Getting Started with VistoShield

Install, activate, and configure VistoShield security modules in WordPress. No server access required — works on any standard WordPress hosting.

Requirements

  • WordPress 5.4 or higher
  • PHP 7.4 or higher
  • Any standard WordPress hosting (shared, VPS, managed, etc.)

Step 1: Create Your VistoShield Account

Before installing the plugin, create a free VistoShield cloud account. This account lets you manage all your WordPress sites from a single dashboard.

  1. Go to app.vistoshield.com/register
  2. Enter your name, email address, and a strong password
  3. Verify your email address by clicking the confirmation link
  4. Log in to the cloud dashboard at app.vistoshield.com

Tip: The free plan includes up to 3 sites with core security features — no credit card required, no time limit.

Step 2: Download and Install the Plugin

There are two ways to install VistoShield on your WordPress site:

Option A: Install from WordPress.org (recommended)

  1. In your WordPress admin, go to Plugins → Add New
  2. Search for "VistoShield"
  3. Click Install Now and then Activate

Option B: Upload the ZIP file

  1. Download the latest ZIP file from the VistoShield website
  2. In your WordPress admin, go to Plugins → Add New → Upload Plugin
  3. Choose the downloaded ZIP file and click Install Now
  4. Click Activate Plugin

Install the VistoShield plugin and enable the security modules you need. Each module works independently — enable or disable from the dashboard.

Step 3: Run the Setup Wizard

After activating the plugin, the setup wizard launches automatically. It connects your WordPress site to the VistoShield cloud dashboard.

  1. The wizard will prompt you for your VistoShield account credentials
  2. Enter the email and password you used to register at app.vistoshield.com
  3. Alternatively, paste an API key — you can generate one from Cloud Dashboard → Account → API Keys
  4. Click Connect — the plugin will register your site with the cloud and receive a unique site token
  5. Once connected, you will see a green "Connected" status in the plugin header

Tip: If you skipped the wizard, you can access it anytime from VistoShield → Setup Wizard in the WordPress admin menu.

Step 4: Verify the Connection

After connecting, verify that your site is communicating with the cloud dashboard:

  1. In your WordPress admin, go to VistoShield → Dashboard
  2. Check the Connection Status indicator — it should show "Connected" with a green dot
  3. Check the Last Heartbeat timestamp — it should update within 5 minutes of activation
  4. In the cloud dashboard at app.vistoshield.com, confirm your site appears in the sites list with an "Active" status

Important: If the heartbeat is not updating, check that your server can make outbound HTTPS requests to api.vistoshield.com and that WP-Cron is functioning correctly.

Step 5: Explore Your Cloud Dashboard

The cloud dashboard at app.vistoshield.com is your central command center. From here you can:

  • Monitor all connected sites — security scores, recent events, and module status at a glance
  • Configure security modules — enable or disable each of the 14 modules per site
  • View security events — blocked attacks, login attempts, bot detections, and scanner results
  • Set up alerts — email and Slack notifications for critical security events
  • Manage licenses — upgrade to Pro or Max, assign licenses to sites
  • Run on-demand scans — trigger malware scans and integrity checks from the cloud

Once connected, your security events, scan results, and module status will sync to the cloud dashboard in real time.

First Steps After Activation

Security Scanner

Go to VistoShield → Scanner and run your first scan. The scanner will check your WordPress core files against official checksums, scan for malware patterns, and report any vulnerabilities.

Firewall & WAF

Go to VistoShield → Firewall and enable the WAF rules. We recommend starting in Learning Mode for the first few days to avoid blocking legitimate traffic, then switching to enforcement mode.

Bot Detector

Go to VistoShield → Bot Detector and review the default bot signatures. The free version includes 143 signatures covering scrapers, spam bots, and AI crawlers. You can set per-bot actions: Block, Challenge, Allow, or Monitor.

Login Guard

Go to VistoShield → Login Guard to configure brute force protection. Enable TOTP two-factor authentication for administrator accounts for maximum security. The honeypot CAPTCHA is enabled by default.

Activity Log

Go to VistoShield → Activity Log to check the dashboard. The module automatically tracks logins, content changes, plugin activations, and user role modifications. Configure alert rules to receive email notifications for critical events.

Upgrading to Pro

The Pro plan unlocks premium features across all 14 modules:

  1. Purchase Pro from the Pro page
  2. Upgrade to the Pro plan from the dashboard
  3. Go to VistoShield → License and enter your license key
  4. All 14 modules will automatically unlock their Pro features

Pro includes a unified dashboard, 500+ bot signatures, extended history (up to 14 days), PDF export, weekly reports, and priority 24h support.

Troubleshooting

Common issues and how to resolve them:

Plugin shows "Not Connected"

The plugin cannot reach the VistoShield cloud or the site token is invalid.

  • Go to VistoShield → Dashboard and check the site_key value. If it is empty or incorrect, the connection cannot be established.
  • Try re-running the setup wizard from VistoShield → Setup Wizard. This will generate a new site token and re-authenticate with the cloud.
  • Verify that your server can make outbound HTTPS requests to api.vistoshield.com. Some hosting providers block outgoing connections on shared hosting — contact your host if needed.
  • If you recently changed your VistoShield account password, you may need to re-authenticate the plugin.

Dashboard shows login page in iframe

The cloud dashboard session has expired inside the WordPress admin iframe.

  • Clear your browser cache and cookies for app.vistoshield.com
  • Deactivate and re-activate the VistoShield plugin in Plugins → Installed Plugins
  • If the issue persists, try accessing the cloud dashboard directly at app.vistoshield.com to verify your session is active
  • Some ad blockers and privacy extensions block iframe embedding — try disabling them temporarily

WAF blocking Elementor / page builder

Older WAF rules could trigger false positives when saving pages with visual page builders.

  • Update to the latest plugin version (2.0.3 or newer) — this version includes comprehensive WAF whitelists for Elementor, Divi, WPBakery, Beaver Builder, Bricks, Oxygen, and other popular builders
  • If you cannot update immediately, switch the WAF to Learning Mode from VistoShield → Firewall → Settings
  • Check the Firewall → Log to see which specific rule triggered the block, and add an exception if needed

Heartbeat not updating

The heartbeat relies on WP-Cron to send periodic pings to the cloud dashboard.

  • Check if DISABLE_WP_CRON is set to true in your wp-config.php. If so, you need a real server-side cron job calling wp-cron.php
  • Visit your site's front end to trigger WP-Cron (WordPress cron only runs on page loads)
  • Use the WP Crontrol plugin to verify that the vistoshield_heartbeat event is scheduled
  • On sites with very low traffic, consider setting up a real cron job: */5 * * * * wget -q -O /dev/null https://yoursite.com/wp-cron.php
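
On hosts that offer SSH access, the heartbeat checks above (DISABLE_WP_CRON in wp-config.php, outbound HTTPS to api.vistoshield.com, the vistoshield_heartbeat event) can be run from a shell. The script below is an added example, not part of the VistoShield plugin or its documentation; it assumes curl is installed, uses WP-CLI only if it is present, and its file name and function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks for the VistoShield heartbeat.
# Usage (assumed invocation): sh heartbeat-check.sh /path/to/wordpress

API_HOST="api.vistoshield.com"        # host named on this page
HOOK="vistoshield_heartbeat"          # cron event named on this page

# 0 if wp-config.php ($1) sets DISABLE_WP_CRON to true/1 on a line that
# is not commented out; 1 otherwise; 2 if the file cannot be read.
wp_cron_disabled() {
    [ -r "$1" ] || return 2
    grep -F 'DISABLE_WP_CRON' "$1" \
        | grep -Ev '^[[:space:]]*(//|#|\*|/\*)' \
        | grep -Eiq "define *\(.*, *['\"]?(true|1)['\"]? *\)"
}

# 0 if an HTTPS connection to host $1 completes within 10 seconds.
# Any HTTP status counts; only DNS, connect or TLS failures return non-zero.
can_reach_https() {
    curl -sS -o /dev/null --max-time 10 "https://$1/"
}

# 0 if WP-CLI lists the heartbeat hook for the site rooted at $1.
heartbeat_scheduled() {
    wp cron event list --path="$1" --fields=hook --format=csv 2>/dev/null \
        | grep -qx "$HOOK"
}

diagnose() {
    if wp_cron_disabled "$1/wp-config.php"; then
        echo "WP-Cron: disabled in wp-config.php, a system cron job must call wp-cron.php"
    else
        echo "WP-Cron: runs on page loads only (or wp-config.php not readable)"
    fi
    if can_reach_https "$API_HOST"; then
        echo "Outbound HTTPS to $API_HOST: ok"
    else
        echo "Outbound HTTPS to $API_HOST: FAILED, ask the host about egress rules"
    fi
    if command -v wp >/dev/null 2>&1; then
        if heartbeat_scheduled "$1"; then echo "$HOOK: scheduled"
        else echo "$HOOK: NOT scheduled"; fi
    fi
}

if [ -n "${1:-}" ]; then diagnose "$1"; fi
```

A failed HTTPS check combined with a scheduled hook points at egress filtering rather than WP-Cron.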

Getting Help