Introduction to the Login Protection Zone

The Shield Security plugin offers extremely effective protection against WordPress login attacks, and provides tried-and-tested methods for verifying the identity of users active on the system.

The Login Protection Zone is quite large and is made up of several components.

It's accessible from within the main navigation menu > Security Zones > Login.

Login Protection options explained

The Login Protection Zone provides protection for user logins alongside session hijacking prevention.

Brute Force Login Protection

Designed for login protection. It blocks brute force hacking attacks against your login, lost password, and registration pages. 

The options available are as follows: 

Use Shield's built-in silentCAPTCHA system to identify malicious bots and block all requests to your WordPress login.

silentCAPTCHA is ShieldPRO's exclusive bot-detection technology that removes the need for CAPTCHA and other challenges.

Limits login attempts to one every X seconds. WordPress will process only 1 account access attempt per the number of seconds specified.

You can choose the forms for which bot protection measures will be deployed.

This option helps you to add support for 3rd-party login, register, and password reset forms such as WooCommerce, BuddyPress and Easy Digital Downloads. The 3rd-Party Support feature is enabled by default on Pro sites.

The full list of the integrated 3rd-party forms can be found under the Integrations section.

Allows you to better control user sessions on your WordPress site, expire idle sessions, and prevent account sharing.
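
The cooldown described above, modelled as an added example (not Shield's own code). It assumes the limit is site-wide, as the description reads, with X = 10 seconds and constructed traffic; the class and method names are hypothetical. It shows that a legitimate user's attempt is also rejected when it falls inside the window opened by someone else's attempt.

```php
<?php
// Added illustration (PHP 8.0+), not Shield's code. Models a site-wide login
// cooldown: at most one attempt is processed per $intervalSeconds, whoever sends it.
final class LoginCooldown
{
    private ?float $lastProcessed = null; // time of the last processed attempt

    public function __construct(private float $intervalSeconds) {}

    /** Returns true if the attempt may be processed, false if inside the cooldown. */
    public function allow(float $now): bool
    {
        if ($this->lastProcessed !== null
            && ($now - $this->lastProcessed) < $this->intervalSeconds) {
            return false; // rejected: the attempt is not processed at all
        }
        $this->lastProcessed = $now;
        return true;
    }

    /** Seconds a client must still wait at time $now (0.0 when the window is open). */
    public function retryAfter(float $now): float
    {
        if ($this->lastProcessed === null) {
            return 0.0;
        }
        return max(0.0, $this->intervalSeconds - ($now - $this->lastProcessed));
    }
}

// Constructed sample traffic: [seconds since start, source address, username].
$attempts = [
    [0.0,  '203.0.113.7',  'admin'],   // automated guess
    [0.4,  '203.0.113.7',  'admin'],   // automated guess, inside the window
    [2.0,  '198.51.100.9', 'editor'],  // legitimate user, inside the window
    [10.5, '203.0.113.7',  'admin'],   // automated guess, window elapsed
    [11.0, '198.51.100.9', 'editor'],  // legitimate retry, blocked by the guess above
    [21.0, '198.51.100.9', 'editor'],  // legitimate retry, processed
];

$cooldown = new LoginCooldown(10.0); // assumed setting: X = 10 seconds
foreach ($attempts as [$t, $ip, $user]) {
    if ($cooldown->allow($t)) {
        printf("t=%5.1fs %-13s %-7s processed\n", $t, $ip, $user);
    } else {
        printf("t=%5.1fs %-13s %-7s rejected, retry in %.1fs\n",
            $t, $ip, $user, $cooldown->retryAfter($t));
    }
}
```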

Two-Factor Authentication (2FA) General Configuration

The options available are as follows:

  • 2FA Verification Page - Choose the type of page provided to users for MFA verification.
  • 2FA Config For Users - Specify pages available to users to configure 2FA on their account.
  • Two-Factor By-Pass

A user can by-pass Two-Factor Authentication (2FA) for the set number of days.

Important: The Two-Factor By-Pass option is available with ShieldPRO only.

Allow users to generate a backup code that can be used to log in if 2FA factors are unavailable.

Email Two-Factor Authentication (2FA)

The options available are as follows:

  • Enable Email Authentication

When enabled, this option will require all users to verify their login by email-based two-factor authentication. Learn more about Two-Factor Authentication by Email here.

When active, 2FA emails will contain a link that will automatically log the user in without the need to enter 2FA codes.

Select the user roles you want to be subject to Email Authentication.

Any user can turn on two-factor authentication by email from their profile. This feature is enabled by default on Pro sites.

2FA One-Time Passwords (OTP)

Allows users to use Google Authenticator for their login.

Verifies the identity of the users who log in to your site - i.e. they are who they say they are. Learn more about Yubikey.

Important: Review the info link on how to get your own Yubikey App ID and API Key.

Read more about Yubikey Authentication here.

2FA with Passkeys (WebAuthn)

You can add unlimited Passkeys to your WordPress accounts to use as 2nd factors during WordPress login.

Passkey authentication provides a secure and passwordless way to access your WordPress site. It replaces traditional username and password logins with digital credentials, making login more secure and more convenient.

Users can register Passkeys & FIDO2-compatible devices to complete their WordPress login.

Read more about 2FA with Passkeys here.

Hide Login Page

Hides your wp-login.php page from brute force attacks and hacking attempts - if your login page cannot be found, no one can log in.

Read more about Hide WP Login Page and how to use this feature.

You can also automatically redirect requests to your newly created location for the hidden pages by using the "WP Login & Admin Redirect" option.

To learn more about Login Protection Zone, read our blog article here.
