • (.2) IMPROVED: Visitor IP address detection
  • (.2) IMPROVED: Automatic whitelisting of Manage WP IP addresses
  • (.2) IMPROVED: SPAM Comments code enhanced and optimised
  • (.2) IMPROVED: IP Whitelisting code enhanced and optimised
  • (.2) IMPROVED: Code cleaning and refactoring.
  • (.1) FIXED: Googlebot PHP error notice.
  • (.0) NEW: [PRO] 2FA Login Backup Codes - all users can create a backup login code in-case their MFA factors are temporarily unavailable.
  • (.0) NEW: [PRO] White Label - you can now specify custom image for 2FA login screen.
  • (.0) ADDED: [PRO] Custom Exclusion Rules for Traffic Watcher so you can exclude certain User Agents and request paths.
  • (.0) ADDED: Detection of official spiders/bots for Google, Bing, Apple and Yandex - these visitors will never get blacklisted.
  • (.0) IMPROVED: Two-Factor Authentication system much improved (+ critical bug fix).
  • (.0) IMPROVED: Audit Trail entries for 2FA login factors.
  • (.0) IMPROVED: Fixes for Two-Factor Authentication wizard UX.
  • (.0) IMPROVED: Traffic Watcher now honours the IP Whitelist.
  • (.0) IMPROVED: Security Admin restriction for creating/editing/deleting Administrator users is much improved.
  • (.0) IMPROVED: All Shield cookies are SSL-only by default for HTTPS sites.
  • (.0) FIXED: GASP checkbox Javascript breaking in a particular scenario.
  • (.0) ADDED: Optional plugin deactivation survey.

= 6.9.0 - Series = Released: 6th September, 2018 - Release Notes

  • (.0) NEW: [PRO] Traffic Watcher - live tracking of all requests to your site.
  • (.0) NEW: [PRO] Yubikey - Allows for multiple Yubikeys on the same user profile.
  • (.0) ADDED: [PRO] Option to include listing of affected files within Hack Guard notification emails.
  • (.0) ADDED: Option to delete the Security Admin Access Key
  • (.0) ADDED: Option to add WooCommerce roles to 2FA-Email setting.
  • (.0) CHANGED: Basic Stats system now requires minimum PHP v5.4.
  • (.0) CHANGED: Password Policies now requires minimum WordPress v4.4.
  • (.0) IMPROVED: Password expiration now redirects to the 'set password' screen, instead of the user profile.
  • (.0) IMPROVED: Password capture for purposes of password policies is improved.
  • (.0) IMPROVED: You can now delete the 'forceoff' file from inside the WP Admin.
  • (.0) IMPROVED: Audit Trail entries for emails will identify the file that's calling the wp_mail function.
  • (.0) IMPROVED: Audit Trail entries for post editing will identify the post type wherever possible.
  • (.0) IMPROVED: Audit Trail entries will try to display all message text correctly.
  • (.0) IMPROVED: Login/Register/Password forms are only checked when visitor is not logged-in.
  • (.0) IMPROVED: Major database code refactoring and other code improvements.
  • (.0) IMPROVED: User sessions handling.
  • (.0) IMPROVED: Security Admin UX - ajax session checking, with admin notifications and auto-page reload.
  • (.0) IMPROVED: Security Admin password setting now requires a confirmation password entry.
  • (.0) IMPROVED: Refined Cooldown timing system.
  • (.0) IMPROVED: Refined Bot checkbox Javascript.
  • (.0) IMPROVED: Cron entry cleanup after deactivation.
  • (.0) UPDATED: Bootstrap libraries to latest release v4.1.3.
  • (.0) FIXED: Potential bug with Plugin/Themes guard scanning.
  • (.0) FIXED: PHP Warning(s).

= 6.8 Series = Released: 11th June, 2018 - Release Notes

  • (.2) FIXED: Bug with multi-factor authentication verification.
  • (.2) FIXED: Bug with chosen reCAPTCHA style not being honoured on login pages
  • (.2) FIXED: Bug with Invisible reCAPTCHA + WooCommerce
  • (.2) FIXED: Bug with Pwned passwords always being checked even if setting turned off.
  • (.1) FIXED: A couple of bugs with WooCommerce reCAPTCHA processing.
  • (.1) FIXED: A bug with user sessions cleaning
  • (.0) ADDED: [PRO] White Label - ability to re-brand the entire Shield Security plugin to your company brand.
  • (.0) ADDED: [PRO] Option for all users to receive notification email upon login to their accounts.
  • (.0) IMPROVED: Completely rebuilt the bot and reCAPTCHA login protection system.
  • (.0) IMPROVED: Import/Export system hugely improved with respect to automated push of options from Master sites.
  • (.0) IMPROVED: A different approach to sessions management that should handle sessions a bit better.
  • (.0) IMPROVED: Expired user sessions are cleaned from the DB using a cron, and on Insights Dashboard load.

= 6.7 Series = Released: 21st May, 2018 - Release Notes

  • (.2) ADDED: [PRO] Admin Notes feature - Notes can now be easily deleted (editing will not be possible).
  • (.2) UPDATED: Some translations.
  • (.2) FIXED: A few bugs with the Insights Dashboard.
  • (.2) FIXED: Removed the dependency on jQuery with Invisible reCAPTCHA.
  • (.1) FIXED: A few bugs with the Insights Dashboard
  • (.1) ADDED: [PRO] Admin Notes feature - you can now add notes to the Shield plugin in the Insights Dashboard.
  • (.0) ADDED: All-New Insights Dashboard providing a high-level overview of your site security, with recommendations.
  • (.0) ADDED: Helpful, explanatory videos directly into the Guided Welcome Wizard.
  • (.0) ADDED: A simple test cron to demonstrate whether your site crons are running.
  • (.0) ADDED: [PRO] Full support for new WordPress GDPR Privacy Policy controls for exporting and erasing data.
  • (.0) ADDED: [PRO] New GDPR guided wizard for exporting/erasing particular data based on custom search results.
  • (.0) CHANGED: Guided Wizards now load through WP admin to fix ajax problems for poorly configured SSL on some sites
  • (.0) IMPROVED: Upgraded Bootstrap library to 4.1.1.
  • (.0) IMPROVED: Compatibility with AIO Events Cal - they like to force their old Twig libraries on everyone else.

= 6.6 Series = Released: 19th March, 2018 - Release Notes

  • (.7) IMPROVED: reCAPTCHA JS is only included on pages where it's actually used by Shield.
  • (.7) IMPROVED: Upgrade Bootstrap library to 4.1.0.
  • (.7) IMPROVED: Include jQuery for the plugin badge as required
  • (.6) ADDED: Small exclusion in the firewall for a jetpack parameter.
  • (.6) ADDED: SVGs to the default list of files scanned by the plugin guard.
  • (.6) ADDED: Workaround for a ridiculous NGG bug.
  • (.1-4) FIXED: Various small fixes and improvements
  • (.4) FIXED: PHP Fatal Error on wp object cache.
  • (.0) NEW: [PRO] Keyless Activation of Pro licenses.
  • (.0) ADDED: WordPress Password Policies.
  • (.0) ADDED: Pwned Passwords Detection.
  • (.0) IMPROVED: Major rewrite of plugin AJAX handling.
  • (.0) IMPROVED: Notices to indicate the time of the last scans.
  • (.0) FIXED: A few bugs

= 6.5 Series = Released: 5th March, 2018 - Release Notes

  • (.0) IMPROVED: Plugin Guard better handles the case where a plugin/theme has been entirely renamed/removed.
  • (.0) IMPROVED: Attempts to access the XML-RPC system when it's disabled will now result in a transgression increment in the IP Black List
  • (.0) IMPROVED: Try to prevent black listing the server's own public IP address where visitor IP address detection is not correctly configured.
  • (.0) ADDED: [PRO] Provisional support for not processing 2FA logins for Woocommerce Social Login plugin.
  • (.0) FIXED: Plugin Guard better handles ignoring Plugins/Themes
  • (.0) FIXED: A few small bugs

= 6.4 Series = Released: 26th February, 2018 - Release Notes

= 6.3 Series = Released: 12th February, 2018 - Release Notes

= 6.2 Series = Released: 31st January, 2018 - Release Notes

  • (.2) FIXED: Fix for IP Manager PHP error.
  • (.2) IMPROVED: Two-factor verification email.
  • (.1) FIXED: Bug where administrator login email notification setting is not being honoured.
  • (.1) IMPROVED: If a site is having trouble with database creation, User Sessions wont lock you out.
  • (.0) IMPROVED: Major overhaul of the Shield User Sessions system.
  • (.0) IMPROVED: Link the Security Admin authentication with the new Sessions system.
  • (.0) IMPROVED: Major overhaul to plugin's user meta data storage, limiting to a single DB entry for all data.
  • (.0) ADDED: [PRO] Ability to increase frequency of file system scans up to once every hour.
  • (.0) ADDED: [PRO] Add a "remember me" option, to allow users to skip Multi-factor authentication for a set number of days.

