Jelena
Forum Replies Created
Hi,
Sorry to hear that.
Under the main Config menu > Lockdown section, have you tried to disable the following options?
- Disable XML-RPC
- Anonymous Rest API
If that doesn’t help, can you check your site admin email inbox and send us the error details, please? When a critical error occurs, WordPress sends an email with error details. The email subject is “Your Site is Experiencing a Technical Issue”.
If you haven’t received it, please reproduce the error and then open up and review the web Console and/or Network tab (for AJAX/XHR requests). You may see errors there. This suggests something is going wrong with the request and there are errors being generated for some reason. The console will help highlight why this is happening, but then it may need investigation of PHP error logs to see what’s going wrong. Please check your PHP/Apache error logs. Once you can see the errors, we can probably point to the source of the issue quickly.
Let us know what you find, especially if you see error logs and entries around the time the problem occurred, and we’ll help however we can.
Thanks.
Thanks for the update. Happy to hear that you managed to sort it out.
The truth is, we get many support requests from site admins because a Shield feature isn’t working properly or the site is acting strangely, and 9 times out of 10 it’s because of some sort of WordPress auto-optimisation – caching.
We have a list of rules here you can implement for your site optimisation.
If you decide to use caching, ensure the site works as expected without caching. Then add caching last. If it breaks, try another caching solution. Caching should be the last thing enabled, and the first thing turned off when there are problems.
Hi,
Can you reproduce the problem and then immediately check your activity log, please? If Shield is causing the block, hopefully the activity log will tell us the type of the block and based on that, you can tweak the related settings. You may use this glossary here.
If there’s nothing in there, the next thing to check is page cache. If you use a page cache plugin or server-level cache, please disable it and retry to see if the problem is solved.
Let us know what you find.
Thanks.
Hi,
Shield has special handling in there for all major search engines so that if they ever try to access your site in any way, Shield will never stop them – they’re basically whitelisted.
Shield doesn’t issue 403 errors. It’s possible it might interfere, somehow, so we never rule it out, but it doesn’t sound like it.
Have you checked for changes to your .htaccess and robots.txt?
If you disable Shield, does the google fetch work?
Thanks.
Hi,
Thanks for your questions.
Shield Security provides solid login security protection for WordPress sites. It effectively thwarts brute force login attempts through simple, non-intrusive methods while ensuring the verification of all logged-in users. Many of Shield’s features are available for free. However, some advanced ones are reserved for the Pro version, as these help support the ongoing development of Shield.
Regarding email-based 2FA, you can’t disable it for your user profile because, based on your settings, you are enforced to use it.
If you don’t want to use it and want to disable it for your profile completely, you’ll need to remove the “administrator” user role from the 2FA settings. If you’d like to have the ability to choose to use it or not, you’ll need the Pro option. So,
1. Enforce for Specific User Roles: This is based on user roles. You can require certain user roles to use 2FA by email. Users with the roles specified on the list in settings won’t have the option to disable it from their profile. They must use it for their login.
2. 2FA-Allow Any User (Pro): Based on user account (username).
Users with roles not specified in the first option can choose to use 2FA by email or not. These users will not be enforced to use it. They can disable or enable it on their user profile, whatever they prefer.
Google Auth is based on user account (username) and it’s an optional option.
It is a separate option and not connected to the 2FA by email in any way.
Users can’t be enforced to use it for their login, though this is on our feature roadmap for future releases. When you turn on the Google Auth system in settings, all users, regardless of their roles, can decide if they want to use it or not. The configuration settings will be available on their user Profile.
Since you’re running Shield Free, you can
- 2FA by email: Choose the user roles that must use this option. List those roles on the Enforce-Email Authentication list.
- The user roles that are not on the list will have 2FA by email disabled – not available on their user Profile at all. They will not be required to verify their login with 2FA by email and can use Google Auth only instead. But, you can’t enforce them to use Google Auth, it’s optional.
Users (user roles) that are enforced for 2FA by email, can also add an extra Google Auth layer.
Hope this helps…
Regards,
Jelena
Hi,
Just would like to share an update with you:
We’ve tested possible 2FA conflict with Wordfence, and we can’t reproduce 502 bad gateway error or see any other type of error…
Perhaps it’s something else on your site that’s causing this, or something particular to your hosting. Worth investigating to see if that’s the case.
Thanks for reporting this.
We’ll investigate the issue with resetting options – there may be a bug there. Could you let us know if you are deactivating from inside WP, or using FTP to remove the plugin? Also, which settings were kept when you tried to reset, please?
Shield has some default settings so maybe it is that you’re seeing? Can you try the “reset” feature detailed here, and see if that works for you, please?
Thanks a bunch for this awesome review. We’re thrilled you found our Shield Security useful and had a great experience with us. If you ever need a hand, rest assured, we’ve got your back.
Stay safe and secure…
No problem, always happy to help!
Hi,
Thanks so much for keeping us updated all the time and for your feedback on 2FA. This is highly appreciated.
I’m glad to hear that you were able to narrow down the initial problem.
Using multiple WordPress security plugins may have unpredictable results. This is because 1 WordPress plugin doesn’t have inherent understanding of what another plugin does. So when 1 feature from 1 plugin doesn’t seem to work well with another related feature of another plugin, this is perfectly normal.
When it’s about temp disabling Shield, the easiest way is using the “forceoff” method outlined here. So, any time you get locked out of your own site as the result of Shield, for any reason, instead of renaming the plugin folder, you can forceoff. When forceoff, the plugin itself will be active but none of the security/blocking options will be enforced – Shield can’t block anything. This will allow you to regain access to your site and troubleshoot.
Regarding deleting plugin settings option (under General Settings > Plugin Defaults), this will work upon plugin deactivation only. Once you enable this option, you’ll need to go to the Plugins page of your site and click to deactivate > activate Shield Security plugin. All previous settings will be deleted (cleaned out) and revert to defaults.
As for the Shield’s 2FA, there are x3 options that are available in Free version:
1) 2FA by email
2) Google Authentication
3) Yubikey
So, if you prefer using Google Authenticator app over 2FA by email, you may enable this option in Shield settings and set it up for your user account.
You also have the ability to specify pages available to users to configure 2FA on their account.
Sincerely hope that you find this helpful…
Thanks.
Jelena
Hi,
Sorry to hear that…
We have a new release 18.4.2 ready (due out today). There are performance improvements and bug fixes in this release. This should solve the issue you’re facing.
Hi,
You’re seeing this notice because the Live Traffic option (Pro-only) isn’t enabled in settings.
The live traffic logs viewer is a trimmed-down, simplified view on the traffic log. This view is useful regardless of whether or not the live traffic option is enabled. It displays the logs in a simple, standardised format, and when the “Live Traffic” option is enabled in settings, the viewer will automatically update the log display on-screen every 7 seconds. You can use it in full. However, if the option is disabled in settings, the live traffic viewer is still available but you may not see many updates. You can’t use it in full.
We go into further details on this here.
Hope this helps.
Regards,
Jelena
Hi,
Sorry to hear that…
First things first… ensure the site works as expected without caching. Caching should be the last thing enabled, and the first thing turned-off when there are problems.
Always disable page caching when you’re seeing strange behaviour and test. For a bit more background on that:
https://getshieldsecurity.com/blog/5-golden-rules-wordpress-site-optimisation/
Also, just in case… please go to Shield > Config > General > IP Source and review this option.
It will list all the available sources for IP addresses and what the currently detected IP address is for that “source”. You can look up what your IP address is here:
https://getshieldsecurity.com/my-ip/
and use this to inform you which source is required for your host. The ideal, and default, is REMOTE_ADDR, but many hosts aren’t configured correctly so Shield must try and detect the correct one.
Additionally, when your IP is blocked, Activity Log will document the full reasons behind this decision. So if you go into there and see the steps that led to it, you can then simply tweak the Shield settings to ensure it never happens again.
Hope this helps.
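The IP source check described in the reply above, as an added example that is not part of the original post and is not Shield's own code: it compares each candidate source against the public IP you looked up and reports which source actually carries it. The `SAMPLE_SERVER` values and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of PHP $_SERVER values as seen behind a reverse proxy.
SAMPLE_SERVER = {
    "REMOTE_ADDR": "10.0.0.5",                        # proxy's internal address
    "HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.0.0.5",  # client, then proxy
    "HTTP_X_REAL_IP": "203.0.113.7",
    "HTTP_CF_CONNECTING_IP": "",                      # header not set on this host
}

def parse_ips(raw):
    """Return the valid IP addresses in a value (comma-separated lists allowed)."""
    ips = []
    for part in raw.split(","):
        try:
            ips.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # empty or malformed entries are ignored
    return ips

def matching_sources(server, my_public_ip):
    """Names of the sources whose value contains the visitor's public IP."""
    target = ipaddress.ip_address(my_public_ip)
    return [name for name, raw in server.items() if target in parse_ips(raw)]

def recommend_source(server, my_public_ip):
    """Prefer REMOTE_ADDR when it is correct; otherwise the first matching header."""
    matches = matching_sources(server, my_public_ip)
    if "REMOTE_ADDR" in matches:
        return "REMOTE_ADDR"
    return matches[0] if matches else None

if __name__ == "__main__":
    print(matching_sources(SAMPLE_SERVER, "203.0.113.7"))
    print(recommend_source(SAMPLE_SERVER, "203.0.113.7"))
```

A forwarded header is client-supplied unless the host's proxy sets or overwrites it, so a header source should be selected only when the proxy in front of the site is known to populate it.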
Hi,
Thanks so much for reporting this.
We are sorry but, despite our willingness to find a solution for this, I’m afraid that we can’t do much… This is the same as this report here:
https://www.ads-software.com/support/topic/conflict-with-wp-rss-agregator-after-update-to-18-2-18/
Hope you find this helpful in some way…
Jelena
Hi,
Glad to know that our initial response has addressed your concerns.
Thanks so much for considering our perspective and willingness to update your rating.
Your dedication to security and your thoughtful approach to it is truly impressive. After all, we’re all in this together, working to make sure all our WordPress users stay safe and secure. If you ever need anything else or want to share more insights, please feel free to reach out.
Cheers to a safer WordPress journey!