SiteGround Security - our new must-have WordPress plugin
The security of our clients’ websites has always been an extremely important part of our web hosting services. Some of the brightest technical minds in our team have been continuously dedicated to crafting unique security solutions and keep the safety level of our hosting infrastructure on an unmatched high level. We have been an industry pioneer in developing server level protections like account isolation, server health monitoring, anti-bot traffic prevention, etc. We also know that on top of the server level solutions, the security of each individual website should be strengthened on application level too. That is why we provide services like auto updates, backups and WAF protection to our clients.
Today we are happy to introduce another tool that can greatly enhance any WordPress site security – our brand new SiteGround Security plugin. The SiteGround Security plugin is available for free download for anyone and it comes preinstalled with all new WordPress installations hosted at SiteGround and provides its users an easy way to protect a WordPress site from malicious attacks. It also includes valuable tools that can help a website owner react in case there is a suspicion that the site might have been compromised. Read below to learn how to make your site safer with our new plugin.
Protect your WordPress against common attacks
In the Site Security section of our plugin you will be able to easily switch on several rules that will harden your website security and prevent common malware, bruteforce and other security issues. Some of these rules, like hiding your WordPress version or deleting your default readme.txt, will make it harder for crawlers to detect you’re even using WordPress. Thus your website will not be easily identified as a possible attack victim when a vulnerability appears. Other rules in this section will add advanced XSS protection and protect your system folders from being injected with malicious files.
Strengthen your login security
In the Login Security section of our plugin you will be able to apply several methods that protect your login from unauthorised access. One of the most recommended methods to protect your login is the 2-factor authentication and with the SiteGround Security plugin, you can easily switch it on for your WordPress administrative area. Some simple, yet very effective protection measures like changing your login URL and not allowing “admin” to be used as a username can be also easily set here. You can also limit the number of login attempts from one and the same IP, which will block attackers trying to guess your password through brute force. And if you want to go even deeper in protecting your WordPress login, there are two more advanced options available. You can specify the IPs from which your login page can be accessed. The option should be used with caution if you use dynamic IP, so that you do not block yourself out. You can also specify certain periods of time when your login will not be accessible at all. For example if you know that no one ever logs in during the weekend, you can switch on an away mode for Saturday and Sunday and no one will really be able to access the administrative area on these days.
Comments ( 91 )
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through
Iréne
Thank you for the exciting new plugin! Can I use it with Wordfence?
Hristo Pandjarov Siteground Team
Generally it's not a good idea to duplicate functionality so I wouldn't advice you to use both together.
Simon Carne
On the face of it, Wordfence offers a lot of functions that SG Security doesn't (yet) have. So, if a user already has Wordfence, should we stick with that (at least until the two plugins are a closer match).
Hristo Pandjarov Siteground Team
I don't think there are any important functionality missing between the two. Especially, since we have a server-side WAF running already.
Simon Carne
Thanks, Hristo. I'm not an expert on this area of WordPress, but Wordfence has a scanning function which checks, for example, whether plug-ins are obsolete or any files have deviated from the version at wordpress.org. I can't see that in SG Security. Am I not looking properly ... or are you saying it's not an important functionality to have?
Hristo Pandjarov Siteground Team
It's on the roadmap but not available in our initial release.
Tony
Hi Simon, did you stay with Wordfence or change to the SG? I am wondering the same. What did you decide in the end?
Samphy
How about Jetpack?
Hristo Pandjarov Siteground Team
Jetpack is a meta plugin, if you are using it only for security, you can replace it. Just don't duplicate functionality.
David
Hi, I have tried setting up the 2FA function. However, it keeps coming up with an error, when I scan the QR code. I don't use Google Authenticator, but Keeper Security. The TOTP function is supposed to be identical to that of Google's and all other 2FA codes work on other websites. This is the first TOTP issue I have ever had. So, I just wondered where the error may lie or if I am doing something incorrectly. Could you advise please?
Hristo Pandjarov Siteground Team
Our 2FA authentication system works only with Google Authenticator. The QR code won’t work with any other application.
Christian Saborio
It also works with 1Password OTP feature flawlessly :-)
Tony Valamontes
the GA is a horrible 2FA, with no backup or recovery, but the AUTHY app is compatible with the GA and I never had issues for the past 3 years I used it as a GA alternative.
Hristo Pandjarov Siteground Team
Glad that your app works. I've been using GA for years for 2FA and it has never underperformed. We will consider adding different options in the future though.
