Shield WP Admin Pro

Introduction & Overview

Shield WP Admin Pro is a powerful WordPress security plugin designed specifically to protect and harden the WordPress admin area. It focuses on preventing unauthorized access, reducing common attack vectors, and providing administrators with clear visibility into security-related activities.

Instead of relying on a single protection layer, Shield WP Admin Pro applies multiple security mechanisms such as login protection, two-factor authentication, bot detection, file change monitoring, and backup recovery tools. The plugin is suitable for single-site owners, agencies, and developers managing multiple WordPress installations.

Key Features Overview

Why Use Shield WP Admin Pro?

Shield WP Admin Pro helps secure your WordPress site by focusing on the most commonly exploited areas - login pages, admin access, file integrity, and backups.

• Reduces brute-force attacks through login limits, reCAPTCHA, and IP blocking
• Protects admin access with 2FA and email OTP verification
• Detects unauthorized changes using file and malware scanning
• Provides visibility with detailed logs and admin analytics
• Enables quick recovery with built-in backup and restore tools
• Optimized for performance with lightweight and modular code

System Requirements

Back to top

TemplateMonster License

Shield WP Admin Pro is distributed under the TemplateMonster "For 1 Site" License, which allows usage on a single website only.

Key License Rules

• One license is valid for one WordPress site only.
• Each production domain requires a separate license.

License Activation

• Enter your TemplateMonster purchase code and email.
• The license is securely validated and bound to your domain.
• License can be deactivated and moved to another site.

Retrieve Your Purchase Code

1. Sign in to your account at account.templatemonster.com
2. Navigate to My Account → Downloads section
3. Locate your Shield WP Admin Pro purchase in the downloads list
4. Copy the Purchase Code displayed for license activation

Important Notes

• Do not share your purchase code publicly
• License abuse may result in deactivation
• TemplateMonster license terms apply in full

Back to top

Installation & Setup

Method 1: WordPress Admin (Recommended)

1. Log in to your WordPress admin dashboard.
2. Navigate to Plugins → Add New.
3. Click the Upload Plugin button.
4. Select shield-wp-admin-pro.zip and click Install Now.
5. When installation completes, click Activate Plugin.

Method 2: Manual FTP

1. Extract the shield-wp-admin-pro.zip file on your computer.
2. Upload the extracted folder to /wp-content/plugins/ via FTP.
3. Log in to WordPress and open Plugins → Installed Plugins.
4. Locate Shield WP Admin Pro and click Activate.

Initial Plugin Setup

After activation, Shield WP Admin Pro adds its dashboard to the WordPress sidebar. Use it to review system status and enable security modules.

1. Navigate to Shield WP Admin Pro from the WordPress admin sidebar.
2. Review the available security modules listed under the Shield WP Admin Pro menu.
3. Open each module (such as Login Security, Malware Scanner, or Audit Logs) to configure its settings.
4. Enable or disable individual security features based on your website requirements.

Recommended First-Time Configuration

Enable these essentials immediately after installation for maximum protection:

• Set Permalinks to Post name
• Custom Login URL + Limit Login Attempts
• Google reCAPTCHA and Two-Factor Authentication
• Email notifications for security alerts
• Initial file integrity and malware scan

Troubleshooting Installation Issues

• Verify permissions on /wp-content/plugins/
• Confirm ZIP uploads are allowed on your host
• Temporarily disable conflicting security plugins
• Check PHP error logs if activation fails

Persistent issues? Contact support with your WordPress version, PHP version, and exact error details.

Back to top

License Configuration

Shield WP Admin Pro uses a secure license activation system to enable premium features. Each license is validated against your domain to ensure authorized usage and prevent misuse.

Activating your license unlocks all Pro modules including advanced login security, malware scanning, backup & restore, analytics, and enterprise-grade hardening features.

Accessing the License Page

To manage your license, navigate to:

• WordPress Admin → Shield WP Admin Pro → License

How License Activation Works

The license activation process securely verifies your purchase details and binds the license to your website domain.

1. Enter your Purchase Code
2. Provide your Email Address
3. Click Activate License

Once activated, the system validates the license and enables all premium features automatically.

License Status Indicators

What Information Is Stored

After activation, the following license details are securely stored and displayed:

• Email: Stored for license owner contact records
• Domain: Website where the license is active
• License Status: Active / Inactive

Deactivating a License

You can deactivate your license at any time by clicking the Deactivate License button.

