How does AI-powered login protection work?

Shield monitors every login attempt, detects patterns like brute force attacks and credential stuffing. When a threat is detected, the AI analyzes the pattern and automatically blocks the attacker's IP.

Will Shield block legitimate users?

No. Shield only locks out IPs after repeated failed login attempts (configurable threshold). Successful logins are never affected. If a legitimate user gets locked out, you can unblock them instantly from the admin or Telegram.

Does Shield work with other security plugins?

Yes. Shield focuses specifically on login protection and complements plugins like Wordfence or Sucuri. It doesn't conflict with firewall or malware scanning plugins.

What are Telegram security alerts?

Shield can send real-time alerts to your Telegram when brute force attacks are detected, new users register, or daily security digests with failed logins, plugin updates, and PHP errors.

Is Shield included in the free version?

Shield is a Pro feature. It is included in all Pro tiers (Pro, Business, Agency) with no feature differences between them.

PressBot Shield | AI Login Protection for WordPress

The status quo

Your login page is under attack right now.

WordPress sees roughly 90,000 attacks per minute worldwide. Most site owners only notice after the breach — three tiny defaults make that inevitable.

“Bots hammer wp-login.php with no rate limit.”

Automated scripts churn through username/password combinations every day. Vanilla WordPress welcomes every attempt equally.

Shield → auto-lockout after 5 failures

“You won’t know until it’s far too late.”

WordPress sends no alerts for failed logins. Attackers can probe for weeks before anyone sees the logs — if the logs even exist.

Shield → instant Telegram alert with AI triage

“Manual IP blocking is tedious work.”

Editing .htaccess, wading through security-plugin dashboards, triaging one IP at a time — it wears thin fast.

Shield → one tap in Telegram, done

How Shield works

From login attempt to Telegram alert in under ten seconds.

A five-stage pipeline runs silently every time someone touches wp-login.php. You see it only when the AI decides you should.

Every attempt is logged.

Success or fail, Shield records the IP, username, user agent, and timestamp. Cloudflare-aware IP detection reads CF-Connecting-IP, X-Forwarded-For, and REMOTE_ADDR so you get the real attacker — IPv6 included.
Threshold check.

When failures from one IP cross your threshold (default: 5 / 15 min), Shield acts without waiting for you.
Auto-lockout.

The IP is banned. They see a “too many failed attempts” error; legitimate users never do. The block expires after your configured window (default: 30 min).
AI threat analysis.

PressBot uses the cheapest available model to classify the attack: automated script or human, credential stuffing or targeted, what the attacker likely knows, and what you should do about it.
Telegram alert with one-tap actions.

The AI’s verdict lands in Telegram with inline buttons: Block 30 min, Block 24 hrs, View details, Dismiss. Tap once. Done. No browser required.

What an alert looks like

A real alert, triaged by AI, waiting for one tap.

No raw logs. No dashboards to open. Just a quick verdict from the model, the facts that matter, and the buttons that close the loop.

Attacker IP, username targeted, and block window summarised in one glance.
AI explains what kind of attack it is and why it’s rated that threat level.
Extend the block, dismiss, or dig into the log — without leaving Telegram.

PressBot Shield

Security alert · just now

5 failed logins from 104.28.208.84

Username: “admin”
5 attempts in the last 10 minutes
IP auto-locked for 30 minutes

AI: High threat. Automated credential stuffing via a Cloudflare tunnel. “admin” doesn’t match any real account here; user agent is a Python script, not a browser. Recommend extending the block to 24 hours.

Block 30 min Block 24 hrs View details Dismiss

One tap executes the action. No dashboard, no browser.

New in 1.6 · Plugin Guardian

The supply-chain watchdog your plugin updates never had.

31 WordPress plugins shipped a silent backdoor through auto-updates on April 16, 2026. Wordfence, Sucuri, and every other signature-based scanner missed it. Plugin Guardian is the layer that would have flagged it — before the payload reached your site.

What happened: a legitimate ownership transfer on Flippa. Eight quiet months. Then one coordinated update across 31 plugins, delivered via the trusted WordPress.org channel. Trusted source, trusted mechanism, malicious payload.

