Title: Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning
Author: Paul
Published: 9 de Xullo, 2013
Last modified: 21 de Maio, 2026
---
Buscar plugins
# Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning
Por [Paul](https://profiles.wordpress.org/paultgoodchild/)
[Descargar](https://downloads.wordpress.org/plugin/wp-simple-firewall.22.0.5.zip)
* [Detalles](https://gl.wordpress.org/plugins/wp-simple-firewall/#description)
* [Valoracións](https://gl.wordpress.org/plugins/wp-simple-firewall/#reviews)
* [Instalación](https://gl.wordpress.org/plugins/wp-simple-firewall/#installation)
* [Desenvolvemento](https://gl.wordpress.org/plugins/wp-simple-firewall/#developers)
[Soporte](https://wordpress.org/support/plugin/wp-simple-firewall/)
## Descrición
Most security plugins hand you a dashboard full of alerts and expect you to know
what to do next. Shield works differently.
It blocks threats automatically, repairs what it can on its own, and then **shows
you exactly what still needs your attention** — ranked by impact, not volume. Less
noise. More action.
#### 🤖 Security That Runs Itself
The most powerful thing Shield does is what it handles without you:
* **Automatic IP Blocking** — every visitor is quietly scored as they interact
with your site. Failed logins, firewall blocks, silentCAPTCHA failures, and other
signals accumulate into a reputation score. When a visitor’s score crosses the
threshold, Shield blocks them — automatically, without you lifting a finger
* **Automatic File Repair** — when a file integrity scan finds a changed WordPress
core file, Shield pulls the original from WordPress.org and restores it. Detected
and fixed, without waiting for you to act
* **Automatic Bot Recognition** — Shield identifies legitimate crawlers (Google,
Bing, DuckDuckGo, Yandex, Apple) and known services (ManageWP, Pingdom, Stripe,
CloudFlare) and never blocks them. Your SEO and monitoring tools keep working
#### 🧭 Guided Security, Not Just a Dashboard
Shield organises your security into four focused areas so you always know where
to look:
* **Queue** — things that need your attention, ranked by priority. Not everything
at once — just what matters right now
* **Investigate** — dig into blocked IPs, security events, and the specific signals
that triggered each one
* **Configure** — guided setup for each protection area, with clear recommendations
matched to your site
* **Reports** — a clear view of what Shield has blocked, detected, and repaired
over time
The goal: guide you quickly towards action, not bury you in data.
#### 🛡️ Free Protection
**Bot Blocking & Firewall**
* **`silentCAPTCHA`** — blocks bad bots on login, registration, lost password,
and comment forms using passive signals invisible to real visitors. No CAPTCHA
keys. No external requests. No JavaScript that breaks your forms. Everything
runs on your server (GDPR friendly).
* Firewall rules blocking common WordPress attack patterns — SQL injection probes,
known exploit signatures, suspicious request parameters
* XML-RPC protection — disable or restrict entirely, including pingbacks and trackbacks
* REST API firewall — block unauthenticated requests
* Fake crawler detection — identifies bots spoofing legitimate search engines
**Login & Account Security**
* **Two-factor authentication (2FA)** — email codes, Google Authenticator, or YubiKey
OTP for all users
* Brute force protection with configurable login attempt limits and cooldown
* Session locking — tie sessions to a browser or IP to stop account theft after
a successful login
* User enumeration blocking — closes off `?author=` probes used to harvest usernames
before an attack
**Scanning & Integrity**
* **Core file scanning** — compares WordPress core against official checksums and
repairs changed files automatically
* Suspicious PHP detection — flags PHP files in locations where they have no business
being
* Abandoned plugin detection — identifies unmaintained plugins most likely to carry
unpatched vulnerabilities
**Visibility & Control**
* **Security Admin PIN** — lock Shield’s own settings so other administrators cannot
quietly weaken your configuration
* Security activity log — logins, user changes, plugin and theme events, post edits,
and suspicious requests: Everything in one clear view
* IP Rules — automatic & manual block and bypass rules, CIDR range support, full
per-IP request history
#### 🤝 CrowdSec Integration
Shield is the only WordPress security plugin with a native CrowdSec integration.