Deactivation is recommended when:

• Migrating your website to a new domain
• Moving from staging to production
• Reinstalling WordPress

Security & Validation

Shield WP Admin Pro performs license checks securely without impacting site performance. The license system is designed to:

• Prevent unauthorized access to premium features
• Bind license to approved domains
• Ensure stable operation even during temporary connectivity issues

Back to top

Features List

Shield WP Admin Pro provides a comprehensive set of security, monitoring, and recovery tools designed to protect the WordPress admin area and critical site components.

🛡️ Core Security & Access Control

• Login Security - Secure admin login with advanced protection rules
• Two-Factor Authentication (2FA) - Additional verification layer for admin access
• Email OTP Authentication - One-time password verification via email
• Custom Login Protection - Reduce brute-force and unauthorized access attempts

🚦 Rate Limiting & Bot Protection

• Rate Limit & Bot Protection - Restrict repeated login and request attempts
• Fake Bot Detection - Block fake crawlers and malicious bots
• IP Blacklist - Control access based on IP rules
• Request Validation - Detect suspicious and malformed requests

🧪 Malware & File Security

• Malware Scanner - Scan files for suspicious and malicious code
• File Modified Scanner - Detect unauthorized file changes
• Manual & Automated Scans - Run scans on demand or on schedule
• File & Directory Exclusions - Ignore safe files and folders

📊 Monitoring, Logs & Analytics

• Audit Logs - Track login and authentication events
• Login Analytics - Visual insights into login activity
• Admin Analytics - Monitor live traffic and admin access

🔐 API & System Protection

• Secure APIs - Protect WordPress REST and custom API endpoints
• Hotlink Protection - Prevent unauthorized media usage
• WordPress Hardening Rules - Disable risky core features

💾 Backup & Recovery

• Full Site Backup - Database + files backup
• Database-Only Backup - Lightweight and fast backups
• One-Click Backup & Restore - Backup and Restore your site easily
• Backup Management - Download and delete backups

📧 Email & Notification System

• Built-in SMTP Configuration - Reliable email delivery
• Test Email Utility - Verify SMTP settings
• Security Notifications - Email alerts for critical actions

🔑 Licensing & Management

• License Activation System - Secure license verification
• Domain-based License Binding - Prevent unauthorized usage

⚙️ Performance & Reliability

• Lightweight and optimized architecture
• No impact on front-end performance
• Modular feature-based design
• Compatible with latest WordPress versions

Back to top

1. General Settings

Overview

The General Settings page is the primary configuration area of Shield WP Admin Pro. From here, you can manage login customization, brute-force protection, reCAPTCHA integration, WordPress hardening options, and IP blocking rules.

These settings apply globally and form the foundation of your website’s security configuration.

Accessing General Settings

1. Log in to your WordPress admin dashboard.
2. Navigate to Shield WP Admin Pro → Shield WP Admin Pro.
3. The General Settings page will open by default.

Login Page Customization

• Custom Login Logo
  Upload a custom logo to replace the default WordPress logo on the login page. This helps with branding and professional presentation.
• Custom Login Background
  Upload an image to be used as the background of the WordPress login page.

Custom Login URL Protection

• Enable Custom Login Slug
  When enabled, the default WordPress login URLs (wp-login.php and /wp-admin) are disabled.
• Custom Admin Login Slug
  Define a custom login URL slug (example: yoursite.com/mysecretlogin) to access the admin login page.

Login Attempt Protection

• Limit Login Attempt
  Set the maximum number of failed login attempts allowed before a user is blocked.
• User Block Duration (Minutes)
  Define how long (in minutes) a user will be blocked after exceeding the login attempt limit.

Google reCAPTCHA Protection

• Enable reCAPTCHA
  Enable Google reCAPTCHA on the admin login form to prevent automated login attempts.
• reCAPTCHA Site Key
  Enter your Google reCAPTCHA site key.
• reCAPTCHA Secret Key
  Enter your Google reCAPTCHA secret key.

You can generate reCAPTCHA keys from the official Google reCAPTCHA website.

WordPress Hardening Options

• Hide File Editor Option
  Disables the theme and plugin file editor in the WordPress admin area.
• Hide WordPress Version
  Removes WordPress version information from the site’s source code.
• Disable XML-RPC
  Disables XML-RPC access, which is commonly abused for brute-force attacks.
• Force HTTPS in Admin
  Forces HTTPS for all admin URLs (recommended only if SSL is properly configured).
• Disable Pingbacks / Trackbacks
  Prevents all pingbacks and trackbacks to reduce spam and abuse.

IP Blacklisting

• Blacklist IP Addresses
  Enter IP addresses to block access to your site. Add one IP address per line.

Saving Settings

After configuring your settings, click the Save Changes button at the bottom of the page. All changes take effect immediately.

