Comment on Shield – A Powerful WordPress Security Plugin by Paul G..
Hi AnnaBella,
Thanks for the comment and the questions.
The plugin is not configured to send out email when logging attempts are blocked. There has been no need to program such a feature. The logging system will show these, as you’ve seen. If such a feature was enabled and you get a huge hit on your wp-login, you’ll get a massive surge in emails. I’m inclined to not provide such a feature when the logging system displays these quite clearly already.
Also, the limit login attempts doesn’t stop people from actually going to your wp-login page and trying to login. What it does is prevent any WordPress processing of the login attempt. There’s no way to actually prevent access or submission to your wp-login.php, so we block all processing on the backend, during the cooldown period.
I hope that helps to explain this all a little better.
Thanks!
Paul.
Paul G. Also Commented
Shield – A Powerful WordPress Security Plugin
Please use the technique outlined here to disable the plugin and enter a new admin access key:
https://icontrolwp.freshdesk.com/support/solutions/articles/3000000959
Thanks
Shield – A Powerful WordPress Security Plugin
Hi Roger,
I haven’t heard reports of this until now, but I’ll check the code as the only thing I can think of here is that there’s a potential bug in the automatic cleanup code I put into the last release – it might be actually cleaning out valid authentications as well.
As you say, not the worst thing in the world and if anything makes it all the mores resilient as it forces re-authentication, but yes, a bit of a pain to say the least. I’ll look into the code and get back to you…
Thanks for raising this.
Paul.
Shield – A Powerful WordPress Security Plugin
Hi Russell,
Thanks for the suggestion. The reason we don’t turn it on by default is performance as we intend to eventually add more features (as we have done just this week with Login Protection).
What we could do is add a notice to say that the plugin is activated, but the Firewall is not turned on yet. I’ll look at doing this for a release very soon.
Thanks!
Paul.
Recent Comments by Paul G.
Security: Hide The WordPress Login and Admin Pages (wp-login.php)
Hey Rob,
Brilliant news… Glad it’s working so well for you!
Part 5: Ultimate Comment SPAM Killer – Shield WordPress Security Plugin
Why does WordPress need to do that? I’ve no idea… that’s the way the author of this particular code decided to implement this. 🙂
My approach is to take each “spam” word/pattern and I use “stripos()” on each item of the comment that needs to be checked.
The truth is that efficiency isn’t hugely important in this area because it’s only run when a comment is posted. I could probably optimize my approach too, but again, it’s not critical.
Further reading: http://lzone.de/articles/php-string-search.htm
Part 4: Login Protection – Shield WordPress Security Plugin
There’s nothing you can do about that unfortunately if the bots are cracking away at your page. Most bots would get blocked by the automatic blacklist if they’re repeatedly hitting you with this.
As to XML-RPC, we have a couple of options ranging from by-passing the login/user sessions systems to completely disabling it:
https://www.icontrolwp.com/2015/10/automatically-block-brute-force-amplification-attacks-against-wordpress-xmlrpc/
Further WordPress Admin Access Lockdown
Eileen, Lynn,
The automatic updates system is WordPress-controlled and run on a WordPress cron. The Security admin access shouldn’t affect this. If you have enabled automatic updates, but restricted the system using the admin access and you find it’s not working as it should, please let me know in the support forums.
To your first question, if you enable this Security Admin system and lock-down any features, then you must, as an administrator or not, authenticate with the Security Admin system before you can make changes to the zones that have been restricted.
Let me know if it’s still unclear and I’ll elaborate further on areas you need.
Thanks!
Part 5: Ultimate Comment SPAM Killer – Shield WordPress Security Plugin
This is something that you’ll have to test with your particular installation(s) and configuration. Aggressive page caching will probably affect this functionality, but that is the double-edged sword that is “caching”.
I’d be interested to hear what you find with your tests.
Thanks!