= 6.1 Series = Released: 15th January, 2018 - Release Notes

  • (.1) FIXED: Verify link missing from the two-factor authentication verification email.
  • (.0) ADDED: 3x more Shield Wizards: Multi-factor Authentication, Core File Scanning, Unrecognised File Scanning.
  • (.0) ADDED: You can now use regular expressions for file exclusions in the 'Unrecognised File Scanner'.
  • (.0) CHANGED: File Scanner email notifications now link to the appropriate scanner wizard directly.
  • (.0) IMPROVED: Plugin options pages restyling.
  • (.0) IMPROVED: Plugin refactoring and improvements.

= 6.0 Series = Released: 18th December, 2017

  • (.0) ADDED: All-new Shield Welcome and Setup Wizard - more helpful guided wizards to come.
  • (.0) ADDED: [PRO] Shield options import and export
  • (.0) ADDED: [PRO] In conjunction with import/export - Shield Security Network: automated options syncing.
  • (.0) CHANGED: Going forward, new features and options will support only PHP 5.4+. Existing features will remain unaffected.

= 5.20 Series = Released: 11th December, 2017

  • (.0) IMPROVED: [PRO] Audit Trail length are configurable. Length for free is 50 entries (the original unpaginated limit)
  • (.0) IMPROVED: Large redesign of options sections to be more intuitive and cleaner
  • (.0) IMPROVED: Added dedicated help section for each module.
  • (.0) IMPROVED: Certain modules have an new Actions centre, such a Audit Trail viewer and User Sessions manager
  • (.0) IMPROVED: Audit Trails are now ajax-paginated. You can browse through all your audit trail entries
  • (.0) IMPROVED: User session tables are also ajax-paginated.

= 5.19 Series = Released: 4th December, 2017

  • (.1) FIXED: Plugin Vulnerabilities scan for premium plugins.
  • (.0) ADDED: [PRO] Automated WordPress plugins vulnerability scanner with auto updates email notifications
  • (.0) ADDED: Added Google reCAPTCHA support for register/forget password pages.
  • (.0) ADDED: [PRO] Support for Multi-Factor Authentication for WooCommerce and other 3rd party plugins.
  • (.0) ADDED: [PRO] Bot-protection/Google reCAPTCHA support for BuddyPress register pages.

= 5.18 Series = Released: 27th November, 2017

  • (.0) ADDED: [PRO] Invisible Google reCAPTCHA option.
  • (.0) ADDED: [PRO] Support for Google reCAPTCHA themes - light and dark.
  • (.0) IMPROVEMENT: Google reCAPTCHA is more reliable and configurable.

= 5.17 Series = Released: 23rd November, 2017

  • (.0) ADDED: Shield Security goes Pro! Added new options and extras to premium clients.
  • (.0) IMPROVEMENT: Fix and improvement to Google reCAPTCHA.
  • (.0) ADDED: [PRO] Support for Woocommerce and Easy Digital Downloads login/registration form protection.
  • (.0) ADDED: [PRO] Ability to customise most user-facing texts.
  • (.0) ADDED: [PRO] Extra IP Transgression signal.

= 5.16 Series = Released: 16th October, 2017

With this release, we fixed a clash of options for Google reCAPTCHA. Every attempt was made to ensure no interruption to your existing settings, but please check to ensure your reCAPTCHA settings are as you expect them to be.

  • (.4) FIX: Error with incorrect/unprefixed database table name used in SQL query.
  • (.3) IMPROVEMENT: Tweak to the Visitor IP Auto-detection to better ensure CloudFlare IP addresses are ignored.
  • (.3) IMPROVEMENT: Plugin Badge will now stay closed when a visitor closes it.
  • (.2) FIX: Removed some namespace parsing that broke on sites with PHP 5.2.
  • (.1) FIX: 404 page displayed for password reset request when Login URL is renamed.
  • (.0) IMPROVEMENT: Much better auto-detection of valid request/visitor IP addresses.
  • (.0) FIX: Clashing of reCAPTCHA options for Comments and Login Protection.
  • (.0) IMPROVEMENT: Statistic Reporting database management and pruning.
  • (.0) FIX: Various system fixes and improvements.

= 5.15 Series = Released: 21st September, 2017

  • (.1) FIX: Processing AJAX requests from the Network Admin side of WordPress.
  • (.1) IMPROVEMENTS: Better handling of file exclusions in the Hack Guard module.
  • (.1) IMPROVEMENTS: Better handling of fatal errors in loading Shield where some core files are missing.
  • (.0) ADDED: New HTTP Security Header: Referrer Policy.
  • (.0) ADDED: Supports paths for file exclusions in the Unrecognised File Scanner.
  • (.0) IMPROVEMENTS: Better interception of unintentional redirects to the hidden Login URL (e.g. /wp-admin/customize.php).
  • (.0) IMPROVEMENTS: Better handling of email sending entries in the Audit Trail.
  • (.0) IMPROVEMENTS: Improved (tabbed) display of Audit Trail.
  • (.0) IMPROVEMENTS: Better generation & handling of the One Time Password for email-based two-factor authentication.
  • (.0) IMPROVEMENTS: Some code clean up and refactoring.

= 5.14 Series = Released: 9th September, 2017

  • (.0) ADDED: Option for administrators to manually override and set the source of the visitor IP address.
  • (.0) UPDATED: In-plugin documentation links to updated and revised helpdesk articles/blogs.
  • (.0) IMPROVEMENTS: Strip out any non-alphanumeric characters uses in the generation of Google Authenticator URLs.
  • (.0) FIX: Shield now ignores any requests sent to Rest API URIs with respect to Shield user sessions.

= 5.13 Series = Released: 15th August, 2017

  • (.2) IMPROVEMENTS: Small adjustment to handling of Shield User sessions in conjunction with WordPress sessions.
  • (.2) FIX: Restore display of help links for options.
  • (.1) FIX: PHP 5.2 incompatibility.
  • (.0) ADDED: New option for Unrecognised File Scanner to scan the Uploads folder for JS and PHP files.
  • (.0) ADDED: Option to provide custom list of files to be excluded from the Unrecognised File Scanner.

= 5.12 Series = Released: 3rd August, 2017

  • (.2) IMPROVEMENTS: Improved support for Windows IIS hosting for Unrecognised File Scanner
  • (.2) CHANGED: Removed the email-based 2FA automatic login link.
  • (.2) FIX: Potential bug with Shield not recognising plugin configuration updates and not rebuilding options accordingly.
  • (.1) ADDED: A few more exclusions for the Unrecognised File Scanner
  • (.1) FIX: Fix for Fatal error.
  • (.0) ADDED: Unrecognised File Scanner release. Automatically detect and delete any files present in core WordPress directories that aren't part of your core installation.
  • (.0) ADDED: Updated Firewall rules for SQL under the 'Aggressive' rule set.

= 5.11 Series = Released: 26th July, 2017

  • (.1) FIX: JSON syntax
  • (.0) IMPROVEMENTS: Final preparation for Shield Central release.

= 5.10 Series = Released: 19th June, 2017

  • (.2) FIXED: Fatal error with GASP + Password Reset.
  • (.2) FIXED: Fatal error with failing reCAPTCHA HTTP requests.
  • (.1) IMPROVEMENTS: Further preparation for Shield Central release.
  • (.0) ADDED: More in-depth reporting and statistics gathering - options for reports will be made available in a later release.