CrowdSec aggregates threat signals from millions of sites into a shared IP reputation
network — your site blocks known attackers before they ever probe you, using intelligence
far beyond your own traffic history.
#### ✨ ShieldPRO
* **Passkeys** — phishing-resistant, passwordless login for users
* **Backup login codes** — emergency 2FA access when a device is lost
* **AI-based malware scanner** — detects known and unknown PHP malware
* **Plugin & theme file scanning** — compares installed files against WordPress.
org originals, flagging unauthorised changes
* **Vulnerability scanning** — active checks across all installed plugins and themes
* **Broader spam protection** — WooCommerce, EDD, Contact Form 7, Ninja Forms,
Elementor, and more
* **Traffic rate limiting** — cap request rates per IP to absorb high-volume bot
floods
* **User suspension** — manual or automatic suspension of idle accounts
* **MainWP integration**
* **White Label** — rename and rebrand Shield for client sites
#### Who It’s For
Shield suits site owners, agencies, and MSPs who want protection that runs itself—
not a plugin that demands constant attention to be useful.
If you have been burned by security plugins that generate more noise than protection,
or dashboards that tell you everything is wrong without telling you what to fix,
Shield was built to be the alternative.
## Capturas
* [[
* Security overview with current site status, important recommendations, and recent
security events.
## Instalación
1. Browse to Plugins -> Add New in your WordPress admin area.
2. Search for `Shield Security`.
3. Click Install Now, then Activate.
4. Open `Shield` from the admin menu and follow the guided setup.
## Preguntas frecuentes
Please see the dedicated security [help centre](https://clk.shldscrty.com/firewallhelp)
for details on features and some FAQs.
### How does automatic IP blocking work?
Shield assigns offense points to visitors who trigger security rules — failed logins,
firewall blocks, silentCAPTCHA failures, and other signals. When a visitor’s points
reach the configured threshold, they are blocked automatically. You can review blocked
IPs, adjust thresholds, or add manual rules from the IP Rules section.
### How does silentCAPTCHA detect bots without interrupting real visitors?
It analyses passive signals — timing, form interaction behaviour, and request characteristics—
to distinguish automated requests from genuine visitors. There is no challenge to
complete, no external site keys to set up, and no JavaScript that can break your
forms. Everything stays on your server.
### My server already has a firewall. Why do I need Shield too?
Your host or network firewall protects the server perimeter. Shield works inside
WordPress, where it understands login attempts, user changes, plugin activity, file
integrity, and attack patterns specific to WordPress. The two layers solve different
problems and complement each other.
### Can Shield block comment SPAM?
Yes. `silentCAPTCHA` protects the WordPress comment form in the free plugin. ShieldPRO
extends coverage to Contact Form 7, Ninja Forms, WooCommerce, and a range of other
integrations.
### Can I use Shield alongside another security plugin?
Generally, no. Running two plugins that control the same login or request flows
leads to duplicate blocking, noisier logs, and harder troubleshooting. If you keep
another plugin active, disable the areas where they overlap.
### I’ve locked myself out of my site. What do I do?
This usually happens after adding your own IP to the block list, or enabling 2FA
when your site cannot deliver email codes.
1. Open an FTP or file manager connection to `/wp-content/plugins/
wp-simple-firewall/`.
2. Create a file in that folder called `forceoff`.
3. Load any page on your site — Shield will switch off.
Delete `forceoff` from the server once you are back in.
### I’m not receiving my 2FA email code.
Email delivery depends on your site’s mail configuration, not Shield. If it is unreliable,
set up a dedicated transactional email service or switch users to an authenticator
app instead.
### Does the IP bypass list support ranges, and does it take precedence over block rules?
Yes to both. Shield supports CIDR notation for IP ranges, and bypass entries always
take precedence over block rules.
### Is White Label available?
Yes. ShieldPRO includes White Label controls to rename and rebrand Shield for client
sites.
## Comentarios
### [I hate this expensive, complex plugin](https://wordpress.org/support/topic/i-hate-this-expensive-complex-plugin/)
[sondrasneed](https://profiles.wordpress.org/sondrasneed/) 11 de Marzo, 2026 3
respostas
I’m so tired of visitors being locked out of client sites, clients being locked
out. I have no idea how to get real support. It’s sold as a simple, robust security
plugin, but it’s by no means simple; unless you’re a security expert. I want a refund
but have no idea how to reach someone to get it. So unhappy.
