In this walk-through guide, we are going to explain what the next steps you should take upon upgrading to Pro. 


Step 1: Activate Pro features (if not already)

If you have Shield v6.6+ running on that site, you wont need a license key for the Pro features activation.


You simply log into the site associated to that license, and then:

  1. Open the Shield Pro section
  2. Be sure to have first activated your site URL (the URL of the site you want to license inside your One Dollar Plugin account) by clicking the "Keyless Activation control panel" link. 
  3. Hit the "Check License" button and all the Pro features will be automatically licensed on the site within 30 seconds.

Read more here.


Important: If you have any trouble with activation, just click a little "Debug" link beneath the "Check License" button and send us an error you see. We will investigate the problem for you.

To learn more about Keyless Activation, read the release article here.


Step 2: Enable General Pro features

General section contains the following Pro features:

  • Import/Export
  • Google reCAPTCHA Style


Import/Export feature

Helps you to automatically import options and deploy configurations across your entire security network. You can easily setup the Shield Security plugin on 1 site and have all options replicated to your other sites automatically.


To activate this feature, go to Shield => General section => Import/Export => ensure that the Allow Import/Export option is enabled, and then follow the guide outlined in the article here.


Note: You can also activate this feature directly from within Shield Security Dashboard, under the Import/Export tab. You can

  • Import options from file; or
  • from site.

Google reCAPTCHA Style

Before you use this feature, please ensure that Google reCAPTCHA is enabled. (See here)


With Google reCAPTCHA Style feature, you have the ability to choose your own reCAPTCHA style:

  • "light" theme
  • "dark" theme
  • "invisible recaptcha"

To learn more about Google reCAPTCHA Style feature, read the article here.


Note: This feature is also available within the following modules:

Important: If you set "default" theme for all reCAPTCHA features, it will fallback to the General section settings - i.e. if you want "dark theme" throughout the plugin, choose "Dark Theme" within General section and set "Default" for Login Guard and Comments SPAM. 


Step 3: Enable Security Admin Pro features

Security Admin module contains the following Pro features:

  • Persistent Security Admins
  • White Label


Persistent Security Admins 

You can use this feature to specify usernames for Security Admin role. 


This means that these admins will not need to provide security admin access key - they'll become security admins automatically.


To learn more about Persistent Security Admins feature, read the article here.

 

White Label

It gives you the opportunity to rename and re-brand the Shield plugin for your client site installations. With White Label, you can own your own brand.


The following changes will take place when you setup your White Label:

  • The WP admin menu for the plugin will be renamed and the icon displayed in the menu will be updated to use your icon.
  • The plugin name displayed on the plugins page will be renamed
  • The ‘details’ link in the plugins page will be updated to your link
  • The option to edit the plugin files directly from Plugin Editor screen (if you haven’t disabled editing) will be removed
  • If you enable the option, non-Security Admin users will not see available updates listed in the plugins/updates pages
  • Any emails sent out to users will display your custom plugin name in place of “Shield Security”

You can also chose your own logo to display on the Two-Factor Authentication login page. 


To activate White Label, please follow these steps:

  1. Ensure that Security Admin system is enabled
  2. Activate your White Label settings (see the screenshot below)
  3. Activate options you want (i.e. Change the plugin name... ). Options explanations along with the screenshots can be found here.

To learn more about While Label for Shield Security, read the article here.


Step 4: Enable Block Bad IPs/Visitors Pro features

Block Bad IPs/Visitors contains the following Pro features:

  • User Auto Unblock 
  • Detect & Capture Login Bots 
  • Detect & Capture Probing Bots
  • Detect Behaviours Common To Bots 
  • Manual IP Blacklisting


User Auto Unblock

This feature helps you to allow your site visitors to automatically unblock themselves from Shield. You can configure this feature to

  1. Disable - do not allow visitors to unblock themselves
  2. With Shield Bot Protection - allow visitors to unblock themselves with bot protection

When this feature is activated, your site visitors/users will just need to check the bot protection checkbox and click the "Unblock My IP Address" button: 

Important: A visitor will only be able to remove themselves from the block list once in a 24 hour period


To learn more about User Auto Unblock feature, read the article here.


