ShieldPRO 15.0 Upgrade Guide

ShieldPRO 15.0 for WordPress is a major release. 
We've taken steps to improve the Shield Security Dashboard navigation menu and the Overview section UI making it much easier to secure your WordPress site by quickly identifying areas of improvement. Also, the original WordPress Admin Dashboard widget was pretty basic, so we've completely revamped it with some of your latest site activity. 
This guide outlines what have been added/removed, changed, or improved and what fixes we've made.

Firstly, we're going to explain what major changes are made and which options you'd need to review.

New Added Features

For 15.0 release we added

  • Block Username Fishing option

This feature is now a Bot Signal which is recorded in the Activity Log and triggers offenses. 

You can use this option to block the ability to discover WordPress usernames based on author IDs. When enabled, any URL requests containing "author=" will be killed.

This option is accessible from within WP Lockdown module > Obscurity:

The new Security Rules Engine is the new foundation of how Shield will handle security for nearly all WordPress requests. It's accessible from within the main navigation menu > Tools section.

This article outlines what brought this about, what the Rules Engine is and does, and how it will inform future development and our approach to WordPress Security.

Changes

Change 1: All-New Security Overview page

We’ve broken up the plugin into 7 key areas and gathered configuration options and conditions of the site under each one. We give each component a weighted score and calculate an overall percentage. 

You can see your score within each area and click “Analysis” to get a clear breakdown of what constitutes that score.

Example, Site Scanning area:

Important: In the major 15.0.8 release, we adjusted how the security progress meters are displayed and switch to grades instead of percentages.

Change 2: All-New Dashboard Widget

Similar to the Security Overview we offer some visibility to the workings of the Shield plugin right on the WordPress Dashboard, using the built-in widget area.
Currently it shows your
  • security overview progress
  • recently blocked IPs
  • recent offending IPs
  • recent user sessions
  • jump links to key plugin areas

Change 3: New Template-Based Block Pages

When triggering the Shield defenses, Shield now provides a much more visitor-friendly block page that outlines exactly what’s happened. It’ll provide details of why the block occurred and what the visitor can do about it. Please see below examples of the new blocking pages.

General IP Blocking Page (non-logged in users)

General IP Blocking Page (logged in users)

Firewall Blocking Page

Username Fishing Blocking Page

Change 4: Audit Trail (now renamed to Activity Log), Traffic Log and User Sessions: Direct access to the IP analysis

In the previous plugin release, when you click an IP address from within Audit Trail or Traffic Log, you were directed to the IP Analysis page in a separate tab.

Now, you can analyse IP directly from within Audit Trail (Activity Log), Traffic Log and User Sessions sections. Please see below examples for e.g. Activity Log and Traffic Log.

From Within Audit Trail (Activity Log)

From Within Traffic Log

Change 5: Option Removed: Legacy Comment SPAM Detection

We've completely removed the older, less reliable comment spam detection using Javascript and CAPTCHAs. Please use the newer AntiBot Detection Engine

Change 6: Option Removed: Auto-Filter Scan Results
Shield will now filter unnecessary scan results automatically.

This option can now be adjusted using a WP filter. 
Change 7: Deprecated: Options For CAPTCHA and GASP Bot Checking On WordPress Login Forms
The options to use CAPTCHA and/or GASP Bot Checking for WordPress Login SPAM has been deprecated. These options are replaced with the AntiBot Detection Engine and will be completely removed in a future release. 

Change 8: Audit Trail Renamed to Activity Log

Improvements

For 15.0 release we've made the following improvements

  • Improved Plugin Navigation
    This release brings further enhancements in this area - the new dynamic page loading and smoother navigation.

  • Improved Visitor IP Source Detection
    We’ve built a Javascript utility which will determine your best visitor IP source. This should, hopefully, solve this problem of everyone going forward, even if your host is badly configured (there are many such hosts!).

  • Massive Performance Optimisations
    As part of our new approach to security with the Security Rules Engine, we’ve taken the opportunity to rip out legacy code and optimise many other areas. We’ve eliminated unnecessary MySQL queries and redesigned core components to be more efficient with how they store data.

  • New Filters: Adjust scanner notices about plugin/theme update/active status
    You can now use filters to adjust whether Shield warns about inactive plugins/themes or those with updates. 

  • A New WP Filter To Add Custom Shield Template Directory
    If you're looking to adjust some of our page templates, such as the block pages, you can now provide custom templates more easily using the new filter. 

  • Option Removed: XML-RPC bypass option, under the General settings:


    This option can now be adjusted using a WP filter. 

  • Adjusted how the security progress meters are displayed and switch to grades instead of percentages.

  • Make automatic Visitor IP Source detection quieter and run more often.

Fixes

For 15.0 release, we've made the following fixes

  • 15.0 release
    • Broken password reset links in some cases when using hidden login page
    • Help ensure forward compatibility for sites with newer TWIG libraries also installed
    • Fix for some scan results browsing errors
  • 15.0.4 release
    • File scanner alerting to Shield's own file (rules.json) on every scan.
    • Tracking Login Block events for statistical purposes wasn't always happening.
  • 15.0.5 release
    • Prevent a warning being displayed during WP login.
    • Prevent a reported fatal error.
  • 15.0.6 release
    • Fix for reCAPTCHA on login forms not properly rendering.
  • 15.0.8 release
    • Work around a horrendous Godaddy server 'protection' that was blocking access to the site entirely.
    • Prevent an error when handling user meta data.
    • Ensure Whitelabel logo is correctly displayed on dashboard widget.
  • 15.0.9 release
    • More accurate detection of crawlers such as Facebook that interchange IPv6 and IPv4 in their primary IP resolving.
  • 15.0.12 release
    • Prevent error that occurs when rendering the Firewall Block page in some cases.
    • Prevent error that can occur when assessing whether plugin version is very old.
  • 15.0.13 release
    • An sporadic error relating to Shield's User Meta.

For more information on Shield 15.0 release, read this blog article here.