SiteGround Security

Description

With the carefully selected and easy to configure functions the SiteGround Security plugin provides everything you need to secure your website and prevent a number of threats such as brute-force attacks, compromised login, data leaks, and more.

Login Settings

Here you can use the tools we’ve developed to protect your login page from unauthorized visitors, bots, and other malicious behavior.

Custom Login URL

Change the default login url to prevent attacks and have an easily memorisable login URL. You can also change the default sign-up url if you have that option enabled for your website.

Important!
You can revert to the default login type by using the following snippet.

add_action( 'init', 'remove_custom_login_url' );
function remove_custom_login_url() {
    update_option( 'sg_security_login_type', 'default' );
}

Login Access

Login Access allows you to limit the access of the login page to a specific IP’s or a range of IP’s to prevent malicious login attempts or brute-force attacks.

Important!
If you lock yourself out of your admin panel, you can add the following option to your theme’s function.php, reload the site and then remove it once you have gained access. Keep in mind that this will also remove all IP’s that are allowed to access the login page and a re-configuration will be needed:

add_action( 'init', 'remove_login_access_data' );
function remove_login_access_data() {
    update_option( 'sg_login_access', array() );
}

Two-factor Authentication

Two-factor Authentication for Admin User will force all admins to provide a token, generated from the Google Authentication application when logging in.

Important!
You can force other roles to use the Two-Factor authentication as well. Once enabled, you can add your filter as the following.

add_filter( 'sg_security_2fa_roles', 'add_user_roles_to_2fa' );
function add_user_roles_to_2fa( $roles ) {
    $roles[] = 'your_role';
    return $roles;
}

Disable Common Usernames

Using common usernames like ‘admin’ is a security threat that often results in unauthorised access. By enabling this option we will disable the creation of common usernames and if you already have one ore more users with a weak username, we’ll ask you to provide new one(s).

Limit Login Attempts

With Limit Login Attempts you can specify the number of times users can try to log in with incorrect credentials. If they reach a specific limit, the IP they are attempting to log from will be blocked for an hour. If they continue with unsuccessful attempts, they will be restricted for 24 hours and 7 days after that.

Important!
If you lock yourself out of your admin panel, you can add the following option to your theme’s function.php, reload the site and then remove it once you have gained access. Keep in mind that this will also remove the unsuccessful attempts block for all IP’s:

add_action( 'init', 'remove_unsuccessfull_attempts_block' );
function remove_unsuccessfull_attempts_block() {
    update_option( 'sg_security_unsuccessful_login', array() );
}

Site Security

With this toolset you can harden your WordPress аpplication and keep it safe from malware, exploits and other malicious actions.

Lock and Protect System Folders

Lock and Protect System Folders allows you to block any malicious or unauthorized scripts to be executed in your applications system folders.

Hide WordPress Version

When using Hide WordPress Version you can avoid being marked for mass attacks due to version specific vulnerabilities.

Disable Themes & Plugins Editor

Disable Themes & Plugins Editor in the WordPress admin to prevent potential coding errors or unauthorized access through the WordPress editor.

Disable XML-RPC

You can Disable XML-RPC protocol which was recently used in a number of exploits. Keep in mind that when disabled, it will prevent WordPress from communicating with third-party systems. We recommend using this, unless you specifically need it.

Force HTTP Strict-Transport-Security (HSTS)

HSTS (HTTP Strict-Transport-Security) is a response header. It allows the website to tell browsers that it should only be accessed using HTTPS, instead of using HTTP. Тhis prevents “man-in-the-middle” attacks and ensures that regular visitors will redirected to the secure version of the website.

Disable RSS and ATOM Feeds

Disable RSS and ATOM Feeds to prevent content scraping and specific attacks against your site. It’s recommended to use this at all times, unless you have readers using your site via RSS readers.

Advanced XSS Protection

By enabling Advanced XSS Protection you can add an additional layer of protection against XSS attacks.

