SiteGround Security - our new must-have WordPress plugin

The security of our clients’ websites has always been an extremely important part of our web hosting services. Some of the brightest technical minds in our team have been continuously dedicated to crafting unique security solutions and keeping the safety of our hosting infrastructure at an unmatched level. We have been an industry pioneer in developing server-level protections like account isolation, server health monitoring, anti-bot traffic prevention, etc. We also know that, on top of the server-level solutions, the security of each individual website should be strengthened at the application level too. That is why we provide services like auto updates, backups and WAF protection to our clients.

Today we are happy to introduce another tool that can greatly enhance any WordPress site’s security: our brand new SiteGround Security plugin. The SiteGround Security plugin is available as a free download for anyone and gives its users an easy way to protect a WordPress site from malicious attacks. It also includes valuable tools that can help a website owner react if there is a suspicion that the site might have been compromised. Read below to learn how to make your site safer with our new plugin.

Protect your WordPress against common attacks

In the Site Security section of our plugin you will be able to easily switch on several rules that harden your website security and prevent common malware, brute-force and other security issues. Some of these rules, like hiding your WordPress version or deleting your default readme.txt, will make it harder for crawlers to detect that you’re even using WordPress. Thus your website will not be easily identified as a possible attack victim when a vulnerability appears. Other rules in this section will add advanced XSS protection and protect your system folders from being injected with malicious files.

Strengthen your login security

In the Login Security section of our plugin you will be able to apply several methods that protect your login from unauthorised access. One of the most recommended methods to protect your login is 2-factor authentication, and with the SiteGround Security plugin you can easily switch it on for your WordPress administrative area. Some simple, yet very effective protection measures, like changing your login URL and not allowing “admin” to be used as a username, can also be easily set here. You can also limit the number of login attempts from one and the same IP, which will block attackers trying to guess your password through brute force. And if you want to go even deeper in protecting your WordPress login, there are two more advanced options available. You can specify the IPs from which your login page can be accessed. This option should be used with caution if you have a dynamic IP, so that you do not lock yourself out. You can also specify certain periods of time when your login will not be accessible at all. For example, if you know that no one ever logs in during the weekend, you can switch on an away mode for Saturday and Sunday and no one will be able to access the administrative area on these days.
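The attempt limit, the IP restriction and the away mode described above can be read as one policy decision made before the login form is served. This is an added example, not the plugin's code: the `LoginGate` class, the 3-failure threshold, the 15-minute window and the order of the checks are assumptions, and the addresses are constructed from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class LoginGate:
    """Login-page policy: away mode, IP allowlist, per-IP failed-attempt limit."""

    def __init__(self, allowlist=(), away_weekdays=(), max_failures=5,
                 window=timedelta(minutes=15)):
        self.allowlist = [ip_network(net) for net in allowlist]
        self.away_weekdays = set(away_weekdays)  # Monday=0 ... Sunday=6
        self.max_failures = max_failures         # assumed threshold
        self.window = window                     # assumed counting window
        self.failures = defaultdict(deque)       # ip -> failed-login timestamps

    def check(self, ip, now):
        """Return (allowed, reason); `ip` is the peer address the server saw."""
        if now.weekday() in self.away_weekdays:
            return False, "away-mode"
        if self.allowlist and not any(ip_address(ip) in n for n in self.allowlist):
            return False, "ip-not-allowed"
        recent = self.failures.get(ip, deque())
        while recent and now - recent[0] > self.window:
            recent.popleft()                     # forget failures outside the window
        if len(recent) >= self.max_failures:
            return False, "too-many-attempts"
        return True, "ok"

    def record_failure(self, ip, now):
        self.failures[ip].append(now)


def demo():
    """Constructed scenario; addresses come from documentation ranges."""
    gate = LoginGate(["203.0.113.0/24"], away_weekdays={5, 6}, max_failures=3)
    monday = datetime(2021, 6, 7, 9, 0)
    for minute in range(3):                      # three wrong passwords
        gate.record_failure("203.0.113.10", monday + timedelta(minutes=minute))
    return [
        gate.check("203.0.113.10", monday + timedelta(minutes=3))[1],
        gate.check("203.0.113.10", monday + timedelta(minutes=18))[1],
        gate.check("198.51.100.7", monday)[1],   # admin whose dynamic IP changed
        gate.check("203.0.113.10", monday + timedelta(days=5))[1],  # Saturday
    ]


if __name__ == "__main__":
    print(demo())
```

The third result is the lockout case the paragraph warns about: an administrator whose address has moved outside the allowed range is refused exactly like any other unknown address.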

Monitor your admin area activity log

One of the best plugin features is the detailed Activity log. It allows you to pinpoint things like bad IP addresses that try to access your website, as well as registered users that are performing tasks they are not supposed to. For example, you can block with one click IPs that have numerous incorrect logins and at the same time find out which user has deleted that post you are missing. For the initial version, we keep the log 16 days back, so it’s worth giving it a look every now and then, especially if you have a busy site and a number of users with the capabilities to edit content.

React if you suspect your site might have been compromised

In the Post-hack section of the plugin you will find a set of actions that are useful if you believe your site security has been compromised. Here you will be able to automatically log out all users and force them to change passwords. This way, if any user was compromised, you may stop the malicious access through their account. You will also be able to reinstall all your current plugins. This will make sure you are using a clean copy of each plugin instead of a possibly compromised one. Please bear in mind that although these post-hack actions are handy, they are not a substitute for a thorough site clean-up that might need to be done by a WordPress security expert, if there are signs that your website might have been hacked.

How to get the SiteGround Security Plugin?

The SiteGround Security plugin is available like any other free WordPress plugin. You can find it in the official WordPress plugin repository (https://wordpress.org/plugins/sg-security/) or install it directly through your WordPress admin area. This is the first plugin we are releasing whose full functionality can be used by anyone, even people that are not hosted by SiteGround. That said, we haven’t done extensive testing with every other company, so issues caused by their particular setup may occur. If that’s the case, don’t hesitate to post a thread in the plugin forum in the WordPress repository. We will do our best to make sure it works great on all platforms.

Hristo Pandjarov

WordPress Initiatives Manager

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

Comments ( 11 )

Iréne

Jun 08, 2021

Thank you for the exciting new plugin! Can I use it with Wordfence?


Hristo Pandjarov Siteground Team

Jun 09, 2021

Generally it's not a good idea to duplicate functionality, so I wouldn't advise you to use both together.


David

Jun 10, 2021

Hi, I have tried setting up the 2FA function. However, it keeps coming up with an error, when I scan the QR code. I don't use Google Authenticator, but Keeper Security. The TOTP function is supposed to be identical to that of Google's and all other 2FA codes work on other websites. This is the first TOTP issue I have ever had. So, I just wondered where the error may lie or if I am doing something incorrectly. Could you advise please?


Hristo Pandjarov Siteground Team

Jun 11, 2021

Our 2FA authentication system works only with Google Authenticator. The QR code won't work with any other application.


Christian Saborio

Jun 13, 2021

It also works with 1Password OTP feature flawlessly :-)


Zaph

Jun 15, 2021

Do you have a roadmap for the development of this plugin? I would like to see the WP API locked down, protection against zero-day vulnerabilities, and a threat feed block list.


Hristo Pandjarov Siteground Team

Jun 16, 2021

Not a public one. We do have zero-day vulnerabilities protection on a server level. As for the API lockdown, we will consider it or at least the front-facing part because it is widely used, including for our own plugin interface based on React.


Jim

Jun 16, 2021

Great work, you guys. But I also use the WPS hide login plugin and that gave a critical error. Couldn't log in to the backend anymore. I deactivated WPS and everything works fine now. Is this maybe an extra feature that can be integrated in SG Security? Or do you know alternatives? Keep up the great work, SG.


Hristo Pandjarov Siteground Team

Jun 16, 2021

Custom login URL functionality is coming up shortly with the next plugin update!


Paul

Jun 17, 2021

I turned on the feature to prevent use of the admin username, but I am not prompted to change it when logging in. It still allows me to log in with admin. On the users screen in WordPress, I am not allowed to change the username at all. I tried turning off the "prevent admin" feature in the plugin, and it prompts me to change the username there, but when I put in a new username, I get an error and it won't let me save.


Hristo Pandjarov Siteground Team

Jun 21, 2021

In this version the plugin does not rename existing users (that's coming up). We only block the creation of new users with admin as user.
