In this walk-through guide, we are going to explain what the next steps you should take upon upgrading to Pro. 


The first step to take is activation of the Pro features on your site. To do this, you wont need your license key. Activation is keyless


You simply log into the site associated to that license, and then:

  1. Open the Shield Pro section
  2. Be sure to have first activated your site URL (the URL of the site you want to license inside your One Dollar Plugin account) by clicking the "Keyless Activation control panel" link. 
  3. Hit the "Check License" button and all the Pro features will be automatically licensed on the site within 30 seconds.

Read more here.


Important: If you have any trouble with keyless activation, just click a little "Debug" link beneath the "Check License" button and send us an error you see. We will investigate the problem for you.

To learn more about Keyless Activation, read the release article here.


Then, you can review the all Pro features and enable the ones you want. 


Each Shield module contains Pro features you may want to use. This is the complete list of the Pro features, what they are used for and how to enable them.


Please note that enabling/using of any of the ShieldPRO features listed below depends on your personal requirements.


Shield ModulePro FeatureDescriptionSscreenshots
General Settings
Allow WP-CLIWith WP-CLI you can perform many common actions of the ShieldPRO plugin just as you would with the point-and-click UI.
More Info

Common WP-CLI commands for all modules can be found here.
General SettingsCAPTCHA Style 

Choose your own CAPTCHA style:

  • "light" theme
  • "dark" theme
  • "invisible captcha"

Before you use this feature, please ensure that Google reCAPTCHA or hCaptcha is enabled.


This feature is available within the following modules:

  • Shield General (go to CAPTCHA => CAPTCHA style)
  • Login Guard (go to CAPTCHA => CAPTCHA style)
  • Comments SPAM (go to Bot SPAM => CAPTCHA style)

More Info

General SettingsImport/ExportAutomatically import options and deploy configurations across your entire security network. You can easily setup the Shield Security plugin on 1 site and have all options replicated to your other sites automatically.

You can also exclude options you don't want to be imported.
More Info
Security AdminPersistent Security AdminsSpecify usernames for Security Admin role.

Admin users provided will be security admins automatically, without needing the security PIN. 


Enter admin username, email or ID. 1 entry per-line.

More Info

Security Admin

White Label 

Rename and re-brand the Shield plugin for your client site installations and own your own brand.


You can also chose your own logo to display on the Two-Factor Authentication login page. The all White Label options are best explained here.


To activate While Label, make sure that Security Admin system is enabled

More Info

Block Bad IPs/VisitorsUser Auto Unblock 

Allow your site visitors to automatically unblock themselves from Shield. 


When this feature is activated, your site visitors/users will just need to check the bot protection checkbox and click the "Unblock My IP Address" button. They will automatically get unblocked, and their IP will be removed from the blacklist.


A visitor will only be able to remove themselves from the block list once in a 24 hour period.

More Info

Block Bad IPs/VisitorsRequest Path Whitelist 

Prevent requests to particular paths on your site from triggering the IP blacklisting system.


That is to say, if you specify whitelisted path 

/my-whitelisted-path/ 

and a visitor makes a request to your site to this URL and triggers the Shield Security system to blacklist or blackmark the visitor IP address, this trigger will be ignored.

More Info

Block Bad IPs/VisitorsLogin BotsOption
  • Invalid Usernames

Identify and capture Bot when it tries to login with a non-existent username. This includes the default 'admin' if you've removed that account.


This may indicate a bot’s attempt to login. Since it used a non-existent username, chances are higher that it’s a bot.


You can also decide how you want Shield to respond:

  • Audit Log Only
  • Increment Offense
  • Double Offense
  • Immediate block

More Info

Block Bad IPs/VisitorsProbing BotsOptions
  • 404 Detect - identify and capture a bot when it hits a 404
  • Link Cheese (Mouse Trap) - tempt and capture a bot with a fake link to follow
  • XML-RPC Access - Identify and capture a bot when it accesses XML-RPC

You can also decide how you want Shield to respond:

  • Audit Log Only
  • Increment Offense
  • Double Offense
  • Immediate block

More Info

Block Bad IPs/VisitorsBot BehaviorsOptions
  • Fake Web Crawler - identify and capture a bot when it presents as an official web crawler, but analysis shows it's fake
  • Empty User Agents - identify and capture a bot when the user agent is not provided

You can also decide how you want Shield to respond:

  • Audit Log Only
  • Increment Offense
  • Double Offense
  • Immediate block

More Info

Block Bad IPs/VisitorsManual IP Blacklisting 

Manually add IP you want to blacklist (if needed). 