Back to top

2. Login Security

The Login Security module protects your WordPress login system against automated bots, brute-force attempts, and malicious injection attacks. It also allows you to configure notifications and manual user registration approval.

Accessing Login Security Settings

1. Log in to your WordPress admin dashboard.
2. Navigate to Shield WP Admin Pro → Login Security.
3. Use the tabs at the top to switch between Login Security, Notification, and Manual Approval.

Login Security Settings

• Enable Honeypot Protection
  Enables a hidden honeypot field on the login form. Automated bots that fill this hidden field are blocked instantly.
• Honeypot Field Name
  Defines a unique hidden field identifier used by the honeypot system. Only lowercase letters, numbers, and underscores are allowed.
• Enable Injection Guard
  Detects SQL injection and JavaScript injection patterns in login fields and blocks the request automatically.
• Injection Lockout (Minutes)
  Sets the duration (in minutes) to block an IP address after an injection attempt is detected.
• Suspicious Pattern List
  A list of suspicious keywords or patterns (one per line) that will be matched against login form submissions. Matches are case-insensitive.

Notification Settings

• Notification Email
  Email address used to receive security alerts. If left empty, the site administrator email is used.
• Lockout Notifications
  Sends an email when a user exceeds the login attempt limit and is temporarily blocked.
• Admin Login Notifications
  Sends an email when an administrator logs in successfully.
• Enable Login Analytics
  Enables tracking and logging of all login attempts across the site, including WooCommerce and membership-based logins.

Manual Registration Approval

Enable Manual Registration Approval lets you turn administrator review on or off for new signups. When the toggle is enabled, every new registration stays pending until an admin approves it; when disabled, new users are activated immediately after submitting the form.

The Manual Registration Approval feature allows administrators to review and approve newly registered users before they gain access to the site.

• Pending Accounts
  Displays a list of users awaiting approval.
• Go to Users List
  Redirects you to the WordPress Users screen, where you can approve or manage pending accounts.

Saving Changes

After configuring your settings, click the Save Changes button within each tab. Changes take effect immediately.

Back to top

3. Rate Limit & Bot Protection

The Rate Limit & Bot Protection module helps protect your WordPress admin area and custom login page from automated bots, excessive requests, and brute-force attacks by monitoring request patterns and user-agent behavior.

Accessing Rate Limit & Bot Protection

1. Log in to your WordPress admin dashboard.
2. Navigate to Shield WP Admin Pro → Rate Limit & Bot Protection.

User-Agent Protection

User-Agent Protection blocks requests from known bot tools and scripts based on their User-Agent signature.

• Enable User-Agent Blocking
  When enabled, requests containing suspicious User-Agent values are blocked automatically.
• Suspicious User-Agent List
  Enter known bot or script identifiers (one per line). Requests containing these keywords will be blocked.

Default include:
curl, python, scrapy, bot, crawler, spider

Rate Limiting

Rate Limiting restricts the number of requests an IP address can make within a defined time window to prevent abuse.

• Enable Rate Limiting
  Enables request throttling for the admin and login areas.
• Max Requests per Minute per IP
  Defines how many requests an IP address is allowed to make within one minute.
• Block Duration (Minutes)
  Sets how long an IP address will be blocked after exceeding the rate limit.

How This Helps

• Blocks automated bots and scraping tools
• Prevents brute-force login attempts
• Reduces server load from repeated requests
• Improves overall site stability

Saving Changes

After configuring your settings, click the Save Changes button. Changes take effect immediately.

Back to top

4. Fake Bot Detection

The Fake Bot Detection feature protects your website from malicious crawlers that pretend to be legitimate search engine bots such as Googlebot, Bingbot, or other well-known crawlers.

Many bots fake their User-Agent string to bypass basic security checks. Shield WP Admin Pro verifies these requests using DNS validation to ensure that the request actually originates from the official crawler network.

How Fake Bot Detection Works

• Checks the User-Agent claiming to be a known crawler
• Performs a reverse DNS lookup on the request IP address
• Verifies that the IP belongs to the official crawler domain
• Blocks fake crawlers with a 403 Forbidden response

Bots Covered by Detection

Shield WP Admin Pro verifies and protects against fake requests pretending to be the following well-known crawlers:

• Googlebot (googlebot.com, google.com)
• Bingbot (search.msn.com)
• Yahoo Slurp (yahoo.net)
• Facebook External Hit (facebook.com)
• Twitterbot (twitter.com)
• LinkedInBot (linkedin.com)

Fake requests impersonating these crawlers are blocked automatically.

Settings

• Enable Fake Bot Detection
  When enabled, the plugin actively blocks fake crawlers that pretend to be search engine bots or social media crawlers.