Detect & Capture Login Bots

Certain bots are designed to test your logins and this feature lets you decide how to handle them. 


You can use this feature to:

  1. Detect failed login attempts using valid usernames
    Penalise a visitor when they try to login using a valid username, but it fails.
  2. Detect attempted logins with usernames that don't exist
    Identify a Bot when it tries to login with a non-existent username. This includes the default 'admin' if you've removed that account.

Important: Legitimate users may get their password wrong, so take care not to block this.


You’ll have 4 options to choose from:

  • Audit Log Only. This option lets you see the activity of these bots on the audit trail before applying any transgressions or blocks to offenders. It’ll let you test-drive the signal before making it take effect.
  • Increment Transgression (by 1). This option puts another black mark against an IP. As always with the transgression system, once the limit is reached for an IP address, it is blocked from accessing the site.
  • Double Transgression (by 2). We’ve added the ability to give weight to certain behaviours. By allowing the transgression counter to increment by 2, the IP will reach the limit more quickly, and be blocked sooner.
  • Immediate block. If you decide that a particular signal on your site is severe enough, you can have Shield immediately mark that IP as blocked.

To learn more about the Detect & Capture Login Bots feature, read the article here.


Detect & Capture Probing Bots

Bots are designed to probe and this feature is dedicated to detecting probing bots.


You can use this feature to

  • Identify a bot when it hits a 404
    Detect when a visitor tries to load a non-existent page.
  • Tempt a bot with a fake link to follow (Mouse Trap)
    Detect a bot when it follows a fake 'no-follow' link. This works because legitimate web crawlers respect 'robots.txt' and 'nofollow' directives.
    Read more about the Mouse Trap here.
  • Identify a bot when it accesses XML-RPC 
    Note: If you don't use XML-RPC, there's no reason anything should be accessing it.
    Be careful the ensure you don't block legitimate XML-RPC traffic if your site needs it.
    We recommend transgressions here in-case of blocking valid request unless you're sure. 

You’ll have 4 options to choose from:

  • Audit Log Only. This option lets you see the activity of these bots on the audit trail before applying any transgressions or blocks to offenders. It’ll let you test-drive the signal before making it take effect.
  • Increment Transgression (by 1). This option puts another black mark against an IP. As always with the transgression system, once the limit is reached for an IP address, it is blocked from accessing the site.
  • Double Transgression (by 2). We’ve added the ability to give weight to certain behaviours. By allowing the transgression counter to increment by 2, the IP will reach the limit more quickly, and be blocked sooner.
  • Immediate block. If you decide that a particular signal on your site is severe enough, you can have Shield immediately mark that IP as blocked.

To learn more about the Detect & Capture Probing Bots feature, read the article here


Detect Behaviours Common To Bots 

This feature helps you to detect characteristics and behavior commonly associated with illegitimate bots.


You can use this feature to

  • Identify a Bot when it presents as an official web crawler, but analysis shows it's fake.
  • Identify a bot when the user agent is not provided. 

You’ll have 4 options to choose from:

  • Audit Log Only. This option lets you see the activity of these bots on the audit trail before applying any transgressions or blocks to offenders. It’ll let you test-drive the signal before making it take effect.
  • Increment Transgression (by 1). This option puts another black mark against an IP. As always with the transgression system, once the limit is reached for an IP address, it is blocked from accessing the site.
  • Double Transgression (by 2). We’ve added the ability to give weight to certain behaviours. By allowing the transgression counter to increment by 2, the IP will reach the limit more quickly, and be blocked sooner.
  • Immediate block. If you decide that a particular signal on your site is severe enough, you can have Shield immediately mark that IP as blocked.

To learn more about the Detect Behaviours Common To Bots feature, read the article here.


Additionally, you can use Manual IP Blacklisting feature to manually add IP you want to blacklist. 