= 5.9 Series = Released: 31st May, 2017

  • (.0) ADDED: Help Videos for 1 or 2 modules. More to come and just testing format and uptake.
  • (.0) ADDED: Special handling for WP Fastest Cache.
  • (.0) CHANGE: Configuration for automatic self-update for the Shield plugin has been removed.
  • (.0) CHANGE: No longer remove an existing user session when accessed from another IP address. Just redirect. Protects existing, legitimate sessions from being forcefully expired.
  • (.0) FIXED: Danish string translation.

= 5.8 Series = Released: 7th April, 2017

  • (.2) IMPROVEMENTS: The core file scanner now works more reliably for international WordPress installations.
  • (.2) CHANGE: Login Cooldown now uses only the flag file as an indicator of login times.
  • (.2) CHANGE: Filter to allow for changing the two factor timeout period, from 5 (minutes). Filter: icwp-wpsf-login_intent_timeout
  • (.2) CHANGE: Changed timeout for two-factor authentication email to 5 minutes to account for slower email-sending providers.
  • (.2) CHANGE: Added further clarification to the Login Notification email indicating that two-factor authentication was pending.
  • (.1) FIXED: Fixed a couple of bugs with the Login Authentication Portal, for certain edge cases.
  • (.0) CHANGE: Major overhaul of Two-Factor / Multi-Factor Login Authentication.
  • (.0) CHANGE: Introduction of Login Authentication Portal for improved Multi-Factor Authentication.
  • (.0) ADDED: Option to choose between two-factor or multi-factor login authentication.
  • (.0) ADDED: Administrators can remove Google Authenticator from another user's profile.
  • (.0) ADDED: When Security Admin is active, only Security Admins may remove Google Authenticator from other admins.
  • (.0) CHANGE: Yubikey login authentication is now managed directly from the User Profile screen, as with Google Authenticator.
  • (.0) CHANGE: Email-based login authentication no longer uses a separate database table.
  • (.0) FIXED: Core file scanning now adequately handles Windows/Unix new lines during scan.
  • (.0) FIXED: Certain crons weren't setup correctly.
  • (.0) IMPROVEMENTS: Further preparation for Shield Central release.

= 5.7 Series =

  • (.3) FIXED: Attempt to improve the Google Authenticator flow for more reliable activation.
  • (.2) IMPROVEMENTS: More admin notices when saving Google Authenticator settings.
  • (.2) IMPROVEMENTS: Further preparation for Shield Central release.
  • (.1) Skipped
  • (.0) ADDED: Shortcode for displaying plugin badge in pages/posts.
  • (.0) CHANGE: Enabled JS eval() for the Content Security Policy by default.
  • (.0) IMPROVEMENTS: Replace YAML configuration files with JSON.
  • (.0) IMPROVEMENTS: Preparation for Shield Central release.
  • (.0) IMPROVEMENTS: Security Admin notices are more refined and optimized.
  • (.0) IMPROVEMENTS: Removed unnecessary files/code.

= 5.6 Series =

  • (.2) CHANGE: Fix an instance where the hidden Login URL would be leaded.

  • (.1) CHANGE: Replaying of Yubikey one-time-passwords is no longer permitted.

  • (.1) ADDED: Filter for login form GASP fields.

  • (.1) ADDED: Filter for comment form GASP fields.

  • (.1) CHANGE: Improved compatibility of HTTP Headers with WP Super Cache.

  • (.0) ADDED: Option to disable anonymous Rest API access. WordPress v4.7+ only. Note that if another plugin or service authenticates the request it will be honoured, whether anonymous or not. = 5.5 Series =

  • (.6) IMPROVED: Fixed possible leak of the Login URL from the 'Hide WP Login URL' feature.

  • (.5) ADDED: Ability to add custom protocols to the domains (apart from http/s) to the Content Security Policy

  • (.5) FIXED: Bug where automatic update emails would contain empty plugins.

  • (.5) FIXED: Javascript scope on GASP form elements.

  • (.5) FIXED: Various fixes and code improvements.

  • (.4) FIXED: Bug with data cleaning/storage that caused stored options to balloon resulting in database timeouts. (only certain options affected)

  • (.4) IMPROVED: Sometimes "anti-virus" scanners scared normal, everyday hard-working folk by identifying a Shield file as being a virus, because they're not very clever - reduced chances of this.

  • (.3) ADDED: Fix for WordPress Multisite where the correct database prefix wasn't being used.

  • (.2) ADDED: Filter to allow modification of the email footer

  • (.2) ADDED: Block auto-updates on Shield itself if PHP < 5.3 and new version is v6.0+

  • (.2) FIXED: Missing Link

  • (.2) FIXED: Plugin Installation ID wasn't always being set

  • (.2) TRANSLATIONS: Dutch (56%)

  • (.1) ADDED: Built-in forceful protection in the form of a wp_die() against the (currently) un-patched W3 Total Cache XSS vulnerability more info

  • (.1) IMPROVED: Better XMLRPC Lockdown - prevents ANY XMLRPC command processing.

  • (.1) IMPROVED: Make certain strings translatable

  • (.1) IMPROVED: Wrap-up certain login form elements into spans/divs to allow styling etc.

  • (.1) IMPROVED: PHP Version number cleaning during stats tracking.

  • (.0) ADDED: Options and statistics tracking ability. Over time we are looking to share statistics and performance metrics of Shield.

  • (.0) IMPROVED: Performance for options loading, especially for web hosts that don't permit file writing

  • (.0) CHANGED: Numerous fixes and code improvements.

  • (.0) CHANGED: Removed query that deletes old GASP comment tokens on normal page loads.

  • (.0) CHANGED: Google reCAPTCHA is now based on the locale of the website, not auto-detected.

  • (.0) FIXED: Now URL encodes the username in the link for two-factor authentication by email.

  • (.0) FIXED: If the xmlrpc.php has been deleted, this is now ignore by the file scanner

  • (.0) TRANSLATIONS: Dutch (38%), Portuguese (32%)

= 5.4 Series =

  • (.5) CHANGED: User Management module is no-longer enabled by default on clean installations
  • (.5) CHANGED: Made the GASP checkbox for Login protection clickable by label. Thanks Aubrey!
  • (.5) CHANGED: Shield Statistics only shows for WordPress admins (instead of all users)
  • (.5) FIXED: Added a couple of guards to ensure data is of the correct format to prevent spurious errors
  • (.5) FIXED: Bug where automatic file repair links from emails we're not working.
  • (.4) SKIPPED.
  • (.3) FIXED: Various fixes and improvements
  • (.3) CHANGED: Lots of cleaning of old code.
  • (.3) REMOVED: Various old, unused options, and the force_ssl_login option as it's deprecated by WordPress Core
  • (.3) TRANSLATIONS: Dutch (36%), Swedish (35%)
  • (.3) FIXED: Various fixes and improvements
  • (.3) CHANGED: Lots of cleaning of old code.
  • (.3) REMOVED: Various old, unused options, and the force_ssl_login option as it's deprecated by WordPress Core
  • (.3) TRANSLATIONS: Dutch (36%), Swedish (35%)
  • (.2) ADDED: A guard around certain modules like, User Sessions, to ensure the DB has been initiated properly before use.
  • (.2) ADDED: Exclusion for Swedish license files that don't exist in the SVN repo.
  • (.2) ADDED: Parameter exclusion for reCAPTCHA.
  • (.2) CHANGED: HTTP Security Headers module is enabled by default on new installs.
  • (.1) FIXED: Nasty bug that caused an infinite loop bug in some configurations.
  • (.0) ADDED: Per-site plugin statistics gathering - summary display on admin dashboard.
  • (.0) ADDED: HTML class to the "I'm a human" checkbox field.
  • (.0) ADDED: Ability to change minimum user role for login notification emails with use of add_filter(). See FAQs.
  • (.0) REMOVED: Option 'Prevent Remote Login' causes more trouble with than it's worth with too many hosting configurations.
  • (.0) CHANGED: For websites that don't run WP Crons correctly, added code for automatic database cleaning.
  • (.0) CLEANED: Removed Twig render code as it was never being used.