Benefits

• Prevents fake bots from accessing your site
• Stops content scraping and spam crawling
• Ensures real search engine bots are not blocked
• Improves site performance and security

Saving Changes

After enabling Fake Bot Detection, click the Save Changes button. The protection is applied immediately.

Back to top

5. Two-Factor Authentication

Two-Factor Authentication (2FA) adds an extra layer of security to WordPress user accounts by requiring a second verification step during login. Even if a password is compromised, unauthorized access is prevented.

How Two-Factor Authentication Works

1. The user enters their username and password as usual
2. If 2FA is enabled, the user is redirected to a verification screen
3. The user enters a 6-digit code generated by an authenticator app
4. Access is granted after successful verification

Supported Authenticator Apps

• Google Authenticator (iOS & Android)
• Microsoft Authenticator (iOS & Android)

Enabling Two-Factor Authentication

1. Navigate to Shield WP Admin Pro → Two-Factor Authentication
2. Click Setup Two-Factor Authentication
3. Scan the QR code using your authenticator app or enter the secret key manually
4. Enter the 6-digit verification code generated by the app
5. Complete the setup to enable 2FA for your account

Your 2FA Status

Once enabled, the plugin displays the current status of Two-Factor Authentication for your account along with options to manage or disable it.

• Enabled - 2FA is active for the user
• Not Enabled - 2FA is not configured for the user

Backup Codes

Backup codes are generated after enabling 2FA and can be used to access the account if the authenticator app is unavailable.

• Each backup code can be used only once
• Backup codes are shown only once after generation
• Users can regenerate backup codes at any time

Regenerating Backup Codes

When regenerating backup codes, all existing codes are invalidated for security reasons. A confirmation prompt is shown before regeneration.

Disabling Two-Factor Authentication

Users can disable Two-Factor Authentication at any time by clicking the Disable 2FA button from the Two-Factor Authentication page.

Security Benefits

• Protects against stolen or leaked passwords
• Secures administrator and high-privilege accounts
• Reduces risk of unauthorized access
• Improves overall site security posture

Back to top

6. Secure APIs

The Secure APIs module helps protect your WordPress site from data exposure and abuse through REST APIs and application-level entry points.

Disable User Enumeration

User enumeration attacks allow attackers to discover valid usernames using author-based URLs or API requests.

• Disable User Enumeration
  Prevents exposing usernames through author-based requests and related APIs. (Recommended)

Disable Application Passwords

WordPress application passwords allow third-party applications to access your site without using the main account password.

• Disable Application Passwords
  Disables WordPress application passwords to reduce the risk of unauthorized third-party access. (Recommended)

REST API Block Mode

• Block all REST APIs for unauthenticated users
  Completely blocks REST API access for visitors who are not logged in.
• Block only selected REST API routes
  Allows you to block specific REST API endpoints while keeping others accessible.
• None (do not block any REST APIs)
  Disables REST API blocking and allows all API requests.

Select REST API Routes to Block

When using the Block only selected REST API routes option, you can choose individual REST API endpoints to restrict.

• Select one or more REST API routes from the list
• Use Select All or Deselect All for quick management
• Blocking a base endpoint (e.g. /wp/v2/posts) will block all related parameterized routes automatically

Recommended Usage

• Disable user enumeration on all sites
• Disable application passwords if not actively required
• Use selective REST API blocking instead of blocking all endpoints
• Test front-end and integrations after applying API restrictions

Saving Changes

After configuring Secure API settings, click the Save Changes button. All rules are applied immediately.

Back to top

7. Hotlink Protection

The Hotlink Protection feature prevents other websites from directly embedding your images and media files, helping to protect your bandwidth and server resources.

When hotlink protection is enabled, only approved domains are allowed to load images hosted on your website.

Accessing Hotlink Protection

1. Log in to your WordPress admin dashboard.
2. Navigate to Shield WP Admin Pro → Hotlink Protection.

Hotlink Protection Settings

• Enable Hotlink Protection
  When enabled, direct links to your images from external websites will be blocked to prevent bandwidth theft.
• Allowed Domains
  Enter the domains that are permitted to embed your images. Add one domain per line.

Both root domains and their subdomains are automatically allowed.

Example Allowed Domains

example.com
subdomain.example.org
    

Benefits

• Prevents unauthorized image hotlinking
• Reduces bandwidth usage
• Improves website performance
• Protects media assets from misuse

Saving Changes

After configuring hotlink protection, click the Save Changes button. The rules take effect immediately.

