Shield v1.2.2
FILE shield.c-istudios.com/modules · BUILD 1.2.2 · PHP 7.4 → 8.4 · WP 6.0+ · 12 / 12 MODULES SHIPPED
The Reference · all 12 modules

Twelve responsibilities. One plugin file.

Each module is documented like a piece of software, not a feature card. What it hooks, what it touches, what it doesn’t. Read top-to-bottom or jump to the one you came for.

MODULE 01 / HEADERS

Security Headers that actually land.

A modern, tuned security-header set that verifies itself against an independent public scanner. Tuned for A+ out of the box, with per-route nuance for cart, checkout, and account pages.

  • Transport security · long-lived, subdomain-covering, preload-eligible.
  • Content policy · auto-tuned to your active plugins. Strict where it counts.
  • Per-route nuance. The checkout doesn’t run the same rules as the blog.
  • Daily self-test against the public scanner so a regression never surprises you.
Layer: Server-level enforcement
Target: A+ score
Verification: Independent public scan
Frequency: Daily, automatic

Daily scan report · example.com · 97 / 100 · A+
securityheaders.com · VERIFIED 2 H AGO · PUBLIC REPORT
  • Transport security: PASS
  • Content policy: PASS
  • Framing protection: PASS
  • MIME sniffing: PASS
  • Referrer policy: PASS
  • Permissions policy: PASS
  • Origin isolation: PASS
  • Resource origin: REVIEW

MODULE 02 / LOGIN

Login Protection. The front door.

Move your login behind a private URL. Progressive lockouts on repeated failures. Allow-list for your own team. Decoy fields for the lazy bots. Error messages are masked so attackers can’t fingerprint usernames.

  • Private login URL. The default login path returns a 404. The real form lives where only your team knows.
  • Progressive lockouts. Escalating penalties tuned to deter automation.
  • Team allow-list. Your own IPs bypass throttling entirely.
  • Error masking. One generic message — attackers can’t fingerprint usernames.
Tools → CI Shield → Login Protection · SETTINGS
  • Hide your login behind a private URL: Known only to your team
  • Progressive lockouts on repeated failures: Escalating penalties tuned to deter automation
  • Decoy field for automated submissions: Blocks the lazy bots without bothering humans
  • Mask login error messages: One message — no username fingerprinting
  • Team allow-list: Your own IPs bypass throttling entirely (2 active)

MODULE 03 / WAF

Application Firewall. PHP-level.

Catches the standard family of injection and bot patterns before WordPress processes the request. Pattern-matched, low overhead, plays nice with Wordfence’s WAF.

  • Proprietary pattern library tuned for WordPress, updated with every release.
  • Adaptive rate-limiting per visitor, per endpoint. Calibrates to your traffic.
  • Log-only mode for two weeks before you turn enforcement on.
  • Pre-WordPress. Runs before WordPress sees the request.
Event log · live · FILTER: BLOCKED
14:02:17 | BLOCK | automated client | Pattern match · query parameter
14:01:42 | BLOCK | automated client | Pattern match · comment field
14:00:09 | BLOCK | automated client | Pattern match · path traversal
13:58:33 | BLOCK | automated client | Rate limit · legacy endpoint
13:55:21 | BLOCK | automated client | Pattern match · malformed input

MODULE 04 / REST API

REST API hardening, with auto-whitelists.

Blocks the endpoints attackers enumerate. Detects the plugins you actually use and quietly tunes the rules so checkout, form submissions and page-builder previews never break.

  • Blocks enumeration by default. Anonymous queries to identity endpoints get a 403.
  • Auto-detects WooCommerce, Gravity Forms, WPBakery, Elementor and relaxes rules to match.
  • Author-page enumeration redirects to homepage instead of leaking usernames.
  • Settings endpoints require admin capability to query.
Auto-whitelist · detected endpoints · 4 PLUGINS
  • WooCommerce: Storefront endpoints tuned for checkout (detected)
  • Gravity Forms: Submission endpoints tuned (detected)
  • Elementor: Preview endpoints tuned (detected)
  • WPBakery: Save endpoint tuned (detected)

MODULE 05 / IMAGES

Image Protection. Six knobs, not nine clicks.

Disable right-click, drag, touch-save, and keyboard shortcuts on images. Per-role overrides so your editorial team isn’t blocked from saving their own work.

  • Six controllable protections with per-role overrides.
  • Hotlink prevention via referer check at the .htaccess / Nginx level.
  • Per-image opt-out with a single attribute on the <img> tag.
Tools → CI Shield → Image Protection · SETTINGS
  • Disable right-click on images
  • Disable drag-to-save
  • Disable touch-and-hold (mobile)
  • Disable keyboard save (Cmd/Ctrl + S)
  • Block hotlinking from other domains
  • Watermark on print: Light overlay added on window.print()

MODULE 06 / FILE MANAGER

File Manager Control.

