The most common questions submitted by the Shield's users

In this helpdesk article, we are going to answer some of the most common questions asked by Shield's users.

I'm not getting my 2FA code by email. Shield is broken!

Shield is not broken. Email sending for your domain name on your WP site is broken. If you're relying on emails sent from your WordPress websites, then please read the article here.

Shield uses exactly the same email system as every other email sent on your website. But the difference is you're relying on this email to login. If you don't get it, or it's delayed, you're in diffs.

Please read the article here to understand and fix the problem.

2FA: The following message displays: "One Time Password (OTP) was not valid. Please try again."

If you see this message when you try to login but there are no errors being output to the error_log files, then it's possible that the server was off for a while.  Please see here.

To learn how the Login Authentication Portal works, read the article here.

Audit Trail Viewer displays that “unidentified” user publishing and updating posts

These could be custom post types from another plugin.

If you’re finding nefarious links, you need to dig into your site and web hosting to find out what’s possibly in there doing this.

If you want to know how Audit Trail viewer works, read the article here.

Does plugin currently detect and ban cryptocurrency miners such as Coinhive?

To detect JS miners (possible malware) on a site you manage, use Shield's Hack Guard module. It runs a couple of scans that help to detect corruption or unwelcome files.

Please see here.

Does "Block Username Fishing" block all type of site visitors?

Block Username Fishing option is a part of the Lockdown module. It only blocks the URL for non-logged-in visitors. If you are logged in, the URL will work as normal.

I have selected X_Real_IP as my IP source but it reverts back to the REMOTE_ADDR

Please see here.

WooCommerce customers are unable to reset passwords

This is because WooCommerce uses their own code for these functions. We've released a Pro version of Shield that better accommodates 3rd party plugins like WooCommerce. Read more about this here.

Will one white listed IP be excluded from all security features in Shield?

Yes. For white listed IP addresses, it’s as if the whole plugin is switched off.

I have more than 1 WordPress site on the same domain, do I need to install Shield on each individual site?

If you’re running more than 1 WordPress site within the same folder, then yes, you will need to install Shield on each individual site.

My site is being 'attacked' from overseas. Do I need a country blocker?

If you have the IP Manager system enabled, it has an automatic black list system built into it which will handle bad IP addresses.

Generally, IP blocking and Geolocation blocking doesn't really help with these sorts of problems. We've written about this a bit here:

Another layer of security you may want to consider, and it's completely free, is

Do transients slow down my site?

Is it a normal behavior to have several transients from the Shield plugin, and do they slow the site down? 

Transients are completely fine and expected, and they do not slow the site down.

Is Shield interfering with 301 redirects and the .htaccess?

There are two things we would like to point out about Shield:

  1. Shield does not use or modify the .htaccess in any way. We don’t write to any core .htaccess files.
    Instead, Shield examines the data in the requests and then allows or blocks WordPress from loading depending on the rules you have chosen.
  2. Shield does not setup any sort of redirects

If you can't get a 301 .htaccess redirect to work, you can demonstrate that Shield isn't causing the redirects if you temporarily disable it. 

Important Note: As 301 redirects are normally cached by the browser, and also by caching plugins on the site, we suggest you to ensure you're factoring all of these when debugging. While you may have disabled or removed any item causing 301 redirects on your site, your browser may still be performing the redirect.

Security Dashboard: Shield indicates parent-child theme as a security threat

Security Dashboard is designed to be 1st place any site administrator will go to, in order to learn of any issues that they need to take care of.

It provides a real-time, in-depth analysis of your WordPress site to proactively identify threats to security and stability.

If Overview section displays parent-child themes as inactive and that they should be removed, please understand that:

We have code in there to account for parent-child themes and you shouldn't be seeing that. Your themes weren't setup as you thought.

We suggest you to double-check on this, and ask your site dev to make sure your parent-child theme setup is as you expect.

Note: If the parent-child theme is setup correctly, but it's a multisite setup, then there's likely nuances with multisite that affecting this. This feature isn't tested with this...

Should I allow or disallow /wp-admin/admin-ajax.php in a WordPress robot.txt file?

Shield doesn't concern itself with robots.txt as this isn't a thing that pertains to security.

Unless you have a good reason to do so, you should probably leave robots.txt allowed.

Shield admin is out of order

If you notice that Shield is out of order, e.g. Security Admin...

... in all likelihood there’s another plugin installed on your site that’s being quite aggressive in enqueuing its own CSS styles all over the WP admin.

Best way to find it is disable each plugin (or theme), 1 at a time, and reload the Shield admin. When it loads normally, you’ve found the problem plugin.

Feel free to share that with us when you find it and we can take a look… best thing though is to reach out to the problem plugin and ask them to be much more selective about which WP admin pages they’re enqueuing their CSS styles, since they don’t need to force it on every admin page.

Plugin is not showing in the WordPress dashboard

When you log into your WordPress site, you could come across the problem that plugin is not showing in the WordPress dashboard. Additionally, you notice that:

  • Shield is inactive
  • Shield is not showing in your list of installed plugins, active or inactive
  • when you try to re-install it says the folder already exists

The reason for this could be that WordPress corrupted the plugin perhaps during an update, or your disk file system corrupted and it's broken it.  

So, what you'll need to do is delete the plugin folder from your web hosting space (using FTP) and reinstall it. The settings will be saved already in your database, so that won't be a problem for you.

The folder you'll be looking for is /wp-content/plugins/wp-simple-firewall/

I have SSL but some browsers on my Android device say that my site is insecure

If you have SSL but some browsers on your Android device say that your site is insecure, you should know that this is not caused by Shield. 

Basically, 1 of your plugins and themes is not including images/JS/CSS using a secure URL.  To find the culprit, test all plugins by disabling a plugin 1 at a time (or switch theme) until the problem disappears. Then you'll know you've found the plugin(s) causing it.