Delete the Default Readme.txt

When you Delete the Default Readme.txt which contains information about your website, you reduce the chances of it ending in a potentially vulnerable sites list, used by hackers.

Activity Log

Here you can monitor in detail the activity of registered, unknown and blocked visitors. If your site is being hacked, a user or a plugin was compromised, you can always use the quick tools to block their future actions.

Important!
You can set a custom log lifetime ( in days ), using the following filter we have provided for that purpose.

add_filter( 'sgs_set_activity_log_lifetime', 'set_custom_log_lifetime' );
function set_custom_log_lifetime() {
    return 'your-custom-log-lifetime-in-days';
}

Post-Hack Actions

Reinstall All Free Plugins

If your website was hacked, you can always try to reduce the harm by using Reinstall All Free Plugins. This will reinstall all of your free plugins, reducing the chance of another exploit or the re-use of malicious code.

Log Out All Users

You can Log Out All Users to prevent any further actions done by them or use.

Force Password Reset

Force Password Reset to force all users to change their password upon their next login. This will also log-out all current users instantly.

WP-CLI Support

In version 1.0.2 we’ve added full WP-CLI support for all plugin options and functionalities.

  • wp sg limit-login-attempts 0|3|5 – limits the login attempts to 3, 5, or 0 in order to disable it
  • wp sg login-access add IP – allows only specific IP(s) to access the backend of the website
  • wp sg login-access list all – lists the whitelisted IP addresses
  • wp sg login-access remove IP – removes IP from the whitelisted ones
  • wp sg login-access remove all – removes all of the whitelisted IP addresses
  • wp sg secure protect-system-folders enable|disable – enables or disables protects system folders option
  • wp sg secure hide-wordpress-version enable|disable – enables or disables hide WordPress version option
  • wp sg secure plugins-themes-editor enable|disable – enables or disables plugin and theme editor
  • wp sg secure xml-rpc enable|disable – enables or disables XML-RPC
  • wp sg secure rss-atom-feed enable|disable – enables or disables RSS and ATOM feeds
  • wp sg secure xss-protection enable|disable – enables or disables XSS protection
  • wp sg secure 2fa enable|disable – enables or disables two-factor authentication
  • wp sg secure disable-admin-user enable|disable – enables or disables usage of “admin” as username
  • wp sg log ip add|remove|list <name> --ip=<ip> – add/list/remove user defined pingbots listed in the activity log by ip
  • wp sg log ua add|remove|list <name> – add/list/remove user defined bots listed in the activity log by user agent
  • wp sg list log-unknown|log-registered|log-blocked --days=<days> – List specific access log for a specific period
  • wp sg 2fa reset id ID – Resets the 2fa setup for the user ID.

Requirements

  • WordPress 4.7
  • PHP 7.0
  • Working .htaccess file

Installation

Automatic Installation

  1. Go to Plugins -> Add New
  2. Search for “SiteGround Security”
  3. Click on the Install button under the SiteGround Security plugin
  4. Once the plugin is installed, click on the Activate plugin link

Manual Installation

  1. Login to the WordPress admin panel and go to Plugins -> Add New
  2. Select the ‘Upload’ menu
  3. Click the ‘Choose File’ button and point your browser to the sg-security.zip file you’ve downloaded
  4. Click the ‘Install Now’ button
  5. Go to Plugins -> Installed Plugins and click the ‘Activate’ link under the WordPress SiteGround Security listing

