When you go to Joomla's update manager there's a link for more information. Clicking it takes you to our Release Notes where we say if we have added or modified WAF features. As a rule of thumb, you should check the documentation to understand what new features do and if you agree that it's an important thing for your use case then do enable the option.
Regarding the 404Shield, I personally don't consider it a must-have feature. With that I mean that it does not stop any attacks which otherwise would go through. It will simply stop earlier some script kiddies who try to brute force a WordPress login on a Joomla site. Clearly what they are doing has not a cat's chance in hell of succeeding. They are just not the sharpest tool in the shed, therefore they cannot understand that what they're doing is pointless. To you, what they are doing is mostly harmless but wastes server resources. 404Shield kicks in and blocks them from your site, therefore preventing a lot of the server resource waste. I think you get the idea :)
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