Mark Landeryou
Can I use my yubikey for 2fa with this plugin?
Gergana Zhecheva Siteground Team
We have not tested the 2FA setup with this particular authenticator app type. If you set it up, please remember to save the QR code that you might need later for completing the setup on any additional yubikeys.
Zaph
Do you have a roadmap for the development of this plugin? I would like to see the WP API locked down, protection against zero-day vulnerabilities, and a threat feed block list.
Hristo Pandjarov Siteground Team
Not a public one. We do have zero-day vulnerabilities protection on a server level. As for the API lockdown, we will consider it or at least the front-facing part because it is widely used, including for our own plugin interface based on React.
Jim
Great work you guys. But I also use the WPS hide login plugin and that gave a critical error. Couldn't login in the backend anymore. I deactivated WPS and everything works fine now. Is this maybe an extra feature that can be integrated in SG security. Or do you know alternatives? Keep up the great work SG.
Hristo Pandjarov Siteground Team
Custom login URL functionality is coming up shortly with the next plugin update!
WebkiwiNZ
Thumbs up to this feature from me. Its a standard setup item on most sites we manage. it rmeoves 90% of kiddy scripters trying to bludgeon the system to death.
Paul
I turned on the feature to prevent use of the admin username, but I am not prompted to change it when logging in. It still allows me to login with admin. On the users screen in wordpress, I am not allowed to change username at all. I tried turning off the "prevent admin" feature in the plugin, and it prompts me to change the username there, but when I put in a new username, I get an error and it won't let me save.
Hristo Pandjarov Siteground Team
In this version the plugin does not rename existing users (that's coming up). We only block the creation of new users with admin as user.
Asit Aithal
I'm on SG and I already have Defender Pro. Do I need this?
Hristo Pandjarov Siteground Team
You can save money and use only the SiteGround Security plugin :)
David Adams
You say in your article above that, "..we provide services like auto updates, backups and WAF protection to our clients.". I wasn't aware that you provide a WAF service, in fact, I called recently about your SG Scanner addon service to ask whether this included a WAF, and the answer from your support team was 'No'. Could you please provide further details on your WAF service?
Hristo Pandjarov Siteground Team
The SG Scanner scans for malicious code and reports if there's an intrusion. Our WAF runs on all our servers together with the AI anti-bot system. You don't need to configure or purchase anything, it's there and working :)
RRRBB
Yes, but is this advertised as part of SG hosting services? Seems odd that you would not promote that this valuable feature (WAF) is included in your hosting packages, especially given that you're not exactly the cheapest hosts.
Hristo Pandjarov Siteground Team
Thanks for pointing this out, I will discuss it with the team to make it more clear on our hosting page that this is indeed a feature of our hosting service.
Sanjog
Hi, Have installed plugin on one of my website, but Google Authenticator doesnt work while login. How do I connect GA with login.?
Hristo Pandjarov Siteground Team
You need to enable the 2FA authenticator and logout. Then, on the first login, simply scan the QR code with the GA application and your site will be synced.
Daan
Is it comparable with Wordfence?
Hristo Pandjarov Siteground Team
With the SiteGround Security plugin and the SiteGround WAF already running on all servers you don't need Wordfence. Having two security plugins will only slow your site down. No, there won't be a conflict but that doesn't make it a good idea to use both.
morgan fackrell
Hi, I've been using Cerber secruity plugin will it conflict with this plugin?
Hristo Pandjarov Siteground Team
I would recommend replacing it with ours instead of using both.
Chrilles Wybrandt
Would you recommend All-in-one SiteGround Security Plugin instead of the free version of Wordfence and IThemes Security? What are the benefits with All-in-one SiteGround Security Plugin comparted to Wordfence and IThemes Security?
Hristo Pandjarov Siteground Team
Our plugin is designed to secure and protect your site without harming its loading speeds. Even if we still lack few functionalities, you can safely use it instead of any combination of other plugins out there.
Vera Schäfer
Let's say I limit login to a range of IP's and I need SG to take a look at a site. Do I have to temporarily disable that option or not?
Hristo Pandjarov Siteground Team
Yes, although our support team should be able to bypass that restriction :)
Kate
My Wordpress site is hosted by Siteground. Do I need this security plug-in ?
Hristo Pandjarov Siteground Team
Yes, I would totally recommend using it.
