ShieldPRO 9.0 Upgrade Guide

ShieldPRO 9.0 for WordPress comes packed with new security features, including the option to protect your wp-config.php, better reporting, hCaptcha, and more.

This guide outlines what have been added/removed, changed, or improved and what fixes we've made.

Firstly, we're going to explain what major changes are made and which options you'd need to review.

Change 1: General module

We added support for hCaptcha in-place of Google Recaptcha. Check if Recaptcha is selected and if your site/secret keys are correct:

Change 2: Hack Guard module

This is completely redesigned. These are the main changes we made.

  • Core File scanner settings are now under the File Scans and Malware tab, including 'Auto Repair Core' option.
  • Malware scanner settings is now under the File Scans and Malware tab, including 'Auto Repair WP Core' and 'Auto Repair Plugins'.
    • Ignore False Positives Threshold setting is removed. This is turned on automatically and working in a background.
  • Plugins and Themes Guard scanner settings is now under the File Scans and Malware tab. 
    • Auto Repair Plugins and Themes options added under the File Scans and Malware tab.
    • Show 'Re-Install Links' option is moved to Scan Options tab
    • Included File Types option is removed.
  • Abandoned Plugins scanner settings is now under the Vulnerabilities tab.
  • Vulnerabilities scanner settings is still under the Vulnerabilities tab.
    • Highlight Plugins setting is removed from the Vulnerabilities scan tab. They are highlighted automatically now.
  • Unrecognised Files scanner settings are still under the Unrecognised Files scan tab. There are no changes whatsoever.                     
  • Scan Options tab changes
    • Repeat Notifications option is removed.
    • Email Files List option is removed
  • Scan Indicator for all scans is removed. Screenshot, previous old v8.7:

Hack Guard: What should you check?

Once you upgrade to 9.0, you'll need to go to the Hack Guard module and check the all scans settings. Ensure that the new settings reflect the old (8.7) settings. Or, you can make changes with your current settings, if you want.

Next, go to the Reporting module and set 'Alert' frequency. This is a very important step, because here, you'll decide how frequent you want to receive email alerts related to the Hack Guard scans. Example settings:

Read more about Alert frequency here.

Note: It's also worth of mentioning that the Scans section is redesigned little bit. These are the changes:

  • File Scan Results tab is renamed to File Scan.
  • File Locker tab is added. It shows scan results of the files scanned with File Locker. You can check these settings under the Hack Guard module => File Locker. Example, scan results for these particular files:

New Added Features

For 9.0 release we added

  • [PRO feature] Critical File Locker to protect wp-config.php files.
    This feature can be found under the Hack Guard module:

[PRO feature] 
Selective Sync – Support for excluding individual options from import and export.

  • You can easily exclude individual options from import/export altogether by simply marking an option as “not included”. For example, exclude Google Recaptcha & keys:

Support for hCaptcha in-place of Google reCAPTCHA.

  • This can be found under the General settings of the Shield plugin:

Reporting Module – streamline notifications and alerts and provide regular statistics updates:

Integrated Help desk widget
for searching documentation:

Debug page
to show summary and important information for debugging.

  • If you go to General Settings => Disable Shield you'll see a link - Launch Debug Info Page:

Removed Options

For 9.0 release we removed the following options

  • Mask WordPress Version (under the Lockdown module => WordPress Obscurity)
  • Auto Update Translations (under the Automatic Updates module => WordPress Components)
  • Repeat Notifications (Hack Guard module => Scan Options)
  • Email Files List (Hack Guard module => Scan Options)
  • Ignore False Positives Threshold (Hack Guard => Malware Scanner).
    This is turned on automatically and working in a background.
  • Scan Indicator (Hack Guard => scans)
  • Included File Types (Hack Guard => Plugins/Themes Guard)
  • Highlight Plugins (Hack Guard => Vulnerabilities scan)
    They are highlighted automatically now.
  • Comments Cooldown and Token Expire (Comments SPAM => Bot Spam).
    These options are turned on automatically now.
    Token- the expiry timeout is set to 30 minutes by default.
  • Find Plugin Option (Security Dashboard => search box)


We've made the following improvements:

  • v9.0 release
    • Hourly and Daily crons set to specific run times.
    • Automatic file repair for WordPress, plugins, and themes is much more reliable.
    • Major refactoring and improvements to Bot protection on login, register and lost password forms.
    • Simplification of many options and plugin configuration.
    • Where an IP address gets repeatedly blocked – consolidates Audit Trail entries over a 24hr period.
    • Tweaks and changes to UI.
  • Updated 9.0.2 release
    • Plugin/Theme Guard only scans certain types of files based on their extension. I.e. ignoring readme.txt, for example.
    • Some minor improvements to encoding special characters in the email subject/from name.
    • API token update is more reliable.
  • Updated 9.0.3 release
    • Scanning for SPAM email registrations is improved with more signals.
    • Better recovery from errors during certain scans.
    • WPHashes Token Retrieval.


We've made the following fixes

  • v9.0 release
    • Minor issues with the MFA page.
    • Older Twig Library compatibility with PHP 7.4.
  • Updated v9.0.1 release
    • Javascript for Anti-Bot Login Protection not loading in all cases.
    • MemberPress Registration protection PHP error.
  • Updated v9.0.2 release
    • Applying a plugin update from within the Vulnerabilities scanner no longer disables that plugin.
  • Updated v9.0.3 release
    • Plugins were sometimes disabled when updates applied via Scan UI.
    • Audit Trail more correctly reflects “repair/delete” activity from the Unrecognised File Scanner.
    • Yubikeys weren’t always registered correctly.
    • Support MemberPress Password Reset that has an Auto-Login.
  • Updated v9.0.4 release
    • Timing error in some cases attempting to access database table when it hasn’t been created. 

For more information on Shield 9.0 release, read this blog article here.

Important: 9.0 is the final major Shield release to support PHP 5.x.

PHP 5.x is old, really very old. Maintaining a plugin the size and scope of ShieldPRO for many different PHP version is an extra load we no longer wish to carry.

Starting from ShieldPRO 10.0, we’ll no longer be support PHP 5.x, and will instead move to a minimum required version of PHP 7.0.