= 5.3 Series =

  • (.2) IMPROVED: HTTP Security Headers Content Security Policy now supports specifying HTTPS for domains/hosts.
  • (.2) FIXED: Human Comment SPAM Feature didn't fire under certain circumstances.
  • (.2) FIXED: Fixed parsing of Human Comment SPAM dictionary words.
  • (.1) TRANSLATIONS: Dutch (32%)
  • (.0) ADDED: New Feature - HTTP Security Headers.
  • (.0) FIXED: Prevent renaming WP Login to "/login"

= 5.2 Series =

  • (.0) ADDED: Guard against core file scanner and automatic WordPress updates clashing.
  • (.0) CHANGED: Logic for brute force login checking is improved - they all run before username/password checking
  • (.0) FIXED: Certain older versions of PHP don't like combined IPv4 and IPv6 filter flags
  • (.0) FIXED: Google reCAPTCHA for WordPress sites that have restrictive settings for sockets etc.
  • (.0) REMOVED: Plugin vulnerabilities scanner. It's out-of-date and unsuitable.

= 5.1 Series =

  • (.0) FIXED: Improved compatibility with bbPress.
  • (.0) CHANGED: Optimizations around options and definitions (storing fewer options data)
  • (.0) CHANGED: Improved styling and responsiveness of plugin badge.
  • (.0) ADDED: Ability to programmatically export/import options - further preparation for iControlWP+Shield integration.
  • (.0) FIXED: Issue where Core automatic updates would fail, but notification email was sent anyway

= 5.0 Series =

  • (.3) FIXED: Issue with setting session cookies with PHP 7
  • (.2) FIXED: Rename WordPress Login URL bug
  • (.2) CHANGED: reCAPTCHA text usage corrected throughout plugin.
  • (.1) CHANGED: Removed the whole 'wp-content' directory from the Core File Scanner feature.
  • (.1) CHANGED: A WordPress filter to change the plugin badge text content (see FAQ)
  • (.1) CHANGED: Tweaked the plugin badge styling.
  • (.1) CHANGED: All emails sent by the plugin contain the name of the site and the current plugin version in the email footer.
  • (.1) ADDED: In-plugin links to blogs and info articles for Google ReCaptcha and Google Authenticator
  • (.0) NEW: WordPress Simple Firewall plugin has been re-branded and is called Shield
  • (.0) ADDED: NEW feature - Google ReCaptcha for Comment SPAM and Login protection.
  • (.0) ADDED: Support for this plugin is now Premium. Added Premium Support page that links to Helpdesk.
  • (.0) CHANGED: Refactor of comment spam code.
  • (.0) CHANGED: Core File Scanner now handles the odd Hungarian distribution.

= 4.17 Series = Released: 17th February, 2016

  • (.0) ADDED: NEW feature - Google Authenticator Login option.
  • (.0) ADDED: Core File Scanner now includes an automatic link to repair files (you must be logged in as admin for this link to work!).
  • (.0) ADDED: NEW - if you already have a logged-in session and you open the login screen, you'll be provided with a link to go straight to the admin area.
  • (.0) CHANGED: Email-based Two-Factor Authentication is now stateless/session-less - it will not check validity per-page load.
  • (.0) CHANGED: Changes to the email-based authentication system - now only 1 option and it no longer locks to IP or browser.
  • (.0) CHANGED: Various efficiency improvements including reduced SQL updates.
  • (.0) CHANGED: Email system is improved and now send emails from the default WordPress sender. This may be changed with filter.

= 4.16 Series = Released: 20th January, 2016

  • (.2) CHANGED: Further changes and improvements to the Core File Scanner.
  • (.2) CHANGED: Improvements to the automatic black list system for failed login attempts.
  • (.2) TRANSLATIONS: Turkish (100%)
  • (.1) CHANGED: Improved the contents of the Core File Scanner notification email with links to original source files.
  • (.1) CHANGED: Now also excluding the /wp-content/languages/ directory since translations may update independently.
  • (.1) CHANGED: Handles the special case of old index.php files
  • (.0) ADDED: Feature: Automatically scans WordPress Core files and detects alterations from the default WordPress Core File data
  • (.0) ADDED: Feature: to automatically attempt to repair/replace WordPress Core files that are discovered which have been altered.
  • (.0) ADDED: Option to toggle the Plugin Vulnerabilities cron.
  • (.0) ADDED: Two-Factor Authentication links now honour the WordPress 'redirect_to' parameter.

= 4.15 Series = Released: 6th January, 2016

  • (.0) ADDED: New and updated Firewall rules as well as a new 'Aggressive' option that looks for additional request data. Disabled by default, but may cause an increase in false positives.
  • (.0) CHANGED: Improved and optimized Firewall processing.
  • (.0) FIXED: Issue where automatic update notification emails are sent out without any update notices (probably due to failed updates).
  • (.0) FIXED: Small conflict with WP Login Rename and other security plugins.
  • (.0) TRANSLATIONS: Czech (91%), Finnish (98%), Turkish (98%).

= 4.14 Series = Released: 20th November, 2015

  • (.2) ADDED: User notice message displayed when the 'Theme My Login' plugin is active and you try to rename your login URL - It is not compatible.
  • (.1) ADDED: Added WordPress filter option to specify URL instead of present a 404 when Rename WP Login is active. more info
  • (.1) ADDED: Added 'Unique Plugin Installation ID' to be utilized in the future.
  • (.1) FIXED: WordPress Comments bug where some comments didn't pass through the SPAM filters in a certain scenario.
  • (.0) ADDED: Custom Automatic Update Notifications Email that runs separately to the in-built WordPress core notification email.
  • (.0) ADDED: Filter to remove the admin area IP address footer text
  • (.0) CHANGED: Added native support for PayPal return links - whitelisting "verify_sign" parameter.
  • (.0) CHANGED: Tweak patterns for matching on 'WordPress terms'.
  • (.0) TRANSLATIONS: Danish (100%), Czech (92%), Turkish (92%), Finnish (88%),
  • (.0) FIXED: Small bugs and readying for WordPress 4.4

= 4.13 Series = Released: 22nd October, 2015

  • (.0) NEW: Added option to block the modification, addition/promotion and deletion of WordPress administrators users within the 'Security Admin' module.
  • (.0) NEW: Renamed 'Admin Access' module to 'Security Admin'.
  • (.0) CHANGED: Simplified and consolidated the use of cookies for User Session - sets and removes cookies better to reduce their usage.
  • (.0) CHANGED: Simplified and consolidated the use of cookies for Two Factor Login Authentication.
  • (.0) CHANGED: Cleaned up some Comment SPAM filtering code.
  • (.0) CHANGED: Comments Filter doesn't use cookies unless a session cookie for the visitor already exists.
  • (.0) CHANGED: IP Manager Automatic Black List - default black list duration is now 1 minute & default transgressions limit is 10
  • (.0) CHANGED: Improvements to the database create queries: use MySQL Engine defaults (instead of MyISAM); use WordPress dbDelta() for updates.
  • (.0) CHANGED: Various code optimizations and cleaning.

= 4.12 Series = Released: 10th October, 2015

  • (.0) NEW: Option to completely disable the XML-RPC system. more info
  • (.0) CHANGED: Logged-in users are automatically forwarded to the WordPress admin only if they are Administrators.

= 4.11 Series = Released: 5th October, 2015

  • (.0) NEW: Ability to now completely block the update/changing of certain WordPress site options. more info
  • (.0) FIXED: Various small bugs with the IP Manager UI ajax.
  • (.0) FIXED: Uncaught PHP Exception when a site's hosting isn't properly configured to handle IPv6 addresses.
  • (.0) TRANSLATIONS: Danish - 57%, Czech - 100%, Finnish - 94%

= 4.10 Series = Released: 23rd August, 2015

  • (.4) REFACTOR: Notifications system is more reliable and most notices can be hidden/closed (at least for the current page load as some notices are persistent).

  • (.4) REMOVED: The old manual black list option has been completely removed - in favour of the automatic black list system.

  • (.4) CHANGED: Revised the order of certain hooks being created to avoid the possibility of pluggable.php not being loaded for PHP Shutdown.