Ben
Greetings, Thanks for your initiative to develop this plugin. I already have AIO WPS installed and set up, though I do not know the details. Will your security plugin interfere with AIO WPS? Do you expect that AIO WPS be de-activated and deleted before downloading and setting up your plugin (or afterward)? Regards, Ben
Hristo Pandjarov Siteground Team
I would recommend replacing it with our plugin and not duplicate functionality since that may cause conflicts.
Vickie
Thrilled that SG continues to provide such great tools for users. Thank you! Can this plugin block by country or just IPs? Do you recommend using this and the paid Site Scanner together or overkill?
Hristo Pandjarov Siteground Team
You can use both, they do different things :) As to the GeoIP blocking it is on the roadmap but I can't give you an ETA when it will happen.
Thomas G.
Will we be able to block certain countries in the future?
Siaki
Does it work on multisite?
Hristo Pandjarov Siteground Team
Not yet, we will soon have features specifically for MS.
N'Teasha Uganda Brownlee
Cerber has an anti-spam feature. So this plugin provide that as well?
Hristo Pandjarov Siteground Team
It's coming up shortly :)
Robert
+1 vote on changing the admin directory! Tried turning on IP restriction but still says any IP can login so having tech check it out. Great tool and looking forward to additional features to keep us safe.
Gerard van Seventer
I am on SG and use Bullet Proof Security Pro. Has it the same functionality and level of protection?
Hristo Pandjarov Siteground Team
We believe our pluigin has everything you need. I am not sure about the one you mention. If you don't have any crucial functionality missing, you can safely replace it.
amy
i am not ready yet to let go of wordfence, can the plugin work side by side with wordfence ?
Hristo Pandjarov Siteground Team
Yes, as long as you don't duplicate functionality. Check out the settings and make sure you're not doing the same through both plugins.
Jarrett Gucci
Where is the activity log data stored and how bloated will it make the database? There does not seem to be a way to clear it.
Hristo Pandjarov Siteground Team
It's stored in the database in an optimized way. There is log rotation se to 16 days by defailt that can be adjusted through a filter to store less data.
Don
You mentioned it is possible to change the login URL with this plugin but I don't see the option. Can you point me in the right direction?
Hristo Pandjarov Siteground Team
It's coming up in the next update!
Tim
Ideally, what I'd love to be able to do is provide my clients with a white-labellesweekly or monthly report showing how effective my security(this plugin's security, hopefully) is. As Cerber does. This would really be a killer addition for my monthly maintenance clients. 1) Can you consider this? 2) Could it be as comprehensive or something like Cerbers' weekly report: Weekly Report 1520 Malicious activities mitigated 1 Spam comments denied 0 Spam form submissions denied 447 Malicious IP addresses detected 28 Lockouts occurred Activity details Request to XML-RPC API denied 2001 Login failed 1751 Attempt to access prohibited URL 730 Attempt to log in with non-existing username 665 Probing for vulnerable code 118 IP blocked 28 Request to REST API denied 27 Malicious request denied 6 Spam comment denied 1 Attempts to log in with non-existing usernames team-sitename 507 admin 139 admin-2 19
Hristo Pandjarov Siteground Team
We're working on scheduled notifications that are configurable and include only the information you actually want to receive. As to the plugin being whitelabeled, we don't have such plans at this moment.
Jamie Richards
You guys are incredible! NO WEB HOST does what you do. Thank you for these extra kick-ass products and services. If you're unhappy with your current host or just want more features while paying the same amount you are now OR cheaper, take 10 minutes and read these 3 reviews done in 2021: - https://www.wpbeginner.com/hosting/siteground/ - https://inlinehostblogger.com/siteground-review/ - https://digital.com/web-hosting/siteground/ If you're a "Sitegrounder" already and you haven't submitted a review, SHAME ON YOU! I've submitted 3 of them. Take 5 min and do one now! https://www.trustpilot.com/review/www.siteground.com If you develop WordPress websites, do yourself a favor and at least look into these guys. The data you find will convince you!
AeroStar
Wow! Kudos to SiteGround for developing and releasing this plugin, SG Security. Up to this point, we were using iThemes Security Pro but their latest upgrade - V7.0.0 - has been a flop. So, after thorough testing and evaluation, we have decided to drop iThemes Security Pro and use SG Security instead. We are confident SiteGround will continuously update SG Security until it catches up and surpasses all other security plugins in the market. Way to go, SiteGround. Jog well done!
Pablo Daniel Perez
Hi! I installed it today but when i click on the right pannel on SG Security everything is empty, blank, nada :(
Gergana Zhecheva Siteground Team
Based on your description, it seems there is an incompatibility between the new plugin installed and the ones already in use. In such cases, deactivating the installed plugins one by one would help to isolate the culprit.