To add IP to the blacklist, simply go to the Shield Security Dashboard => IP Lists => and add the IP into the IP Blacklist field. For example:

To learn more about the Manual IP Blacklisting feature, read the article here.


Step 5 : Enable Hack Guard Pro features

Hack Guard module contains the following Pro features:

  • Daily Scan Frequency 
  • Scans Notifications
  • Plugins and Themes Guard Scanner
  • Vulnerabilities Scanner


Daily Scan Frequency 

You can use this feature to increase the schedule of the automated scanners so they run more than once per day.

To learn more about Daily Scan Frequency feature, read the article here.


Scans Notifications

You can use this feature to

  • Specify how long the automated scans should wait before repeating a notification about an item.
  • Specify if scanner notification emails will include a summary list of all affected files or not.

Plugins and Themes Guard Scanner

This scanner detects any changes to active plugins and themes. For example, if you upgrade a plugin to a new version using WordPress, then this would not trigger alerts from the Guard. The Guard will detect normal changes and update its records so that it doesn't alert you unnecessarily.


Please note that this scanner requires PHP v5.4 and above.


To enable this scanner, go to Hack Guard module and:

  • enable the Guard
  • set the scan depth (i.e. 2)
  • add the file types you want to be included in the scan (optional)
  • enable "Show Re-Install Links" option

To learn more about the Plugins and Themes Guard, read the article here, or watch the explanatory video here.


Vulnerabilities Scanner

Regularly (once daily) scan your list of the installed WordPress plugins and compare their current versions against a list of known plugin vulnerabilities.


To enable this scanner, go to Hack Guard module and:

  • enable the scanner with or without email notifications
  • enable auto updates to vulnerable plugins
  • select on how you want vulnerable plugins to be displayed

To learn more about the Vulnerabilities Scanner, read the article here.


Please note that there is a Scan Indicator available for all Hack Guard scanners. This is a special type of feature that will indicate the exact time that a scan last run.


Scan Indicator for i.e. Plugins and Themes Guard scanner:

Read more about this, read the article here.


Note: You can run the scans from within Scans section of the Shield Security Dashboard:


Step 6: Enable Login Guard Pro features

Login Guard module contains the following Pro features:

  • Brute Force Protection Locations
  • Google reCAPTCHA style (see Step 2)
  • Antibot JS
  • Enforce - Email Authentication
  • Multiple Yubikeys
  • 2FA "Remember me"
  • Allow Backup Codes


Brute Force Protection Locations

This feature helps you to choose the forms for which bot protection measures will be deployed. It works with 3rd party systems such as WooCommerce.


You can choose the following forms:

  • Login form
  • Registration form
  • Lost password form
  • Checkout (WooCommerce)

Please note that, before you choose the forms, ensure that Bot Protection is enabled.


To learn more about the Protection Locations feature, read the article here.


Antibot JS

You can use AntiBot JS includes for custom 3rd party form. There's also "AntiBot Forms" option you may use to enter the selectors of the 3rd party login forms for use with AntiBot JS. 

Important: This is experimental. Please contact support for further assistance:

https://support.onedollarplugin.com/form


Enforce - Email Authentication

You can use this feature to enforce email-based authentication on all users with the selected roles.
Note: This setting only applies to Email Authentication.

To learn more about this feature, read the article here.


Multiple Yubikeys (optional)

If you use Yubikey, you can add as many Yubikey devices to your accounts as you’d like.

To learn more about Shield's Yubikey Two-Factor Authentication, read the article here.


2FA "Remember me"

This feature helps you to set the number of days that Shield will "remember" a successful 2FA login.


To enable it, simply enter the number of days a user can by-pass future MFA after a successful MFA-login (i.e. 5):

To learn more about the 2FA "Remember me" feature, read the article here.


Allow Backup Codes

You can use this feature to allow users to generate a backup code that can be used to login if MFA factors are unavailable. 

To learn more about the Allow Backup Codes feature, read the article here.


Step 7: Enable User Management Pro features

User Management module contains the following Pro features:

  • Password Policies
  • User Login Notification Email


Password Policies

This feature allows you to have full control over passwords used by all users on your site. 


