ShieldPRO 10.2 Upgrade Guide

ShieldPRO 10.2 for WordPress is a major release. This release is designed more as a bug-fixing release along with the removal of some options. This guide outlines what has been added, removed, changed, or improved and what fixes we've made.

First, we explain what major changes were made and which options you need to review.

Change 1: Add IP status to information in the traffic viewer.

The traffic table will now display how many offenses an IP address has, or whether the IP address is blocked.

Traffic Log shows IP offenses under Details => IP Status. There are 3 different statuses:

  1. Number of offenses
  2. IP blocked
  3. No Record

Status number of offenses: the IP has triggered offenses (e.g. x2) but is not blocked yet, because the offense limit has not been exceeded.

IP Status will show "2 offenses" for all traffic logs associated with this particular IP.

Status Blocked: the IP is blocked because the offense limit has been exceeded.

IP Status will show "Blocked" for all traffic logs associated with this particular IP.

Status No Record: This means that the IP

  • has not triggered an offense at all; or
  • is not blocked; or
  • has been removed from the block list automatically or manually.

IP Status will show "No Record" for all traffic logs associated with this particular IP.

For the 10.2 release we added:

  • Invalid user login tracking covers empty usernames
    When tracking for bots logging in using invalid usernames (i.e. that don't exist) it'll also trigger an offense on empty usernames.

When someone tries to log in without providing a username, this will trigger a Shield offense.

This offense can be seen in your Audit Trail Viewer.

Removed Options

For the 10.2 release we removed the following option:

  • Content Security Policy settings
    Due to the complexity of CSP and the superficial nature of our CSP implementation, we've decided to remove these options. We explore the issue in full detail in our blog post on this topic here.

    We kept the option to provide completely custom Content Security Policy headers. This will allow admins who understand CSP to implement their own rules.

Improvements

We've made the following improvements: 

  • 10.2 release
    • Deleting Malware files doesn't initiate a new scan
      This addresses a reported UX issue where bulk malware deletion isn't yet available and so instead of a full re-scan, the page just reloads.

    • Malware scanners are more efficient
      Malware scanning is involved - every PHP file has to be read and then searched using a large set of patterns. So it takes time. Hopefully these tweaks will optimise this process a little and lead to faster scans.
    • Upgrade Bootstrap Library to latest 4.6.0
      Asset enqueuing has been refactored and optimised, and Bootstrap assets are now loaded from CDNJS.
    • Significant code cleanup
    • Added cleanup code to remove stale entries in the WP Options table
    • Added detection of server clock inconsistencies which break Google Authenticator.
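
Why an inconsistent server clock breaks Google Authenticator, as an added example (not ShieldPRO's code): codes are derived from the current 30-second time step, so a server whose clock drifts past its acceptance window rejects codes that are valid on the phone. The ±1 step window, the `clock_is_consistent` helper, the sample secret and the drift values are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default, used by Google Authenticator)
DIGITS = 6   # length of the displayed code
WINDOW = 1   # assumed tolerance: accept codes +/- 1 step around the server's time


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int) -> bool:
    """Server-side check: the code must match a step within WINDOW of server_time."""
    candidates = [totp(secret, server_time + i * STEP) for i in range(-WINDOW, WINDOW + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


def clock_is_consistent(server_time: int, reference_time: int) -> bool:
    """Hypothetical detection: the server clock is within the accepted window of a
    trusted reference (for example an NTP-synchronised time source)."""
    return abs(server_time - reference_time) <= WINDOW * STEP


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed sample: RFC 6238 test secret
    true_time = int(time.time())       # the phone's clock, assumed correct
    code = totp(secret, true_time)
    for drift in (0, 25, 120, -300):   # constructed server clock errors, in seconds
        server_time = true_time + drift
        print(f"drift {drift:+5d}s  code accepted: {verify(secret, code, server_time)}"
              f"  clock ok: {clock_is_consistent(server_time, true_time)}")
```

A drift of up to one step is always absorbed by the window; beyond that the user sees failed logins even though the code on the phone is correct.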

Fixes

We've made the following fixes: 

  • 10.2 release
    • U2F/Yubikey Removal Bug
      A JavaScript issue prevented removal of U2F keys from user profiles.
    • FileLocker would fail to load file contents if it exceeded 64KB.
      We upgraded the database table definition to allow for much larger files.
  • 10.2.1 release
    • Plugin Upgrade Code wasn't always running
      Code designed to automatically run when the plugin is upgraded between versions wasn't always running.
  • 10.2.2 release 
    • Fatal error in some cases 
  • 10.2.3 release 
    • Certain admin JS and CSS assets were loading on the frontend.
  • 10.2.4 release
    • Shield would report the server time was out-of-sync when it wasn't.
  • 10.2.6 release 
    • Replaced corrupted JavaScript library (base64.min.js)
    • Link Cheese shouldn't run if there's an actual robots.txt file present

For more information about the 10.2 release, read the announcement blog post here.