Enhanced Protection Against WordPress Vulnerabilities with SiteGround Security Plugin Preinstalled

We have recently launched our own WordPress security plugin, SiteGround Security, which aims to protect WordPress users against the most common vulnerabilities and attacks plaguing their sites. It is available for anyone to download and use for free, regardless of which hosting platform they use. To make sure that the WordPress sites on our platform are well protected at the application level, we have started preinstalling SiteGround Security on all new installations, with some of its features enabled by default.

Default SiteGround Security Settings Against Common WordPress Vulnerabilities 

Having your site set up with security in mind from the start protects you against some of the most common attacks out there. To help you get there, when we preinstall the SiteGround Security plugin we enable the following settings:

WordPress Version is Hidden by default

Attackers routinely crawl websites and record the versions of the software they run. When a vulnerability is published for a particular version, that inventory lets them find every matching site and compromise them in bulk. WordPress discloses its version in two obvious places: the generator meta tag it adds to the head of every page, and the readme.html file in the site root.

By default our plugin removes the generator meta tag, and we strongly recommend that you also remove the readme.html file via the option in the SiteGround Security plugin. Keep in mind that hiding the version is a speed bump, not a fix: it makes you a less obvious target for mass scans, but it patches nothing, so keeping WordPress, your theme and your plugins up to date remains the actual protection.
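To see what a version-harvesting crawler actually collects, and to check your own site after enabling the option, here is an added example (not part of the original post and not code from the SiteGround Security plugin) that pulls the WordPress version out of the places it is normally disclosed: the generator meta tag, readme.html and the feed's generator element. It also reports the ?ver= query strings WordPress appends to its own scripts and styles under /wp-includes/, which carry the core version as well and are worth checking separately once the meta tag is gone. The sample page, readme and feed below are constructed for the example; in practice you would pass it the bodies fetched from your site.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses for the example (not captured from a real site).
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 5.7.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.7.2" />
<script src="/wp-includes/js/wp-embed.min.js?ver=5.7.2"></script>
<script src="/wp-content/plugins/example-plugin/app.js?ver=1.4.0"></script>
</head><body></body></html>"""
# The same page with the generator tag removed, as the plugin's default setting leaves it.
SAMPLE_HTML_HARDENED = SAMPLE_HTML.replace('<meta name="generator" content="WordPress 5.7.2" />\n', "")
SAMPLE_README = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 5.7.2</h1>'
SAMPLE_FEED = '<rss version="2.0"><channel><generator>https://wordpress.org/?v=5.7.2</generator></channel></rss>'

VERSION = r"([0-9]+(?:\.[0-9]+)*)"


class _WPTagScanner(HTMLParser):
    """Collects the generator meta tag and ?ver= values on assets served from /wp-includes/."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_versions = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        # Only core assets default to the WordPress version; plugin assets carry their own.
        if url and "/wp-includes/" in url:
            m = re.search(r"[?&]ver=" + VERSION, url)
            if m:
                self.asset_versions.add(m.group(1))


def fingerprint(page_html, readme_html=None, feed_xml=None):
    """Returns a dict of disclosure source -> WordPress version found there."""
    found = {}
    scanner = _WPTagScanner()
    scanner.feed(page_html)
    if scanner.generator:
        m = re.search(r"WordPress\s+" + VERSION, scanner.generator)
        if m:
            found["meta_generator"] = m.group(1)
    if scanner.asset_versions:
        found["asset_ver_query"] = sorted(scanner.asset_versions)
    if readme_html:
        m = re.search(r"Version\s+" + VERSION, readme_html)
        if m:
            found["readme_html"] = m.group(1)
    if feed_xml:
        m = re.search(r"wordpress\.org/\?v=" + VERSION, feed_xml)
        if m:
            found["feed_generator"] = m.group(1)
    return found


if __name__ == "__main__":
    print("stock page:   ", fingerprint(SAMPLE_HTML, SAMPLE_README, SAMPLE_FEED))
    print("hardened page:", fingerprint(SAMPLE_HTML_HARDENED))
```

Run against the hardened sample, the generator tag is gone but the asset_ver_query entry is still there, which is exactly the kind of leftover a scanner keys on; removing readme.html and feeds closes the other two channels.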

Advanced XSS Vulnerability Protection enabled

Cross-site scripting (XSS) is a vulnerability that lets an attacker inject JavaScript or other markup into pages your site serves, so that it runs in your visitors' or your administrators' browsers with the site's privileges. It is typically used to steal session cookies, perform actions as the logged-in user or harvest sensitive user data, and it usually gets in through a plugin or theme that outputs untrusted input without escaping it. By default the SiteGround Security plugin adds HTTP response headers that instruct browsers to apply their built-in defences against injected script. Treat these headers as defence in depth rather than a cure: a response header cannot repair an unescaped output in a vulnerable plugin, so keep plugins updated and remove the ones you do not use.

Disabled XML-RPC protocol to prevent many vulnerabilities and attacks

XML-RPC is an older remote procedure call protocol that WordPress exposes through xmlrpc.php so that other systems can talk to it. It has been used less and less since the REST API appeared, but it is still enabled in the application, and attackers make heavy use of it: the system.multicall method lets a single HTTP request carry a long list of username and password guesses, which sidesteps login limits that count requests to the login form, and the pingback.ping method can be abused to turn your site into a reflector in DDoS attacks against other sites. That is why our SiteGround Security plugin disables this access path to your WordPress application by default.

NOTE:

The Jetpack plugin and the WordPress mobile apps are legitimate users of the XML-RPC protocol. If you install Jetpack at some point, we will automatically enable the protocol again. You can also enable it yourself through the plugin interface.
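If you must keep XML-RPC enabled (for Jetpack or the mobile apps), it helps to be able to recognise the abusive requests described above in a WAF rule or when reading access logs. The following is an added example, not code from the post or from the plugin: it parses an XML-RPC request body and reports whether it is a system.multicall carrying many credential guesses or a pingback.ping. The request bodies, the threshold of 3 checks per request and the hostnames are constructed for the example; counting only wp.getUsersBlogs and blogger.getUsersBlogs as credential checks (both take username and password as their first two parameters) is a deliberate simplification.

```python
import xml.etree.ElementTree as ET

# XML-RPC methods that take (username, password) as their first two parameters and
# therefore give a clean success/failure signal for a credential guess. Kept short for
# the example; wp.getUsers and friends take a blog_id first and are not counted.
AUTH_METHODS = {"wp.getUsersBlogs", "blogger.getUsersBlogs"}
# Assumed threshold: more credential checks than this in one request is abuse.
MAX_AUTH_CALLS_PER_REQUEST = 3


def _scalar(value_el):
    """Text of an XML-RPC <value>: the typed child (<string>, <int>, ...) or bare text."""
    children = list(value_el)
    text = children[0].text if children else value_el.text
    return (text or "").strip()


def _member(struct_el, name):
    """The <value> of the struct member called `name`, or None."""
    for member in struct_el.findall("member"):
        if member.findtext("name") == name:
            return member.find("value")
    return None


def analyse_xmlrpc(body):
    """Classifies one XML-RPC request body as 'allow' or 'block' and says why."""
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", "").strip()
    report = {"method": method, "subcalls": 0, "auth_guesses": 0, "usernames": set()}
    if method == "system.multicall":
        # One HTTP request, many method calls: the amplification that defeats
        # per-request login limiting on the login form.
        for call in root.findall("./params/param/value/array/data/value/struct"):
            report["subcalls"] += 1
            name_el = _member(call, "methodName")
            sub_method = _scalar(name_el) if name_el is not None else ""
            if sub_method in AUTH_METHODS:
                report["auth_guesses"] += 1
                params_el = _member(call, "params")
                values = params_el.findall("./array/data/value") if params_el is not None else []
                if values:
                    report["usernames"].add(_scalar(values[0]))
    elif method in AUTH_METHODS:
        report["auth_guesses"] = 1
        values = root.findall("./params/param/value")
        if values:
            report["usernames"].add(_scalar(values[0]))
    report["usernames"] = sorted(report["usernames"])
    if method == "pingback.ping":
        report["reason"] = "pingback.ping: usable as a DDoS reflector"
    elif report["auth_guesses"] > MAX_AUTH_CALLS_PER_REQUEST:
        report["reason"] = f"{report['auth_guesses']} credential checks in one request"
    else:
        report["reason"] = ""
    report["verdict"] = "block" if report["reason"] else "allow"
    return report


def _multicall_body(guesses):
    """Builds a constructed system.multicall body with one wp.getUsersBlogs per guess."""
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value><string>{user}</string></value><value><string>{password}</string></value>"
        "</data></array></value></member>"
        "</struct></value>"
        for user, password in guesses
    )
    return (
        '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
        "<params><param><value><array><data>" + calls + "</data></array></value></param></params>"
        "</methodCall>"
    )


# Constructed request bodies (hostnames are reserved documentation names).
SAMPLE_BRUTE_FORCE = _multicall_body([("admin", f"Password{i}") for i in range(50)])
SAMPLE_PINGBACK = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName><params>'
    "<param><value><string>http://victim.example/</string></value></param>"
    "<param><value><string>https://yoursite.example/2021/06/hello-world/</string></value></param>"
    "</params></methodCall>"
)
SAMPLE_APP_LOGIN = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params>'
    "<param><value><string>editor</string></value></param>"
    "<param><value><string>correct horse battery staple</string></value></param>"
    "</params></methodCall>"
)

if __name__ == "__main__":
    for label, body in [("brute force", SAMPLE_BRUTE_FORCE), ("pingback", SAMPLE_PINGBACK), ("app login", SAMPLE_APP_LOGIN)]:
        r = analyse_xmlrpc(body)
        print(f"{label}: {r['verdict']} ({r['reason'] or 'nothing suspicious'}) users={r['usernames']}")
```

The single wp.getUsersBlogs call is what a mobile app sends when it signs in, so it is allowed; the 50-guess multicall and the pingback are the two shapes worth blocking or at least logging with the usernames they target.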

Disabled RSS and ATOM Feeds

Feeds are used far less than they once were, and they are a convenient target for scrapers and bad bots that copy your content; the feed also advertises your WordPress version in its generator element. For that reason the SiteGround Security plugin disables feeds by default. This is a trade-off rather than a vulnerability fix: if readers follow your site in a feed reader, or you syndicate your posts, turn feeds back on; otherwise we recommend that they stay disabled.

Lock and Protect System Folders by default

After a successful exploit, attackers usually try to write PHP files into publicly accessible folders and execute them, to plant backdoors and extend the compromise to the rest of your account. The WordPress folders that are publicly accessible and writable by design, the uploads folder for example, exist for media such as images, and there is no legitimate reason for the web server to execute PHP from them. The SiteGround Security plugin does not forbid uploads themselves; it locks those folders with web server rules so that PHP files and other scripts dropped into them cannot be executed, which neutralises a planted web shell even when the upload itself could not be prevented. Note that this stops execution, not the write: a PHP file found in the uploads folder still means something put it there, and it should be investigated.
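Because the lock only stops execution, the folder still needs looking at after an incident. The following added example (not from the post and not the plugin's code) walks an uploads tree and flags what an incident responder would want to see: files with a PHP-executable extension, double extensions such as .php.jpg, server configuration files (.htaccess, .user.ini) that an attacker drops to re-enable execution, and files whose content contains a PHP open tag despite an innocent extension. The extension list is an assumption for illustration, and the sample tree is constructed in a temporary directory.

```python
import os
import pathlib
import tempfile

# Extensions a PHP handler may execute depending on server configuration. An
# illustrative list (assumption), not SiteGround's rule set.
EXEC_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht", ".phps"}
# Files attackers drop into uploads to re-enable execution or prepend their own code.
CONFIG_FILES = {".htaccess", ".user.ini", "php.ini"}


def scan_uploads(root):
    """Walks an uploads tree; returns sorted (relative path, reason) pairs worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            suffixes = [s.lower() for s in pathlib.Path(name).suffixes]
            if name.lower() in CONFIG_FILES:
                findings.append((rel, "server config file in uploads"))
            elif suffixes and suffixes[-1] in EXEC_EXTENSIONS:
                findings.append((rel, "executable extension"))
            elif any(s in EXEC_EXTENSIONS for s in suffixes[:-1]):
                # e.g. shell.php.jpg: executed by Apache setups that match any extension
                findings.append((rel, "double extension"))
            else:
                with open(full, "rb") as fh:
                    head = fh.read(512)
                if b"<?php" in head or b"<?=" in head:
                    findings.append((rel, "php code in non-php file"))
    return sorted(findings)


def make_demo_uploads():
    """Creates a throw-away uploads tree of constructed sample files; returns its path."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    samples = {
        "2021/06/photo.jpg": b"\xff\xd8\xff\xe0 constructed JPEG bytes",
        "2021/06/notes.txt": b"plain text attachment",
        "2021/06/shell.php": b"<?php echo 'constructed sample, not a real web shell'; ?>",
        "2021/06/avatar.php.jpg": b"<?php echo 'double extension'; ?>",
        "2021/06/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
        "2021/06/logo.png": b"\x89PNG\r\n\x1a\n<?php echo 'php tag hidden in an image'; ?>",
    }
    for rel, data in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(make_demo_uploads()):
        print(f"{reason:30} {rel}")
```

The content check is deliberately last and cheap (first 512 bytes only): it catches the common trick of hiding PHP inside a file with an image extension, which the extension rules alone would miss, without reading every large media file in full.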

Disabled “Admin” Username

"admin" has been the default and the most widely used administrator username for years, and attackers know it: whoever brute-forces a login form will try it first. That is why we disable this username by default. If an existing site of yours still uses it, create a new administrator account with a different name, log in with it and remove the old account, reassigning its posts to the new one.

Disabled Themes & Plugins Editor

Editing code through the built-in themes and plugins editor is a direct security risk: anyone who obtains an administrator session, for instance through XSS or a phished password, can use it to write arbitrary PHP to the server, and an honest typo by a site administrator can take the site down. If you want to edit your files, use the File Manager tool in Site Tools, or your preferred editor over FTP or SSH, ideally on a staging copy of your site. To help you avoid both the bad practice and the attack, we disable the themes & plugins editor by default; this has the same effect as setting the DISALLOW_FILE_EDIT constant to true in wp-config.php.

Recommended Vulnerabilities Protection Settings

A few settings that you can control from the SiteGround Security plugin are not enabled by default, either because they need input from you or because they can get in the way of how you use your site. We still encourage you to enable them deliberately, as they are powerful protections too.

Two-Factor Authentication is a MUST

Two-factor authentication (2FA) means that a guessed, leaked or phished password is no longer enough on its own: the attacker also needs the one-time code from your authenticator app. That stops brute-force attacks and credential stuffing with passwords reused from other breaches. You can read more on the topic here and you can enable it easily using the SiteGround Security plugin.

Limit Login Attempts 

Several failed logins in a row from the same address almost always mean someone is guessing credentials. That is why we strongly recommend blocking such attempts after the first few, 3 or 5. You can set this in the SiteGround Security plugin interface; once the limit is reached, the offending IP address is blocked for 1 hour the first time, 24 hours the second time and 7 days the third time. Because an administrator who does not know about this feature can lock themselves out of the WordPress admin area (the plugin's page on wordpress.org explains how to regain access if that happens), we do not enable it by default, but you can do so in a single click.
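The escalating lockout described above is easy to get subtly wrong, so here is an added example (not the plugin's implementation) of the logic: a per-IP failure counter that bans for 1 hour, then 24 hours, then 7 days, as the post describes. The limit of 5 attempts, resetting the failure counter on a successful login, keeping the 7-day ban for every lockout after the third, and the trusted-IP allowlist that guards against locking yourself out are assumptions; the IP addresses are reserved documentation ranges used as constructed input.

```python
from dataclasses import dataclass

# Ban lengths from the article: 1 hour, then 24 hours, then 7 days. Every lockout
# after the third keeps the 7-day ban (assumption).
BAN_SCHEDULE = (3600, 86400, 7 * 86400)


@dataclass
class _IPState:
    failures: int = 0        # consecutive failures since the last success or lockout
    lockouts: int = 0        # how many times this address has been locked out
    blocked_until: int = 0   # unix time at which the current ban ends (0 = none)


class LoginLimiter:
    """Per-IP failed-login counter with escalating bans."""

    def __init__(self, max_attempts=5, schedule=BAN_SCHEDULE, trusted=()):
        self.max_attempts = max_attempts
        self.schedule = schedule
        self.trusted = set(trusted)   # addresses that can never be locked out (e.g. your office)
        self._ips = {}

    def is_blocked(self, ip, now):
        state = self._ips.get(ip)
        return state is not None and state.blocked_until > now

    def record_failure(self, ip, now):
        """Registers one failed login; returns the ban length if this failure triggered one."""
        if ip in self.trusted:
            return None
        state = self._ips.setdefault(ip, _IPState())
        state.failures += 1
        if state.failures < self.max_attempts:
            return None
        ban = self.schedule[min(state.lockouts, len(self.schedule) - 1)]
        state.lockouts += 1
        state.failures = 0
        state.blocked_until = now + ban
        return ban

    def record_success(self, ip):
        """A correct login clears the failure counter but not the escalation history."""
        if ip in self._ips:
            self._ips[ip].failures = 0

    def attempt(self, ip, credentials_ok, now):
        """What the login handler does per request: check the ban first, then the password."""
        if self.is_blocked(ip, now):
            return "blocked"            # not even a correct password gets through
        if credentials_ok:
            self.record_success(ip)
            return "ok"
        ban = self.record_failure(ip, now)
        return f"banned:{ban}" if ban else "failed"


def simulate():
    """Replays a guessing campaign from one address and an honest failure from a trusted one."""
    limiter = LoginLimiter(max_attempts=5, trusted={"198.51.100.5"})
    attacker, admin, t = "203.0.113.7", "198.51.100.5", 1_700_000_000
    log = []
    for _round in range(4):
        for i in range(5):
            log.append(limiter.attempt(attacker, False, t + i))
        log.append(limiter.attempt(attacker, True, t + 60))   # even the right password
        t += BAN_SCHEDULE[-1] + 60                            # wait out the longest possible ban
    log.append(limiter.attempt(admin, False, t))
    return log


if __name__ == "__main__":
    print(simulate())
```

Two limitations follow directly from the design and apply to any per-IP limiter: an office behind one NAT address shares a single counter, so a colleague's typos can lock you out (hence the allowlist), and an attacker who rotates addresses or submits guesses through XML-RPC multicall never trips it, which is why the XML-RPC switch above matters.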

More Tools Against WordPress Vulnerabilities Coming Up

We are continuing to develop the plugin and will add a lot of new functionality soon. Watch the changelog for the features added in each update. There is no strict roadmap that we can share at this point, but some of the features coming next are custom login URLs, Strict-Transport-Security headers that keep browsers on HTTPS, and X-Frame-Options headers that stop your pages from being loaded in a frame on another site (clickjacking). As usual, we want to bring technologies that are usually difficult to implement to everyone, through an interface you can use without spending hours researching the exact syntax of the necessary headers or other code.

Hristo Pandjarov

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments (85)

Caroline

Jun 21, 2021

Is SiteGround ISO27001 certified?

Hristo Pandjarov Siteground Team

Jun 22, 2021

All our hosting accounts are built on GCP. Although we are not certified, the Google services that we use are. I can assure you that we're following all the best security practices on our platform.

PATRICK BIANCONI

Jun 22, 2021

Thanks Hristo.

Mark MacAllister

Jun 22, 2021

I already use WordFence on my site. Is this new plug-in fully compatible with WordFence? Is it necessary if I have WordFence installed and configured correctly?

Hristo Pandjarov Siteground Team

Jun 24, 2021

Please, check my previous comment on that subject.

Tom

Jun 22, 2021

I have a WP site (with SG) that uses Wordfence - can your Plugin be used alongside Wordfence? Thanks

Hristo Pandjarov Siteground Team

Jun 24, 2021

Please, check my previous comment on that subject.

Paul Guilfoyle

Jun 22, 2021

Can this be used in addition to Wordfence? Are there any conflicts?

Hristo Pandjarov Siteground Team

Jun 22, 2021

Not at this point but I can't tell if any Wordfence update won't break something in the future. I'd recommend using only the SiteGround Security plugin since overlapping functionality should be avoided every time possible.

michelle

Jun 23, 2021

I read this article specifically to understand what, if any, overlaps exist with WordFence. I don't see anything to suggest the Siteground plugin acts as a firewall. So I will keep WordFence until you add a firewall. In that situation, which wordfence / siteground functionalities overlap?

Hristo Pandjarov Siteground Team

Jun 24, 2021

We have a WAF running on all SiteGround services by default and you don't need Wordfence if you are using it just for that. It will consume resources that you can use for regular visits.

Gerhard

Jun 22, 2021

Is Wordfence then no longer needed or can it be used in addition?

Hristo Pandjarov Siteground Team

Jun 22, 2021

I wouldn't recommend to use both. You can use only the SiteGround Security :)

Howard

Jun 22, 2021

How will this affect “overall” site speed, generally speaking?

Hristo Pandjarov Siteground Team

Jun 22, 2021

It shouldn't affect your site speed at all, everything we do is with performance in mind so your site should not experience any negative impact from using the SiteGround Security plugin.

Robert Graziani

Jun 22, 2021

I have All In One WordPress Security, and Black Hole for Bad Bots, and WPS Hide Login plugins already installed. Which of these, if any, should I de-activate?

Hristo Pandjarov Siteground Team

Jun 23, 2021

The first one and soon the hide login one :)

Phil

Jun 22, 2021

Does SiteGround Security have all of the features of "the free version of" WordFence currently? I have multiple sites and I'm pretty comfortable with WordFence, but your plugins and support are awesome.

Hristo Pandjarov Siteground Team

Jun 24, 2021

Please, check my previous comment on that subject.

Lynne

Jun 22, 2021

Hi, one of the options is the 'Login Access' and to enter safe IP addresses. I put in the IP address but it says it is not formatted correctly, but I can't find an example of how it should be formatted, could you point me to some instructions please?

Hristo Pandjarov Siteground Team

Jun 23, 2021

The standard IP format xxx.xxx.xxx.xxx - you can use whatismyip.com to get your public IP address.

Willem

Jun 22, 2021

Is it better than the free version of 'All in One WP security'? What are the differences?

Hristo Pandjarov Siteground Team

Jun 24, 2021

Please, check my previous comment on that subject.

Karim

Jun 22, 2021

Great plug-in. What’s the difference between this and Wordfence since the latter is very widely used among the WordPress community? Shall we say if we used yours there’s no need to think about Wordfence? The other quest is regarding the performance on the site itself, which one is lighter and better for site optimisation? Thanks for all the effort.

Hristo Pandjarov Siteground Team

Jun 24, 2021

Our plugin is designed from the very beginning with performance in mind. This said, I don't want to go into a feature comparison with Wordfence. With this initial version and the SiteGround WAF running on all servers already your site will be protected well enough. Yes, we will introduce more features along the way but even now you're still covered.

Cambs Digital

Jun 22, 2021

As a developer I have concerns that htaccess is indiscriminately written to. I have had sites taken down before due to this. I really would prefer to review additions to this file and add them manually. Also, blocking the admin folder breaks many ecommerce sites using an ajax-enabled cache, as another example. So it's great to have this plugin, but I have been put off by maverick site editing behind the scenes. Generally what you need is:
- limiting login attempts
- stopping the application having editing access to the actual theme files
- blocking IP addresses when you come across bad actors
- blocking access to the admin folder with a whitelist, and with the possibility to whitelist a file (to run ajax operations)

Hristo Pandjarov Siteground Team

Jun 24, 2021

We have tested our plugin extensively to make sure it doesn't break functionality. Everything you've mentioned can be achieved, just give it a try.

David

Jun 22, 2021

How does this compare to SG Site Scanner? If this security plugin is used do we still need the SG Site Scanner?

Hristo Pandjarov Siteground Team

Jun 23, 2021

The plugin improves your site security while the scanner checks if your account has been compromised. Those are different things :)

Pele Banugo

Jun 22, 2021

Hristo, this is both interesting and exciting. Why did SiteGround decide to build a security plugin when here are so many on the market?

Hristo Pandjarov Siteground Team

Jun 23, 2021

Because we believe we can make it better and faster than anyone else. Right now people use 2-3-4 plugins for things like stopping xml rpc, custom login urls, access log, etc. We want to replace those with a single, well built and maintained plugin.

Vincent Poirier

Jun 22, 2021

Is it compatible with WordPress Multisite? (if yes) Are there network-wide configurations?

Hristo Pandjarov Siteground Team

Jun 23, 2021

Not in this version, we will add MS support at a later stage since there are a lot of custom needs to be met there.

Judy

Jun 22, 2021

Will ManageWP still be able to access the websites to do updates and backups with your security plugin?

Hristo Pandjarov Siteground Team

Jun 24, 2021

If they do it in a legitimate way, yes. To be honest, I haven't tested it but there shouldn't be problems. If such exist though, feel free to post a thread in the plugin forum at wp.org. We will happily assist you further.

Lisa

Jun 22, 2021

What is the difference between Wordfence and Siteground Security? Do you send reports of attempted logins, potential hackers and their whereabouts as well as potential security breaches that should be addressed?

Hristo Pandjarov Siteground Team

Jun 24, 2021

Please, check my previous comment on that subject.

Sar

Jun 22, 2021

"... we disable the themes & plugins editor by default." To clarify, does this mean theme builder editors like Divi, Elementor, Beaver Builder, etc.. are disabled by default?

Hristo Pandjarov Siteground Team

Jun 23, 2021

No, we've disabled the ability to edit themes and plugins code through the backend editor. All page builders will work just fine.

Emma

Jun 22, 2021

This is a great addition. I would actually like to see lockout after 1 try as an option though?

Hristo Pandjarov Siteground Team

Jun 23, 2021

That would be too harsh and cause more harm than good really.

Emin

Jun 22, 2021

It would be great if this could allow renaming the default admin and login paths. I found that this is the best protection a WP site could get.

Hristo Pandjarov Siteground Team

Jun 23, 2021

Coming up shortly :)

Lou Sniderman

Jun 22, 2021

Wordfence sends me an email every time there is an update for a plug-in or when someone logs in to the site as admin. Will your Security plugin do the same?

Hristo Pandjarov Siteground Team

Jun 23, 2021

We are working on email notification system, it is coming shortly.

Lou Sniderman

Jun 23, 2021

Is it OK to continue to use Wordfence along with your Security plug in until the email notification is available? If I don't install your Security plug in now how will I know that the email notifications has been added to the plugin?

Hristo Pandjarov Siteground Team

Jun 24, 2021

Best way is to check the changelog before updating. This said, check if you're not duplicating functionality. Otherwise there shouldn't be conflicts.

Ian

Jun 22, 2021

Does this plug-in address the same vulnerabilities that Wordfence does? I would prefer to use plug-ins that are developed by Siteground (e.g. I prefer SG Optimizer over a third-party plug-in) so long as they deliver substantially the same functionality.

Hristo Pandjarov Siteground Team

Jun 24, 2021

My opinion is that with the SiteGround WAF running on all servers and the SiteGround security you don't need WordFence.

Alan

Jun 22, 2021

I too use Word Fence. So the question of possible conflict has been answered. I use the IPs temporarily blocked by Word Fence to manually block the IPs across all my subdomain sites using SG site tools. It would be useful if your security plugin could do that automatically. Question: if the use of 'admin' is disabled, is there some way to avoid being locked out of those sites that currently use that login. Question: I do use Jetpack, so presumably XML-RPC protocol will not be deactivated? Thanks. Alan.

Hristo Pandjarov Siteground Team

Jun 24, 2021

Everything is optional. If you really use Jetpack, then you can't disable XML-RPC since it uses it heavily and that would break it. As to Wordfence, I don't think there will be a conflict, just not much sense keeping two plugins that keep logs and provide the functionality to ban IPs. Last but not least, that's a great suggestion. We actually plan on using that data from the plugin to apply global bans in a way our AI Anti-bot system bans IPs across our entire network once they are detected to cause malicious traffic even to a single server.

Chris

Jun 22, 2021

I'm using Sucuri - free and paid versions on sites...any issues with having both? Also, I already have wp hide login in all my sites...what should I do now?

Hristo Pandjarov Siteground Team

Jun 24, 2021

The next plugin version will make WP Hide Login obsolete. You can keep it for now. As for the rest, we already have a WAF running on our servers so I would personally save on paying for premium plugins and rely only on SiteGround Security.

John

Jun 28, 2021

Thanks! Does this mean you don't recommend your Sitescanner (Sucuri) service?

Hristo Pandjarov Siteground Team

Jun 28, 2021

The Site scanner is a completely different service. I totally recommend it :)

Debbee

Jun 22, 2021

Does what you said about Wordfence also apply to Sucuri?

Hristo Pandjarov Siteground Team

Jun 24, 2021

Well yes, since they provide pretty much the same things.

Fused

Jun 22, 2021

I have multiple clients using your managed Wordpress GoGeek services. Since most are not new installations, how do I add this security feature?

Hristo Pandjarov Siteground Team

Jun 23, 2021

You can install it as any other WordPress plugin, it's in the repo.

Gene

Jun 23, 2021

I need to know if the Wordpress security you are promoting requires a static IP address. This would seem to be a simple question but not one that I can find in the supposed help system. Very frustrated that there seems to be no way to get phone support. Just endless circles of things that don't help.

Hristo Pandjarov Siteground Team

Jun 24, 2021

It does not require a static IP address. However, if you have a dynamic IP I wouldn't recommend restricting the login to one IP since you may lock yourself out. Use the 2FA authentication instead or a VPN and only then restrict the access to its IP.

Taina Pere

Jun 23, 2021

Hi! My websites are currently protected with Sucuri Security. Does SiteGround Security work well alongside Sucuri or do you recommend removing Sucuri when installing SiteGround Security?

Hristo Pandjarov Siteground Team

Jun 23, 2021

I would replace the plugin since it's not a good idea to duplicate functionality.

Simon

Jun 23, 2021

We have found your hosting and support to be excellent in most cases, although we do have a security concern that port 3306 is open and there is no way of closing this. We are thinking of having to move hosting companies as our RiskXchange website security score is too low due to this port being open on our website hosted with you.

Hristo Pandjarov Siteground Team

Jun 23, 2021

We can't close this port on a shared server because many people use remote MySQL connections to databases on that server. If you need to close it although it's not a security risk at all (only IPs added through the Remote MySQL tool can connect) you can upgrade on Cloud where our support team can make this custom adjustment for you.

Martin Mowat

Jun 23, 2021

Will it conflict with any of the THRIVE plugins please ?

Hristo Pandjarov Siteground Team

Jun 23, 2021

It should not conflict with any plugin if they aren't doing anything wrong. Give it a try, if there are problems, you can post a thread in the plugin's forum and we will help you out :)

Geoff Telford

Jun 23, 2021

Hey! So I was testing the 5 login attempts with 'admin' as a user and now I can't get access to my site dashboard! What do I need to do to unlock it again! Thanks!

Hristo Pandjarov Siteground Team

Jun 23, 2021

So it seems the test was a success :) Check out the plugin description page, we have provided instructions on how to proceed in this case: https://wordpress.org/plugins/sg-security/

Geoff Telford

Jun 23, 2021

LOL! It sure did! Thanks very much!

Mark Root-Wiley

Jun 23, 2021

Overall, this feels like a great new tool, and I expect I'll be implementing it on all the sites I host on SiteGround. I will say, though, that I'm a little disappointed about your encouragement to disable RSS feeds. RSS is a core technology for encouraging an open web that lets people follow WordPress websites through the tool of their choice. While RSS definitely isn't at its peak of popularity, it does seem to be having a bit of renaissance: https://css-tricks.com/tag/rss/. Site owners might assume that "nobody will subscribe to my blog", but I wish this plugin didn't encourage folks to remove that as an option. While scraping blogs is annoying (I've had it done to me with HTTrack, though not via RSS), I wouldn't exactly call it a security issue either. I assume it's too late to remove this feature, but maybe you could at least include information to help people make a measured decision about whether to turn those feeds off or not. I for one, want all the sites I visit to support RSS so I can engage with them.

Hristo Pandjarov Siteground Team

Jun 24, 2021

Well, it is an option. You don't have to disable the RSS feeds. The thing is that the majority of people nowadays don't use WordPress for blogs. If you have a news site or a blog, by all means - use RSS :)

Linda Darlene

Jun 23, 2021

For clarification, you aren't saying that the wp-admin feature is being removed, are you? And having to do something with the php to regain access sounds like a deal breaker for me. I never add or subtract anything to it.

Hristo Pandjarov Siteground Team

Jun 24, 2021

No, no, no :) You can still log in the same way. We are working on a feature that will replace site.com/wp-admin with site.com/my-whatever-login-url which will stop most massive attacks that rely on that specific URL existing.

Stephen Bentley

Jul 16, 2021

In theory, that may be correct. But in practice after I enabled 2FA I couldn't gain access to my wp-admin. After contacting SG Chat, I was told 'I double-checked and our security plugin was asking to access the website with admin account so I disabled it from the File Manager and that worked perfectly.' It did but I lost confidence in this new SG plugin so I have gone back to Wordfence.

Gergana Zhecheva Siteground Team

Jul 19, 2021

It seems in your case, you were locked out of your Dashboard by a security rule that was added in the SiteGround Security menu earlier by you or another website administrator. We are sorry to hear that you were not satisfied with the plugin, as it was working as expected. In such cases, website owners can access the WordPress Dashboard via SiteTools interface auto login option.

Neil Lizotte

Jun 24, 2021

With Wordfence I would get security alerts that theme or plug-in files have been changed and I'm having trouble telling whether my website has been hacked or it's just an update. I hope your service is better and thank you, I have not been happy hearing of vulnerabilities in countless plug-ins and themes. Two-factor login for all members via cell phone text codes would be awesome.

Hristo Pandjarov Siteground Team

Jun 24, 2021

Google Authenticator is super stable and works great. We have enabled 2FA for all users with editorial rights. SMS verification would be a paid feature for sure and I don't think it would be worth it since there's a free alternative.

Senthil Murugan

Jun 24, 2021

Thanks for this new plugin. Once we start using this new plugin, can we stop using these two plugins, Disable Comments and Limit Login Attempts Reloaded? In this new plugin, if you give the option to mention the IP address for the login URL, it will be greatly helpful.

Hristo Pandjarov Siteground Team

Jun 24, 2021

You can remove the Limit Login Attempts one. SiteGround Security doesn't have the option to disable comments.

AeroStar

Jun 25, 2021

We have been using iThemes Security Pro for 5 years. In 5 years, we experienced nothing but delays or excuses from iThemes Customer Support to fix common issues. Further, iThemes Security Pro V7.0.0 was released yesterday which they considered "EPIC" in terms of usability, features, and protection. Unfortunately, the release turned out to be a fiasco. Bottom line, your timing in releasing SG Security could not have been better. We tested both iThemes Security Pro 7.0.0 and SG Security simultaneously with no conflicts. However (drum roll, please), after thorough testing and evaluation, we concluded that we no longer need iThemes Security Pro. So, now we only use SG Security and look forward to your future enhancements. If we had one suggestion to make, that would be to incorporate SG SiteScanner into your plugin and offer it at no charge to your SG customers. Doing this would keep your current customers VERY HAPPY and definitely get more prospects to use SiteGround Hosting Services. Job well done, Hristo!

Samuel

Jul 18, 2021

I am using siteground GB but didn't see the security plugin automatically deployed as is the case with the SG cache plugin. I have asked SG support numerous times whether to keep the current security plugin or not since SG claims to have robust web security in place; I was told to keep using the WF security plugin as it gives extra layers of security. On top of this, we use the primer paid version of the Cloudflare subscription through SG which also does the same things as the installed 3rd-party security plugin. On top of this, we use another plugin for spam protection. I wish SG had a support article which clearly stated whether, if we are using SiteGround service, it would make sense to use additional external 3rd-party security plugins.

Gergana Zhecheva Siteground Team

Jul 20, 2021

The SiteGround Security plugin is added by default on all new WordPress applications installed via SiteTools. If you have an existing WordPress website hosted with us though, the plugin would not be auto-installed on it. As to what type of security mechanism is the best - you can use the security plugin and tool that best matches your needs and preferences. A general rule of thumb is avoiding the simultaneous use of features with identical functionalities for preventing any conflicts.

Naomi

Jul 27, 2021

I have just installed this plug in on my Site Ground hosted site. Am I understanding that I can now uninstall Sucuri WP Plug In? It has notified me of several brute force attempts and I just want to be sure I am not deleting something I need. Thank you

Hristo Pandjarov Siteground Team

Jul 28, 2021

Yes, you will be fine with SGS only. Just make sure you enable the limit login attempts functionality. Changing the default login and registration URL will help greatly too. Enabling 2FA auth is very good idea too and it's very easy to implement with our plugin.