### [Causes critical error](https://wordpress.org/support/topic/causes-critical-error-5/)
[exoduss](https://profiles.wordpress.org/exoduss/) 16 de Setembro, 2025
Installed it two times, and each time it completely blocked access to the Wordpress
dashboard. Had to use FTP to delete this plugin.
### [Solid Security Plugin with Some Hidden Pitfalls](https://wordpress.org/support/topic/solid-security-plugin-with-some-hidden-pitfalls/)
[Amanda](https://profiles.wordpress.org/amahend/) 9 de Xuño, 2025
I’m a web developer and I like Shield Security. It’s solid and offers strong protection.
That said, after following their advice to improve my security grade, I couldn’t
edit the WordPress Customizer for months. Support was polite but mostly suggested
generic fixes like disabling HTTP headers, which didn’t solve the problem. It took
me some digging to find the real cause. The issue was the anonymous REST API setting
blocking access. Once I disabled anonymous REST API, everything worked again. I
realize this was my fault for not researching the setting before enabling it, but
since Shield’s dashboard recommended it to improve my security score, it caught
me off guard. Shield Security is the best security plugin on the market, but it
would be helpful if they added a clearer caution about how some settings might break
parts of WordPress. It’s powerful but comes with some tricky trade-offs.
### [La versió PRO funciona perfectament](https://wordpress.org/support/topic/la-versio-pro-funciona-perfectament/)
[ibosch](https://profiles.wordpress.org/ibosch/) 20 de Maio, 2025 1 resposta
Avui dia qualsevol web amb wordpress requereix de seguretat. Això és un fet.Només
cal mirar i fer un seguiment de les peticions http de la web i veureu centenars
de bots amb males intencions, “scaners” a la rescerca de vulnerabilitats.., indexadors
de seo, crawlers.. de tot. Si hi ha una vulnerabilitat.. tard o d’hora els bots
la trobaran: ja sigui per credencials, llista d’usuaris, email, json, pluggins desfassats
o temes antics sense manteniment..Amb la protecció de Shield. en la versió PRO,
tots els problemes d’inseguretat s’acaben. Lògicament hauràs de fer un seguiment
setmanal per a controlar si la teva web reb moltes visites i hi ha tenda, ja que
passarà a ser un target per a les persones amb males intencions.La versió gratuïta
funciona de manera bàsica.., però he de dir que hi ha un salt enorme de possibilitats
amb la versió PRO. Hi ha la “prova de 15 dies”.. recomano instal·leu la versió gratuïta,
la configureu.. i després al dia següent reviseu com ha anat tot, i activeu la prova
de 15 dies, torneu a configurar segons les opcions PRO. Aquí entendreu tot lo que
comento a sobre. Si no entens massa de cada configuració.. hi ha una explicació
curta al costat abans d’activar-la i, a més, enllaços a informació del què fa cada
configuració en el blog del Paul.Suma-li, que el Paul i la Jelena responen ràpidament
qualsevol consulta via email..L’únic requisit que li falta per a ser “ideal” és
el bloqueig tipus GEO IP. Això permetria treure’s de sobre multitud de “feina i
bots” si el teu target de visites/ventes de la teva web són a països molt concrets.
Recomano.
### [good features, very good support, good price](https://wordpress.org/support/topic/good-features-very-good-support-good-price/)
[Hans](https://profiles.wordpress.org/h1a2n3s4/) 22 de Marzo, 2025
Shield Security Pro looks like a very good security plugin to me with a lot of features.
It’s UI is really nice, and I think it protects my website very well. I’ve contacted
their support a few times, and always got fast, clear and relevant answers. I also
think it’s reasonably priced.
### [Reliable and Essential Security Tool](https://wordpress.org/support/topic/reliable-and-essential-security-tool/)
[wphoderuser](https://profiles.wordpress.org/wphoderuser/) 28 de Agosto, 2024
I’ve been using Shield Security for quite some time now, and I can confidently say
that it’s one of the best security plugins out there. This tool has already saved
my website from serious hacking attempts on two separate occasions, giving me peace
of mind knowing that my site is well-protected. The plugin is straightforward to
set up, and the features are robust, offering everything I need to keep my site
secure. The support team is responsive and clearly committed to improving the product
continuously. Overall, Shield Security is an essential tool for anyone serious about
protecting their website. Highly recommended!
