ShieldPRO 13.0 Upgrade Guide

The ShieldPRO 13.0 release brings major improvements to Shield’s scanning architecture, making the Shield scans better than ever before.
Important: Because we've made significant changes to scans, once you upgrade to v13.0, please re-run your scans manually so that your previous scan results are reflected.

As with each major release, there are always improvements made in the background to enhance performance and fix bugs and inconsistencies.

This guide outlines what has been added, removed, changed, or improved, and what fixes we've made.
First, we'll explain the major changes and which options you need to review.

Change 1: Scans - A Single Filesystem Scanner Created

We’ve created a single filesystem scanner, which is a combination of the 4 scanners:
  • WordPress Core File Scan
  • Unrecognised Core File Scan
  • Plugin/Theme Guard Scan
  • Malware Scan
It’s now simply called the “WordPress File Scan” and when this runs, it’ll run all the available scanners together in a single pass, including any extras we add further down the line.
The scanner also tightly integrates with our ShieldNET Hashes API, meaning results are far more accurate, especially for premium plugins and themes.

Scanning Simplification

We’ve changed the file scanning configuration options significantly, removing several options altogether and replacing them with a single, unified option to enable or disable automatic file scanning.
We’ve also removed the old option to automatically ignore certain unrecognised files. This option has been replaced with the newer “Scan Exclusions” option that is more versatile. You may need to update this to reflect any changes you’ve made in the past.
These are the detailed scan changes:
  • File Scans and Malware section

    - WordPress Core Files setting is removed
    - Malware setting is removed
    - Plugin & Themes setting is removed

Old settings


The old settings are now under the Automatic WordPress File Scanner setting.

  • Unrecognised Files section

    - This section is removed entirely.

    - Unrecognised Files Scanner setting is under the File Scans and Malware section > Automatic WordPress File Scanner.

    - Scan Uploads and File Exclusions options are removed from the plugin entirely. 

Old settings

  • Scan Options section

    - Auto Filter Results and Scan Exclusions options are removed from this section. They are now under the File Scans and Malware section.

Old settings

New settings

More Scanning Improvements

Here are some of the specifics of the improvements we’ve added.
  • File Diffs To See What’s Changed
Wherever possible, Shield can now display a fully detailed file diff to show you exactly what’s changed throughout the file.

  • File History To See How Results Have Been Managed Over Time
You’ll now be able to view a history of a particular file result, and see how it has changed or been repaired over time.

For more information on this, please watch the video in the 13.0 release blog post here.

Change 2: Scans - Run Scan Page Changed

Since we’ve created a single filesystem scanner, which is a combination of the 4 scanners (please see change #1 above), this is reflected on the Run Scan page too.
Old Run Scan page

New Run Scan page 

Change 3: Scans - Remove Notification Suppression option

We removed this option from the Run Scans page entirely.
Old page (option available)

New page (option unavailable)

Change 4: Scans - Vulnerable Plugins New Look & Info

Previously, vulnerable plugins were highlighted on the plugins listing page in the WordPress admin with all of their vulnerabilities listed.

We decided to make this look much better by adding a "More Info" link instead. When you click on it, you'll be directed to a separate vulnerabilities details page.

Old look

New look

Vulnerabilities details page (example)

Other Scanning Improvements

  • Performance

    We’ve completely scrapped the older data model and built brand new database tables to hold all the data required. The new database tables are far more flexible and by scrapping the 4 separate file scanners, we can more efficiently store results data without duplication.

    We’ve also adjusted our SQL queries so they’re more granular and fewer queries are required overall.
  • Background Processing With WP-CLI

    With our enhancements to the ShieldPRO scanning system, we can now more easily integrate with WP-CLI. In fact, you can now trigger new, on-demand scans directly from WP-CLI itself.

    Also, if you’ve disabled your built-in WP Cron and prefer to run it using WP-CLI, Shield will detect this and take advantage of it in order to run the scans in a single go without chunking.

Other plugin changes & improvements

Apart from all of the above, we've also made the following plugin improvements:

  • 13.0 release
    • WP-CLI Traffic Log Capture
      If you use WP-CLI to control and manage your WordPress, you may want to be able to see what the full WP-CLI request was in the audit trail. This is similar to seeing what the web request was. This is now available in ShieldPRO 13.0.
    • The IP Analyse tool is now more performant, making the IP Select/Search tool 100% dynamic.
  • 13.0.5 release
    • The option to provide custom roles for Email 2FA enforcement is now free-form.
    • Multi-factor authentication settings are available even when your IP is on the bypass lists.
    • ShieldPRO license lookups when using separate domains for multilingual site versions.
    • FluentForms integration wasn't always loading and so SPAM submissions could still come through.
    • NotBot JavaScript is improved to better handle server timeouts and work around Page Caching limitations.
  • 13.0.6 release
    • Improved handling of ClassicPress versions and file scanning for migrated WP sites.

We've also made the following changes for the 13.0.6 release:

  • Anonymous REST API block

It's now possible to add custom exclusions to the anonymous REST API block. This setting can be found under the WP Lockdown module.

  • Inactive themes in scan results

Official WP.org themes that are inactive no longer display a warning in scan results tables.

Fixes

We've made the following fixes:

  • 13.0 release
    • Fixes for Yubikey registration
      We’ve also added some Yubikey OTP verification when adding a Yubikey device.
    • Fixes for IP Address Management
      A bug was discovered where unused IP addresses weren’t being properly removed from the database during cleanup.
  • 13.0.1 release
    • Reduce scan chunk size to improve MySQL query memory usage.
    • Automatic selection of IP addresses in IP Analyse tool after switching to AJAX source.
  • 13.0.3 release
    • Ensure database states are handled correctly.
    • MySQL requirements are checked more flexibly.
    • Add a class to Google Authenticator QR image.
  • 13.0.4 release
    • Error with MainWP loading in certain cases.
  • 13.0.5 release
    • Prevent some fatal errors when integrating with 3rd parties and their data isn't as expected.
  • 13.0.6 release
    • [Minor Security Vulnerability] An authenticated (administrator+) Persistent XSS.

For more information about the 13.0 release, read the blog article here.