Back to top

8. Malware Scanner

The Malware Scanner module scans your WordPress installation for suspicious files, malicious code patterns, and unexpected file changes that may indicate a security threat.

It provides manual and automatic scanning options, quarantine handling, and file exclusion controls to give you full visibility and control.

Accessing the Malware Scanner

1. Log in to your WordPress admin dashboard.
2. Navigate to Shield WP Admin Pro → Malware Scanner.

Scanner Tab

The Scanner tab allows you to configure scan settings and run malware scans manually or automatically.

• Exclusions
  Specify file or directory paths to exclude from malware scans. Enter one path per line. Paths are relative to the WordPress root.
• Enable Automatic Scans
  Enables scheduled malware scans to run automatically at the selected interval.
• Scan Interval
  Choose how frequently automatic scans should run (for example, every 24 hours).
• Next Scheduled Scan
  Displays the date and time of the next automatic scan, if scheduled.

Manual Scan Controls

• Start Full Scan - Starts a complete malware scan immediately
• Stop Scan - Stops an ongoing scan
• Clear Report - Clears the previous scan results

Scan results are displayed in the Scan Results section once the scan is complete.

Quarantine Files Tab

The Quarantine Files tab lists files that have been isolated after being detected as potentially malicious.

• Quarantined files are prevented from executing
• Files can be reviewed before further action
• No files are shown if nothing has been quarantined

Ignored Files Tab

The Ignored Files tab displays files that you have chosen to exclude from future malware scans.

• Ignored files will not appear in future scan results
• Useful for known safe files that trigger false positives
• Helps reduce repeated scan warnings

Best Practices

• Run a full scan after installing new plugins or themes
• Enable automatic scans for continuous protection
• Use exclusions sparingly to avoid missing real threats
• Review quarantined files before taking action

Saving Changes

After updating scan settings or exclusions, click Save Changes to apply the configuration.

Back to top

9. File Modified Scanner

The File Modified Scanner helps you monitor changes made to your WordPress files. It is designed to detect unauthorized or unexpected file modifications that may indicate hacking, malware injection, or suspicious activity.

What this feature does

• Creates a complete listing of your WordPress files
• Tracks file size, modification date, and time
• Helps identify recently modified or suspicious files
• Supports automated scheduled scans

File Scanning Settings

File types to ignore

You can exclude specific file extensions that do not usually pose a security risk. Common examples include image files such as:

jpg
png
bmp

Each extension should be entered on a new line.

Files / Directories to ignore

Use this option to exclude specific files or directories from the scan. This is useful for cache folders, logs, or known dynamic files.

cache/config/master.php
somedirectory

Paths are relative to the WordPress root directory.

Email notification after scan

Enable this option if you want to receive an email when a scan is completed. You can specify one or more email addresses, or leave it empty to use the site admin email.

Automated File Scans

You can enable automatic file scans to run periodically in the background.

• Enable automated file scan
• Select scan interval (e.g. every 24 hours)
• Scheduled scans help detect changes without manual effort

File Scan & Results

Click Start Scanning Files to generate a complete file listing of your WordPress installation. Files are processed in chunks to avoid memory and database limitations.

Once the scan is complete, you will see:

• File name
• File path and directory
• File size
• Last modified date and time

You can also search files and review modification timestamps to quickly identify changes.

When to use this feature

• After a suspected security breach
• To monitor core WordPress file changes
• To audit plugin or theme file modifications
• As part of regular security maintenance

Tip: If you notice unexpected changes in core files such as wp-config.php, .htaccess, or wp-login.php, investigate immediately.

Back to top

10. Audit Logs

The Audit Logs feature records and tracks user login activities on your WordPress site. It helps administrators monitor who accessed the site, when they logged in, and from which IP address.

What are Audit Logs?

Audit Logs automatically capture authentication-related events whenever a user logs in to your WordPress site. These logs provide visibility into user access patterns and help identify suspicious or unauthorized activity.

Note: Logs are generated automatically and do not require manual configuration.

Information Recorded

Each log entry contains the following details:

• Username - The WordPress user who logged in
• IP Address - The IP address used during login
• Date & Time - When the login occurred

Using Audit Logs

• Monitor user login activity
• Identify unexpected or unusual login attempts
• Track administrator and editor access
• Assist with security audits and investigations

Sorting & Review

You can sort the audit log entries by username, IP address, or date/time to quickly analyze login activity. This makes it easy to review recent access or investigate specific users.

When Audit Logs are useful

• Detecting unauthorized access attempts
• Reviewing user activity after a security incident
• Monitoring admin and privileged user logins
• Maintaining compliance and accountability

Security Tip: If you notice repeated logins from unknown IP addresses, consider enabling additional protection such as Two-Factor Authentication or Rate Limiting.