[ Ler todas as 1.032 opinións ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/)
## Colaboradores e desenvolvedores
“Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning”
é un software de código aberto. As seguintes persoas colaboraron con este plugin.
Colaboradores
* [ Paul ](https://profiles.wordpress.org/paultgoodchild/)
* [ Shield Security ](https://profiles.wordpress.org/getshieldsecurity/)
“Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning”
foi traducido a 8 idiomas. Grazas [aos desenvolvedores](https://translate.wordpress.org/projects/wp-plugins/wp-simple-firewall/contributors)
polas súas contribucións.
[Traduce “Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning” ao teu idioma.](https://translate.wordpress.org/projects/wp-plugins/wp-simple-firewall)
### Interesado no desenvolvemento?
[Revisa o código](https://plugins.trac.wordpress.org/browser/wp-simple-firewall/),
bota unha ollada ao[repositorio SVN](https://plugins.svn.wordpress.org/wp-simple-firewall/),
ou subscríbete ao [log de desenvolvemento](https://plugins.trac.wordpress.org/log/wp-simple-firewall/)
por [RSS](https://plugins.trac.wordpress.org/log/wp-simple-firewall/?limit=100&mode=stop_on_copy&format=rss).
## Rexistro de cambios
#### [View Shield Security Changelog](https://clk.shldscrty.com/shieldwporgfullchangelog)
## Meta
* Versión **22.0.5**
* Última actualización **Fai 2 días**
* Instalacións activas **40.000+**
* Versión de WordPress ** 5.7 ou superior **
* Probado ata **7.0**
* Versión de PHP ** 7.4 ou superior **
* Idiomas
* [Dutch](https://nl.wordpress.org/plugins/wp-simple-firewall/), [English (Canada)](https://en-ca.wordpress.org/plugins/wp-simple-firewall/),
[English (UK)](https://en-gb.wordpress.org/plugins/wp-simple-firewall/), [English (US)](https://wordpress.org/plugins/wp-simple-firewall/),
[German](https://de.wordpress.org/plugins/wp-simple-firewall/), [Italian](https://it.wordpress.org/plugins/wp-simple-firewall/),
[Japanese](https://ja.wordpress.org/plugins/wp-simple-firewall/), [Romanian](https://ro.wordpress.org/plugins/wp-simple-firewall/),
e [Turkish](https://tr.wordpress.org/plugins/wp-simple-firewall/).
* [Traduce ao teu idioma](https://translate.wordpress.org/projects/wp-plugins/wp-simple-firewall)
* Etiquetas
* [2FA](https://gl.wordpress.org/plugins/tags/2fa/)[Activity Log](https://gl.wordpress.org/plugins/tags/activity-log/)
[bots](https://gl.wordpress.org/plugins/tags/bots/)[firewall](https://gl.wordpress.org/plugins/tags/firewall/)
[security](https://gl.wordpress.org/plugins/tags/security/)
* [Vista avanzada](https://gl.wordpress.org/plugins/wp-simple-firewall/advanced/)
## Valoracións
4.8 de 5 estrelas
* [ 965 valoracións de 5 estrelas ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/?filter=5)
* [ 26 valoracións de 4 estrelas ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/?filter=4)
* [ 11 valoracións de 3 estrelas ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/?filter=3)
* [ 9 valoracións de 2 estrelas ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/?filter=2)
* [ 21 valoracións de 1 estrelas ](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/?filter=1)
[Your review](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/#new-post)
[Ver todas as valoracións](https://wordpress.org/support/plugin/wp-simple-firewall/reviews/)
## Colaboradores
* [ Paul ](https://profiles.wordpress.org/paultgoodchild/)
* [ Shield Security ](https://profiles.wordpress.org/getshieldsecurity/)
## Soporte
Problemas resoltos nos últimos dous meses:
1 de 2
[Ver o foro de soporte](https://wordpress.org/support/plugin/wp-simple-firewall/)
## Doar
Queres apoiar o progreso deste plugin?
[ Dona a este plugin ](https://clk.shldscrty.com/bw)