Sccs
Would you guys can make a post for sitegound plugins vs jetpack? I'm not sure that should I install both or sitegound plugins is enough?
Gergana Zhecheva Siteground Team
In this case, we would recommend the general rule of thumb, which is not to duplicate functionalities. If you are using Jetpack solely for its security features, feel free to use our SiteGround Security plugin instead.
Huy Hoa
Is it optimize for the only SiteGround hosting users or it can work on any hosting platform? I have some site on Siteground now but some other site on VPS, so wondering if I can install it on some WordPress site on VPS. For now, I'm comparing between SiteGround Security and Itheme Security
Gergana Zhecheva Siteground Team
The plugin is free for installation and usage. You can take advantage of it, even if your websites are not hosted with SiteGround currently. :)
VFlor
Hi, so thrilled about this new plugin and thank you for continuing to add value to your users. Just wanted to share something to consider for the roadmap. If there is a way to hide wordpress as much possible, that would be great. For example, hiding the login page and the theme and plugin names from view. The bad guys won't know which ones are vulnerable. It doesn't change the location of files, but just the access to it.
Hristo Pandjarov Siteground Team
Thanks for the kind words :) That's coming literally in the next release!
Javier Labbe
I've just recently noticed the option to use a custom login url. Are there any instructions with examples and/or a tutorial? Thank you in advance,
Hristo Pandjarov Siteground Team
Please, check our SiteGround Security tutorial: https://www.siteground.com/tutorials/wordpress/sg-security/ we will update it later today with the new functionalities added.
Andy
REstricting the ip address only works if I have a static IP. Can you put a range in, allowing for /16 /24 addresses. this will cover ip addresses in my local cable company nework.
Hristo Pandjarov Siteground Team
Thanks for the recommendation, we will do our best to add it as soon as possible.
Peter Wilkinson
Hi Hristo, I am running the Securi plugin and use Securi WAF. Do they provide the same features as sg-security? Thanks in advance. Peter
Hristo Pandjarov Siteground Team
You can check the different plugins feature pages, I don't have one to provide. We believe SiteGround provides everything you need to run on your application.
Christian
Hi, the plugin causes some issues on my page design. The page looks different in the Elementor editing preview then in the live version. I deactived and reactivated all plugins and identified that this plugin is causing the issue. When I deactivate it, the issue is gone. How can I solve this? Thanks, Christian
Hristo Pandjarov Siteground Team
Please, post a thread in the plugin forum providing the necessary info to recreate it and we will do our best to assist you further with this: https://wordpress.org/plugins/sg-security/
Myles
Hi there, Does this plugin work with Google Ads Bot crawler?
Hristo Pandjarov Siteground Team
I should give it a try, if it's a properly written plugin there shouldn't be a conflict.
Rich Stieg
This looks very interesting. Do you have a projected date for the next update?
Hristo Pandjarov Siteground Team
At this point we don't keep a public roadmap.
Adam Turner
I'm using the Porto Wordpress theme and have today updated it, on doing so my product filters on the category pages stopped loading and the product pages also stopped loading. I narrowed the problem down to be when the 'hide wordpress version' is activated. Now I've disabled this the website is working fine again. Would you like any further details to investigate?
Hristo Pandjarov Siteground Team
Please, use the plugin forum to report such issues, we are looking into each thread very carefuly: https://wordpress.org/plugins/sg-security/
ManlioMa
Hi, I'd like to solve these issues that I have on every website hosted on Siteground with Siteground security installed. - Cookie Does Not Contain The "secure" Attribute - Slow HTTP POST vulnerability Is it possible with your plugin?
Hristo Pandjarov Siteground Team
The first issue should be addressed by your application while the protection for the second one is server-based :) Neither should be covered by the plugin.
Gio
I wanted to avoid automated/bots forgot password requests so I tried to change the path to login url, the problem is that the system still uses the same url wp-login.php?action=lostpassword is there any way to work better for me?
Hristo Pandjarov Siteground Team
Please, post a thread in the SGS forum and we will look into your particular case.
Jean Paul
What about the speed / server load. I know Wordfence's server load does slow down your website. How about the SG Site Scanner, does it affect the website speed perfomance in the slightest way?
Hristo Pandjarov Siteground Team
SiteGround security does not impact your site performance unlike similar plugins. Our WAF is running on server level and will not slow down your pages.
Start discussion
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through