ShieldPRO 17.0 Upgrade Guide

ShieldPRO 17.0 for WordPress is a major release packed with many changes and improvements, including UI enhancements.

Please note that the 16.1.14 release marks Shield 16.x as the final series supporting PHP 7.0 and 7.1. Shield 17.x requires PHP 7.2. You may read more about this here.

Also, based on Shield telemetry data, we're pushing our minimum supported WordPress version up to 4.7. We'll continue to push this upwards as usage data suggests it makes sense to do so.

This guide outlines what has been added, removed, changed, or improved, and what fixes we've made.

First, we'll explain the major changes and which options you need to review.

New Added Features

For the 17.0 release we added:

The Restrict Content Pro form is now integrated and protected with the AntiBot Detection Engine.

The setting can be found under the Integrations module > User Forms Bot Checking.

The WeForms form is now integrated and protected with the AntiBot Detection Engine.

The setting can be found under the Integrations module > SPAM Contact Form Checking.

  • Whitelist/Bypass IPs are included in exports

It is now possible to share Bypass IPs from a master site to its client site using the import/export feature. Only IP addresses added after the upgrade will be included in any subsequent exports.

  • In-plugin notices for the whitelisted and blocked IPs

We improved the notice for whitelisted IPs and added a new one for blacklisted IPs.

If the logged-in user's IP has been added to Shield's bypass list, they'll see a notice on all Shield pages that their IP is whitelisted.

And this is the notice for the blocked/blacklisted IP:

The link to the IP opens in an overlay, letting you keep your current page active while you manage the IP's status.

Under the Security Admin configuration page, you can now completely disable Security Admin with 1 click, or end the session.

The "Disable Security Admin" option disables the Security Admin feature completely. The "End Security Admin Session" option ends the Security Admin session and redirects you to the Security Admin authorisation page, where you provide an access PIN.

We also added the "End Security Admin Session" option to every Shield admin page.

Please note that this option is available only if Security Admin is enabled.

Disabling Security Admin on the authorisation page by using a link sent by email (the "Allow Email Override" option) is now under the Action Menu - gear icon.

  • Filter tables by date

The Activity Log and Traffic Log can now be filtered by date, letting you quickly find the logs you need.

Example, activity log:

Changes

Change 1: Removed options

  • Password Policies > "Minimum Password Length" option is removed. Shield has an option to enforce minimum password strengths, and also an option to enforce minimum length. There is no real need to enforce a password length when an overall password strength meter is also applied.
  • Block Bad IPs & Visitors > "Visitor Messages" option is removed.

Change 2: Login, probing bots settings

The Login Bots and Probing Bots sections are removed. Their settings are now merged into the Bot Behaviors section.

Change 3: Reporting section moved to General Settings

As part of our focus on simplifying the Shield plugin, we've removed the separate Reporting module. You'll still get email Reports, but the options are now configured under the General Settings module > Reporting.

Change 4: Report Email option moved to the Reporting section

The "Report Email" option, under the General Settings section, has moved from Plugin Defaults to the Reporting section.

Change 5: Reports section removed

The Reports section (stats/charts) is removed; Stats/Charts can now be found under the Tools section.

Change 6: Integrations section removed

The Integrations section is removed and can now be found under the main Config menu.

Change 7: User Login Security (MFA) page renamed/moved

This page is renamed from "My Login Security" to "Login Security". It has also been removed from Shield's menu and can now be found under the user Profile page.

Change 8: Scans configuration and run scan options

These options are removed from the Config > Scans section. They are now under the Action Menu - gear icon.

Change 9: Import/Export section

This is redesigned. Import from file and Export to file are now under separate tabs. Also, you can now access the Import/Export configuration page under the Action Menu - gear icon.

Change 10: Configuration pages

Configuration pages for the following sections

  • IP Rules
  • Scans
  • Activity Log
  • Traffic Log
  • Users

... are now under the Action Menu - gear icon.

Example, Activity Log configuration:

Change 11: IP Rules section - manually adding IPs to the whitelist/blacklist

The option for manually adding an IP to the bypass or block list is now under the Action Menu - gear icon.

Change 12: Automatic IP source checking

The IP source checking option is now under the Action Menu - gear icon.

Change 13: Notification emails - email address configuration link

You can now use a direct link in emails to configure the recipient email address. This is added to all emails sent, except for the user login notification email.

Example, Firewall block alert email

Change 14: Site information email - security statistics

We improved the design of the security statistics in this report email by changing the table with numbers. You can now also see whether a particular offense is increasing or not.

Example, hourly email report:

Change 15: Search box improved and moved

We've improved the UI for searching the plugin alongside adding the ability to search for partial IP addresses.

Now, you may find it under the main Shield menu:

Change 16: Traffic Log and Activity Log renamed

"Traffic Log" and "Activity Log" in the main menu are renamed to "Traffic" and "Activity". 

Change 17: Other Shield main menu changes

  • IP & Bots renamed to IP Rules
  • Activity Log renamed to Activity
  • Traffic Log renamed to Traffic
  • View Docs renamed to Docs
  • Tools section > Import/Export is renamed to Import

Change 18: General Settings - General Plugin Options removed and merged

Under Config > General Settings, the General Plugin Options section is removed and its options are merged into the Plugin Defaults section.

Change 19: Improved UI

We’ve done some work to reduce full page reloads so that you can stay “where you are” while viewing the contents of another page.
In particular we’re referring to “Options/Configuration” pages. Links to such areas will open in an overlay, letting you keep your current page active while you review and adjust settings. 
Example, IP Rules section

Additional Improvements

For the 17.0 release we've made the following improvements:

  • UI Enhancements
    We've made huge progress in improving the Shield Dashboard interface, making it easier to get to exactly where you need to. Shield is a big plugin, so organising all the tools and features is a challenge, but this is our best UI yet!
  • Much Improved IP Rules Management
    IP Rules management could be slow as the IP rules table grew, but we've done a lot of work to speed this up.
  • Much Improved Automatic Import/Export
    The process of automatic notification of client sites to import configurations from the master site has been much improved.
  • NotBot JS Improvements
    Following some feedback and issues reported with SiteGround, we've made a few enhancements to the NotBot JS code.
  • Better Security Overview
    We've made some adjustments to how the Overview dashboard is created alongside tweaks to the scoring logic. We've also aligned the Admin dashboard widget score with the overall Shield Dashboard score.
  • Major Code Overhaul
    Nearly all functionality of the plugin has been rewritten and improved.
  • Pwned Passwords API
    We've made our implementation of the Pwned Passwords API more forgiving of API errors. Instead of blocking passwords when there's an error with the API, we bypass the test altogether, allowing the request to succeed.
  • Plugin Re-Install Feature Improved
    Depending on your particular plugin soup, the plugin reinstall feature could fail.
  • Improved File Locker & WP Config protection
    The OpenSSL encryption process has been hugely improved in order to run better on newer systems that don't support legacy encryption ciphers.
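
The Pwned Passwords item above describes a fail-open policy: an API error bypasses the test instead of rejecting the password. The sketch below is an added PHP example, not Shield's own code; `pwned_check()` and the injected `$fetchRange` callable are hypothetical names, and the response format is the public Pwned Passwords range API (first 5 SHA-1 hex characters in, `SUFFIX:COUNT` lines out).

```php
<?php
// Added example, not Shield's code. $fetchRange is a hypothetical callable that
// returns the body of GET https://api.pwnedpasswords.com/range/<prefix>
// and throws on any transport or HTTP error.
function pwned_check(string $password, callable $fetchRange): array
{
    $sha1   = strtoupper(sha1($password));
    $prefix = substr($sha1, 0, 5);  // only these 5 hex chars are sent to the API
    $suffix = substr($sha1, 5);

    try {
        $body = (string) $fetchRange($prefix);
    } catch (Throwable $e) {
        // Fail open: the password was NOT tested, so say so for the caller's log.
        return ['allow' => true, 'checked' => false, 'count' => 0];
    }

    // Response body: one "HASH_SUFFIX:COUNT" pair per line.
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) === 2 && strtoupper($parts[0]) === $suffix) {
            $count = (int) $parts[1];
            return ['allow' => $count === 0, 'checked' => true, 'count' => $count];
        }
    }
    return ['allow' => true, 'checked' => true, 'count' => 0];
}

// Constructed sample data: a fake range response and a failing fetcher.
$suffix = substr(strtoupper(sha1('password')), 5);
$up   = function (string $prefix) use ($suffix): string {
    return "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n{$suffix}:42\r\n";
};
$down = function (string $prefix): string {
    throw new RuntimeException('HTTP 503 from range API');
};

var_dump(pwned_check('password', $up));    // API reachable, password is listed
var_dump(pwned_check('password', $down));  // API error, check bypassed
```

The `checked` flag separates "tested and clean" from "not tested", so a site owner can log how often the bypass path is taken during an API outage.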

Fixes

For the 17.0 release we've made the following fixes:

  • 17.0.7 release
    • Ensure Link Cheese robots.txt contains the necessary user-agent directive.
    • Fix bug with handshake API.
    • Fix bug with Reports migration upon upgrade.
  • 17.0.9 release
    • Attempt to prevent errors being thrown with conflicting Monolog libraries.
    • Prevent unnecessary logs being generated for disabled reports.
  • 17.0.11-14 releases
    • Prevent fatal errors in the event of a Monolog library conflict, but disable Activity Logging features to facilitate this.
  • 17.0.17 release
    • Improve automated import/export for sites that use server caching heavily.
    • Prevent reports resending alerts about previously notified scan results.
  • 17.0.20 release
    • Further enhancements to the automated import/export subsystem.

Security Patch

  • 17.0.18 release
    • Address an 'Unauthenticated XSS' security issue where an attacker could inject scripts via the HTTP User-Agent header. Further details to follow.
    • Address a minor 'Insufficient Authorization' security issue where arbitrary activity logs could be created via the WP plugin/theme file editor. Further details to follow.

For more information on the Shield 17.0 release, read this blog article here.