Introduction to the Login Guard module
Shield Security plugin offers extremely effective protection against WordPress login attacks, and provides tried and tested methods for verifying the identity of users active on the system.
It is composed of several parts (modules). The Login Guard is one of its modules. This module is accessible from the main menu => Configuration section:
The Login Guard module is quite large and is comprised of several components (features).
Login Guard features explanations
Login Guard features are designed to protect the WordPress login and authentication system against brute force login attacks. They also provide a user identification system in the form of t wo-factor authentication.
Brute Force Login Protection
Designed for login protection. It blocks brute force hacking attacks against your login and registration pages.
The options available are as follows:
- Antibot Detection Engine
You can use AntiBot Detection Engine to detect Bots.
AntiBot Detection Engine is ShieldPRO's exclusive bot-detection technology that removes the needs for CAPTCHA and other challenges.This feature is designed to replace the CAPTCHA and Bot Protection options.
Important - Switching on this feature will disable the CAPTCHA and Bot Protection settings.
- Protection Locations
You can choose the forms for which bot protection measures will be deployed
- Login Cooldown Period
Limits login attempts to every X seconds. WordPress will process only 1 account access attempt per number of seconds specified.
- Bot (GASP) Protection
Adds Google reCAPTCHA or hCAPTCHA to the login screen. You can: use CAPTCHA on the user account forms such as login, register, etc.
Note: You'll need to setup your CAPTCHA API Keys in 'General' settings first.
Use of any theme other than "Light Theme", requires a Pro license.
- Antibot Forms
Provide DOM selectors to attach AntiBot protection to any form.
- 3rd-Party Support
This option helps you to add support for 3rd-party login, register, and password reset forms such as Woocommerce, BuddyPress and Easy Digital Downloads. The 3rd-Party Support feature is enabled by default on Pro sites.
Email Two-Factor Authentication
The options available for this are as follows:
- Enable Email Authentication
When enabled, this option will require all users to verify their login by email-based two-factor authentication. Learn more about Two-Factor Authentication by Email here.
- Enforce - Email Authentication
Select user roles you want to be subject to Email Authentication.
- Allow Any User
Any user can turn on two-factor authentication by email from their profile. This feature is enabled by default on Pro sites.
Google Authenticator Two-factor Authentication
Allows users to use Google Authenticator. Learn more about Google Authenticator here.
Hardware 2-Factor Authentication
Allows users to register U2F devices to complete their login.
Currently only U2F keys are supported. Learn more about Hardware 2-Factor Authentication here.
Yubikey Two-factor Authentication
Verifies the identity of the users who log in to your site - i.e. they are who they say they are. Learn more about Yubikey
Its options are:
- Enable Yubikey Authentication
When combined with your Yubikey API Key details (below) it will form the basis of your Yubikey Authentication.
- Yubikey App ID
When combined with your Yubikey API Key (option 3) it will form the basis of your Yubikey Authentication.
- Yubikey API Key
When combined with your Yubikey App ID (option 2) it will form the basis of your Yubikey Authentication.
Important: Review the info link on how to get your own Yubikey App ID and API Key.
Read more about Yubikey Authentication here.
Verifies the identity of users who login to your site - i.e. they are who they say they are.
The options available are as follows:
- Enable Multi-Factor Authentication
When this option is enabled, all multi-factor authentication methods will be applied to a user login.
A user can by-pass Multi-Factor Authentication (MFA) for the set number of days.
Important: Multi-Factor By-Pass option is available with ShieldPRO only.
Read more about Multi-Factor Authentication here.
- Allow Backup Codes
Allow users to generate a backup code that can be used to login if MFA factors are unavailable.
Hide Login Page
Hides your wp-login.php page from brute force attacks and hacking attempts - if your login page cannot be found, no-one can login.
This feature helps you to customize the messages displayed to the user. Find out what custom user messages are available here.
The options are:
- GASP Checkbox Text
You can change the text displayed to the user beside the checkbox.
- GASP Alert Text
You can change the text displayed to the user in the alert message if they don't check the box.
Important: These options are available with ShieldPRO only.
To find out what the extra features for ShieldPRO are, please follow this link here.
To learn more how Login Guard module works, and what options you should enable, read our blog article here.
We also recommend you to read: