ShieldPRO 16.1.0 Upgrade Guide
ShieldPRO 16.1.0 for WordPress is a major release packed with changes and improvements, including UI enhancements, a new integration with CrowdSec, the ability to permanently block IP addresses, and much more.
First, we'll explain which major changes were made and which options you'll need to review.
Please note that the 16.1.14 release marks Shield 16.x as the final series supporting PHP 7.0 and 7.1. Shield 17 will require PHP 7.2. You can read more about this here.
Newly Added Features
For the 16.1.0 release we added the following features.
For the new CrowdSec integration, two options are available:
- CrowdSec IP Blocking - how Shield should block requests from IP addresses found on CrowdSec's list of malicious IP addresses.
- CrowdSec Enroll ID - link site to your CrowdSec console by providing your Enroll ID.
There is now the option to log custom events to Shield's Activity Log. It's impossible for Shield to log every possible event for every plugin and scenario, so you can now add logging for whichever site events you need. This is an advanced option and will require professional software development experience to implement.
- Logging: App Password Creation
Shield now captures creation of new Application Passwords in the Activity Log.
- Shield’s Super Search Box
  Use it to find:
  - Specific configuration options
  - Tools such as Import/Export, Admin Notes, Debug
  - Logs such as Activity Logs and Traffic Logs
  - IP Rules
  - IP addresses – it’ll open a popup in-situ to review the data Shield holds on any particular IP
  - External links such as Shield’s homepage, Facebook page, helpdesk, CrowdSec etc.
The Super Search Box is accessible and visible from every page inside the plugin.
Enabling the Shield Beta Access option gives you access to beta versions of the Shield Security plugin.
- All-New Guided Setup Wizard
For whitelisted IP addresses, there are no restrictions whatsoever on users coming from that IP - none of the settings will apply to that IP, including the hidden login URL.
We added a special notice for users with a whitelisted IP.
Changes
Change 1: Improved UI
Change 2: Completely New IP Rules and Blocking Engine
This release, spurred on by our CrowdSec integration, sees the much-needed overhaul of our IP management system. It’s smarter, more versatile and altogether much faster.
We also made some UI enhancements to the Management & Analysis section:
- The "Manage IP" section is renamed "IP Rules".
- The IP block and bypass lists are merged into a single new table.
- The IP Analysis dialog is now separate and can be opened for any IP directly from within IP Rules, the Activity Log and the Traffic Log (for example, from within IP Rules).
- A "Reset" option has been added to the IP Analysis dialog.
- Manually adding an IP to the block or bypass list is now done from a single "Add New IP" option.
- Manually or automatically blocked IPs can now be blocked permanently, either when manually adding an IP to the block list or directly from within the IP Analysis dialog.
Change 3: Improved Build Custom Charts option
Shield events are now displayed as a list, making it much easier to select the events you want.
Improvements
For the 16.1.0 release we've made the following improvements:
- Improved and Faster Scan Results Display
We’ve redesigned how the scan results are built so it’s faster and lighter on your browser and on the server itself. This eliminates errors and slow processing when displaying scan results pages for large datasets. Shield now uses highly optimised queries to request only the records required to display the current table page.
- Improved Human SPAM Detection
We’ve added enhancements to how Shield detects repeated human spam comments. We also squashed a bug where Shield wasn’t properly honouring the “disallowed keywords” option built into WordPress itself.
- A change to minimum supported WordPress version: 4.7
Based on Shield telemetry data, we're raising our minimum supported WordPress version to 4.7. We'll continue to raise it as usage data suggests it makes sense to do so.
Note: In the 16.1.4 patch release, we reverted the minimum WP version to 3.7 to allow for security patching.
- Protection Against Unauthorised Deactivation
The Security Admin feature that protects against unauthorised deactivation has been further strengthened, and attempts now register as offenses.
- Shield Navigation Bar
Shield offers a much better navbar on the dashboard with built-in search, helpdesk links and updates.
- Improvements to MainWP Extension
As part of our plans to enhance our MainWP extension, we've made a number of fixes and tweaks.
- Obscure Access To Local Plugin/Theme Hashes
It was pointed out that the plugin/theme hashes stored locally were publicly accessible on nginx servers, which revealed which plugins/themes were installed on some sites. Not a security problem in itself, but not ideal either.
- QR Code Rendered Locally
It was pointed out that there are preferable ways of generating QR codes than sending the data to Google's API. QR code images are now rendered locally in the browser using JavaScript.
- Logged-In Users Won't Be Rate Limited
If you're logged into a site and you trigger the rate limiter, you won't be limited. You may still trigger the rate limiter if you issue non-authenticated requests, such as REST API requests.
Improvements for 16.1.8 release
- Optimise the checking and building of file hashes.
- Improvements to requirements checking for the File Locker feature.
- Update Swedish translations file.
Improvements for 16.1.13 release
- Attempt to eliminate CrowdSec API issues.
- Attempt to mitigate import/export errors for certain configurations.
- Accessibility of the user 2FA setup form has been improved for screen readers.
- Improved the data used to construct the QR codes for Google Authenticator setup.
Improvements for 16.1.14 release
- Performance improved when loading the WordPress Users page for sites with large user counts.
Removed Options
For the 16.1.0 release we removed the following options:
- Auto Block Expiration (under Config > IP Blocking): the "1 minute" option was removed.
- Leading Schema Firewall Rule
This rule flagged too many false positives for members.
- The option to download IP lists, activity logs and traffic logs is removed.
Fixes
For the 16.1.0 release we've made various fixes:
- Mitigate a fatal error caused by the latest wpForo plugin passing NULL to locale filters.
- Bug when specifying a particular list while adding/removing an IP address using WP-CLI.
- Shield no longer attempts to solve the issue of invalid 'from' email addresses on a WordPress site.
Fixes for 16.1.2 release
- Bug fix: unable to start scans.
- Bug fix: DB creation error on initialisation on a new website.
- Bug fix: error on the Overview page when analysing the firewall grade, after removing Leading Schemas.
- Security fix for a reported 2FA vulnerability. More info will be released after allowing time for client upgrades.
Note: sites are only vulnerable to this particular exploit IF they have an SQL-injection vulnerability caused by another plugin/theme. As we always say, please ensure you keep ALL your plugins, themes and WordPress core up-to-date, particularly if they have known vulnerabilities!
- Bug: an error was generated when assessing some IP addresses.
- Bug: API requests for certain types of options were appearing to fail (they weren't) and generating an error.
Fixes for 16.1.6 release
- Bug fix: Rate Limiting rule failing to build.
Fixes for 16.1.8 release
- Bug fix: ensure expired CrowdSec IPs are always purged.
Fixes for 16.1.9 release
- Bug where a fatal error could occur in some hosting environments.
Fixes for 16.1.13 release
- Minor bug fixes.
Fixes for 16.1.14 release
- Dashboard widget showing incorrect dates for user last login when it has never been recorded.
- Tweaks to CrowdSec Signals map.
- Plugin/Theme file scanner bug fixes.
- Minor bug fixes.
For more information on the Shield 16.1.0 release, read the blog article here.