New: WordPress Security Administrator Protection

By 13th October 2015 January 14th, 2016 WordPress News and Updates
Simple Security Firewall Plugin For WordPress Banner

Early on in our Security Plugin development we identified a flaw with all existing WordPress security plugins – they lacked protection against tampering of the security plugin itself.

2 years ago we introduced the 1st version of our Admin Access system – it prevented anyone without the access key from changing the security plugin settings.

With our latest release, we’ve done 2 things:

  1. We’ve renamed the feature from “Admin Access” to “Security Admin”, and
  2. We’ve added a new option – to block the creation, editing, and deletion of any WordPress administrator users.

This short article will quickly run you through both of these.

Why did we change the name?

This is quite simple to explain. We were never happy with the name “Admin Access” since it didn’t quite say what it was.

There’s no obvious difference between “Admin Access” and an “administrator accessing” the dashboard.  It also didn’t quite flow smoothly when describing its feature sets… it always seemed to need clarification.

We’re hoping that ‘Security Admin’ will be more intuitive going forward. What are your thoughts on the change?

New Option: Block Administrator User Modification

WordPress didn’t make it easy to create restrictions on the creation, promotion, demotion, and deletion of administrator users. However, with our new security option enabled, this is what we’ve been able to achieve:

  • No user, administrator or otherwise, may create any new user with the administrator role.
  • No user, administrator or otherwise, may promote an existing user to the administrator role.
  • No user, administrator or otherwise, may demote an existing administrator user from the administrator role.
  • No user, administrator or otherwise, may delete any user that currently has an administrator role.

Exception: Any plugin code may programmatically by-pass these restrictions.

Why is this option necessary and when would you use it?

An extra layer of protection to the creation and modification of administrator users makes it more difficult for unauthorized users to gain permanent and unrestricted site access.

This can apply to a hacking attempts that gains administrator access for any sort of reason. It can also protect against malicious users who intend to remove administrator access from other site admins.

Generally, site admins are not fluid – they don’t change very often – so this option shouldn’t interfere with day-to-day operations.

You can now also grant administrator access to anyone knowing that they cannot modify your site access privileges, or that of any other admin user.

Be careful though, the ‘Security Admin’ system is limited to a single access key.  You will need to communicate with fellow site administrators on the changes you’ve made if you put this in-place – you will be restricting one of their abilities.

How to enable this option

This option is only available from Security Plugin version 4.13.0

This option is found within the ‘Security Admin’ module and is not enabled by default.

See the screenshot:

Shield Plugin: Restrict Administrator Users

Option Screenshot: Restrict Administrator Users

When this option is enabled and while you are not authenticated with the plugin’s security admin system, you will be restricted from modifying any administrator users (except yourself).

You will be presented with a notice that warns you of this restriction and an link to remove it.

To remove the restriction all you need to do is enter your Security Admin Access Key and you’re good to go.

See screenshot below:

Shield Plugin: Unlock Admin Restriction Notice

Unlock Admin Restriction Notice

Feedback and Suggestions

As always, we value your suggestions and your feedback on this feature and any others. Please do leave us comments below if you have any suggestions and ideas.

Join the discussion 2 Comments

  • Andreas Mavroulakis says:

    Moroccan hackers proved more effective than your silly “protection”. This is the message your “powerful” security plugin sent when that happened:
    “Hi !

    As requested, WordPress Security Firewall is notifying you of an administrator login to a WordPress site that you manage.
    Details for this user are below:
    – Site URL: [REMOVED]
    – Username: ouss
    – IP Address: 105.155.106.5
    Thanks.
    This email was sent from the WordPress Security Firewall plugin, provided by iControlWP – WordPress Management and Backup Protection For Professionals.
    Current Plugin Version: 4.16.2. ”

    As there was no registered user named “ouss”, I must tell you that hackers work hard on what you never give a damn to: mySQL security holes!!! Yeah! You’ ve never thought of that, have you?

    View Comment
    • Paul G. says:

      Hi Andreas,

      “Lovely” message there, but I decided to let it go live anyway. And here’s why:

      The email message you quoted there shows the plugin did the job – it alerted you to the fact that someone logged-in who shouldn’t have. They clearly went through the normal login procedure on your site, since that email could only have been received if they did.

      This therefore points to the fact that you probably don’t have two-factor authentication enabled, as this plugin provides. Our plugin is great, but you need to turn on the features for it to work.

      You say hackers are working hard on MySQL security holes… Where is the evidence that this is a result of a MySQL security hole? Further, why would you say we don’t give a damn about it? Of course we do… that’s a slightly ridiculous statement.

      There are a million ways to circumvent website security, our plugin does the job of blocking and preventing some of them… it cannot possibly do them all. That’s your responsibility. Sorry.

      There are always things to improve, but unfortunately your comment provides no constructive feedback to do so – there is no way to know how they circumvented your login procedure.

      Further, I would question what plugins and themes you have running and if they are, along with your WordPress site, ALL completely up-to-date. If you are using a plugin or theme with a security vulnerability, then this plugin probably wont help you.

      Just think, were it not for that email, you would NEVER have known that your site was compromised in the first place. Yay, go us! 😀

      Thanks for your comment.

      View Comment

Leave a Reply