What is the "Prevent Remote Login" option?

NOTE: This option has been removed as of version 5.3.3

Preventing Remote Login option allows you to try and prevent remote (bot) login attempts to your site.

Note: This option/feature is no longer applicable to the latest version of the Shield Security plugin and is here for reference purposes only.

The term "remote" here can be a little confusing so I'll try to explain.  Think of "remote", as any location other than your website.

WordPress Login typically runs through the wp-login.php page.  That means, a user will browse to that page on your site, fill in the form, and click to login.

When you click login, your browser will send information to say "you are trying to login from the page 'wp-login.php'".  We can try and detect this source page.  Depending on your web server, this may or may not be possible.

Automatic bots do not usually send that information!

However, we can detect (in many cases!) where that request came from... did it come from your site?, or did it come from a remote location such as say a bot program posting login details to your wp-login.php form from on another server?

Any one can HTTP POST remote login details to your wp-login.php page... they don't have to be a human sitting on your website within a web browser.

NOTE: If after enabling this option you cannot log in, it means likely that your server isn't properly populating the HTTP_REFERER variable... you need to disable the plugin and turn off this option.  You might want to contact your web host and tell them of this problem and direct them here.