This is done through IP Lists section of the Shield Security Dashboard. You can add as many IPs as you like. You can also manually block IP address range.


Note that, if you have the automated black list system enabled, the blacklisted IP will be removed over time. The expiration time depends on your Auto Block Expiration settings.

More Info 

Audit TrailMax Trail Length

Set the maximum Audit Trail length you want to keep. 


When the number is set, any audit trail entries will be automatically removed when the given limit is exceeded.

More Info

Hack GuardMalware Scanner

Scan and monitor files for Malware infections.


This scanner monitors and detects presence of Malware signatures.


Keep this scanner turned on, at all times.


Currently files of the following types are supported: PHP

More Info

Hack GuardPlugins & Themes Scanner

Scan and monitor Plugin & Theme files for changes.


This scanner looks for new files added to plugins or themes, and also for changes to existing files.


Keep this scanner turned on, at all times.


It doesn't currently detect missing files.


You can also automatically repair files that have changes, if you want.

More Info

Hack GuardVulnerability Scanner

Regularly scan your list of the installed WordPress plugins and compare their current versions against a list of known plugin vulnerabilities.


You can also set this scanner to automatically apply updates to items with known vulnerabilities when an update becomes available.

More Info


Hack GuardFile Locker

Lock files against tampering and changes.


File Locker detects changes to the some of the most important WordPress files as they happen (in realtime). Then, lets you examine contents and revert as required.


The files covered with File Locker system are

  • WP Config
  • Root .htaccess
  • Root index.php

More Info

Hack GuardDaily Scan Frequency 

The default schedule of the automatic scans is once every 24hrs.


Improve security, increase the schedule of the automated scanners so they run more than once per day.

More Info

Hack GuardShow Re-Install Links 

When this feature is enabled, it will make 2 changes to your WordPress admin plugins page:

  1. It adds a new link your plugins allowing you to easily re-install a plugin.
  2. It adds a message to the "Activate" link letting you re-install the plugin right before activation.

Plugins & Themes scanner will ensure that the files are clean and original at the time of activation. In this way, plugin files cannot have been compromised or edited in any way.


Note that these re-install options are only available for plugins that are installed from WordPress.org.

More Info

Traffic WatchCustom Exclusions

If you want to manually customize exclusions to skip the logging of web requests you know to be legitimate, you can use Custom Exclusions system.


This reduces the size of your traffic log and also prevents your logs from filling up with information you might don't need to have logged. 

More Info

Traffic WatchMax Log Length

Set the maximum Traffic log length you want to keep. 


When the number is set, DB cleanup will delete logs to maintain this maximum number of records.



Traffic WatchTraffic Rate Limiting

Traffic rate limiting is where you restrict the number of requests a single visitor can make against your site, within a certain period of time.


Use this feature with care. You could block legitimate visitors who load too many pages in quick succession on your site.


You can set

  • Max Request Limit - the maximum number of requests that are allowed within the given request time limit

Use a larger maximum request limit to reduce the risk of blocking legitimate visitors.

  • Request Limit Time Interval - the time period within which to monitor for multiple requests that exceed the max request limit.

Use a smaller interval to reduce the risk of blocking legitimate visitors.

More Info

Login GuardAntiBot Forms

You can use AntiBot JS includes for custom 3rd party form.

Enter the selectors of the 3rd party login forms for use with AntiBot JS. The default selectors are:

  • form#ihc_login_form
  • form#createuser

Note that IDs are prefixed with "#". Classes are prefixed with ".".


IDs are preferred over classes.


This is experimental. Please contact support for further assistance.

Login Guard2FA - Allow Any User

Allow any user to turn-on Two-Factor Authentication by email.


Any user can turn on/off 2FA by email from their profile.

More Info

Login GuardHardware 2FA - Allow U2F

Allow users to register U2F devices to complete their login.


Currently only U2F keys are supported. Built-in fingerprint scanners aren't supported (yet).


Beta! This may only be used when at least 1 other 2FA option is enabled on a user account.


