ShieldPRO 16.1.0 Upgrade Guide

ShieldPRO 16.1.0 for WordPress is a major release packed with changes and improvements, including UI enhancements, a new CrowdSec integration, the ability to permanently block IP addresses, and much more.

This guide outlines what has been added, removed, changed or improved, and what fixes we've made.

First, we explain the major changes and which options you should review.

Please note that the 16.1.14 release marks Shield 16.x as the final series supporting PHP 7.0 and 7.1. Shield 17 will require PHP 7.2. You can read more about this here.

New Added Features

For the 16.1.0 release we added:

  • CrowdSec Integration
With the CrowdSec integration, your WordPress sites have access to intelligence about malicious IP addresses before they've ever accessed your website. (This intelligence will already have been gathered for you by other websites.)
This aims to reduce the "window" available to malicious bots to zero: an IP that is already known to be malicious can be blocked on its very first request.
The settings can be found under the IP Blocking section:

There are two options available:

  1. CrowdSec IP Blocking - how Shield should handle requests from IP addresses found on CrowdSec's list of malicious IP addresses. Because the list is crowd-sourced, review the chosen blocking behaviour against your own traffic before relying on it fully.
  2. CrowdSec Enroll ID - link the site to your CrowdSec console by providing your Enroll ID.

  • Custom Event Logging
There is now an option to log custom events to Shield's Activity Log. Shield can't log every possible event for every plugin and scenario, so you can now add logging for the site events you need. This is an advanced option and requires professional software development experience to implement.

  • Logging: App Password Creation

Shield now records the creation of new Application Passwords in the Activity Log. Application Passwords grant REST API access to the account they're created for, so a creation you didn't expect is worth investigating.

  • Shield’s Super Search Box
This search box will look for almost anything you need and provide you with links directly to the item in question. 

Currently you can search for:
  • Specific configuration options
  • Tools such as Import/Export, Admin Notes, Debug
  • Logs such as Activity Logs and Traffic Logs
  • IP Rules
  • IP addresses – it’ll open a popup in-situ to review the data Shield holds on any particular IP
  • External links such as Shield’s homepage, Facebook page, helpdesk, CrowdSec etc.

The Super Search Box is accessible and visible from every page inside the plugin.

  • Shield Beta Access
Enabling the Shield Beta Access option gives you access to beta versions of the Shield Security plugin. Beta builds are pre-release software, so enable this on a staging site rather than in production.

  • All-New Guided Setup Wizard
For this release we revamped the guided setup wizard, helping newcomers get up to speed more quickly.

You can access the Guided Setup from the Super Search Box (search: “Wizard”), or from the Shield > Tools menu.

  • Whitelisted IP Notice
For whitelisted (bypass) IP addresses there are no restrictions whatsoever: none of Shield's settings apply to requests from that IP, including the hidden login URL. For that reason, whitelist only IP addresses you control and keep the list short.

We added a special notice for a user with a whitelisted IP:

Changes

Change 1: Improved UI

We’ve done some work to reduce full page reloads so that you can stay “where you are” while viewing the contents of another page.
In particular we’re referring to “Options/Configuration” pages. Links to such areas will now open in an overlay, letting you keep your current page active while you review and adjust settings.
Example

The IP analysis dialog also now opens in an overlay, for example:

Another UI enhancement is a new top title bar across every page of the plugin, so you can see more clearly where you are, along with important links to help and other resources.
Example

Change 2: Completely New IP Rules and Blocking Engine

This release, spurred on by our CrowdSec integration, sees the much-needed overhaul of our IP management system. It’s smarter and more versatile and altogether much faster.

We also made some UI enhancements on the Management & Analysis section:

  • "Manage IP" section is renamed to "IP Rules"
  • The IP block list and bypass list are merged into a single new table

  • The IP Analysis dialog is now separate and can be loaded for any IP directly from within IP Rules, the Activity Log and the Traffic Log. Example, loading from within IP Rules:

  • A "Reset" option is added to the IP analysis dialog

  • Manually adding an IP to the block or bypass list is merged into a single "Add New IP" option:

  • Manually or automatically blocked IPs can now be blocked permanently

    You can do this when manually adding an IP to the block list, or directly from within the IP analysis dialog. A permanent block never expires, so confirm the address really belongs to an attacker (and isn't a shared or dynamic IP) before applying one.

Change 3: Improved Build Custom Charts option

Shield events are now displayed as a list, making it much easier to select the events you want.



Improvements

For the 16.1.0 release we've made the following improvements:

  • Improved and Faster Scan Results Display

    We’ve redesigned how the scan results are built so it’s faster and lighter on your browser and on the server itself.

