SiteGround Security - our new must-have WordPress plugin

The security of our clients’ websites has always been an extremely important part of our web hosting services. Some of the brightest technical minds in our team have been continuously dedicated to crafting unique security solutions and keep the safety level of our hosting infrastructure on an unmatched high level. We have been an industry pioneer in developing server level protections like account isolation, server health monitoring, anti-bot traffic prevention, etc. We also know that on top of the server level solutions, the security of each individual website should be strengthened on application level too. That is why we provide services like auto updates, backups and WAF protection to our clients. 

Today we are happy to introduce another tool that can greatly enhance any WordPress site security – our brand new SiteGround Security plugin. The SiteGround Security plugin is available for free download for anyone and it comes preinstalled with all new WordPress installations hosted at SiteGround and provides its users an easy way to protect a WordPress site from malicious attacks. It also includes valuable tools that can help a website owner react in case there is a suspicion that the site might have been compromised. Read below to learn how to make your site safer with our new plugin.

Protect your WordPress against common attacks

In the Site Security section of our plugin you will be able to easily switch on several rules that will harden your website security and prevent common malware, bruteforce and other security issues. Some of these rules, like hiding your WordPress version or deleting your default readme.txt, will make it harder for crawlers to detect you’re even using WordPress. Thus your website will not be easily identified as a possible attack victim when a vulnerability appears. Other rules in this section will add advanced XSS protection and protect your system folders from being injected with malicious files. 

Strengthen your login security 

In the Login Security section of our plugin you will be able to apply several methods that protect your login from unauthorised access. One of the most recommended methods to protect your login is the 2-factor authentication and with the SiteGround Security plugin, you can easily switch it on for your WordPress administrative area. Some simple, yet very effective protection measures like changing your login URL and not allowing “admin” to be used as a username can be also easily set here. You can also limit the number of login attempts from one and the same IP, which will block attackers trying to guess your password through brute force. And if you want to go even deeper in protecting your WordPress login, there are two more advanced options available. You can specify the IPs from which your login page can be accessed. The option should be used with caution if you use dynamic IP, so that you do not block yourself out. You can also specify certain periods of time when your login will not be accessible at all. For example if you know that no one ever logs in during the weekend, you can switch on an away mode for Saturday and Sunday and no one will really be able to access the administrative area on these days.

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.

Thanks!

Please check your email to confirm your subscription.

Monitor your admin area activity log

One of the best plugin features is the detailed Activity log. It allows you to pinpoint things like bad IP addresses that try to access your website as well as registered users that are performing tasks they are not supposed to. For example, you can block with one click IPs that have numerous incorrect logins and at the same time find out which user has deleted that post you are missing. For the initial version, we keep the log 16 days back so it’s worth giving it a look every now and then especially if you have a busy site and number of users with the capabilities to edit content.

React if you suspect your site might have been compromised.

In the Post-hack section of the plugin you will find a set of actions that are useful, if you believe your site security has been compromised. Here you will be able to automatically log out all users and force them to change passwords. This way if any user was compromised, you may stop the malicious access through its account. You will also be able to reinstall all your current plugins. This will make sure you are using a clean copy of each plugin instead of a possible compromised one. Please bear in mind that although these post-hack actions are handy, they are not a substitute to a thorough site clean up that might need to be done by a WordPress security expert, if there are signs that your website might have been hacked.

How to get the SiteGround Security Plugin?

SiteGround Security plugin is available as any other free WordPress plugin. You can find it in the official WordPress plugin repository (https://wordpress.org/plugins/sg-security/) or install it directly through your WordPress admin area. If you host your next WordPress website at SiteGround, using the plugin comes right out-of-the-box, since all new WordPress installations now come with the SiteGround Security plugin preinstalled with some of its features enabled by default.

This is the first plugin we are releasing whose full functionality can be used by anyone, even people that are not hosted by SiteGround. This said, we haven’t done excessive testing on every other company so issues caused by their particular setup may occur. If that’s the case, don’t hesitate to post a thread in the plugin forum in the WordPress repository, we will do our best to make sure it works great on all platforms.

author avatar
Hristo Pandjarov

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

WordPress

Comments ( 73 )

author avatar

Iréne

Jun 08, 2021

Thank you for the exciting new plugin! Can I use it with Wordfence?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 09, 2021

Generally it's not a good idea to duplicate functionality so I wouldn't advice you to use both together.

Reply
author avatar

Simon Carne

Jun 22, 2021

On the face of it, Wordfence offers a lot of functions that SG Security doesn't (yet) have. So, if a user already has Wordfence, should we stick with that (at least until the two plugins are a closer match).