Back to top

11. Login Analytics

The Login Analytics module provides detailed insights into user login activity across your WordPress site. It helps administrators monitor login behavior, detect unusual access patterns, and improve overall account security.

Overview Dashboard

At the top of the Login Analytics page, you will find a summary dashboard displaying key login statistics:

• Total Logins - Total number of login events recorded.
• Today - Number of logins that occurred today.
• Last 24 Hours - Login count in the past 24 hours.
• Last 7 Days - Total logins recorded in the last week.
• Unique Users (24H) - Number of distinct users who logged in during the last 24 hours.
• Unique IPs (24H) - Number of unique IP addresses used to log in during the last 24 hours.

Login Insights

The analytics section also highlights user behavior trends, including:

• Top Login Sources - Shows where logins originated (e.g., WP Login).
• Logins by Role - Displays login counts grouped by user roles such as Administrator.
• Logins by Device - Identifies whether users logged in from Desktop, Mobile, or other devices.
• Most Active Users - Lists users with the highest login activity over the last 7 days.

Login History

The Login History table provides a detailed log of individual login events, including:

• Date & Time - When the login occurred.
• User - Username, email, and assigned role.
• IP Address - IP address used for login.
• Login Source - Entry point such as WP Login.
• Device Info - Browser, operating system, and device type.

You can use the filters above the table to refine results by Login Source or User Role, and quickly search specific login records.

Reset Analytics Data

The Reset Analytics Data button allows administrators to clear all stored login analytics data. This is useful when you want to start fresh monitoring or remove old records.

Note: Login Analytics works alongside Audit Logs and Login Security features to give you a complete picture of authentication activity on your site.

Back to top

12. Traffic Analytics

The Analytics module provides real-time visibility into visitor activity across your WordPress site. It tracks page hits, requests, IP addresses, referrers, and client details to help you understand traffic behavior and detect suspicious activity.

Overview Metrics

At the top of the Analytics dashboard, you’ll see summary cards displaying:

• Total Hits - Total number of requests recorded
• Hits Today - Requests received today
• Unique Visitors (All Time) - Distinct IPs recorded
• Unique Visitors (Last 24 Hours) - Recent unique visitors

Top URLs & IP Addresses

These sections show the most accessed URLs and IP addresses over time. This helps identify:

• Popular pages on your site
• Repeated access from specific IP addresses
• Potential abuse or unusual traffic patterns

Recent Activity (Last 24 Hours)

The dashboard includes breakdowns for the last 24 hours, including:

• Top Pages - Most visited pages
• Top Requests - HTTP methods (GET, POST, etc.) and URLs
• Top Referrers - Traffic sources
• Top IP Addresses - IPs with the most requests

Traffic Log Table

The detailed log table displays individual visitor requests with:

• Date & Time
• IP Address
• Hostname
• Request URL & Method
• Client Details (Browser, OS, Device)

You can use the Search Traffic field to quickly filter results and investigate specific requests or IPs.

Reset Metrics

Clicking Reset Metrics will permanently clear all stored analytics data and start fresh tracking from zero. Use this if you want to reset statistics after testing or deployment.

Note: Analytics data is stored locally and does not rely on third-party tracking services.

Back to top

13. Backup & Restore

The Backup & Restore feature allows you to create secure backups of your WordPress site and restore them when needed. This is especially useful before updates, migrations, troubleshooting, or recovering from unexpected issues.

What This Feature Is Used For

• Creating a safe restore point before plugin or theme updates
• Migrating a website to another server or hosting environment
• Recovering from accidental data loss or misconfiguration
• Restoring a site after malware cleanup or testing changes

Backup Types

Full Backup (Database + Files)

• Includes all WordPress database tables
• Includes wp-content directory files
• Includes installed plugins and themes
• Includes uploaded media files
• Recommended for full site migration or disaster recovery

Database Only Backup

• Includes only database tables
• Faster and smaller in size
• Recommended before content changes or testing

What Is Not Included (For Safety Reasons)

• wp-config.php - Database credentials are preserved
• .htaccess - Server-level configuration remains unchanged
• Cache directories
• Backup directories (to prevent recursive backups)

Recommended Server Requirements

Large sites may require higher PHP limits to complete backups successfully. If backups fail or stop midway, ensure your server meets the recommended limits shown on the Backup page.

Creating a Backup

1. Select the desired backup type (Full or Database Only).
2. Click Create Backup (.swpp).
3. Wait for the backup process to complete.
4. Download and store the backup file in a safe location.