Pre-update snapshots — every plugin’s PHP files and header metadata are captured the moment WordPress requests an update, before install.
AI diff analysis on what actually changed — eval, base64_decode chains, new outbound HTTP, wp-config.php writes, obfuscation. Semantic red flags, not signatures.
Ownership-change detection reads the author and author URI fields the way an analyst would — the signal that was sitting in plain text in all 31 plugins.
Telegram alert + re-run from Shield — escalated findings ping you with one-tap actions, and you can re-queue analysis any time without rolling back the update.

Read the incident post-mortem

Plugin Guardian

Enabled

Critical / high 0

Pending 0

Ownership flags 0

Alert threshold High

Plugin Verdict Summary Captured

WooCommerce v10.7.0 · 792 changed files

Medium

Routine version bump from 10.5.3 → 10.7.0. Changes are regenerated *.asset.php manifests. No executable logic, no outbound requests, no obfuscation.

dynamic invocation outbound http

Apr 18
12:24 AM

What you get

Everything the login page should have shipped with.

Six working pieces, zero plugin soup. Shield was built to feel like it was in the WordPress core all along.

Auto IP lockout

Configurable thresholds — max failures, time window, lockout duration. Defaults work out of the box; tweak one slider if you need to.

AI threat analysis

Attack pattern, threat level, what the attacker probably knows, recommended action. Runs on the cheapest model available — under $0.01 per day.

Telegram one-tap actions

Block 30 min, Block 24 hrs, View details, Dismiss. Tap a button — the action executes on your site. No device switching.

Cloudflare-aware IPs

Reads CF-Connecting-IP, X-Forwarded-For, REMOTE_ADDR. Always identifies the real attacker, never the proxy. IPv6 supported.

30-day auto-cleanup

Login data purges after 30 days on its own. No database bloat, no cron jobs to babysit, no migration headaches when you move hosts.

12-point security audit

Ask the agent for a security audit and get a live checklist: file permissions, debug mode, SSL, database prefix, admin users, XML-RPC, and more.

Your thresholds

Sensible defaults. Override any of them.

Configure Shield in PressBot → Settings → PressBot Shield. The defaults below are what ships, and they’re right for almost every site — change only what you know you need.

Setting Default What it controls

enable_shield On Master toggle for login tracking and IP lockouts.

max_failures 5 Failed attempts from a single IP before the lockout triggers.

time_window 15 min Rolling window over which failed attempts are counted.

lockout_duration 30 min How long an IP stays blocked before it can try again.

ai_analysis_level Security only “All reports” · “Security alerts only” · “None (data only)” — trade detail for AI spend.

Shield is just the start

The same Pro plan brings 99 tools to the party.

Shield lives inside the broader admin agent — content tools, WooCommerce, plugin management, AI images, Telegram, scheduled automations, and MCP for your IDE. One purchase, one toolset, every surface.

See the full toolbelt

Pricing

Shield is included everywhere the agent runs.

No per-message fees. Bring your own Anthropic, Gemini, or OpenAI key for Shield, pay the provider directly — we don’t sit in the middle. DeepSeek is also available on the public chatbot.

Free

$0 · forever

Visitor chatbot only

Unlimited conversations
Claude + Gemini + GPT + DeepSeek
10 knowledge entries

Download free

Before you flip the switch.

How does AI-powered login protection actually work?

Shield monitors every login attempt and detects patterns — brute force, credential stuffing, distributed attacks. When a threat crosses the threshold, the AI classifies it and the IP is automatically blocked while you get a Telegram alert with the model’s verdict.

Will Shield ever block legitimate users?

No. Shield only locks an IP after repeated failed attempts within your configured window. Successful logins are never counted. If a real user does get locked out, you can unblock them instantly from the admin or from Telegram.

Does Shield play nicely with other security plugins?

Yes. Shield focuses specifically on the login surface and complements firewalls and malware scanners like Wordfence or Sucuri. It doesn’t duplicate those layers — it fills the login-attempt gap.

What do Telegram security alerts actually send?

Real-time alerts for brute-force detection, new-user registrations, and a daily security digest (failed logins, plugin updates, PHP errors). Each alert includes inline action buttons so you can respond without switching to a browser.

Is Shield in the free version?

No — Shield is a Pro feature. It ships identically across Pro, Business, and Agency; no feature differences between tiers, only the number of sites you can run it on.

Shield your login tonight

Stop waking up to another breach email.

AI-powered login protection, auto-lockouts, and one-tap Telegram response — bundled into every Pro plan, for less than a coffee a month.

Get PressBot Pro Download free