Reviews

اپریل 13, 2022
A plugin of great value and easy configuration. Absolutely useful in production eshops and blogs.
اپریل 12, 2022
I don't write many reviews these days, however, fair is fair, and I have been using SiteGround for quite a few years now. I love simple, SiteGround; gives me that, plus a whole lot more. I'm not the most tech-savvy guy around, but I always seem to get the job done with a little help from my friends. This time I wanted to get this new blog I just started secured right from the start and hopefully keep it that way. I have five sites all together right now. I can't handle two dozen and I really wouldn't want to? I did it back in 2011 - 2013 and I made some money, but at the end of the day, all that jumping around for nothing really? Okay, SiteGround Security, I upload the plugin, activate it, go to the settings dashboard and all the settings are black letters on a white background, and all the settings that you need are highlighted over the word recommended so that anyone who doesn't know, should know, if your eyes are open. I just want to add this; I caught myself a few weeks ago spending money as fast as I was making it, and I stopped myself, and I have made a few changes. I took a good look at my other sites and I decided to keep everything in place except with this newest blog and another affiliate site on electronics I held back on any extra security measures except this SiteGround security plugin which from what I can tell seems to be doing a good job? Now like I said this is a brand new site, and the other site is only about four months old, but I have used this plugin before. As I started out I mentioned that I have been using SiteGround for quite a few years, but the point is that I have used this plugin quite a bit otherwise I wouldn't have taken the time to do this. What goes around, comes around.
اپریل 6, 2022
This message prompts in every sections/page in the plugin, very annoying and wasting the whole effort done in development, the weekly activity report should be off by default
مارچ 5, 2022
It's blocked my access to needed areas of my site I had no choice over it being installed and now even after turning those options off in the plugin they still aren't coming back this is totally infuriating
Read all 55 reviews

Contributors & Developers

“SiteGround Security” is open source software. The following people have contributed to this plugin.

Contributors

“SiteGround Security” has been translated into 7 locales. Thank you to the translators for their contributions.

Translate “SiteGround Security” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

Version 1.2.8

Release Date: May 18th, 2022

  • Improved plugin security

Version 1.2.7

Release Date: April 8th, 2022

  • Minor bug fixes

Version 1.2.6

Release Date: April 7th, 2022

  • 2FA Refactoring

Version 1.2.5

Release Date: April 6th, 2022

  • 2FA Authentication refactoring
  • Improved Weekly Emails
  • HSTS service deprecated

Version 1.2.4

Release Date: March 16th, 2022

  • Improved Weekly Emails
  • Improved Woocommerce Payments plugin support
  • 2FA Authentication Security Strengthening

Version 1.2.3

Release Date: March 11th, 2022

  • 2FA Authentication Security Strengthening

Version 1.2.2

Release Date: March 11th, 2022

  • 2FA Authentication Security Strengthening

Version 1.2.1

Release Date: March 9th, 2022

  • Improved Weekly reports
  • Improved HTTP Headers service
  • Code Refactoring

Version 1.2.0

Release Date: February 28th, 2022

  • NEW – Weekly Reports
  • Code Refactoring and General Improvements
  • Improved 2FA user role support
  • Improved error handling
  • Improved Limit Login IP Range support
  • Improved Event log
  • Improved Phlox theme support
  • Minor fixes
  • Improved WP-CLI support
  • Environment data collection consent added

Version 1.1.3

Release Date: October 1st, 2021
* Improved Hide WP version functionality

Version 1.1.2

Release Date: August 20th, 2021
* Improved Custom Login URL functionality
* Improved 2FA
* Improved success/error messages

Version 1.1.1

Release Date: August 12th, 2021
* Improved 2FA
* Improved logout functionality

Version 1.1.0

Release Date: July 27th, 2021
* NEW! Added 2FA backup codes to the profile edit page
* NEW! Custom login and registration URLs
* NEW! Added automatic HSTS headers generation
* Improved Disable common usernames functionality
* Improved Mass Logout Service
* Improved Activity Logging and added custom labeling
* Improved Password Reset functionality

Version 1.0.4

  • Improved Limit Login Attempts

Version 1.0.3

  • Fixed rating box bug on safari
  • Improved RSS & ATOM Feed Disabler service

Version 1.0.2

  • Added filter to configure log lifetime
  • Added WP CLI support
  • Improved strings

Version 1.0.1

  • Added defaults on install
  • Improved translation support
  • Added cleanup on uninstall

Version 1.0.0

  • First stable release.

Version 0.1

  • Initial release.