Shield v1.2.2
File: shield.c-istudios.com/docs · Version 1.2.2 · PHP 7.4+ · WP 6.0+ · 14 sections
Reference · Setup & Configuration

Documentation.

Everything you need to install, configure, and manage CI Security Shield on your WordPress site.

Installation

  1. Download the CI Security Shield ZIP file from your purchase confirmation email
  2. In your WordPress admin, go to Plugins → Add New → Upload Plugin
  3. Select the ZIP file and click Install Now
  4. Click Activate Plugin
  5. Go to Tools → CI Security Shield → License and enter your license key

All security features activate after your license key is entered. No additional configuration is required for full protection.

License Activation

A valid license key is required for CI Security Shield to function. To activate:

  1. Go to Tools → CI Security Shield → License
  2. Enter your license key in the format CISS-XXXX-XXXX-XXXX-XXXX
  3. Click Activate License

Your license is tied to one domain. To move it to a different site, deactivate first, then activate on the new site.

Security Headers

Shield sets security headers at the PHP level via the send_headers hook. Headers are replaced (not appended) to avoid duplicates when Cloudflare or Nginx also sets them.

Configurable Headers

  • HSTS — max-age, includeSubDomains, preload (configurable)
  • Content-Security-Policy — default: upgrade-insecure-requests
  • X-Frame-Options — default: SAMEORIGIN
  • Referrer-Policy — default: strict-origin-when-cross-origin
  • Permissions-Policy — disables camera, mic, geolocation, etc.
  • COOP / CORP — configurable for sites using embeds or Stripe

Login Protection

Shield replaces the default /wp-login.php URL with a custom slug (default: /go). Anyone visiting /wp-login.php or /wp-admin while not logged in receives a 404.

Configuration

  • Custom Login Slug — any alphanumeric string
  • Max Login Attempts — default: 5
  • Lockout Duration — default: 30 minutes, progressive
  • IP Whitelist — comma-separated IPs that bypass lockouts
  • Honeypot Field — invisible field that catches bots

Firewall

The PHP-level firewall runs on every request before WordPress loads. It filters:

  • SQL injection patterns in query strings
  • XSS payloads in request parameters
  • Suspicious HTTP methods (TRACE, TRACK, DEBUG)
  • Known malicious bot user agents
  • Excessive requests to the login and XML-RPC endpoints (rate limiting)

The firewall operates as an additional layer alongside Wordfence WAF. They do not conflict.

REST API Hardening

Shield blocks only specific sensitive endpoints for unauthenticated users:

  • /wp/v2/users — prevents username enumeration
  • /wp/v2/settings — prevents settings exposure

All other REST API endpoints remain accessible. WooCommerce Store API, Gravity Forms, WPBakery, and Elementor are auto-detected and whitelisted.

Image Protection

Prevents casual image theft with client-side protections. Configurable toggles:

  • Disable right-click context menu on images
  • Disable image dragging
  • Disable touch-save on mobile
  • Disable keyboard shortcuts (Ctrl+S, PrintScreen)
  • Allow admins / logged-in users to bypass

File Integrity Scanning

Scheduled scans verify WordPress core files against official checksums, detect PHP files in the uploads directory (a common backdoor vector), and audit file permissions on critical files.

Results appear in the dashboard with “Fix Now” buttons for actionable issues. Exportable to CSV and PDF.
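
The three checks described above, sketched as a standalone Python scan. This is an added example, not CI Security Shield's own code. The checksum map, the sample tree, the use of MD5 digests and the extension list are constructed assumptions; a real run would load the official checksums for the installed WordPress version.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def scan(root, checksums, critical=("wp-config.php",)):
    """Run the three checks; return sorted (relative_path, finding) tuples."""
    root, findings = Path(root), []
    # 1. Core files: compare each file's MD5 with the expected digest.
    for rel, expected in checksums.items():
        path = root / rel
        if not path.is_file():
            findings.append((rel, "core file missing"))
        elif hashlib.md5(path.read_bytes()).hexdigest() != expected:
            findings.append((rel, "core file modified"))
    # 2. Uploads: flag PHP-style extensions (assumed list), whatever their case.
    for path in (root / "wp-content" / "uploads").rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".phtml", ".phar"}:
            findings.append((path.relative_to(root).as_posix(), "PHP file in uploads"))
    # 3. Permissions: critical files must not be world-writable.
    for rel in critical:
        path = root / rel
        if path.is_file() and path.stat().st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
    return sorted(findings)


def demo():
    files = {  # constructed site content, not real WordPress files
        "wp-load.php": b"<?php // original",
        "wp-settings.php": b"<?php // tampered",
        "wp-config.php": b"<?php // config",
        "wp-content/uploads/2024/logo.png": b"\x89PNG",
        "wp-content/uploads/2024/cache.PHP": b"<?php // dropped",
    }
    pristine = {  # constructed stand-in for the official release
        "wp-load.php": b"<?php // original",
        "wp-settings.php": b"<?php // settings",
        "wp-includes/version.php": b"<?php",
    }
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in pristine.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        Path(root, "wp-config.php").chmod(0o666)
        return scan(root, checksums)
```

Calling demo() reports the world-writable wp-config.php, the upper-case cache.PHP in uploads, the missing wp-includes/version.php and the modified wp-settings.php, while the unchanged wp-load.php and the PNG produce no finding.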

Email Notifications

Configure which events trigger email alerts:

  • Critical — lockouts, file integrity failures, new admin users
  • Warning — multiple failed logins, available updates, permission issues
  • Info — auto-updates completed, settings changed

Digest mode sends a daily or weekly summary instead of individual alerts. Rate limited to 10 emails per hour.

Auto-Updates Management

Granular control over WordPress auto-updates:

  • Core minor updates (security patches)
  • Core major updates
  • Individual plugin toggles
  • Theme updates
  • Email notification after updates complete

Wordfence Compatibility

CI Security Shield does NOT disable, modify, or override any Wordfence feature. Both can run simultaneously:

  • Both can run brute force protection (Shield uses transients, Wordfence uses its own tables)
  • Shield’s firewall operates at a different layer than Wordfence WAF
  • Security headers don’t conflict (Shield checks before setting)
  • Scanning and notifications use separate cron schedules

Caching Plugin Compatibility

Tested and compatible with:

  • WP Rocket
  • W3 Total Cache
  • LiteSpeed Cache
  • WP Super Cache
  • Cloudflare (proxy and page cache)

The custom login URL uses the WordPress rewrite API (not .htaccess), so it works with all caching configurations.

Minimum Requirements

  • PHP 7.4 or higher
  • WordPress 6.0 or higher
  • Any hosting provider (shared, VPS, dedicated, managed)
  • Apache or Nginx

Troubleshooting

I can’t access wp-login.php after installing

That’s by design. Your login URL is now /go (or whatever you configured). If you’re locked out, rename the plugin folder via FTP/SSH to deactivate Shield, then access /wp-login.php normally.

My caching plugin isn’t clearing the login page

Shield automatically excludes the custom login URL from WP Rocket and other caching plugins. If you’re still seeing cached login pages, clear your cache manually after initial setup.

Security headers show duplicates on securityheaders.com

This happens when both Shield and your web server (Nginx/Cloudflare) set the same headers. Shield uses header_remove() before setting each header, but some servers add headers after PHP. The duplicate doesn’t affect your A+ grade.
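
To see which headers are duplicated, and whether the copies agree, the response can be audited against the defaults listed under Configurable Headers. The script below is an added example, not part of Shield; the sample response and its HSTS value are constructed, and in practice the input would be the raw headers captured from your own site.

```python
from collections import defaultdict

# Defaults taken from the "Configurable Headers" list on this page.
DOCUMENTED_DEFAULTS = {
    "content-security-policy": "upgrade-insecure-requests",
    "x-frame-options": "SAMEORIGIN",
    "referrer-policy": "strict-origin-when-cross-origin",
}
# Headers the page lists without a single fixed value: presence only.
PRESENCE_ONLY = ["strict-transport-security", "permissions-policy"]


def parse_headers(raw):
    """Group header values by lower-cased name, keeping repeats."""
    seen = defaultdict(list)
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        seen[name.strip().lower()].append(value.strip())
    return seen


def audit(raw):
    """Return sorted (header, finding) tuples for one response."""
    seen, findings = parse_headers(raw), []
    for name in list(DOCUMENTED_DEFAULTS) + PRESENCE_ONLY:
        values = seen.get(name, [])
        if not values:
            findings.append((name, "missing"))
            continue
        if len(values) > 1:
            kind = "conflicting" if len(set(values)) > 1 else "duplicate"
            findings.append((name, kind))
        expected = DOCUMENTED_DEFAULTS.get(name)
        if expected and expected not in values:
            findings.append((name, "differs from documented default"))
    return sorted(findings)


# Constructed sample: the web server appended two headers after PHP ran.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: upgrade-insecure-requests
X-Frame-Options: SAMEORIGIN
x-frame-options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: strict-origin-when-cross-origin
"""
```

An identical duplicate, like Referrer-Policy in the sample, is cosmetic. A conflicting pair, like X-Frame-Options here, means the server-level copy should be removed or aligned with the value Shield sends.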

Need help?

Contact us at hello@c-istudios.com.