Restoring a Backup

You can restore your site using a previously created .swpp backup file. Restoring will overwrite existing database tables and files.

1. Choose a valid .swpp backup file.
2. Click Restore Backup.
3. Wait while Shield WP Admin Pro validates the backup internally and restores your site. Once the progress indicator finishes, the restoration is complete and your site will reflect the selected backup state.

Important: Always create a fresh backup before restoring another backup.

Existing Backups

All created backups are listed in the Existing Backups section, where you can:

• Download backups to your local machine
• Delete outdated or unused backups
• Verify backup size and creation date

Best Practices

• Always download backups after creation
• Store backups outside the WordPress installation
• Create backups before major updates or configuration changes
• Test restores on a staging site when possible

Important Notes

• Do not close the browser while a backup or restore is in progress
• Ensure sufficient disk space before creating backups
• Very large sites may require increased PHP execution time

Back to top

14. Email & SMTP

The Email & SMTP module ensures reliable email delivery for all system notifications, security alerts, and OTP emails generated by Shield WP Admin Pro. Proper SMTP configuration is essential for features such as Email OTP, alerts, and administrative notifications.

Key Features

• Built-in SMTP configuration (no third-party plugin required)
• Support for popular SMTP providers
• Test Email functionality to verify configuration
• Email OTP support for secure login authentication
• Automatic conflict prevention with third-party SMTP plugins

Configuring SMTP Settings

To configure SMTP, enter the required details such as SMTP Host, Port, Encryption type, Username, and Password. Once configured, click Save SMTP Settings. A confirmation email will be sent automatically to verify the setup.

Send Test Email

Use the Send Test Email feature to manually verify that emails are being sent successfully. This is strongly recommended before enabling Email OTP or relying on security alerts.

Email OTP Integration

After confirming that SMTP is working correctly, you can enable Email OTP for your account. Email OTP adds an extra layer of security by requiring a one-time code sent to your registered email address during login.

Note: Email OTP cannot be enabled while Two-Factor Authentication (2FA) is active to avoid conflicts between authentication methods.

Built-in vs Third-Party SMTP Plugins

Shield WP Admin Pro includes its own SMTP system. If you install and configure a third-party SMTP plugin, the built-in SMTP settings will be automatically disabled to prevent conflicts. In such cases, ensure that test emails work correctly via the third-party plugin.

Best Practices

• Always test email delivery after changing SMTP settings
• Use encryption (SSL/TLS) whenever possible
• Ensure correct sender email and domain alignment to avoid spam filters
• Enable Email OTP only after confirming reliable email delivery

Back to top

Troubleshooting & FAQ

This section helps you quickly resolve common issues and answers frequently asked questions related to Shield WP Admin Pro. Most problems can be fixed by following the steps below.

Common Issues & Solutions

🔒 Locked Out of WordPress Admin

If you are unable to access the admin panel due to login protection, rate limiting, or 2FA:

• Access your site via FTP or File Manager
• Temporarily disable the plugin by renaming the shield-wp-admin-pro folder
• Log in to WordPress and re-enable the plugin
• Review Login Security and Rate Limit settings

📧 Email OTP or SMTP Emails Not Sending

• Verify SMTP host, port, encryption, username, and password
• Use the Send Test Email feature to confirm delivery
• Check spam or junk folders
• If using a third-party SMTP plugin, built-in SMTP will be disabled automatically
• Confirm your hosting provider allows outbound SMTP connections

🔐 Cannot Enable Email OTP

Email OTP cannot be enabled while Two-Factor Authentication (2FA) is active. Disable 2FA first, then enable Email OTP if required.

🧪 Malware Scanner Finds False Positives

• Review the file content before taking action
• Add trusted files or directories to the Ignore list
• Do not quarantine core WordPress files unless you are certain

💾 Backup or Restore Fails

• Ensure sufficient disk space is available
• Increase PHP limits for large backups (memory, execution time)
• Do not interrupt the restore process once started
• Always keep a copy of the backup file outside the server

Frequently Asked Questions (FAQ)

❓ Are backups stored securely?

Backups are stored in a protected directory and are excluded from public access. Always download and store backups externally for maximum safety.

❓ Does the malware scanner automatically remove threats?

No. The scanner performs integrity checks against official WordPress core checksums and never deletes or modifies files automatically.

❓ Does the plugin impact website performance?

The plugin is built to be lightweight. External API calls run only when features such as license validation, QR generation, or integrity scanning demand them.

❓ What happens if I forget my custom login URL?

Disable the plugin via FTP or your hosting file manager to restore the default WordPress login URL, then reconfigure your preferred custom path.

❓ Which features are available in the free version?

