It's important to understand what the Shield Security's Firewall does not do.
Since this is an application level firewall, it can only deal with the data that is sent to the application - that is to say: WordPress.
First, a look at what it CAN'T do
- protect against DOS/DDOS attacks. Why? Your web server is responsible for that.
- protect against lax security practices. Why? You're responsible for that.
- protect against attacks against old out-dated software. Why? You're responsible for maintaining basic security by keeping your site up-to-date.
- protect against poor web hosting security. Why? Your host is responsible for that (or you, if you host your own server)
- protect against intrusion through any other mechanism other than WordPress itself. Why? Because this plugin, like any other security plugin only runs when WordPress itself is loaded.
Now, a look at what it doesn't do
- modify any core WordPress system files.
- modify or write to your .htaccess files.
To learn how this Firewall works, read the blog article here.