  • (.4) CHANGED: The presence of IP addresses in the IP Whitelist will force the IP Manager feature to be enabled.

  • (.4) CHANGED: We now make an attempt to prevent the caching of WordPress wp_die() pages that we generate. (compatible with at least W3TC, Super Cache)

  • (.4) TRANSLATIONS: Turkish - 100%, Danish - 3%

  • (.3) FIXED: Another PHP 5.2 incompatibility.

  • (.2) ADDED: White Listing UI to the IP Manager - CIDR ranges are supported (also automatically migrates IPs, except ranges, from legacy to new)

  • (.2) ADDED: Returned the black marking of failed WP login attempts to the automatic black list system

  • (.2) ADDED: Using a 3rd party API service: - to find the server's own IP address so we can ensure it's not used in the black lists

  • (.2) CHANGED: AJAX calls are handled more robustly with actual error messages where possible.

  • (.2) FIXED: A few black list processing bugs.

  • (.1) ADDED: UI to view and remove IP address from Automatic Black List Engine.

  • (.1) FIX: Removed transgression counting on failed logins - WP data is inconsistent.

  • (.1) CHANGED: Original legacy white list now takes priority over new auto black list

  • (.1) CHANGED: Default transgressions limit is now 7

  • (.1) ADDED: Ability to reset plugin options to default using 'reset' flag file. more info

  • (.0) NEW FEATURE: 'FABLE' - Fully Automatic Black Listing Engine.

Simply put, FABLE will automatically block all malicious traffic by IP, based on their activity. This Security Plugin will track malicious behaviour and count all transgressions that visitors make against the site. Once a particular visitor exceeds the specified number transgressions, FABLE will outright block any access they have to your WordPress site.

What makes the FABLE system better?

  • Hands Free - Automatic. No more need for maintaining manual black lists.
  • Loads first before other plugins.
  • Automatic pruning. Based on expiration time you specify, older IP address will be removed.
  • Increased Performance. With automatic pruning, IP look-up tables remain small and concise so page load times for legitimate visitors is minimally affected.
  • Adaptive. It wont just block based on 1 misdemeanour - instead you may allow any given visitor grace to legitimately get things wrong (like login passwords).
  • Intelligent. With an fully integrated plugin such as this, it uses login failure attempts, spam comment attempts, login brute force attempts to capture malicious visitors.

Which actions will trigger an ABLE transgression?

  • Attempt to login with an invalid username/password combination
  • Any attempt to login while the login cooldown system is in-effect
  • Any login attempt that trips the GASP Login protection system
  • Any login attempt with a username that doesn't exist
  • Any attempt to access /wp-admin/, /login/, or wp-login.php while the Rename WP Login setting is active
  • Any comment that gets labelled as SPAM by the plugin
  • Failed attempt to authenticate with the plugin's Admin Access Protection module
  • Any trigger of a Firewall block rule

= 4.9 Series = Released: 7th July, 2015

  • (.8) CHANGED: Firewall, User Sessions and Lockdown Feature Modules are now enabled by default for new installations.
  • (.8) FIX: Some server email programs can't handle colons (:) in the email subject (because supporting all characters would be waaay too radical man).
  • (.8) ADDED: Function to better get the WordPress home URL to prevent interference from other plugins.
  • (.8) CHANGED: Updated Text For Author Scan Block feature.
  • (.7) CHANGED: How author query blocking works to be more reliable and stricter - only runs when users are not logged in, and it will DIE instead of redirect.
  • (.6) ADDED: New Option: prevent detection of usernames using the ?author=N query. (location under section: Lockdown -> Obscurity)
  • (.6) FIXED: Infinite redirect loop logic prevents redirect for rejected comment SPAM that's posted in bulk. This results in email notifications for spam comments.
  • (.5) ADDED: The plugin will load itself first before all other plugins
  • (.5) FIXED: No longer using parse_url() to determine the request URL as it's too inconsistent and unreliable.
  • (.4) FIX: Audit Trail Viewer display issue with non-escaped HTML (Thanks Chris!)
  • (.4) ADDED: An admin warning for sites with PHP version less than 5.3.2 (future versions will require this as a minimum)
  • (.4) TRANSLATIONS: Danish - 6%, Spanish - 76%
  • (.3) ADDED: Further checking for availability of certain PHP/server data before enabling the rename WordPress login feature
  • (.3) ADDED: Option to add the Plugin Badge as a Widget to your side-bar or page footer, or any other widget area.
  • (.3) TRANSLATIONS: Polish - 100%
  • (.2) ADDED: Email notifications sent out to report email address on a daily cron. more info
  • (.2) FIX: Work around a WordPress inline plugin update Javascript bug.
  • (.1) FIX: Fix syntax support for earlier versions of PHP.
  • (.0) FEATURE: Plugin Vulnerabilities Detection: If you're running plugins with known vulnerabilities you will be warned - more info

= 4.8 Series = Released: 21st June, 2015

  • (.0) FEATURE: Admin Access Restriction Areas - Restrict access to certain WordPress areas and functionality to Administrators with the Admin Access key.
  • (.0) ADDED: Admin Access Restriction Area - Plugins. You can now restrict access to certain Plugin actions - activate, install, update, delete.
  • (.0) ADDED: Admin Access Restriction Area - Themes. You can now restrict access to certain Theme actions - activate, install, update, delete.
  • (.0) ADDED: Admin Access Restriction Area - Pages/Post. You can now restrict access to certain Page/Post actions - Create/Edit, Publish, Delete.

= 4.7 Series = Released: 29th April, 2015

  • (.7) FIXED: The text used to explain why some comments were marked as spam was broken.
  • (.7) FIXED: Group sign-up form now honours your SSL setting.
  • (.7) TRANSLATIONS: Spanish - 74%, Russian - 91%, Turkish - 94%, Polish- 95%, Finnish - 100%
  • (.6) FIXED: Verifying ability to send/receive email doesn't complete if Admin Access Protection is turned on.
  • (.6) FIXED: GASP Login Protection feature breaks because certain key options aren't initialized when the feature is enabled.
  • (.6) FIXED: Some "more info" links were empty.
  • (.4) ADDED: Email Sending Verification when enabling two-factor authentication - this ensures your site can send (and you can receive) emails.
  • (.4) ADDED: Section Summaries - each option tab contains a small text summary outlining the purpose and recommendation for each.
  • (.4) CHANGED: The Admin Access Key input is now a password field.
  • (.4) CHANGED: Custom Login URL now works with or without trailing slash.
  • (.4) CHANGED: Streamlining and improvement of PHP UI templates
  • (.4) ADDED: Implemented TWIG for templates (not yet activated)
  • (.4) TRANSLATIONS: Romanian (100%), Spanish-Spain (63%)
  • (.3) ADDED: Integrated protection against 2x RevSlider vulnerabilities (Local File Include and Arbitrary File Upload)
  • (.3) CHANGED: Reverted the addition of Permalinks/Rewrite rules flushing, in case this is a problem for some.
  • (.2) UPDATED/FIX: Major fixes and improvements to the rename wp-login.php feature.
  • (.2) TRANSLATIONS: Mexican-Spanish (61%), Arabic (38%)
  • (.1) FIX: Silence warnings from filesystem touch() command.
  • (.1) TRANSLATIONS: Polish (100%), Finnish (100%), Czech (73%), Arabic (34%)
  • (.0) UPDATED: Options page user interface re-design.
  • (.0) FIX: Audit trail time now reflects the user's timezone correctly.
  • (.0) FIX: Better compatibility with BBPress.
  • (.0) UPDATED: Underlying plugin code improvements.
  • (.0) TRANSLATIONS: Russian (100%), Czech (70%), Polish (97%)

