Enhanced Protection Against WordPress Vulnerabilities with SiteGround Security Plugin Preinstalled
We have recently launched our own WordPress security plugin, SiteGround Security (now named Security Optimizer), which aims to protect WordPress users against the most common vulnerabilities plaguing their sites. It is available for anyone to download and use for free, regardless of which hosting platform they use. To make sure that the WordPress sites on our platform are also well protected at the application level, we have started preinstalling SiteGround Security on all new installations, with some of its features enabled by default.
Default SiteGround Security Settings Against Common WordPress Vulnerabilities
Having your site set up with security in mind from the start protects you against some of the most common attacks out there. To help you achieve that, when we preinstall the SiteGround Security plugin we enable the following settings:
WordPress Version is Hidden by default
Attackers routinely crawl websites collecting information about the software versions in use. When a vulnerability is later published for one of those versions, they already hold a list of sites running it and can attack them in bulk. WordPress announces its version in two obvious places: the `<meta name="generator">` tag in the HTML head of every page, and the readme.html file in the site root.
By default, our plugin removes the generator tag, and we strongly recommend that you also remove readme.html via the option in the SiteGround Security plugin. Keep in mind that hiding the version only makes you a less convenient target; it does not patch anything, so the real protection is keeping WordPress, your themes and your plugins up to date.
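As an added illustration (example code written for this article, not code from the SiteGround Security plugin), the mu-plugin below does the same job by hand: it removes the generator tag, strips the core `?ver=` query string from core assets, and deletes readme.html again after every core update, because each update ships a fresh copy. The `hwv_` names are invented here; the hooks and helpers are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (example)
 *
 * Example mu-plugin written for this article; it is NOT code from the
 * SiteGround Security plugin. Save as wp-content/mu-plugins/hide-version.php.
 * Names starting with hwv_ are invented here; the hooks and helpers used
 * are real WordPress core APIs.
 */

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>,
//    and the <generator> element core also puts in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. The ?ver=x.y query string core appends to its own scripts and styles.
//    Strip it only when it equals the core version; plugin and theme assets
//    keep their own ver= so cache busting still works for them.
function hwv_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( (string) $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hwv_strip_core_version' );
add_filter( 'style_loader_src', 'hwv_strip_core_version' );

// 3. readme.html in the site root. Deleting it once is not enough: every
//    core update restores it, so delete it again after each core upgrade.
function hwv_remove_readme( $upgrader, $hook_extra ) {
    if ( isset( $hook_extra['type'] ) && 'core' === $hook_extra['type'] ) {
        $readme = ABSPATH . 'readme.html';
        if ( file_exists( $readme ) ) {
            wp_delete_file( $readme );
        }
    }
}
add_action( 'upgrader_process_complete', 'hwv_remove_readme', 10, 2 );
```

To check the result from outside, fetch the home page and grep for `generator`, and request /readme.html expecting a 404; both should stay clean after the next core update as well.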
Advanced XSS Vulnerability Protection enabled
Cross-site scripting, known as XSS, is a vulnerability in which attacker-supplied input (a comment, a search string, a URL parameter) is echoed into a page without being escaped, so the browser runs it as script in the context of your site. Such attacks are commonly used to steal session cookies and other sensitive user data, or to perform actions on behalf of a logged-in administrator. By default, the SiteGround Security plugin adds an extra layer of protection against XSS by sending HTTP response headers that instruct browsers to refuse script and other code injections. These headers are a backstop in the browser; they do not fix an injection in a vulnerable theme or plugin, which still has to escape its output.
Disabled XML-RPC protocol to prevent many vulnerabilities and attacks
XML-RPC is an older protocol WordPress uses to talk to other systems. It has been used less and less since the REST API appeared, but it is still shipped and enabled in every installation, and attackers use it for brute-forcing credentials (hundreds of login attempts can be packed into a single `system.multicall` request), for pingback-based DDoS amplification and for other abuse. That is why our SiteGround Security plugin disables this open access line to your WordPress application by default.
NOTE:
The Jetpack plugin and the WordPress mobile apps are legitimate users of the XML-RPC protocol. If you install Jetpack at some point, we will automatically enable the protocol again. You can also enable it yourself through the plugin interface.
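The following added example (written for this article, not the SiteGround Security plugin's own code) shows how such a conditional switch-off works and why the core filter alone is not enough: `xmlrpc_enabled` only disables the methods that need a login, so the pingback methods and the endpoint itself have to be handled separately. The Jetpack check uses Jetpack's public `Jetpack` class; everything prefixed `rxr_` is invented here.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC (example)
 *
 * Example mu-plugin written for this article, NOT code from the SiteGround
 * Security plugin. Keeps XML-RPC on while Jetpack is active (it depends on
 * it, as do the WordPress mobile apps) and disables it otherwise; the
 * pingback methods are removed either way. The Jetpack check uses Jetpack's
 * public "Jetpack" class; everything prefixed rxr_ is invented here.
 */

function rxr_jetpack_active() {
    return class_exists( 'Jetpack' );
}

function rxr_setup() {
    // Unconditional: pingbacks need no login, are a reflection/amplification
    // vector, and nothing legitimate on a typical site depends on them.
    add_filter( 'xmlrpc_methods', 'rxr_remove_pingback_methods' );
    add_filter( 'wp_headers', 'rxr_remove_pingback_header' );

    if ( rxr_jetpack_active() ) {
        return; // Jetpack needs the endpoint; leave authenticated methods on.
    }

    // Core's filter only disables methods that require authentication, i.e.
    // the ones abused for credential guessing via system.multicall. The
    // endpoint itself keeps answering, so the request is also stopped in init.
    add_filter( 'xmlrpc_enabled', '__return_false' );
    add_action( 'init', 'rxr_block_endpoint' );
    remove_action( 'wp_head', 'rsd_link' ); // stop advertising the endpoint
}
// Run after regular plugins are loaded, otherwise class_exists('Jetpack')
// is always false inside an mu-plugin (mu-plugins load first).
add_action( 'plugins_loaded', 'rxr_setup' );

function rxr_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}

function rxr_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}

function rxr_block_endpoint() {
    // xmlrpc.php defines XMLRPC_REQUEST before bootstrapping WordPress.
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
}
```

To verify, POST a `system.listMethods` call to /xmlrpc.php with curl: without Jetpack you should get a 403, with Jetpack active you get the method list but `pingback.ping` is no longer in it.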
Option to Disable RSS and ATOM Feeds
Similar to XML-RPC, feeds are used far less than they once were, but they are frequently read by scrapers and bad bots to copy your site content. The SiteGround Security plugin therefore lets you disable them easily. Note that this is a content-scraping and resource concern rather than a vulnerability: if you run a blog or news site and want readers to follow you in a feed reader, keep the feeds on; if nothing on your site needs them, we recommend disabling them.
Lock and Protect System Folders by default
When a site is compromised, attackers usually try to upload and execute PHP files in publicly writable folders in order to plant backdoors and extend their access. By design, the publicly accessible WordPress folders such as wp-content/uploads exist for media (images, for example), and nothing stored there should ever run as code. The SiteGround Security plugin does not prevent uploads; it adds web-server rules that stop PHP files and other scripts from being executed from those folders, so an uploaded web shell is served as an inert file instead of running.
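As an added example of what such a rule looks like and how it can be written without trampling the rest of .htaccess (a concern raised in the comments below), here is a small plugin written for this article, not the SiteGround Security plugin's own code. It assumes Apache with `AllowOverride` permitting `FilesMatch`/`Require` (AuthConfig or All); on nginx the equivalent is a `location ~* /uploads/.*\.php$ { deny all; }` block in the server config. Names prefixed `lud_` are invented.

```php
<?php
/**
 * Plugin Name: Lock uploads folder (example)
 *
 * Example plugin written for this article, NOT code from the SiteGround
 * Security plugin. On activation it writes a marker-delimited block into
 * wp-content/uploads/.htaccess so Apache refuses to execute PHP there; on
 * deactivation it empties that block and touches nothing else in the file.
 * Assumes Apache with AllowOverride allowing FilesMatch/Require.
 * Names prefixed lud_ are invented here.
 */

function lud_rules() {
    return array(
        // Apache 2.4 syntax. The trailing (\.|$) also catches the
        // double-extension trick (shell.php.jpg), which some AddHandler
        // configurations would otherwise still run as PHP.
        '<FilesMatch "\.(php[0-9]?|phtml|phar)(\.|$)">',
        '    Require all denied',
        '</FilesMatch>',
    );
}

function lud_htaccess_path() {
    $dir = wp_upload_dir();
    return trailingslashit( $dir['basedir'] ) . '.htaccess';
}

// insert_with_markers() rewrites only the lines between
// "# BEGIN lock-uploads" and "# END lock-uploads". Hand-written rules in the
// same file are left untouched, and the change is easy to review in a diff.
function lud_apply() {
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    return insert_with_markers( lud_htaccess_path(), 'lock-uploads', lud_rules() );
}

// Leaves an empty marker block behind (harmless); delete the file by hand
// if you want it gone entirely.
function lud_remove() {
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    return insert_with_markers( lud_htaccess_path(), 'lock-uploads', array() );
}

register_activation_hook( __FILE__, 'lud_apply' );
register_deactivation_hook( __FILE__, 'lud_remove' );
```

To test it, copy a harmless `probe.php` containing `<?php echo 'executed';` into wp-content/uploads over SFTP and request it in the browser: you should get 403, not the word "executed". If PHP still runs, .htaccess is not being honoured on that server and the rule belongs in the virtual host or nginx configuration instead.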
Disabled “Admin” Username
The default username, and the one most widely used by site owners across all kinds of applications, is “admin”. Attackers know this, and when they brute-force a login form it is the first name they try. Disabling it forces them to guess the username as well as the password, so we disable it by default.
Disabled Themes & Plugins Editor
Editing code through the built-in themes and plugins editor poses a direct security risk: anyone who gains administrator access (through a stolen password or a privilege-escalation bug) can use it to write arbitrary PHP to your site, and an honest mistake by an administrator can take the site down. If you need to edit files, use the File Manager tool in Site Tools or your preferred editor over FTP or SSH, ideally on a staging copy of your site. To help you avoid these risks, we disable the themes and plugins editor by default, which has the same effect as adding `define( 'DISALLOW_FILE_EDIT', true );` to wp-config.php.
Recommended Vulnerabilities Protection Settings
There are a few settings you can control from the SiteGround Security plugin that we have not enabled by default, because they require a conscious decision on your part or could interfere with the way you use your site. We still encourage you to enable them deliberately, as they are powerful protection tools too.
Two-Factor Authentication is a MUST
2FA protects your login even when a password is guessed, phished or leaked: a brute-force attack that finds the right password still fails without the second factor. You can read more on the topic here, and you can enable it easily using the SiteGround Security plugin.
Limit Login Attempts
When someone tries to log in several times with wrong credentials, they are most likely trying to guess your password. It is therefore strongly recommended to block such attempts after the first few, 3 or 5. You can set this in the SiteGround Security plugin interface; after that many wrong logins, the client IP is blocked for 1 hour the first time, 24 hours the second time and 7 days the third time. Because you can lock yourself out of the WordPress admin area if you do not know about this functionality, we do not enable it by default, but you can do it with a single click.
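The added example below (written for this article, not code from the SiteGround Security plugin) implements both login controls described above in one mu-plugin: the “admin” username is refused outright, and an IP that fails `LH_MAX_FAILURES` times is locked for 1 hour, then 24 hours, then 7 days on repeat offences. State is kept in transients keyed by client IP. The hook names are WordPress core; everything prefixed `lh_`/`LH_` is invented here.

```php
<?php
/**
 * Plugin Name: Login hardening (example)
 *
 * Example mu-plugin written for this article, NOT code from the SiteGround
 * Security plugin. Refuses the "admin" login name, and locks an IP after
 * LH_MAX_FAILURES failed logins for 1 hour, then 24 hours, then 7 days.
 * State lives in transients keyed by client IP. Hook names are WordPress
 * core; everything prefixed lh_/LH_ is invented for this example.
 */

const LH_MAX_FAILURES = 5;

function lh_client_ip() {
    // REMOTE_ADDR is the one address the client cannot forge. Behind a
    // trusted reverse proxy/CDN, let the proxy layer (or the host's own
    // handling) restore the real client IP; never trust X-Forwarded-For
    // blindly, or attackers choose which IP gets locked out.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_key( $suffix ) {
    return 'lh_' . $suffix . '_' . md5( lh_client_ip() );
}

// 1st lock: 1 hour, 2nd: 24 hours, 3rd and later: 7 days.
function lh_lock_seconds( $lock_count ) {
    $steps = array( HOUR_IN_SECONDS, DAY_IN_SECONDS, WEEK_IN_SECONDS );
    return $steps[ min( $lock_count, count( $steps ) ) - 1 ];
}

function lh_is_locked() {
    return false !== get_transient( lh_key( 'locked' ) );
}

// Priority 30: runs after core's password check (priority 20), which would
// otherwise overwrite an earlier WP_Error with a WP_User on a correct
// password. Returning WP_Error here also fires wp_login_failed.
function lh_gate_login( $user, $username, $password ) {
    if ( lh_is_locked() ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins from your address. Try again later.' );
    }
    if ( 'admin' === strtolower( trim( (string) $username ) ) ) {
        return new WP_Error( 'lh_admin_disabled', 'This username is disabled.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lh_gate_login', 30, 3 );

// Also refuse "admin" at registration / user creation.
function lh_illegal_logins( $logins ) {
    $logins[] = 'admin';
    return $logins;
}
add_filter( 'illegal_user_logins', 'lh_illegal_logins' );

// Count failures per IP; on the Nth failure start a lock whose length
// escalates with the number of previous locks from that IP.
function lh_on_failed_login( $username ) {
    if ( lh_is_locked() ) {
        return; // attempts made during a lock do not re-escalate it
    }
    $fail_key = lh_key( 'fails' );
    $fails    = (int) get_transient( $fail_key ) + 1;
    if ( $fails < LH_MAX_FAILURES ) {
        set_transient( $fail_key, $fails, HOUR_IN_SECONDS ); // counting window
        return;
    }
    $lock_key   = lh_key( 'locks' );
    $lock_count = (int) get_transient( $lock_key ) + 1;
    set_transient( $lock_key, $lock_count, WEEK_IN_SECONDS ); // escalation level
    set_transient( lh_key( 'locked' ), time(), lh_lock_seconds( $lock_count ) );
    delete_transient( $fail_key );
}
add_action( 'wp_login_failed', 'lh_on_failed_login' );

// A successful login resets the failure count (the escalation level stays).
function lh_on_login( $user_login ) {
    delete_transient( lh_key( 'fails' ) );
}
add_action( 'wp_login', 'lh_on_login' );
```

Two practical caveats: if the site sits behind a proxy that does not pass the real client address, every visitor shares one `REMOTE_ADDR` and a single attacker can lock everyone out; and if you lock yourself out while testing, the lock is just a transient, so `wp transient delete --all` over WP-CLI (or the host's auto-login into the dashboard) clears it.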
More Tools Against WordPress Vulnerabilities Coming Up
We are continuing to develop the plugin and will add new functionality soon; monitor the changelog for features added in upcoming updates. There is no strict roadmap we can share at this point, but some of the features coming next are custom login URLs, Strict-Transport-Security headers and X-Frame-Options headers, which prevent clickjacking (your pages being loaded inside a frame on an attacker's site). As usual, we want to bring technologies that are normally difficult to implement to everyone, through an easily accessible interface, without hours of research into the exact syntax of the necessary headers or other code.
Comments ( 91 )
Caroline
Is SiteGround ISO27001 certified?
Hristo Pandjarov Siteground Team
All our hosting accounts are built on GCP. Although we are not certified, the Google services that we use are. I can assure you that we're following all the best security practices on our platform.
PATRICK BIANCONI
Thanks Hristo.
Mark MacAllister
I already use WordFence on my site. Is this new plug-in fully compatible with WordFence? Is it necessary if I have WordFence installed and configured correctly?
Hristo Pandjarov Siteground Team
Please, check my previous comment on that subject.
Tom
I have a WP site (with SG) that uses Wordfence - can your Plugin be used alongside Wordfence? Thanks
Hristo Pandjarov Siteground Team
Please, check my previous comment on that subject.
Paul Guilfoyle
Can this be used in addition to Wordfence? Are there any conflicts?
Hristo Pandjarov Siteground Team
Not at this point but I can't tell if any Wordfence update won't break something in the future. I'd recommend using only the SiteGround Security plugin since overlapping functionality should be avoided every time possible.
michelle
I read this article specifically to understand what, if any, overlaps exist with WordFence. I don't see anything to suggest the Siteground plugin acts as a firewall. So I wil keep WordFence until you add a firewall. In that situation which wordfence / siteground functionalities overlap.
Hristo Pandjarov Siteground Team
We have a WAF running on all SiteGround services by default and you don't need Wordfence if you are using it just for that. It will consume resources that you can use for regular visits.
Gerhard
Is Wordfence then no longer needed or can it be used in addition?
Hristo Pandjarov Siteground Team
I wouldn't recommend to use both. You can use only the SiteGround Security :)
Howard
How will this affect “overall” site speed, generally speaking?
Hristo Pandjarov Siteground Team
It shouldn't affect your site speed at all, everything we do is with performance in mind so your site should not experience any negative impact from using the SiteGround Security plugin.
Robert Graziani
I have All In One WordPress Security, and Black Hole for Bad Bots, and WPS Hide Login plugins already installed. Which of these, if any, should I de-activate?
Hristo Pandjarov Siteground Team
The first one and soon the hide login one :)
Phil
Does SiteGround Security have all of the features of "the free version of" WordFence currently? I have multiple sites and I'm pretty comfortable with WordFence, but your plugins and support are awesome.
Hristo Pandjarov Siteground Team
Please, check my previous comment on that subject.
Lynne
Hi, one of the options is the 'Login Access' and to enter safe IP addresses. I put in the IP address but it says it is not formatted correctly, but I can't find an example of how it should be formatted, could you point me to some instructions please?
Hristo Pandjarov Siteground Team
The standard IP format xxx.xxx.xxx.xxx - you can use whatismyip.com to get your public IP address.
Willem
Is it better than the free version of 'All in One WP security'? What are the differences?
Hristo Pandjarov Siteground Team
Please, check my previous comment on that subject.
Karim
Great plug-in. What’s the difference between this and Wordfence since the latter is very widely used among the WordPress community? Shall we say if we used yours there’s no need to think about Wordfence? The other quest is regarding the performance on the site itself, which one is lighter and better for site optimisation? Thanks for all the effort.
Hristo Pandjarov Siteground Team
Our plugin is designed from the very beginning with performance in mind. This said, I don't want to go into feature comparison with Wordfence. With this initial version and the SiteGround WAF running on all servers already your site will be protected well enough. Yes, we will introduce more features along the way but even now you're still covered.
Cambs Digital
As a developer I have concerns that htaccess is indiscriminately written to. I have had sites taken down before due to this. I really would prefer to review additions to this file and add them manually. Also blocking the admin folder breaks many ecommerce sites using an ajax enabled cache, as another example. So it's great to have this plugin but I have been put off by maverick site editing behind the scenes. Generally what you need is: limiting login attempts; stopping the application from having editing access to the actual theme files; blocking IP addresses when you come across bad actors; blocking access to the admin folder with a whitelist, and with the possibility to whitelist a file (to run ajax operations).
Hristo Pandjarov Siteground Team
We have tested our plugin extensively to make sure it doesn't break functionality. Everything you've mentioned can be achieved, just give it a try.
David
How does this compare to SG Site Scanner? If this security plugin is used do we still need the SG Site Scanner?
Hristo Pandjarov Siteground Team
The plugin improves your site security while the scanner checks if your account has been compromised. Those are different things :)
Pele Banugo
Hristo, this is both interesting and exciting. Why did SiteGround decide to build a security plugin when here are so many on the market?
Hristo Pandjarov Siteground Team
Because we believe we can make it better and faster than anyone else. Right now people use 2-3-4 plugins for things like stopping xml rpc, custom login urls, access log, etc. We want to replace those with a single, well built and maintained plugin.
Vincent Poirier
Is it compatible with WordPress Multisite? (if yes) Are there network-wide configurations?
Hristo Pandjarov Siteground Team
Not in this version, we will add MS support on a later stage since there are a lot of custom needs to be met there.
Judy
Will ManageWP still be able to access the websites to do updates and backups with your security plugin?
Hristo Pandjarov Siteground Team
If they do it in a legitimate way, yes. To be honest, I haven't tested it but there shouldn't be problems. If such exist though, feel free to post a thread in the plugin forum at wp.org. We will happily assist you further.
Lisa
What is the difference between Wordfence and Siteground Security? Do you send reports of attempted logins, potential hackers and their whereabouts as well as potential security breaches that should be addressed?
Hristo Pandjarov Siteground Team
Please, check my previous comment on that subject.
Sar
"... we disable the themes & plugins editor by default." To clarify, does this mean theme builder editors like Divi, Elementor, Beaver Builder, etc.. are disabled by default?
Hristo Pandjarov Siteground Team
No, we've disabled the ability to edit themes and plugins code through the backend editor. All page builders will work just fine.
Emma
This is a great addition. I would actually like to see lockout after 1 try as an option though?
Hristo Pandjarov Siteground Team
That would be too harsh and cause more harm than good really.
Emin
It would be great if this could allow renaming the default admin and login paths. I found that this is the best protection a WP site could get.
Hristo Pandjarov Siteground Team
Coming up shortly :)
Lou Sniderman
Wordfence sends me an email every time there is an update for a plug-in or when someone logs in to the site as admin. Will your Security plugin do the same?
Hristo Pandjarov Siteground Team
We are working on email notification system, it is coming shortly.
Lou Sniderman
Is it OK to continue to use Wordfence along with your Security plug in until the email notification is available? If I don't install your Security plug in now how will I know that the email notifications has been added to the plugin?
Hristo Pandjarov Siteground Team
Best way is to check the changelog before updating. This said, check if you're not duplicating functionality. Otherwise there shouldn't be conflicts.
Ian
Does this plug-in address the same vulnerabilities that Wordfence does? I would prefer to use plug-ins that are developed by Siteground (e.g. I prefer SG Optimizer over a third-party plug-in) so long as they deliver substantially the same functionality.
Hristo Pandjarov Siteground Team
My opinion is that with the SiteGround WAF running on all servers and the SiteGround security you don't need WordFence.
Alan
I too use Word Fence. So the question of possible conflict has been answered. I use the IPs temporarily blocked by Word Fence to manually block the IPs across all my subdomain sites using SG site tools. It would be useful if your security plugin could do that automatically. Question: if the use of 'admin' is disabled, is there some way to avoid being locked out of those sites that currently use that login. Question: I do use Jetpack, so presumably XML-RPC protocol will not be deactivated? Thanks. Alan.
Hristo Pandjarov Siteground Team
Everything is optional. If you really use Jetpack, then you can't disable XML-RPC since it uses it heavily and that would break it. As to Wordfence I don't think there will be conflict, just not much sense keeping two plugins that keep logs and provide the functionality to ban IPs. Last but not least, that's a great suggestion. We actually plan on using that data from the plugin to apply global bans in a way our AI Anti-bot system bans IPs across our entire network once they are detected to cause malicious traffic even to a single server.
Chris
I'm using Sucuri - free and paid versions on sites...any issues with having both? Also, I already have wp hide login in all my sites...what should I do now?
Hristo Pandjarov Siteground Team
The next plugin version will make WP Hide Login obsolete. You can keep it for now. As for the rest, we already have a WAF running on our servers so I would personally save from paying for premium plugins and rely only on SiteGround Security.
John
Thanks! Does this mean you don't recommend your Sitescanner (Sucuri) service?
Hristo Pandjarov Siteground Team
The Site scanner is a completely different service. I totally recommend it :)
Debbee
Does what you said about Wordfence also apply to Sucuri?
Hristo Pandjarov Siteground Team
Well yes, since they provide pretty much the same things.
Fused
I have multiple clients using your managed Wordpress GoGeek services. Since most are not new installations, how do I add this security feature?
Hristo Pandjarov Siteground Team
You can install it as any other WordPress plugin, it's in the repo.
Gene
I need to know if the WordPress security you are promoting requires a static IP address. This would seem to be a simple question but not one that I can find in the supposed help system. Very frustrated that there seems to be no way to get phone support. Just endless circles of things that don't help.
Hristo Pandjarov Siteground Team
It does not require a static IP address. However, if you have a dynamic IP I wouldn't recommend restricting the login to one IP since you may lock yourself out. Use the 2FA authentication instead or a VPN and only then restrict the access to its IP.
Taina Pere
Hi! My websites are currently protected with Sucuri Security. Does SiteGround Security work well alongside Sucuri or do you recommend removing Sucuri when installing SiteGround Security?
Hristo Pandjarov Siteground Team
I would replace the plugin since it's not a good idea to duplicate functionality.
Simon
We have found your hosting and support to be excellent in most cases, although we do have a security concern that port 3306 is open and there is no way of closing this. We are thinking of having to move hosting companies as our RiskXchange website security score is too low due to this port being open on our website hosted with you.
Hristo Pandjarov Siteground Team
We can't close this port on a shared server because many people use remote MySQL connections to databases on that server. If you need to close it although it's not a security risk at all (only IPs added through the Remote MySQL tool can connect) you can upgrade on Cloud where our support team can make this custom adjustment for you.
Martin Mowat
Will it conflict with any of the THRIVE plugins please ?
Hristo Pandjarov Siteground Team
It should not conflict with any plugin if they aren't doing anything wrong. Give it a try, if there are problems, you can post a thread in the plugin's forum and we will help you out :)
Geoff Telford
Hey! So I was testing the 5 login attempts with 'admin' as a user and now I can't get access to my site dashboard! What do I need to do to unlock it again! Thanks!
Hristo Pandjarov Siteground Team
So it seems the test was a success :) Check out the plugin description page, we have provided instructions on how to proceed in this case: https://wordpress.org/plugins/sg-security/
Geoff Telford
LOL! It sure did! Thanks very much!
Mark Root-Wiley
Overall, this feels like a great new tool, and I expect I'll be implementing it on all the sites I host on SiteGround. I will say, though, that I'm a little disappointed about your encouragement to disable RSS feeds. RSS is a core technology for encouraging an open web that lets people follow WordPress websites through the tool of their choice. While RSS definitely isn't at its peak of popularity, it does seem to be having a bit of renaissance: https://css-tricks.com/tag/rss/. Site owners might assume that "nobody will subscribe to my blog", but I wish this plugin didn't encourage folks to remove that as an option. While scraping blogs is annoying (I've had it done to me with HTTrack, though not via RSS), I wouldn't exactly call it a security issue either. I assume it's too late to remove this feature, but maybe you could at least include information to help people make a measured decision about whether to turn those feeds off or not. I for one, want all the sites I visit to support RSS so I can engage with them.
Hristo Pandjarov Siteground Team
Well, it is an option. You don't have to disable the RSS feeds. The thing is that the majority of people nowadays don't use WordPress for blogs. If you have a news site or a blog, by all means - use RSS :)
Linda Darlene
For clarification, you aren't saying that the wp-admin feature is being removed, are you? And having to do something with the php to regain access sounds like a deal breaker for me. I never add or subtract anything to it.
Hristo Pandjarov Siteground Team
No, no, no :) You can still login the same way. We are working on a feature that will replace site.com/wp-admin with site.com/my-whatever-login-url which will stop most massive attacks that rely on that specific URL existing.
Stephen Bentley
In theory, that may be correct. But in practice after I enabled 2FA I couldn't gain access to my wp-admin. After contacting SG Chat, I was told 'I double-checked and our security plugin was asking to access the website with admin account so I disabled it from the File Manager and that worked perfectly.' It did but I lost confidence in this new SG plugin so I have gone back to Wordfence.
Gergana Zhecheva Siteground Team
It seems in your case, you were locked out of your Dashboard by a security rule that was added in the SiteGround Security menu earlier by you or another website administrator. We are sorry to hear that you were not satisfied with the plugin, as it was working as expected. In such cases, website owners can access the WordPress Dashboard via SiteTools interface auto login option.
Neil Lizotte
With Wordfence I would get security alerts that theme or plug-in files have been changed and I'm having trouble telling whether my website has been hacked or just updated. I hope your service is better and thank you, I have not been happy hearing of vulnerabilities in countless plug-ins and themes. Two factor login for all members via cell phone text codes would be awesome.
Hristo Pandjarov Siteground Team
Google Authenticator is super stable and works great. We have enabled 2FA for all users with editorial rights. SMS verification would be a paid feature for sure and I don't think it would be worth it since there's a free alternative.
Senthil Murugan
Thanks for this new plugin, once we started using this new plugin, can we stop using these two plugins Disable Comments and Limit Login Attempts Reloaded. In this new plugin, If you give the option to mention the ip address for the login url, it will be great helpful
Hristo Pandjarov Siteground Team
You can remove the Limit Login Attempts one. SiteGround Security doesn't have the option to disable comments.
AeroStar
We have been using iThemes Security Pro for 5 years. In 5 years, we experienced nothing but delays or excuses from iThemes Customer Support to fix common issues. Further, iThemes Security Pro V7.0.0 was released yesterday which they considered "EPIC" in terms of usability, features, and protection. Unfortunately, the release turned out to be a fiasco. Bottom line, your timing in releasing SG Security could not have been better. We tested both iThemes Security Pro 7.0.0 and SG Security simultaneously with no conflicts. However (drum roll, please), after thorough testing and evaluation, we concluded that we no longer need iThemes Security Pro. So, now we only use SG Security and look forward to your future enhancements. If we had one suggestion to make, that would be to incorporate SG SiteScanner into your plugin and offer it at no charge to your SG customers. Doing this would keep your current customers VERY HAPPY and definitely get more prospects to use SiteGround Hosting Services. Job well done, Hristo!
Samuel
I am using SiteGround GB but didn't see the security plugin automatically deployed as is the case with the SG cache plugin. I have asked SG support numerous times whether to keep the current security plugin or not since SG claims to have robust web security in place; I was told to keep using the WF security plugin as it gives extra layers of security. On top of this, we use the primer paid version of the Cloudflare subscription through SG, which also does the same things as the installed 3rd-party security plugin. On top of this, we use another plugin for spam protection. I wish SG had a support article which clearly stated whether, if we are using the SiteGround service, it would make sense to use additional external 3rd-party security plugins.
Gergana Zhecheva Siteground Team
The SiteGround Security plugin is added by default on all new WordPress applications installed via SiteTools. If you have an existing WordPress website hosted with us though, the plugin would not be auto-installed on it. As to what type of security mechanism is the best - you can use the security plugin and tool that best matches your needs and preferences. A general rule of thumb is avoiding the simultaneous use of features with identical functionalities for preventing any conflicts.
Naomi
I have just installed this plug in on my SiteGround hosted site. Am I understanding that I can now uninstall Sucuri WP Plug In? It has notified me of several brute force attempts and I just want to be sure I am not deleting something I need. Thank you
Hristo Pandjarov Siteground Team
Yes, you will be fine with SGS only. Just make sure you enable the limit login attempts functionality. Changing the default login and registration URL will help greatly too. Enabling 2FA auth is very good idea too and it's very easy to implement with our plugin.
Kristin
I use Sucuri for their Firewall/caching. Now that I've migrated to Siteground, is all this functionality covered by Siteground Security plugin and also the caching I see has been turned on automatically? (which is awesome by the way) Thanks.
Hristo Pandjarov Siteground Team
We believe the SGS plugin and our security services cover everything you need to protect your website from attacks.
Cheryl
I happily switched to Siteground Security app but I noted from 7 April 2022 WordFence blog/newsletter that it had a serious vulnerability (which has now been resolved, it appears), but it would have been great to hear that from Siteground, too. Could you address this please. (thx)
Hristo Pandjarov Siteground Team
The issue was immediately fixed with a quick patch which was followed by a more complete fix (an actual refactoring of the functionality). Plus, we have updated all plugins on our infrastructure. The latest version is completely secure. The vulnerability they found was extremely difficult to exploit and relied on a long chain of circumstances. We have no evidence it was used at all.
Dave
Can this be used in conjunction with iThemes Security (better protection) or should I use one or the other?
Gergana Zhecheva Siteground Team
As a rule of thumb, we recommend avoiding plugins and extensions with duplicate functionalities, as this might result in plugin conflicts or affect your website performance.