    Eliminated errors and slow processing when displaying scan results pages for large datasets. Shield now uses highly optimised queries to request only the records required to display the current table page.
  • Improved Human SPAM Detection
    We’ve added some enhancements on how Shield will detect repeated human spam comments.

    We also squashed a bug where Shield wasn’t properly honouring the “disallowed keywords” option built into WordPress itself.
  • A change to minimum supported WordPress version: 4.7
    Based on Shield telemetry data, we're pushing our minimum supported WordPress version up to 4.7. We'll continue to push this upwards as usage data suggests it makes sense to do so.

    Note: In the 16.1.4 patch release, we reverted the minimum WP version to 3.7 so that sites on older WordPress versions could receive the security fix.
  • Protection Against Unauthorised Deactivation
    The Security Admin feature that protects against unauthorised deactivation has been further strengthened: attempts now also register as offenses.
  • Shield Navigation Bar
    Shield offers a much better navbar on the dashboard with built-in search, helpdesk links and updates.

Improvements for 16.1.5 release
  • Improvements to MainWP Extension
    As part of our plans to enhance our MainWP extension we've made a number of fixes and tweaks.
  • Obscure Access To Local Plugin/Theme Hashes
    It was pointed out that the locally stored plugin/theme hash files were publicly accessible on some nginx servers, disclosing which plugins and themes were installed. (nginx ignores .htaccess files, so Apache-style access restrictions don't carry over to it.) Not a vulnerability in itself, but it hands an attacker useful reconnaissance, so access to these files is now obscured.
  • QR Codes Rendered Locally
    It was pointed out that sending data to Google's API to generate QR codes is undesirable: the 2FA setup QR code encodes the shared secret, so that secret was leaving the site. QR code images are now rendered locally in the browser using JavaScript.
  • Logged-In Users Won't Be Rate Limited
    If you're logged in to a site and you trigger the rate limiter, you won't be limited. Unauthenticated requests, such as REST API requests made without credentials, can still trigger it.

Improvements for 16.1.8 release

  • Optimise the checking and building of file hashes.

  • Improvements to requirements checking for the File Locker feature.

  • Update Swedish translations file.

Improvements for 16.1.13 release

  • Attempt to eliminate CrowdSec API issues.
  • Attempt to mitigate import/export errors for certain configurations.
  • Accessibility of user 2FA setup form has been improved for screen readers.
  • Improved the data used to construct the QR codes for Google Authenticator setup.

Improvements for 16.1.14 release

  • Performance improved when loading the WordPress Users page for sites with large user counts.

Removed Options

For the 16.1.0 release we removed the following options:

  • Auto Block Expiration (under Config > IP Blocking): the "1 minute" option is removed.
  • Leading Schema Firewall Rule
    This rule flagged too many false positives for members.
  • The option to download IP lists, activity logs and traffic logs is removed.

Fixes

For the 16.1.0 release we've made various fixes:

  • Mitigated a fatal error caused by the latest wpForo plugin passing NULL to locale filters.
  • Fixed a bug when specifying a particular list while adding/removing an IP address using WP-CLI.
  • Shield no longer attempts to solve the issue of invalid 'from' email addresses on a WordPress site.

Fixes for 16.1.2 release

  • Fixed a bug where scans could not be started.
  • Fixed a DB creation error on initialisation of a new website.
  • Fixed an error on the Overview page when analysing the firewall grade after the removal of Leading Schemas.

Fixes for 16.1.4 release

  • Security fix for a reported 2FA vulnerability. More info will be released after allowing time for client upgrades.

    Note: a site is only exposed to this particular issue IF it also has an SQL injection vulnerability in another plugin or theme. As we always say, please keep ALL your plugins, themes and WordPress core up to date, particularly if they have known vulnerabilities, and upgrade Shield to 16.1.4 or later regardless.
  • Bug: an error was generated when assessing some IP addresses.
  • Bug: API requests for certain types of options appeared to fail (they didn't) and generated an error.

Fixes for 16.1.6 release

  • Bug fix: Rate Limiting rule failing to build.

Fixes for 16.1.8 release

  • Bug fix: ensure expired CrowdSec IPs are always purged.

Fixes for 16.1.9 release

  • Fixed a bug where a fatal error could occur in some hosting environments.

Fixes for 16.1.13 release

  • Minor bug fixes.

Fixes for 16.1.14 release

  • Fixed the dashboard widget showing incorrect dates for a user's last login when it has never been recorded.
  • Tweaks to CrowdSec Signals map.
  • Plugin/Theme file scanner bug fixes.
  • Minor bug fixes.

For more information on Shield 16.1.0 release, read this blog article here.