= 4.6 Series = Released: 10th April, 2015

  • (.3) SECURITY: Added protection against XSS vulnerability in WordPress comments. Learn More - Note: This is not a vulnerability with the Firewall plugin.
  • (.3) SECURITY: Added extra precautions to WordPress URL redirects. Learn More.
  • (.3) TRANSLATIONS: Russian (70%), Czech (67%)
  • (.2) FIX: Bug with the database table verification logic.
  • (.2) TRANSLATIONS: Russian (New- 54%), Romanian (100%), Turkish (89%), Czech (53%)
  • (.1) FIX: XMLRPC compatibility logic was preventing other non-XMLRPC related code from running.
  • (.1) UPDATED: Plugin Badge styling
  • (.1) UPDATED: Updated Czech(41%) and Spanish (60%) translations
  • (.0) ADDED: New feature that displays the last login time for all users on the users listing page (User Management feature must be enabled).
  • (.0) ADDED: Completely optional promotional Plugin Badge option - help us promote the plugin and reassure your site visitors at the same time. Learn More
  • (.0) UPDATED: Updated Czech(38%) translations

= 4.5 Series = Released: 6th March, 2015

  • (.5) CHANGED: Updated Finnish (100%), Czech (16%) translations
  • (.5) CHANGED: Change logs now more clearly display changes between versions
  • (.5) FIX: Small translation coverage
  • (.4) ADDED: New and updated language translations including Polish (100%), Finnish
  • (.4) FIX: Better string translation coverage for menus etc.
  • (.3) ADDED: New and updated language translations including Polish, Czech and German
  • (.3) CHANGED: Only set the plugin cookie if necessary
  • (.2) CHANGED: Attempt to resolve DB errors related to transient options reported on WP Engine
  • (.1) ADDED: New feature- GASP Login Protection can now be applied to lost password form - enabled by default
  • (.0) ADDED: New feature- GASP Login Protection can now be applied to user registrations - enabled by default

= 4.4 Series = Released: 21st February, 2015

  • (.2) ADDED: Romanian Translation.
  • (.2) ADDED: A plugin minimum-requirements processing system.
  • (.2) IMPROVED: The WordPress admin-UI code is simpler and cleaner.
  • (.1) ADDED: Significant performance enhancement in plugin loading times (up to 50% reduction).
  • (.0) CHANGED: The 'Prevent Remote Login' option now tries to detect web hosting server compatibility before allowing it to be enabled.
  • (.0) CHANGED: More lax in finding the 'forceOff' file when users are trying to turn off the firewall.
  • (.0) CHANGED: Parsing the URL no longer outputs warnings that might interfere with response headers.

= 4.3 Series = Released: 15th January, 2015

  • (.6) FIXES: More thorough validation of whitelisted IP addresses
  • (.5) FIXES: Some hosting environments need absolute file paths for PHP include()/require()
  • (.5) CHANGED: Streamlined the detection of whitelisting and added in-plugin notification if you are whitelisted
  • (.4) FIXES: Work around for cases where PHP can't successfully run parse_url()
  • (.2) IMPROVED: Refactoring for better code organisation
  • ADDED: New Feature - Rename WP Login Page.
  • ADDED: UI indicators on whether plugins will be automatically updated in the plugins listing.
  • CHANGED: IP Address WhiteList is now global for the whole plugin, and can be accessed under the "Dashboard" area
  • IMPROVED: Firewall processing code is simplified and more efficient.

= 4.2.1 = Released: 22th December, 2014

  • FIXED: Changes to how feature specifications are read from disk to prevent .tmp file build up.

= 4.2.0 = Released: 12th December, 2014

  • ADDED: Audit Trail Auto Cleaning - default cleans out entries older than 30 days.
  • FIXED: Various small bug fixes and code cleaning.

= 4.1.4 = Released: 24th November, 2014

  • FIXED: Fixed small logic bug which prevented deactivation of the plugin on the UI.

= 4.1.3 = Released: 19th November, 2014

  • IMPROVED: User Sessions are simplified.
  • UPDATED: a few translation files based on the latest available contributions.

= 4.1.2 =

  • ADDED: Self-correcting database table validation - if the structure of a database table isn't what is expected, it'll be re-created.

= 4.1.1 =

  • WARNING: Due to new IPv6 support, all databases tables will be rebuilt - all active user sessions will be destroyed.
  • ADDED: Preliminary support for IPv6 addresses throughout. We don't support whitelist ranges but IPv6 addresses are handled much more reliably in general.
  • ADDED: New audit trail concept added called "immutable" that represents entries that will never be deleted - such entries would usually involve actions taken on the audit trail itself.
  • FIXED: Support for audit trail events with longer names.
  • IMPROVED: Comments Filtering - It now honours the WordPress settings for previously approved comment authors and never filters such comments.
  • REMOVED: Option to enable GASP Comments Filtering for logged-in users has been completely removed - this reduces plugin options complexity. All logged-in users by-pass all comments filtering.
  • FIXED: Prevention against plugin redirect loops under certain conditions.
  • FIXED: IP whitelisting wasn't working under certain cases.

= 4.0.0 =

  • ADDED: New Feature - Audit Trail
  • ADDED: Audit Trail options include: Plugins, Themes, Email, WordPress Core, Posts/Pages, Shield plugin
  • FIXED: Full and proper cleanup of plugin options, crons, and databases upon deactivation.
  • REMOVED: Firewall Log. This is no longer an option and is instead integrated into the "Shield" Audit Trail.

= 3.5.5 =

  • ADDED: Better admin notifications for events such as options saving etc.
  • CHANGE: Some plugin styling to highlight features and options better.
  • FIXED: Small bug with options default values.

= 3.5.3 =

  • ADDED: A warning message on the WordPress admin if the "forceOff" override is active.
  • CHANGED: The 'forceOff' system is now temporary - i.e. it doesn't save the configuration, and so once this file is removed, the plugin returns to the settings specified.
  • CHANGED: The 'forceOn' option is now removed.
  • FIXED: Problems with certain hosting environments reading in files with the ".yaml" extension - support ref
  • FIXED: Small issue where when the file system paths change, some variables don't update properly.

= 3.5.0 =

  • CHANGED: Plugin features are now configured using YAML - no more in-PHP configuration.
  • REMOVED: A few options from User Sessions Management as they were unnecessary.
  • CHANGED: Database storing tables now have consistent naming.
  • FIXED: Issue with User Sessions Management where '0' was specified for session length, resulting in lock out.
  • FIXED: Firewall log gathering.
  • FIXED: Various PHP warning notices.

= 3.4.0 =

  • ADDED: Option to limit number of simultaneous sessions per WordPress user login name (User Management section)

= 3.3.0 =

  • ADDED: Option to send notification when an administrator user logs in successfully (under User Management menu).
  • CHANGED: Refactoring for how GET and POST data is retrieved

= 3.2.1 =

  • FIXED: Custom Comment Filter message problem when using more than one substitution. ref

= 3.2.0 =

  • ADDED: Options to allow by-pass XML-RPC so as to be compatible with WordPress iPhone/Android apps.
  • UPDATED: Login screen message when you're forced logged-out due to 2-factor auth failure on IP or cookie.
  • CHANGED: Tweaked method for setting admin access protection on/off
  • CHANGED: comment filtering code refactoring.
  • FIXED: Options that were "multiple selects" weren't saving correctly

= 3.1.5 =

  • FIX: Where some comments would fail GASP comment token checking.

= 3.1.4 =

  • FIX: Logout URL parameters are now generated correctly so that the correct messages are shown.
  • CHANGED: small optimizations and code refactoring.
  • UPDATED: a few translation files based on the latest available contributions.

= 3.1.3 =

  • FIX: issue with login cooldown timeouts not being updated where admin access restriction is in place.

= 3.1.2 =

  • FIX: auto-updates feature not loading
  • FIX: simplified implementation of login protection feature to reduce possibility for bugs/lock-outs
  • FIX: auto-forwarding for wp-login.php was preventing user logout

= 3.1.0 =

  • ADDED: option to check the logged-in user session only on WordPress admin pages (now the default setting)
  • ADDED: option to auto-forward to the WordPress dashboard when you go to wp-login.php and you're already logged in.
  • ADDED: message to login screen when no user session is found
  • CHANGED: does not verify session when performing AJAX request. (need to build appropriate AJAX response)
  • FIX: for wp_login action not passing second argument

= 3.0.0 =

  • FEATURE: User Management. Phase 1 - create user sessions to track current and attempted logged in users.
  • CHANGED: MASSIVE plugin refactoring for better performance and faster, more reliable future development of features
  • ADDED: Obscurity Feature - ability to remove the WP Generator meta tag.
  • ADDED: ability to change user login session length in days
  • ADDED: ability to set session idle timeout in hours
  • ADDED: ability to lock session to a particular IP address (2-factor auth by IP is separate)
  • ADDED: ability to view active user sessions
  • ADDED: ability to view last page visited for active sessions
  • ADDED: ability to view last active time for active sessions
  • ADDED: ability to view failed or attempted logins in the past 48hrs
  • ADDED: Support for GASP login using WooCommerce
  • CHANGED: Admin Access Restriction now has a separate options/feature page
  • CHANGED: Admin styling to better see some selected options
  • ADDED: Support for WP Wall shoutbox plugin (does no GASP comment checks)
  • CHANGED: Removed support for upgrading from versions prior to 2.0
  • CHANGED: Removed support for importing from Firewall 2 plugin - to import, manually install plugin v2.6.6, import settings, then upgrade.