Prevents the WP File Manager plugin from being activated. Fifteen-minute, single-use email codes when someone genuinely needs file access from inside WordPress.

  • Block-on-activate for WP File Manager and three known forks.
  • 15-minute one-time codes via email when access is required.
  • Audit log of every code requested, used, or expired.
Email · One-time file access · 15-MIN EXPIRY

Hi Sarah,

Someone requested file-manager access on example.com at 14:02 UTC. Your one-time code is:

7K2 · 9F4 · 0B8

Code expires 2026-05-20 14:17 UTC. If you didn’t request this, ignore the email.

MODULE 07 / DASHBOARD

The Security Dashboard.

A+ scoring modeled on securityheaders.com. Color-coded checks with “Fix Now” buttons next to every actionable issue. No spreadsheets, no PDFs to read.

  • Single-screen overview. Score, recent blocks, next scheduled scan.
  • “Fix Now” button on every warning — one click sets the recommended value.
  • Live event tail. Last 50 events visible without leaving the page.
Dashboard — Active warnings · 2 ACTIONABLE
  • Cross-Origin-Resource-Policy is cross-origin. Recommended: same-site [ FIX NOW ]
  • CSP is in report-only mode. Promote to enforced after 14 days of clean reports [ ENFORCE ]

MODULE 08 / ANALYSIS

Site Analysis.

A focused set of compatibility checks run on install and every time you ask. Plugin conflicts, caching weirdness, certificate expiry, file permissions, runtime version, mail delivery — anything that affects security or stability.

  • A focused check set covering compat, headers, certs, file perms.
  • Compares against last clean run — flags only what changed.
Site Analysis — Last run · 14 / 16 PASS
  • Runtime version supported through end of life
  • SSL certificate well clear of expiry
  • Core config file out of the document root
  • File permissions match recommended values
  • [!] Legacy remote-publishing endpoint still reachable
  • [!] Background scheduler running via in-page trigger
  • No plugin conflicts detected (47 active plugins)

MODULE 09 / FILE INTEGRITY

File Integrity Scan.

Continuously verifies WordPress core against the official manifest. Watches the upload paths for unauthorized executables and audits permissions. Daily scan, alert-on-change.

  • Core verification against the official manifest — a single bit out of place gets flagged.
  • Backdoor detection in upload paths. Common attacker behavior, caught immediately.
  • Permissions audit. Flags files writable when they shouldn’t be.
Integrity scan · Last run · 1,847 FILES
  • WordPress core verified against the official manifest
  • Upload paths clean of unauthorized executables
  • File permissions match recommended values
  • No unexpected changes since the last clean run
Next scan: tomorrow, same time

MODULE 10 / EMAIL

Email Notifications.

Critical alerts instantly. Daily or weekly digest if you’d rather. Configurable recipients with CC support. Rate-limited so a brute-force storm never floods your inbox.

  • Instant alerts for integrity changes, brute-force lockouts, plugin updates.
  • Daily or weekly digest with score change, top blocks, plugin activity.
  • Multiple recipients with CC support. Up to 10 addresses.
Weekly digest · preview · SUNDAY 09:00

Shield · Weekly digest

Hi, here’s what Shield did on example.com this past week.

BLOCKED: 4,217 · SCORE: A+

Top blocked source: automated client (412 attempts) · No integrity changes · 2 plugin updates auto-applied.

MODULE 11 / EVENT LOG

Event Log & Reports.

Ninety days of retention. Logins, content changes, plugin updates, security events. Filterable, paginated, exportable. Hand a PDF to a client, an auditor, anybody.

  • 90-day retention in a dedicated table — never bloats wp_options.
  • CSV + PDF export with a one-click “auditor report” template.
  • Filter by user, action, IP, severity, date range.
Event log · filter: last 24h, severity ≥ medium · 14 / 2,107
14:02 | BLOCK | login | 5 failed attempts · automated client
13:18 | PASS | login | sarah@ · team allow-list
11:42 | WARN | plugin-update | WooCommerce updated
02:14 | PASS | integrity-scan | Core verified · clean

MODULE 12 / AUTO-UPDATE

Auto-Update Control.

Per-plugin precision. Toggle core, plugins, themes independently. Override the one plugin that breaks on every update. Email confirmation when an update runs.

  • Per-plugin toggles overriding WordPress defaults.
  • Minor-only mode for core (e.g. 6.5.x but not 6.6).
  • Email-on-update with a 1-click rollback link for 24h.
Per-plugin auto-update overrides · 4 OVERRIDDEN
  • WooCommerce: WordPress default: enabled (auto)
  • Gravity Forms: Override: manual only (manual)
  • Elementor: Override: minor versions only (minor)
  • WP Rocket: WordPress default: enabled (auto)
  • Yoast SEO: Override: disabled (custom build) (off)

That’s the whole box. Take it home.

Twelve modules, one plugin file, one flat price. Ninety seconds from upload to A+ score.