- Part 1: Why we built the Shield
- Part 2: WordPress Super Admin Protection
- Part 3: WordPress Firewall Feature
- Part 4: WordPress Login and Brute Force Hacking Protection
- Part 5: The WordPress Comment SPAM Killer
- Part 6: WordPress Automatic Updates Management
One of the most critical aspects to any WordPress security plugin is whether the plugin itself is protected against unauthorized access.
Consider what it means if it isn’t secured – anyone with administrator access to a WordPress site, regardless of whether they are supposed to have it or not, can change your WordPress security features.
For a solo-admin site, this probably isn’t too much of an issue. But for sites with multiple administrators having different roles, this can be a problem.
In this article I’ll outline what the Security Admin feature is, how it works, and why you absolutely must use it.
What is the Security Admin feature?
Simply put, when the Security Admin feature is turned on, you limit access to whole Shield plugin. Only administrators that know the authentication key will have access.
When it’s active, until you authenticate you will not be able to:
- view any Shield plugin settings,
- change any plugin settings,
- deactivate the plugin, or
- uninstall the plugin
This restriction in no-way interferes with the normal operations of the plugin itself… it’ll continue in the background performing its checks and any other settings you’ve put in place.
What options are available for Security Admin?
Keeping in-line with the principles of the plugin itself, security admin is easy to setup.
Currently it is accessible from within the Security Admin section of the Shield menu (see screenshot below)
The options are as follows:
- Enable/Disable module – This will completely turn on, or turn off, the security admin feature. You will only be able to turn it on or off if you have access. When the plugin is first installed, this will be disabled and no authentication password will be set.
- Security Admin Timeout – This is the duration of the administrator access and is set using a cookie. When you authenticate (see below) you will be permitted access to the plugin for this length of time (in minutes). Changing this setting while authenticated will only change the setting for the next session and will not affect the current access period.
- The 3rd option is the Security Admin Access Key. If you leave this empty, no changes will be made to the key, but if you put anything in this option, it will be saved as the authentication key and will be used for future Security Admin session.
The Security Admin feature can’t be enabled with an empty authentication key. If the authentication key is empty the option will be switched off automatically.
How does the Security Admin work?
When enabled, and the plugin detects whether you haven’t authenticated yet, and if you’re not, you’ll be presented with a screen to enter the authentication key.
This screen, as shown above, will always be shown whenever you try to access any page from the Shield menu while not authenticated.
The feature currently works by setting a flag within your cookies to indicate you’re authenticated. Future releases of the plugin make the cookie that is set more robust.
Why should you use the Security Admin?
There is no good reason not to lock down your WordPress security with another, WordPress-independent, authentication layer.
It helps to restrict both accidental and malicious changes to your security policy, and you can be confident in your change management processes that you, or only those that know the authentication key, can and could have changed your settings.
We encourage all users of Shield to turn on this feature immediately after installation. This ensures your WordPress security is locked down from the beginning.
Remember, if you forget your key you can always turn the whole plugin off using FTP.
What if you forget your Security Access Key?
If you forget your key, all is not lost. Since you’re the website administrator, you have power over the site that others do not.
You should use the process outlined here to regain access to the plugin. It will disable the plugin features without disabling the whole plugin itself.
While the features are disabled, including the admin access system, then you can open up the security admin module and set a new access key. Just save the settings and turn the plugin back on by removing the file you created earlier.
Suggestions, Ideas and Feedback
We welcome all ideas and feedback you might have for the Shield plugin… please leave a comment below and let us know your thoughts and any suggestions you might have to improve our plugin and our service.