= 2.6.6 =

  • FIX: Improved compatibility with bbPress.

= 2.6.5 =

  • FIX: Could not enable Admin Access Protection feature on new installs due to too aggressive testing on security.

= 2.6.4 =

  • ENHANCED: Dashboard now shows a more visual summary of settings and removes duplicate options settings with links to sections.
  • ENHANCED: WordPress Lock Down options now also set the corresponding WordPress defines if they're not already.

= 2.6.3 =

  • ADDED: More in-line plugin links to help/blog resources
  • ENHANCED: Admin Access Protection is further enhanced in 3 ways:
  1. More robust cookie values using MD5s
  2. Blocks plugin options updating right at the point of WordPress options update so nothing can rewrite the actual plugin options.
  3. Locks the current Admin Access session to your IP address - effectively only 1 Shield admin allowed at a time.

= 2.6.2 =

  • ENHANCED: Added option to completely reject a SPAM comment and redirect to the home page (so it doesn't fill up your database with rubbish)
  • ADDED: Plugin now has an internal stats counter for spam and other significant plugin events.

= 2.6.1 =

  • ADDED: Plugin now installs with default SPAM blacklist.
  • ADDED: Now automatically checks and updates the SPAM blacklist when it's older than 48hrs.
  • ENHANCED: Comment messages indicate where the SPAM content was found when marking human-based spam messages.

= 2.6.0 =

Major Features Release: Please review SPAM comments filtering options to determine where SPAM goes

  • FEATURE: Added Human SPAM comments filtering - replacement for Akismet that doesn't use or send any data to 3rd party services. Uses Blacklist provided and maintained by Grant Hutchinson
  • ENHANCED: Two-Factor Login now automatically logs in the user to the admin area without them having to re-login again.
  • ENHANCED: Added ability to terminate all currently (two-factor) verified logins.
  • ENHANCED: Spam filter/scanning adds an explanation to the SPAM content to show why a message was filtered.
  • FIXES: For PHP warnings while in php strict mode.
  • CLEAN: Much cleaning up of code.

= 2.5.9 =

  • FEATURE: Added option to try and exclude search engine bots from firewall checking option - OFF by default.

= 2.5.8 =

  • FEATURE: Added 'PHP Code' Firewall checking option.

= 2.5.7 =

  • IMPROVED: Handling and logic of two-factor authentication and user roles/levels

= 2.5.6 =

  • FEATURE: Added ability to specify the particular WordPress user roles that are subject to 2-factor authentication. (Default: Contributors, Authors, Editors and Administrators)

= 2.5.5 =

  • FEATURE: Added 'Lockdown' feature to force login to WordPress over SSL.
  • FEATURE: Added 'Lockdown' feature to force WordPress Admin dashboard to be delivered over SSL.
  • FIX: Admin restricted access feature wasn't disabled with the "forceOff" option.

= 2.5.4 =

  • FIX: How WordPress Automatic/Background Updates filters worked was changed with WordPress 3.8.2.

= 2.5.3 =

  • UPDATED: Translations. And confirmed compatibility with WordPress 3.9

= 2.5.2 =

  • FEATURE: Option to Prevent Remote Posting to the WordPress Login system. Will check that the login form was submitted from the same site.

= 2.5.1 =

  • UPDATED: Translations and added some partials (Catalan, Persian)
  • FIX: for cleanup cron running on non-existent tables.

= 2.5.0 =

  • FEATURE: Two-Factor Authenticated Login using Yubikey One Time Passwords (OTP).

= 2.4.3 =

  • ADDED: Translations: Spanish, Italian, Turkish. (~15% complete)
  • UPDATED: Hebrew Translations (100%)

= 2.4.2 =

  • ADDED: Contextual help links for many options. More to come...
  • ADDED: More Portuguese (Brazil) translations (~80%)

= 2.4.1 =

  • ADDED: More strings to the translation set for better multilingual support
  • ADDED: Portuguese (Brazil) translations (~40%)
  • UPDATED: Hebrew Translations
  • FIXED: Automatic cleaning of database logs wasn't actually working as expected. Should now be fixed.

= 2.4.0 =

  • NEW: Option to enable Two-Factor Authentication based on Cookie. In this way you can tie a user session to a single browser.
  • FIX: Better WordPress Multisite (WPMS) Support.

= 2.3.4 =

  • FIX: Automatic updating of itself.

= 2.3.3 =

  • ADDED: Hebrew Translations. Thanks Ahrale!
  • ADDED: Automatic trimming of the Firewall access log to 7 days - it just grows too large otherwise.
  • FIX: The previously added automatic clean up of old comments and login protect database entries was wiping out the valid login protect entries and was forcing users to re-login every 24hrs.
  • FIX: Some small bugs, errors, and PHPDoc Comments.

= 2.3.2 =

  • ADDED: Automatic cleaning of GASP Comments Filter and Login Protection database entries (older than 24hrs) using WordPress Cron (everyday @ 6am)
  • CHANGED: Huge code refactoring to allow for more easily use with other WordPress plugins.

= 2.2.5 =

  • ADDED: Email sending options for automatic update notifications - options to change the notification email address, or turn it off completely.

= 2.2.4 =

  • FIX: Small bug fix.
  • CHANGED: When running a force automatic updates process, tries to remove influence from other plugins and uses only this plugin's automatic updates settings.
  • CHANGED: A bit of automatic updates code refactoring.

= 2.2.2 =

  • CHANGED: Changed all options to be disabled by default.
  • CHANGED: The option for admin notices will turn off all main admin notices except after you update options.

= 2.2.1 =

  • ADDED: Verified compatibility with WordPress 3.8

= 2.2.0 =

  • CHANGED: Certain filesystem calls are more compatible with restrictive hosting environments.
  • CHANGED: Plugin is now ready to integate with iControlWP automatic background updates system.
  • FIX: Login Protection Cooldown feature may not operate properly in certain scenarios.

= 2.1.5 =

  • IMPROVED: Improved logic for Firewall whitelisting for pages and parameters to ensure whitelisting rules are followed.
  • CHANGED: The whitelisting rule for posting pages/posts is only for the "content" and the firewall checking will apply to all other page parameters.

= 2.1.4 =

  • FIX: When you run the Force Automatic Background Updates, it disables the plugins. This problem is now fixed.

= 2.1.2 =

  • FIX: A bug that prevented auto-updates of this plugin.
  • FIX: Not being able to hide translations and upgrade notices.
  • ADDED: Tweaks to auto-update feature to allow interfacing with the iControlWP service to customize the auto update system.

= 2.1.0 =

  • ADDED: A button that lets you run the WordPress Automatic Updates process on-demand (so you don't have to wait for WordPress cron).
  • CHANGED: The plugin now sets more options to be turned on by default when the plugin is first activated.
  • CHANGED: A lot of optimizations and code refactoring.

= 2.0.3 =

  • FIX: Whoops, sorry, accidentally removed the option to toggle "disable file editing". It's back now.

= 2.0.2 =

  • CHANGED: WordPress filters used to programmatically update whitelists now update the Login Protection IP whitelist

= 2.0.1 =

  • ADDED: Localization capabilities. All we need now are translators! Go here to get started.
  • ADDED: Option to mask the WordPress version so the real version is never publicly visible.