Requires PHP 7.0 or later.

More Info

Login GuardYubikey multiple keys

If you’re using Yubikeys on your WordPress sites – losing your Yubikey could cause some major headaches.


So with Shield, users can add as many Yubikey devices to their accounts as they’d like.

More Info

Login GuardMulti-Factor By-Pass (Remember Me)

A user can by-pass Multi-Factor Authentication (MFA) for the set number of days.


Enter the number of days a user can by-pass future MFA after a successful MFA-login. 0 to disable.

More Info


Login GuardAllow Backup CodesAllow users to generate a backup code that can be used to login if MFA factors are unavailable.
More Info


User ManagementUser RegistrationOptions
  • Validate Email Addresses - validate email addresses when user attempts to register.

    To validate an email your site sends a request to the WPHashes API and may cause a small delay during the user registration request.

  • Email Validation Checks - select the properties that should be tested during email address validation.

More Info

User ManagementPassword Policies

Have full control over passwords used by users on the site.


Once you have Password Policies feature turned on and the password quality requirements set, all users roles (including Security Admin) must meet those requirements - there's no exceptions whatsoever. Otherwise, they will not be able to login. 

More Info


User ManagementUser SuspensionOptions
  • Allow Manual User Suspension - users may be manually suspended by admins to prevent future login. 
  • Auto-Suspend Expired Passwords - automatically suspends login by users and requires password reset to unsuspend.

    Requires password expiration policy to be set.

  • Auto-Suspend Idle Users - automatically suspends login for idle accounts and requires password reset to unsuspend.

    Specify the number of days since last login to consider a user as idle.

  • Auto-Suspend Idle User Roles - automatic suspension for idle accounts applies only to the roles you specify.

    Take a new line for each user role.

More Info

User ManagementUser Login Notification Email

When this feature is enabled, a notification is sent to each user when a successful login occurs for their account.

More Info

User Management

Login Notification Email for Admins



Supply multiple email addresses for Administrator login notifications.
More Info
Comments SPAMTrusted User Roles

Protect against comments SPAM by registered users.


Shield doesn't normally scan comments from logged-in or registered users.


Specify user roles here that shouldn't be scanned.


Take a new line for each user role.

More Info

Automatic UpdatesUpdate Delay

Protect your WordPress site against auto-update disasters. 


This feature forces any automatic upgrade to be delayed for a set number of days. This allows time for killer bugs to be discovered and patched before your site automatically updates.


So, Shield will delay upgrades until the new update has been available for the set number of days. This helps ensure updates are more stable before they're automatically applied to your site.

More Info

HTTP HeadersManual CSP Rules

You can add manual CSP rules which are not covered by the rules listed under the CSP Headers section.


You should test them on your site thoroughly first.

Take a new line per rule.

More Info

Other3rd-Party Support

The 3rd-Party Support feature is a part of the Login Guard module. It works with 3rd party platforms such as WooCommerce, BuddyPress, and Easy Digital Downloads. 


It provides the following:

  • User Registration & Login Bot Protection
  • 2-Factor Authentication for users and customers
  • Support Woocommerce social logins


The 3rd-Party Support feature is enabled by default on Pro sites.


The full list of the compatible WordPress membership plugins can be found here.


Note: There's also "AntiBot Forms" option you may use to enter the selectors of the 3rd party login forms for use with AntiBot JS. 


OtherCustomised User Messages

You have the ability to customize messages displayed to the user. 


If you want to communicate to the users in a particular manner and add your own custom messages, you can do that by using the following options:

  • Firewall Block Message
  • GASP Checkbox Text
  • GASP Alert Text
  • Login Failed
  • Remaining Offenses

Customised messages are available under the

  • Block Bad IPs/Visitors module => Messages
  • Firewall module => Messages
  • Login Guard module => Messages
  • Comments SPAM module => Messages

More Info

OtherCustomise 2FA Email Content

You can change the content shown to users through the use of custom templates.


At this moment, you can customise Two-Factor Authentication Code email.

More Info

Need Help?

ShieldPRO support has worked very hard putting together comprehensive guides to troubleshooting. We’ve identified the most common customer questions, and have outlined solutions in many articles in our Help Center here.


If you can't find the answer to your question in the Help Center, get in touch any time so we can help.