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

I don't think there are any important functionality missing between the two. Especially, since we have a server-side WAF running already.

Reply
author avatar

Simon Carne

Jun 23, 2021

Thanks, Hristo. I'm not an expert on this area of WordPress, but Wordfence has a scanning function which checks, for example, whether plug-ins are obsolete or any files have deviated from the version at wordpress.org. I can't see that in SG Security. Am I not looking properly ... or are you saying it's not an important functionality to have?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

It's on the roadmap but not available in our initial release.

Reply
author avatar

Tony

Jun 29, 2021

Hi Simon, did you stay with Wordfence or change to the SG? I am wondering the same. What did you decide in the end?

Reply
author avatar

Samphy

Jun 23, 2021

How about Jetpack?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

Jetpack is a meta plugin, if you are using it only for security, you can replace it. Just don't duplicate functionality.

Reply
author avatar

David

Jun 10, 2021

Hi, I have tried setting up the 2FA function. However, it keeps coming up with an error, when I scan the QR code. I don't use Google Authenticator, but Keeper Security. The TOTP function is supposed to be identical to that of Google's and all other 2FA codes work on other websites. This is the first TOTP issue I have ever had. So, I just wondered where the error may lie or if I am doing something incorrectly. Could you advise please?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 11, 2021

Our 2FA authentication system works only with Google Authenticator. The QR code won’t work with any other application.

Reply
author avatar

Christian Saborio

Jun 13, 2021

It also works with 1Password OTP feature flawlessly :-)

Reply
author avatar

Tony Valamontes

Jun 22, 2021

the GA is a horrible 2FA, with no backup or recovery, but the AUTHY app is compatible with the GA and I never had issues for the past 3 years I used it as a GA alternative.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

Glad that your app works. I've been using GA for years for 2FA and it has never underperformed. We will consider adding different options in the future though.

Reply
author avatar

Mark Landeryou

Jul 07, 2021

Can I use my yubikey for 2fa with this plugin?

Reply
author avatar

Gergana Zhecheva Siteground Team

Jul 19, 2021

We have not tested the 2FA setup with this particular authenticator app type. If you set it up, please remember to save the QR code that you might need later for completing the setup on any additional yubikeys.

Reply
author avatar

Zaph

Jun 15, 2021

Do you have a roadmap for the development of this plugin? I would like to see the WP API locked down, protection against zero-day vulnerabilities, and a threat feed block list.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 16, 2021

Not a public one. We do have zero-day vulnerabilities protection on a server level. As for the API lockdown, we will consider it or at least the front-facing part because it is widely used, including for our own plugin interface based on React.

Reply
author avatar

Jim

Jun 16, 2021

Great work you guys. But I also use the WPS hide login plugin and that gave a critical error. Couldn't login in the backend anymore. I deactivated WPS and everything works fine now. Is this maybe an extra feature that can be integrated in SG security. Or do you know alternatives? Keep up the great work SG.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 16, 2021

Custom login URL functionality is coming up shortly with the next plugin update!

Reply
author avatar

WebkiwiNZ

Jun 23, 2021

Thumbs up to this feature from me. Its a standard setup item on most sites we manage. it rmeoves 90% of kiddy scripters trying to bludgeon the system to death.

Reply
author avatar

Paul

Jun 17, 2021

I turned on the feature to prevent use of the admin username, but I am not prompted to change it when logging in. It still allows me to login with admin. On the users screen in wordpress, I am not allowed to change username at all. I tried turning off the "prevent admin" feature in the plugin, and it prompts me to change the username there, but when I put in a new username, I get an error and it won't let me save.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 21, 2021

In this version the plugin does not rename existing users (that's coming up). We only block the creation of new users with admin as user.

Reply
author avatar

Asit Aithal

Jun 21, 2021

I'm on SG and I already have Defender Pro. Do I need this?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 22, 2021

You can save money and use only the SiteGround Security plugin :)

Reply
author avatar

David Adams

Jun 22, 2021

You say in your article above that, "..we provide services like auto updates, backups and WAF protection to our clients.". I wasn't aware that you provide a WAF service, in fact, I called recently about your SG Scanner addon service to ask whether this included a WAF, and the answer from your support team was 'No'. Could you please provide further details on your WAF service?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 22, 2021

The SG Scanner scans for malicious code and reports if there's an intrusion. Our WAF runs on all our servers together with the AI anti-bot system. You don't need to configure or purchase anything, it's there and working :)

Reply
author avatar

RRRBB

Jun 23, 2021

Yes, but is this advertised as part of SG hosting services? Seems odd that you would not promote that this valuable feature (WAF) is included in your hosting packages, especially given that you're not exactly the cheapest hosts.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

Thanks for pointing this out, I will discuss it with the team to make it more clear on our hosting page that this is indeed a feature of our hosting service.

