Enhanced Protection Against WordPress Vulnerabilities with SiteGround Security Plugin Preinstalled
Table of Contents
We have recently launched our own WordPress security plugin — SiteGround Security (now named Security Optimizer), which aims to protect WordPress users against the most common vulnerabilities plaguing the sites. It is available for anyone to download and use for free, regardless which hosting platform they use. To make sure that our WordPress sites are well protected on application level, however, we have started preinstalling SiteGround Security on all new installations on our platform with some of the features enabled by default.
Default SiteGround Security Settings Against Common WordPress Vulnerabilities
Having your site set up with security in mind from the start can easily protect you against some of the most popular vulnerabilities out there. To help you achieve that goal, when we preinstall the SiteGround Security plugin we enable the following settings:
WordPress Version is Hidden by default
Hackers often crawl websites scooping information about software versions used. That way, when they get to discover a vulnerability in any of those versions, they are able to reach to and quickly hack many sites in bulk using that information. For WordPress application this data is openly available in 2 places – in an HTML tag and in the readme.html file.
By default, our plugin removes the HTML tag with the WordPress version and we strongly recommend that you also remove the readme.html file via the option in the SiteGround Security plugin.
Advanced XSS Vulnerability Protection enabled
The cross-site script vulnerability, known as XSS, allows different apps and plugins to access information in your WordPress that they shouldn’t. Such attacks are often used to gather sensitive user data for example. By default, the SiteGround Security plugin enables protection against XSS by adding headers instructing browsers not to accept JS or other code injections.
Disabled XML-RPC protocol to prevent many vulnerabilities and attacks
The XML-RPC is an old protocol used by WordPress to talk to other systems. It is getting less and less used since the appearance of the REST API. However, it is available in the application and many are using it for exploiting vulnerabilities, starting DDOS attacks and other troubles. That is why our SiteGround Security plugin disables this open access line to your WordPress application by default.
Jetpack plugin and mobile apps are valid users of the XML-RPC protocol. If you download Jetpack at some point, we will automatically enable the protocol back. You can also enable it yourself through the plugin interface.
Option to Disable RSS and ATOM Feeds
Similar to XML-RPC, feeds are rarely used nowadays, but they are often used by attackers and bad bots to scrape your site content. So the SiteGround Security plugin allows you to disable them easily. Unless you really need them, we recommend using this option and disable them as soon as possible.
Lock and Protect System Folders by default
Usually, when an exploit happens, attackers try inserting and executing PHP files in public folders to add backdoors and further compromise your account. By design, those publicly accessible WordPress folders are used for uploading media content (images for example). Via the SiteGround Security plugin, we do not forbid the upload of files, but we stop PHP files and malicious scripts from being executed and causing problems for your sites. This feature protects those system folders and prevents potentially malicious scripts from being executed from them.
Disabled “Admin” Username
The default username and one most widely used on all applications by their owners is “Admin.” Hackers know that and when they wish to bruteforce a login form, they will definitely try it. That is why we disable this username by default.
Disabled Themes & Plugins Editor
Editing code through the plugins and themes editor poses direct security risks both from potential elevation of privileges attacks and errors made by a regular site administrator. If you want to edit your files, it is strongly recommended that you use the File Manager tool in Site Tools, or your preferred editor through FTP or SSH (ideally on a staging copy of your site). To help you avoid bad practices and attacks, we disable the themes & plugins editor by default.
Recommended Vulnerabilities Protection Settings
There are a few settings, which you can control from the SiteGround Security plugin, which we have not enabled by default because they need your permission or they pose a risk on the way you use your app. Yet, we wish to encourage you to enable them consciously as they are quite powerful protection tools as well.
Two-Factor Authentication is a MUST
You already know that 2FA protects your login from brute force attacks and hijacking of login credentials. You can read more on the topic here and you can enable it easily using the SiteGround Security plugin.
Limit Login Attempts
When someone tries to log in several times with wrong credentials, they are most likely trying to guess your logins. That is why it is strongly recommended to block such attempts after the first few – 3 or 5. You can set that in the SiteGround Security plugin interface and after that many times of wrong logins, the user gets blocked for 1hour the first time, then 24hours on the second trial, and finally for 7 days on their third trial. Again, since if you don’t know about this functionality, you may lock yourself out of the WordPress admin area, we are not enabling it by default for you, but you can do it easily in a click!
More Tools Against WordPress Vulnerabilities Coming Up
We’re continuing the development of the plugin and will add a lot of new functionality soon. Monitor the change log for new features added with the upcoming updates. There isn’t a strict roadmap that we can share at this point but some of the features coming next are custom login URLs, Strict Transport Security headers and X Frame options that will prevent page hijacking. As usual, we want to bring what’s usually difficult to implement technologies to everyone and with an interface easily accessible without having to spend hours researching the exact syntax of the necessary headers or other code.