Shield Security Features Round Up

By 12th February 2014 April 21st, 2020 Shield Security

Our WordPress Security plugin is gaining momentum.

It has a full 5-star rating on WordPress.org and user feedback is hugely positive, so it’s doing something right!

We’ve been strict about keeping it simple, both in terms of the code that goes into it, and the features it offers.  In this post I’d like to outline some of the latest features that are currently present in the WordPress Simple Firewall and where we plan to take it.

Top New Features of the Shield Security

1) Security Plugin Security

It’s a little circular, but oddly overlooked by every WordPress security plugin available – except one.

Imagine you set up your WordPress site security using a plugin.  You still get compromised, however, and someone gains administrator access.  What’s to stop them turning off your security altogether, or modifying your security plugin from within, so they always have a backdoor? They could do that and you wouldn’t even know it…

The Shield Security lets you lock down the actual plugin itself with a password that you create.  When the plugin is locked-down…

  • you cannot disable or uninstall the plugin from within WordPress admin
  • you cannot edit any plugin files from within WordPress (you must have also disabled file editing)
  • you cannot manage or modify any settings of the WordPress Simple Firewall plugin

In our view, WordPress security is only as secure as the mechanism (plugin) you use to secure it.

2) Extended Two-Factor Authentication

Since many people manage their WordPress sites from locations with frequently changing IP addresses, the previous 2-factor authentication had a limitation – it meant that as soon as your IP address changed, you had to re-authenticate.

We don’t see this as a problem – it adds a tight level of security to your sites.  However, it made it quite difficult to use for those site admins that shared the same admin user from different locations.

So, we added Cookie-based 2-factor authentication.  What this means is that after you authenticate your login, the security plugin will drop a unique cookie in your browser and then this is checked each time you visit the site. It means you can switch IP addresses as much as you like 🙂

And, you can use the Cookie- and IP- based authentication mechanisms together, so it locks your admin session to both your browser and your IP address.  Neat! 🙂
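A minimal sketch of the cookie- and IP-bound check described above. This is an added example, not Shield's own code (the plugin itself is PHP); the class, its method names and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class TwoFactorSessions:
    """Remembers a completed second factor per user (in-memory store: an assumption)."""

    def __init__(self, bind_cookie=True, bind_ip=False, ttl=86400):
        if not (bind_cookie or bind_ip):
            raise ValueError("enable cookie binding, IP binding, or both")
        self.bind_cookie, self.bind_ip, self.ttl = bind_cookie, bind_ip, ttl
        self._records = {}  # user -> {"token_hash", "ip", "expires"}

    def complete_second_factor(self, user, ip, now):
        """Call once the second factor has been verified; returns the cookie value."""
        token = secrets.token_urlsafe(32)  # unique and unguessable per login
        self._records[user] = {
            # Store only a hash so a leaked store does not yield usable cookies.
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "ip": ip,
            "expires": now + self.ttl,
        }
        return token

    def is_verified(self, user, cookie, ip, now):
        """Check on every admin request; False means the second factor must be repeated."""
        rec = self._records.get(user)
        if rec is None or now >= rec["expires"]:
            return False
        if self.bind_cookie:
            presented = hashlib.sha256((cookie or "").encode()).hexdigest()
            # Constant-time comparison avoids leaking how much of the token matched.
            if not hmac.compare_digest(presented, rec["token_hash"]):
                return False
        if self.bind_ip and ip != rec["ip"]:
            return False
        return True

if __name__ == "__main__":
    # Constructed sample: documentation-range IP addresses and fixed clock values.
    both = TwoFactorSessions(bind_cookie=True, bind_ip=True)
    cookie = both.complete_second_factor("admin", "198.51.100.7", now=1000)
    print(both.is_verified("admin", cookie, "198.51.100.7", now=1060))  # same browser and IP
    print(both.is_verified("admin", cookie, "203.0.113.9", now=1060))   # same cookie, other IP
```

In a real deployment the returned value would be sent as a cookie with the `Secure` and `HttpOnly` attributes so that it is not exposed over plain HTTP or to page scripts.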

3) WordPress Lock Down

If someone ever gains access to your WordPress admin area, the first thing they’re probably going to do is modify some files. By default, WordPress lets you do this as admin.

WordPress has an option to turn this off, but we opted to use a WordPress “hook” instead, because with this plugin we strictly don’t modify any core WordPress files.

Turning this option on within the plugin will ensure that administrators cannot modify core files.  But, you must remember to use the first feature we discussed to ensure no-one can switch this off again! 🙂

4) WordPress Automatic Updates management

If you haven’t heard already, WordPress 3.7 added the ability to automatically update WordPress core files, plugins, themes etc… but they provided no user interface for it.  That didn’t sit well with us, and we added a full UI to manage your automatic updates.

Note: If you use iControlWP WordPress management, you can even manage WordPress automatic updates right down to the individual plugin level. It’s pretty neat.

The future of the Shield Security plugin

Anyone with more than a few sites will testify to the pain that is managing the same plugin across multiple sites.

We plan to implement an interface to manage the WordPress Simple Firewall plugin across all your WordPress websites at once!  This means you’ll never need to go to each individual website to install the plugin, change settings etc. You do it from 1 place.

Sounds exciting!  It is… and it’s coming soon 🙂

Join the discussion 2 Comments

  • “We plan to implement an interface to manage the WordPress Simple Firewall plugin across all your WordPress websites at once! This means you’ll never need to go to each individual website to install the plugin, change settings etc. You do it from 1 place.” Great news! Looking forward to that feature!