The free tier includes core login protection. Premium-only modules cover malware integrity scanning, QR code generation, license validation, and advanced controls.

❓ What happens after activating the premium version?

Once you enter a valid license key, every premium security module unlocks inside the plugin settings panel without additional downloads.

❓ How does the License Validation system operate?

The plugin contacts the remote Shield licensing server to verify the license key. Successful validation enables premium modules linked to that license.

❓ How does the Malware Integrity Scanner work?

It compares your WordPress core files with official checksums from WordPress.org to detect modifications or potential tampering.

❓ Will this plugin slow down my website?

No. Shield WP Admin Pro remains lightweight and optimized, issuing external API calls only when the corresponding feature is triggered.

❓ Does it work with other security plugins (e.g., Wordfence, All In One Security)?

Yes. Just avoid enabling overlapping protections (firewall, login limits, SMTP, etc.) in multiple plugins simultaneously to prevent conflicts.

❓ What should I do before changing my site URL or domain?

Deactivate your Shield WP Admin Pro license before switching domains or updating the site URL. After the move, reactivate the license on the new domain to restore premium functionality.

Back to top

Privacy & Data Collection

Shield WP Admin Pro operates entirely on your WordPress installation, but certain features process personal data. Review the details below and update your site’s privacy policy accordingly.

Login Analytics Module

• Stored data: User ID, username, IP address, hostname, browser, OS, device type, login source, status, and timestamps in the table {$wpdb->prefix}shield_wp_admin_pro_login_analytics.
• Purpose: Security auditing and anomaly detection.
• Retention: Data remains until purged via the analytics screen or when the plugin is uninstalled.
• Admin responsibility: Inform users in your privacy/GDPR notice and ensure you have a lawful basis for storing personal data such as IP addresses.

Other modules (audit logs, backups, malware reports) store information locally on your site only. Delete logs or backups you no longer require to minimize retained data.

Third-Party Libraries & APIs

Shield WP Admin Pro bundles these trusted third-party libraries and APIs to deliver updates, licensing, and security protections:

• Google reCAPTCHA: Verification API endpoint used to validate human logins.
• QR Code Service: api.qrserver.com generates QR codes for 2FA enrollment.
• Custom Shield Licensing API: Internal licensing endpoint used to activate and verify plugin license.
• WordPress.org Public APIs: api.wordpress.org provides core checks such as version information and security notices.

No other third-party code is bundled. All remaining functionality is authored by Differenz System.

Back to top

Changelog

Version 1.0.0 - 26 May 2026

Initial Commercial Release

Added

• Custom Admin Login URL with configurable slug
• Login attempt limitation system to prevent brute-force attacks
• Google reCAPTCHA integration with server-side verification
• IP blacklisting module for blocking suspicious access
• Option to disable XML-RPC functionality
• Option to disable WordPress theme and plugin file editor
• WordPress version hiding mechanism
• Force HTTPS redirection module
• Option to disable pingbacks and trackbacks
• QR code generation support via external API
• License validation system with remote verification server
• WordPress core integrity scanner using official checksum API

Security

• Server-side validation of reCAPTCHA tokens
• Remote license verification to prevent unauthorized usage
• WordPress core checksum comparison for malware detection

Compatibility

• Tested up to WordPress 7.0
• Requires PHP 7.4 or higher

Back to top

Support & Credits

We are committed to providing reliable support and continuous improvements for Shield WP Admin Pro. If you need help, guidance, or encounter any issues, please use the support channels outlined below.

📞 Support

Support is available for all licensed users. Before contacting support, we recommend reviewing the documentation and the Troubleshooting & FAQ section.

• Email Support: info@differenzsystem.com
• Support Portal: Submit a ticket through your purchase platform (TemplateMonster / Marketplace)
• Response Time: Typically within 24-48 business hours

When contacting support, please include:

• WordPress version
• PHP version
• Plugin version
• Active theme name
• Other active plugins (security or cache-related)
• Relevant error messages or screenshots

🛠️ Customization & Professional Services

Need custom features, integrations, or security hardening for enterprise projects? Our team offers professional WordPress development and security services.

• Custom security rules & hardening
• Agency & multisite setups
• Performance and security audits
• White-label solutions

Contact us at info@differenzsystem.com for professional inquiries.

👏 Credits & Acknowledgements

Shield WP Admin Pro is developed and maintained by Differenz System.

• Development & Security Engineering: Differenz System Team
• UI/UX Design: Differenz System Team
• Quality Assurance: Internal testing team

We would also like to thank the WordPress open-source community for building and maintaining a powerful platform that enables plugins like this.

Back to top