The SiteGround Security plugin was released in June of 2021 to improve the security of a WordPress installation. One highlighting feature of this plugin is that it can be used on any hosting (it’s not limited to SiteGround’s hosting unlike its SG optimizer Plugin).
In this post, I will take you through all of the features of the SiteGround Security plugin and will test out all of them.
Why A New Security Plugin?
As all of you might know, SiteGround has good WAFs built into their servers. They manually add new rules to the WAFs as soon as possible after a plugin/theme/WP Core exploit is found. So, why did SiteGround spend time and money for developing the SG Security plugin?
They decided to make this plugin because some of the common attacks on WordPress is really tricky to block automatically. But, they can be very easily blocked with a plugin. Also, they didn’t want others to be left in the dark. So, they made the plugin in such a way that it will work with any host.
SiteGround Security Plugin Overview
This is the main dashboard of the SG Security plugin. From here, you can see the last 5 unregistered and registered visitors and what page they visited. Also, there are shortcuts for accessing Site Security and Login Settings directly.
Site Security
From here, you can enable or disable the following things:
- Lock and Protect System Folders – By enabling this option you are ensuring that no unauthorised or malicious scripts can be executed in your system folders. This is an often exploited back door you can close with a simple toggle.
- Hide WordPress Version – Many attackers scan sites for vulnerable WordPress versions. By hiding the version from your site HTML, you avoid being marked by hackers for mass attacks.
- Disable Themes & Plugins Editor – Disable the option to edit themes and plugins code directly from the WordPress admin to prevent potential coding errors or unauthorised access via the WordPress editor.
- Disable XML-RPC – XML-RPC was designed as a protocol enabling WordPress to communicate with third-party systems but recently it has been used in a number of exploits. Unless you specifically need to use it, we recommend that XML-RPC is always disabled.
- Disable RSS and ATOM Feeds – RSS and ATOM feeds are often used to scrape your content and to perform a number of attacks against your site. Only use feeds if you have readers using your site via RSS readers.
- Advanced XSS Protection – Enabling this option will add extra headers to your site for protection against XSS attacks.
- Delete the Default Readme.html – WordPress comes with a Readme.html file containing information about your website. The Readme.txt is often used by hackers to compile lists of potentially vulnerable sites which can be hacked or attacked.
Login Security
From here, you can access or enable/disable the following settings:
- Login Access – Currently your WordPress login can be accessed by any IP. You can limit the access to specific IPs or range of IPs in order to prevent brute-force attacks or malicious login attempts.
- Two-factor Authentication for Admin & Editors Users – Two-factor authentication forces admin users to login only after providing a token, generated from the Google Authenticator application. When you enable this option, all admin & editor users will be asked to configure their two-factor authentication in the Authenticator app on their next login.
- Disable the “admin” Username – This option will disable the usage of “admin” as a username. If there’s an existing user called “admin”, you will be asked to provide a new username.
- Limit Login Attempts – Limit the number of times a given user can attempt to log in to your wp-admin with incorrect credentials. Once the login attempt limit is reached, the IP from which the attempts have originated will be blocked first for 1 hour. If the attempts continue after the first hour, the limit will then be triggered for 24 hours and then for 7 days.
Activity Log
The activity log can help you monitor your site and login page for unauthorised visitors or brute force attempts. You can easily block and unblock IPs or visitors that look suspicious and prevent them from malicious actions.
Post-hack Actions
If your website gets hacked, then these options will help you to regain access to your site and prevent the hacker(s) from further accessing your site.
- Reinstall All Free Plugins – Doing this will reinstall the same version of all free plugins you have installed in order to make sure that their codebase is not compromised by an attacker.
- Force Password Reset – All users will be required to change their passwords upon their next login. All currently logged in users will be instantly logged out.
- Log out All Users – This will log out all currently logged in users without asking them to change their passwords.
Verdict
All the the features provided by the plugin is extremely useful and also, the plugin is really easy to use. For the first time SG has made a plugin which will work in any hosting. So hats off to them! I highly recommend this plugin to anyone who is looking to quickly and easily increase WordPress performance.
I really hope that this post has helped you regarding SiteGround Security plugin. If you have any queries or suggestions, then please contact me.
