A Complete Guide To Shield's Custom Rules Builder

Shield’s Custom Security Rules Builder will let you design and build (almost) any security rule you want.

Here, we've put together an informative, complete guide to Shield's Custom Rules Builder.

Important: In case you lock yourself out of your own site because of your rules, please use the forceoff method outlined here and then disable that rule.

How Does a Security Rule Work?

A Security Rule is simple. It works like this:

IF {{ certain conditions are met }} THEN {{ take specific actions }}

Here are some examples of rules that Shield already provides for you, although you normally think of them as options in the plugin…

Example 1: WP Die For Non-Logged In Users, as a Rule

Our rule will be:

IF:

  • The user is logged in;

THEN:

  • Kill the request

To build this rule, we'll need to fill in the Rules form under the "New" section.

Note: Each time you change something in the form, the form is sent to the server and validated.

Under Conditions > Users, we select "Is Logged In Normal".

Under the Response we select "WP Die".

(WP Die is a WordPress function for killing the request with a message.)

For the User Display Message, we put "The user is logged in".

We can put the same for Rule Name and Description.

We also check both confirmation checkboxes and click to create the new rule.

Important points to note

It's very important that you keep the confirmation checkboxes checked.

  • Checkbox: Automatically honour Shield's existing whitelisting rules and exceptions.

    Shield will process your security rule, just like any other rule we created in the plugin.

    If this checkbox is checked, the rule is not applied whenever Shield's own exceptions apply: for example, if forceoff is active, if your IP is whitelisted, or if you have used the configuration to disable the whole Shield plugin.

    However, if you decide to uncheck this, then you're given another checkbox that you'll need to confirm:

    I understand the risks of creating a rule that doesn't honour Shield's whitelists and exceptions, and I may find it difficult to regain access if I get locked out.

  • Checkbox: Creating custom rules is an advanced feature and I accept full responsibility for any problems arising from the rules I create.

    You'll need to confirm this as well.

Only when all points on the form are green and the checkboxes are checked can you create the rule.

So this means: if the condition is matched, kill the request with the message "The user is logged in".

In this example, since we are logged in, WordPress will kill the request.

If we refresh the page, we will be kicked out and get the message we gave in the rule.

But we can use forceoff and then deactivate the rule easily.

Logged in user message

"Invert" option

"Invert" in this example means that:

IF the condition is matched, do the opposite: the rule applies when the condition is NOT met.

So, if we want the rule to apply only to users who are not logged in, we use the Invert option. Logged-in users will not be kicked out.

We also change the message to "not logged in" and update the rule.

We can do this from within the Manage section and click to edit this rule.

Once we make the changes, we click to update this rule.

To demonstrate this, we open another browser and go to any page of the site. Since we are not logged in there, the request is killed with the message.

Example 2: Browser UserAgent, as a Rule

The user agent is a string that web browsers send to the server to say "this is what I'm using to browse this website". Bots can sometimes fake it.

Our rule will be:

IF:

  • The request doesn't match the user agent; and/or
  • The user is not logged in;

THEN:

  • Kill the request

This means:

The request must match exactly what's in the user agent and/or the user must be logged in. Otherwise, kill the request with a WP Die message.

For this rule, we set the following:

Condition: Match Request Useragent

Match Type: Contains (case-insensitive)

Match Useragent: We add our user agent

AND: Is Logged In Normal

Then: WP Die

User Display Message: You're using Mozilla.

If the user agent contains "Mozilla" and you're not logged in, the request is killed with the WP Die message we created. If the user is logged in, the rule won't apply.

To demonstrate this, we use a Mozilla browser while not logged in. The request will be killed and we'll get the message:

"OR" option

In this example, "OR" means:

If one of these two conditions is true, the other one doesn't need to be true.

If the Match Request Useragent condition matches OR the user is not logged in, then WP Die.
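The IF/THEN logic of both examples above, with the Invert option, AND/OR combination and the whitelist checkbox, as an added illustration written for this guide (not Shield's own code; the Request, Condition and Rule names and their fields are hypothetical):

```python
# Added illustration, not Shield's own code: a model of how a custom rule is
# evaluated (IF conditions, each optionally inverted and joined with AND/OR,
# THEN a WP Die response), honouring whitelists when that checkbox is ticked.
from dataclasses import dataclass

@dataclass
class Request:  # constructed stand-in for an incoming request (hypothetical)
    ip: str
    user_agent: str
    logged_in: bool

@dataclass
class Condition:
    kind: str             # "is_logged_in" or "match_useragent"
    needle: str = ""      # match_useragent: text to look for
    invert: bool = False  # the "Invert" option flips the result

    def matches(self, req: Request) -> bool:
        if self.kind == "is_logged_in":
            hit = req.logged_in
        elif self.kind == "match_useragent":  # "Contains (case-insensitive)"
            hit = self.needle.lower() in req.user_agent.lower()
        else:
            raise ValueError(f"unknown condition kind {self.kind!r}")
        return (not hit) if self.invert else hit

@dataclass
class Rule:
    name: str
    conditions: list
    logic: str = "AND"             # "AND" or "OR" between conditions
    message: str = "Request blocked"
    honour_whitelist: bool = True  # the first confirmation checkbox

    def evaluate(self, req: Request, whitelist=(), forceoff=False):
        """Return the WP Die message if the rule fires, otherwise None."""
        if self.honour_whitelist and (forceoff or req.ip in whitelist):
            return None  # Shield's own exceptions take precedence
        results = [c.matches(req) for c in self.conditions]
        fired = all(results) if self.logic == "AND" else any(results)
        return self.message if fired else None

# Example 1 with "Invert": fire only for visitors who are NOT logged in.
NOT_LOGGED_IN = Rule("not logged in", [Condition("is_logged_in", invert=True)],
                     message="not logged in")

# Example 2: user agent contains "Mozilla" AND the visitor is not logged in.
MOZILLA_GUESTS = Rule("mozilla guests", logic="AND", message="You're using Mozilla.",
                      conditions=[Condition("match_useragent", "Mozilla"),
                                  Condition("is_logged_in", invert=True)])
```

Switching `logic` to "OR" on the second rule reproduces the "OR" option: a logged-in Mozilla user and a non-logged-in curl client both trigger it, while a rule built with `honour_whitelist=False` keeps firing even under forceoff, which is why the second checkbox warns about lock-outs.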

What Should I Know About Draft Rules?

If you start building a rule but don't complete it, it will be saved as a draft.

Draft rules can be found under the Manage section, for example:

These drafts, and any changes that you are in the middle of making to an existing rule, are kept for about 5 minutes. After that period of time, the system forgets them and they are removed.

What Should I Know About the Reset Option?

The "Reset" option can be found on the rules form, under the "New" section:

Reset resets everything back to the beginning: you get an empty form.

You can always reset a rule back to an empty rule, but a draft will then be saved for that empty rule.

What Is The Rules Summary Section?

This section displays a summary of all the active rules you have applied to that website, for example:

Here you can view all active rules on your site at a glance.
