Shield your site from catastrophe with Shield Security for WordPress

Wibble’s approach to WordPress security

We take website security exceptionally seriously – all sites that we design and build are placed under the Wibble Support Package and a major part of this web design and development process is the application of a security policy. Shield security plays an integral part in ensuring that all our sites are secure and online. We have been using Shield Security to manage the 1000s of WordPress sites under our control and we see it as the go-to WordPress security offering. Please note, this is not a paid endorsement or an advert, this is truly based on Wibble’s experience using this plugin.

What security means to you

You see security in many areas of life, from every risk assessment you make every day of your life, to the guy in a shop making sure loss is minimal. A security guard is probably the best metaphor for how we keep your site secure, loss to a minimum and keep the wrong people out.

Shield Security is our own personal security guard, working discreetly in the background to make sure your site and all its contents are safe. The plugin is easy to use and, as a great feature, Shield Security comes with FREE and PRO versions.

Shield Security FREE features are:

• Identify bad bots vs all your other “good” traffic (humans + good bots) without using those annoying CAPTCHAs or “I’m a human” checkboxes.
• Lock down your WordPress security with another, WordPress-independent, authentication layer.
• Smarter, automatic IP blocking technology to stop malicious visitors once for good.
• Identifies malicious bots designed to target your WordPress login, either with legitimate usernames or fake or an empty usernames.

Some key ShieldSecurity PRO features are:

• Limit the requests allowed from any single visitor and block abusive bots and hosts.
• Restricted Security Admin Access.
• Tamper Protection for critical files
• Vulnerability scanner
• Hidden ‘wp-login.php’ page from brute force attacks and hacking attempts.

One feature that brings ShieldPRO to the forefront of site security is the ability to create and manage profiles based on the needs of your site. In most cases, you can create one Master Profile that will take care of any site in your portfolio, but on occasion, you may need to disable a specific feature that a client won’t need or a plugin may need to make the use of the standard wp-admin.php and this is where you can design a profile for this specific instance.

In Wibble, as part of the managed WordPress Wibble Support Package, we have created and maintain our own Master security profile that gets applied to all WordPress sites that we look after. The Wibble Support Package is a major part of our overall web design offering and one that we spend countless hours perfecting. With the master profile in place, we can push out a security upgrade to all of our sites in a few seconds. This is key in staying ahead of vulnerabilities and avoiding security issues.

How we do this

There are two ways to manage your profiles. You can manage this centrally through iControlWP, this allows you better control over multiple sites at once, or you can manage it within the site’s admin panel.

When you have signed up and created your account, you will be able to log in via https://app.icontrolwp.com/. Once in, you navigate to “Shield central > Manage Profiles > Create From Scratch”. This allows you to create an overall profile that you can manage in one place and push changes out to multiple sites.

How you build your profile from here will be based on your site needs. Some of the key areas of interest will be:

1. Hack Guard
   • File Guard
   • Vulnerability Scanner
   • Realtime Change Detection
   • Scan Options
2. Security Admin > Security Admin Restriction Zones
   • Restrict Access To Key WordPress Posts And Pages Actions
   • Restrict Access To Create/Delete/Modify Other Admin Users
   • Restrict Access To Key WordPress Plugin Actions (Select all)
   • Restrict Access To WordPress Theme Actions Select activate only)
3. Login Guard > Brute Force Login Guard
   • AntiBot
   • Protection Locations (select all)
   • Login Cooldown Interval (We use 6 attempts but this can be less if you prefer)
   • AntiBot Forms (Enter The IDs Of The 3rd Party Login Forms For Use With AntiBot JS)
4. Login Guard > Hide WP Login Page
   • Rename The WordPress Login Page (This will hide the wp-admin.php and replace it with a term of your choice ie: openseseme)
5. Block Bad IPs/Visitors > Automatic IP Black List
   • Offense Limit (This would be a more generous limit than Login Cooldown as this will result in an IP ban)
   • Auto Block Expiration (This sets an expiration for the auto block that can be set to minute, hour, day, week, or month)
   • User Auto Unblock (Select both here as this means that a real person can unblock their IP)

There are a large number of other notable features and they are explained at each selection point to let you make an informed decision on the necessity of a feature. Only have one site so far? Don’t worry, this could be your basis for any future sites you may acquire or you can head on over to…

Your Site Admin Panel

This is option 2 of your profile management. Once your plugin is installed, you can select Shield Security on the left and you will be greeted with the dashboard. This will be your overview of features and recommendations:

On the left side, you will see your “Config” and here you can manage this sites profile in the same way you can in the iControl site. One positive of managing this here is, the information available for each profile feature. There are two available links and these are a link to their blog and an info link that opens an info box within the site with all the information you need about that specific area:

What’s the cost

At the time of writing, the costs were broken down to below.

To Conclude

Site security is something we take seriously, I have tried a number of different security plugins for WordPress and none have delivered in the same way Shield has.

Why should you add Shield to your WordPress site? If you do not have a team of web design experts looking after your site like Wibble, you need: Bot protection, hack guards, vulnerability scanners ensuring your plugins are up to date and secure, custom login links… the list is long. Other pros are a great library of information, a great onsite traffic light system for highlighting issues, a great support team, regular updates and keeping notifications to serious matters. No one likes a plugin that cries wolf.