Reply
author avatar

Sanjog

Jun 22, 2021

Hi, Have installed plugin on one of my website, but Google Authenticator doesnt work while login. How do I connect GA with login.?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 22, 2021

You need to enable the 2FA authenticator and logout. Then, on the first login, simply scan the QR code with the GA application and your site will be synced.

Reply
author avatar

Daan

Jun 22, 2021

Is it comparable with Wordfence?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

With the SiteGround Security plugin and the SiteGround WAF already running on all servers you don't need Wordfence. Having two security plugins will only slow your site down. No, there won't be a conflict but that doesn't make it a good idea to use both.

Reply
author avatar

morgan fackrell

Jun 22, 2021

Hi, I've been using Cerber secruity plugin will it conflict with this plugin?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 22, 2021

I would recommend replacing it with ours instead of using both.

Reply
author avatar

Chrilles Wybrandt

Jun 22, 2021

Would you recommend All-in-one SiteGround Security Plugin instead of the free version of Wordfence and IThemes Security? What are the benefits with All-in-one SiteGround Security Plugin comparted to Wordfence and IThemes Security?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 22, 2021

Our plugin is designed to secure and protect your site without harming its loading speeds. Even if we still lack few functionalities, you can safely use it instead of any combination of other plugins out there.

Reply
author avatar

Vera Schäfer

Jun 22, 2021

Let's say I limit login to a range of IP's and I need SG to take a look at a site. Do I have to temporarily disable that option or not?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

Yes, although our support team should be able to bypass that restriction :)

Reply
author avatar

Kate

Jun 22, 2021

My Wordpress site is hosted by Siteground. Do I need this security plug-in ?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

Yes, I would totally recommend using it.

Reply
author avatar

Ben

Jun 22, 2021

Greetings, Thanks for your initiative to develop this plugin. I already have AIO WPS installed and set up, though I do not know the details. Will your security plugin interfere with AIO WPS? Do you expect that AIO WPS be de-activated and deleted before downloading and setting up your plugin (or afterward)? Regards, Ben

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

I would recommend replacing it with our plugin and not duplicate functionality since that may cause conflicts.

Reply
author avatar

Vickie

Jun 22, 2021

Thrilled that SG continues to provide such great tools for users. Thank you! Can this plugin block by country or just IPs? Do you recommend using this and the paid Site Scanner together or overkill?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

You can use both, they do different things :) As to the GeoIP blocking it is on the roadmap but I can't give you an ETA when it will happen.

Reply
author avatar

Thomas G.

Jun 22, 2021

Will we be able to block certain countries in the future?

Reply
author avatar

Siaki

Jun 22, 2021

Does it work on multisite?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

Not yet, we will soon have features specifically for MS.

Reply
author avatar

N'Teasha Uganda Brownlee

Jun 22, 2021

Cerber has an anti-spam feature. So this plugin provide that as well?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

It's coming up shortly :)

Reply
author avatar

Robert

Jun 22, 2021

+1 vote on changing the admin directory! Tried turning on IP restriction but still says any IP can login so having tech check it out. Great tool and looking forward to additional features to keep us safe.

Reply
author avatar

Gerard van Seventer

Jun 22, 2021

I am on SG and use Bullet Proof Security Pro. Has it the same functionality and level of protection?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

We believe our pluigin has everything you need. I am not sure about the one you mention. If you don't have any crucial functionality missing, you can safely replace it.

Reply
author avatar

amy

Jun 22, 2021

i am not ready yet to let go of wordfence, can the plugin work side by side with wordfence ?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

Yes, as long as you don't duplicate functionality. Check out the settings and make sure you're not doing the same through both plugins.

Reply
author avatar

Jarrett Gucci

Jun 23, 2021

Where is the activity log data stored and how bloated will it make the database? There does not seem to be a way to clear it.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

It's stored in the database in an optimized way. There is log rotation se to 16 days by defailt that can be adjusted through a filter to store less data.

Reply
author avatar

Don

Jun 23, 2021

You mentioned it is possible to change the login URL with this plugin but I don't see the option. Can you point me in the right direction?

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 23, 2021

It's coming up in the next update!