= 1.9.2 =

  • CHANGED: Simplified the automatic WordPress Plugin updates into 1 filter for consistency

= 1.9.1 =

  • ADDED: Increased admin access security features - blocks the deactivation of itself if you're not authenticated fully with the plugin.
  • ADDED: If you're not authenticated with the plugin, the plugin listing view wont have 'Deactivate' or 'Edit' links.

= 1.9.0 =

  • ADDED: New WordPress Automatic Updates Configuration settings

= 1.8.2 =

  • ADDED: Notification of available plugin upgrade is now an option under the 'Dashboard'
  • CHANGED: Certain admin and upgrade notices now only appear when you're authenticated with the plugin (if this is enabled)
  • FIXED: PHP Notice with undefined index.

= 1.8.1 =

  • ADDED: Feature- Access Key Restriction more info.
  • ADDED: Feature- WordPress Lockdown. Currently only provides 1 option, but more to come.

= 1.7.3 =

  • CHANGED: Reworked a lot of the plugin to optimize for further performance.
  • FIX: Potential infinite loop in processing firewall.

= 1.7.1 =

  • ADDED: Much more efficiency yet again in the loading/saving of the plugin options.

= 1.7.0 =

  • ADDED: Preliminary WordPress Multisite (WPMS/WPMU) Support.
  • CHANGED: The Firewall now kicks in on the 'plugins_loaded' hook instead of as the actual firewall plugin is initialized (as a result of WP Multisite support).

= 1.6.2 =

  • REMOVED: Automatic upgrade option until I can ascertain what caused the plugin to auto-disable.

= 1.6.1 =

  • ADDED: Options to fully customize the text displayed by the GASP comments section.
  • ADDED: Option to include logged-in users in the GASP Comments Filter.

= 1.6.0 =

  • ADDED: A new section - 'Comments Filtering' that will form the basis for filtering comments with SPAM etc.
  • ADDED: Option to add enhanced GASP based comments filtering to prevent SPAM bots posting comments to your site.

= 1.5.6 =

  • IMPROVED: Whitelist/Blacklist IP range processing to better cater for ranges when saving, with more thorough checking.
  • IMPROVED: Whitelist/Blacklist IP range processing for 32-bit systems.
  • FIXED: A bug with Whitelist/Blacklist IP checking.

= 1.5.5 =

  • FIXED: Quite a few bugs fixed.

= 1.5.4 =

  • FIXED: Typo error.

= 1.5.3 =

  • FIXED: Some of the firewall processors were saving unnecessary data.

= 1.5.2 =

= 1.5.1 =

  • FIXED: Bug fix where IP address didn't show in email.
  • FIXED: Attempt to fix problem where update message never hides.

= 1.5.0 =

  • ADDED: A new IP whitelist on the Login Protect that lets you by-pass login protect rules for given IP addresses.
  • REMOVED: Firewall rule for wp-login.php and whitelisted IPs.

= 1.4.2 =

  • ADDED: The plugin now has an option to automatically upgrade itself when an update is detected - enabled by default.

= 1.4.1 =

  • ADDED: The plugin will now displays an admin notice when a plugin upgrade is available with a link to immediately update.
  • ADDED: Plugin collision: removes the main hook by 'All In One WordPress Security'. No need to have both plugins running.
  • ADDED: Improved Login Cooldown Feature- works more like email throttling as it now uses an extra filesystem-based level of protection.
  • FIXED: Login Cooldown Feature didn't take effect in certain circumstances.

= 1.4.0 =

  • ADDED: All-new plugin options handling making them more efficient, easier to manage/update, using far fewer WordPress database options.
  • CHANGED: Huge improvements on database calls and efficiency in loading plugin options.
  • FIXED: Nonce implementation.

= 1.3.2 =

  • FIXED: Small compatibility issue with Quick Cache menu not showing.

= 1.3.0 =

  • ADDED: Email Throttle Feature - this will prevent you getting bombarded by 1000s of emails in case you're hit by a bot.
  • ADDED: Another Firewall die() option. New option will print a message and uses the wp_die() function instead.
  • ADDED: Refactored and improved the logging system (upgrading will delete your current logs!).
  • ADDED: Option to separately log Login Protect features.
  • ADDED: Option to by-pass 2-factor authentication in the case sending the verification email fails (so you don't get locked out if your hosting doesn't support email!).
  • CHANGED: Login Protect checking now better logs out users immediately with a redirect.
  • CHANGED: We now escape the log data being printed - just in case there's any HTML/JS etc in there we don't want.
  • CHANGED: Optimized and cleaned a lot of the option caching code to improve reliability and performance (more to come).

= 1.2.7 =

  • FIX: Bug where the GASP Login protection was only working when you had 2-factor authentication enabled.

= 1.2.6 =

  • ADDED: Ability to import settings from WordPress Firewall 2 plugin options - note, doesn't import page and variables whitelisting.
  • FIX: A reported bug - parameter values could also be arrays.

= 1.2.5 =

  • ADDED: New Feature - Option to add a checkbox that blocks automated SPAM Bots trying to log into your site.
  • ADDED: Added a clear user message when they verify their 2-factor authentication.
  • FIX: A few bugfixes and logic corrections.

= 1.2.4 =

  • CHANGED: Documentation on the dashboard, and the message after installing the firewall have been updated to be clearer and more informative.
  • FIX: A few bugfixes and logic corrections.

= 1.2.3 =

  • FIX: bugfix.

= 1.2.2 =

  • FIX: Some warnings and display bugs.

= 1.2.1 =

  • ADDED: New Feature - Login Wait Interval. To reduce the effectiveness of brute force login attacks, you can add an interval by which WordPress will wait before processing any more login attempts on a site.
  • CHANGED: Optimized some settings for performance.
  • CHANGED: Cleaned up the UI when the Firewall / Login Protect features are disabled (more to come).
  • CHANGED: Further code improvements (more to come).

= 1.2.0 =

  • ADDED: New Feature - Login Protect. Added 2-Factor Login Authentication for all users and their associated IP addresses.
  • CHANGED: The method for processing the IP address lists is improved.
  • CHANGED: Improved .htaccess rules (thanks MickeyRoush)
  • CHANGED: Mailing method now uses WP_MAIL
  • CHANGED: Lot's of code improvements.

= 1.1.6 =

  • ADDED: Option to include Cookies in the firewall checking.

= 1.1.5 =

  • ADDED: Ability to whitelist particular pages and their parameters (see FAQ)
  • CHANGED: Quite a few improvements made to the reliability of the firewall processing.

= 1.1.4 =

  • FIX: Left test path in plugin.

= 1.1.3 =

  • ADDED: Option to completely ignore logged-in Administrators from the Firewall processing (they wont even trigger logging etc).
  • ADDED: Ability to (un)blacklist and (un)whitelist IP addresses directly from within the log.
  • ADDED: helpful link to IP WHOIS from within the log.

= 1.1.2 =

  • CHANGED: Logging now has its own dedicated database table.

= 1.1.1 =

  • Fix: Block notification emails weren't showing the user-friendly IP Address format.

= 1.1.0 =

  • You can now specify IP ranges in whitelists and blacklists. To do this separate the start and end address with a hyphen (-) E.g. For everything between and, you would do:
  • You can now specify which email address to send the notification emails.
  • You can now add a comment to IP addresses in the whitelist/blacklist. To do this, write your IP address then type a SPACE and write whatever you want (don't take a new line).
  • You can now set to delete ALL firewall settings when you deactivate the plugin.
  • Improved formatting of the firewall log.

= 1.0.2 =

  • First Release

== Upgrade Notice ==

= 1.1.2 =

  • CHANGED: Logging now has its own dedicated database table.
  • Fix: Block notification emails weren't showing the user-friendly IP Address format.
  • You can now specify IP ranges in whitelists and blacklists. To do this separate the start and end address with a hyphen (-) E.g. For everything between and, you would do:
  • You can now specify which email address to send the notification emails.
  • You can now add a comment to IP addresses in the whitelist/blacklist. To do this, write your IP address then type a SPACE and write whatever you want (don't take a new line).
  • You can now set to delete ALL firewall settings when you deactivate the plugin.
  • Improved formatting of the firewall log.
Click to access the login or register cheese