Please note that this requires PHP v5.4+ and above.


To enable this feature, go to User Management module and:

  • enable Password Policies
  • enable Prevent Pwned Passwords to prevent use of ‘pwned passwords
  • set the minimum password length
  • set the minimum password strength
  • enable "Apply To Existing Users" to apply these policies retrospectively to existing passwords forcing users to update passwords when they login again
  • set the password expiration to enforce all users to to reset their passwords after they next login

To learn more about Password Policies feature, read the article here.


User Login Notification Email

When enabled, this feature will send email notification to each user upon successful login.

To learn more about the User Login Notification Email feature, read the article here.


Step 8: Enable Automatic Updates Pro feature

Automatic Updates module contains the following Pro feature:

  • Auto-Updates Delay

This feature forces any automatic upgrade to be delayed for a set number of days. This allows time for killer bugs to be discovered and patched before your site automatically updates.


To configure this, simply enter the number of days into the Update Delay field (i.e 2):

To learn more about the Auto-Updates Delay feature, read the article here.


Step 9: Enable Auditing Pro feature

The Auditing module contains the following Pro feature:

  • Max Trail Length

This feature helps you to set the maximum Audit Trail length you want to keep. When the number is set, any audit trail entries will be automatically removed when the given limit is exceeded.


To set this lenght, simply enter the number into Max Trail Length field:

When the number is set, any audit trail entries will be automatically removed when the given limit is exceeded. 


Step 10: Customize messages displayed to the users

This feature is available within the following modules:

  • Firewall
  • Login Guard
  • Block Bad IPs/Visitors

If you want to communicate to the users in a particular manner and add your own custom messages, you can do that by using the following options:

  • Firewall module: Firewall Block Message - Customize the messages displayed to the user that trigger the firewall
  • Login Guard module: GASP Checkbox Text - Change the text displayed to the user beside the checkbox
  • Login Guard module: GASP Alert Text - Change the text displayed to the user in the alert message if they don't check the box
  • Block Bad IPs/Visitors module: Login Failed - Customize the message displayed if the visitor fails a login attempt
  • Block Bad IPs/Visitors module: Remaining Transgressions - Customize the message displayed if the visitor triggered the IP Transgression system and reports how many transgressions remain before being blocked

To learn how to customize user messages, read the article here.


Step 11: Enable Traffic Watcher

Traffic Watcher can be found within its own module. It's a window; a view into your WordPress site traffic and any requests made to your WordPress site. 


To start using Traffic Watcher, you'll need to enable it first. To do this, simply go to the Traffic Watch module of the Shield plugin => Enable/Disable Module => and click the slider to enable it.


And then, you may configure the following:

  • Traffic log exclusions - select request types that you don't want to be included in the traffic viewer.
    Read more here.
  • Custom Exclusions - manually customize exclusions to skip the logging of web requests you know to be legitimate.
    Read more here.
  • Auto expiry cleaning - enable traffic log auto expiry (optional)
  • Maximum log lenght - limit the size of the log to ensure it will be trimmed to your desired size regularly (optional)
  • Auto disable - enable this option to automatically turn off the logging after 1 week.


Once you've done this, you can start reviewing your WordPress site traffic by using the Traffic Watch viewer available in the Traffic section of the Shield Security Dashboard:

Read more about the Traffic Watch Viewer.


To learn more about the Traffic Watcher, read the article here


Step 12: Use 3rd-Party Support (optional)

This feature works with 3rd party platforms such as WooCommerce, BuddyPress, and Easy Digital Downloads. It is enabled by default on Pro sites.


You can use this feature if you need to add support for 3rd-party login, register, and password reset forms.


It provides the following:

  • User Registration & Login Bot Protection
  • 2-Factor Authentication for users and customers
  • Support WooCommerce social logins


Please note that enabling/using of any of the Shield Pro features explained in this guide depends on your personal requirements. 


If you have issues with any of the Shield features, you can contact us any time. Please see here on how to structure your support requests.