Reply
author avatar

Tim

Jun 23, 2021

Ideally, what I'd love to be able to do is provide my clients with a white-labellesweekly or monthly report showing how effective my security(this plugin's security, hopefully) is. As Cerber does. This would really be a killer addition for my monthly maintenance clients. 1) Can you consider this? 2) Could it be as comprehensive or something like Cerbers' weekly report: Weekly Report 1520 Malicious activities mitigated 1 Spam comments denied 0 Spam form submissions denied 447 Malicious IP addresses detected 28 Lockouts occurred Activity details Request to XML-RPC API denied 2001 Login failed 1751 Attempt to access prohibited URL 730 Attempt to log in with non-existing username 665 Probing for vulnerable code 118 IP blocked 28 Request to REST API denied 27 Malicious request denied 6 Spam comment denied 1 Attempts to log in with non-existing usernames team-sitename 507 admin 139 admin-2 19

Reply
author avatar

Hristo Pandjarov Siteground Team

Jun 24, 2021

We're working on scheduled notifications that are configurable and include only the information you actually want to receive. As to the plugin being whitelabeled, we don't have such plans at this moment.

Reply
author avatar

Jamie Richards

Jun 23, 2021

You guys are incredible! NO WEB HOST does what you do. Thank you for these extra kick-ass products and services. If you're unhappy with your current host or just want more features while paying the same amount you are now OR cheaper, take 10 minutes and read these 3 reviews done in 2021: - https://www.wpbeginner.com/hosting/siteground/ - https://inlinehostblogger.com/siteground-review/ - https://digital.com/web-hosting/siteground/ If you're a "Sitegrounder" already and you haven't submitted a review, SHAME ON YOU! I've submitted 3 of them. Take 5 min and do one now! https://www.trustpilot.com/review/www.siteground.com If you develop WordPress websites, do yourself a favor and at least look into these guys. The data you find will convince you!

Reply
author avatar

AeroStar

Jun 25, 2021

Wow! Kudos to SiteGround for developing and releasing this plugin, SG Security. Up to this point, we were using iThemes Security Pro but their latest upgrade - V7.0.0 - has been a flop. So, after thorough testing and evaluation, we have decided to drop iThemes Security Pro and use SG Security instead. We are confident SiteGround will continuously update SG Security until it catches up and surpasses all other security plugins in the market. Way to go, SiteGround. Jog well done!

Reply
author avatar

Pablo Daniel Perez

Jun 30, 2021

Hi! I installed it today but when i click on the right pannel on SG Security everything is empty, blank, nada :(

Reply
author avatar

Gergana Zhecheva Siteground Team

Jul 05, 2021

Based on your description, it seems there is an incompatibility between the new plugin installed and the ones already in use. In such cases, deactivating the installed plugins one by one would help to isolate the culprit.

Reply
author avatar

Sccs

Jul 03, 2021

Would you guys can make a post for sitegound plugins vs jetpack? I'm not sure that should I install both or sitegound plugins is enough?

Reply
author avatar

Gergana Zhecheva Siteground Team

Jul 05, 2021

In this case, we would recommend the general rule of thumb, which is not to duplicate functionalities. If you are using Jetpack solely for its security features, feel free to use our SiteGround Security plugin instead.

Reply
author avatar

Huy Hoa

Jul 05, 2021

Is it optimize for the only SiteGround hosting users or it can work on any hosting platform? I have some site on Siteground now but some other site on VPS, so wondering if I can install it on some WordPress site on VPS. For now, I'm comparing between SiteGround Security and Itheme Security

Reply
author avatar

Gergana Zhecheva Siteground Team

Jul 05, 2021

The plugin is free for installation and usage. You can take advantage of it, even if your websites are not hosted with SiteGround currently. :)

Reply
author avatar

VFlor

Jul 21, 2021

Hi, so thrilled about this new plugin and thank you for continuing to add value to your users. Just wanted to share something to consider for the roadmap. If there is a way to hide wordpress as much possible, that would be great. For example, hiding the login page and the theme and plugin names from view. The bad guys won't know which ones are vulnerable. It doesn't change the location of files, but just the access to it.

Reply
author avatar

Hristo Pandjarov Siteground Team

Jul 23, 2021

Thanks for the kind words :) That's coming literally in the next release!

Reply
author avatar

Javier Labbe

Jul 27, 2021

I've just recently noticed the option to use a custom login url. Are there any instructions with examples and/or a tutorial? Thank you in advance,

Reply
author avatar

Hristo Pandjarov Siteground Team

Jul 28, 2021

Please, check our SiteGround Security tutorial: https://www.siteground.com/tutorials/wordpress/sg-security/ we will update it later today with the new functionalities added.

Reply

Start discussion