SiteGround is one of the most popular companies for hosting WordPress websites. You can have lightning-speed websites with the Google Cloud platform and a highly optimized caching setup. They also have a SiteGround Security plugin for protecting WordPress sites from malicious attacks. In this article, we will explain how to protect your WordPress site with the SiteGround Security plugin and the various features available.
Why SiteGround Security Plugin?
SiteGround already had a popular SG Optimizer plugin for optimizing speed. That plugin was originally developed only for SiteGround users and subsequently made available for all hosting providers. SiteGround Security is also a generic plugin and you can install it with any WordPress hosting company. You may wonder why you should use SiteGround Security when there are many popular security plugins already, like Wordfence, iThemes Security, etc.
- Unfortunately, there are not many WordPress security plugins offered completely for free. SiteGround Security is a completely free plugin with no upselling of premium features. Though you will see an eBook download link, you do not need to pay for that.
- Many plugins, like the popular free security plugin All In One WordPress Security and Firewall (AIOWPS), need you to understand technical details to use them. SG Security is super easy to set up and you can finish the setup in just a few minutes.
- Good option for SiteGround users to combine with SG Optimizer.
- Features like disabling feeds and the activity monitor are useful to have in a single plugin.
Features of SiteGround Security Plugin
Here are some of the prominent features you will get with the plugin at this point in time.
- Disable WordPress feed to protect your site from unnecessary content stealing.
- Protect login page to prevent brute force attack.
- Monitor activity logs to keep track of things going on your site.
We will explain the complete details in the following sections. Undoubtedly, you will get many other features in future based on our experience with SG Optimizer plugin.
Install SiteGround Security Plugin
As mentioned, you can use the SiteGround Security plugin on any WordPress installation. It is freely available in the WordPress plugin repository and you can install it from the admin panel like any other plugin.
After installing and activating the plugin, go to the “SG Security” section to set up the plugin. The plugin has the following sections where you can navigate and customize different options.
- Dashboard
- Site Security
- Login Security
- Activity Log
- Post-hack Actions
You can simply turn on or off most of the options while some options need additional inputs like adding custom login URL.
Dashboard Section
The dashboard section will show you if there are any pending security actions. For example, you will see a notification if there are pending updates for plugins, themes or core WordPress.
In addition, the dashboard section will show the quick links for managing security and login sections along with recent activities going on in your site.
Site Security
This section offers site level protection options and we recommend enabling all these options for improved security.
- Lock and protect system folders – this helps to prevent unauthorized access of core WordPress and hosting files.
- Hide WordPress version – WordPress by default shows the version you use in the header section of your pages using a meta tag. Using this setting, you can easily disable the generator meta tag in the header section to remove WordPress version. This will help to protect your site especially when you are using older WordPress versions due to any other compatibility reasons.
- Disable themes & plugins editor – you can access the theme and plugin files from the admin panel by navigating to “Appearance > Theme Editor” and “Plugins > Plugin Editor” respectively. If you have mistakenly given admin panel access to someone, they can easily edit your theme and plugin files using these editors. Therefore, it is a good idea to disable them, especially when you manage your WordPress blog with multiple authors.
- Disable XML-RPC – XML-RPC is a data transmission mechanism WordPress follows to connect third-party applications. This is the most popular way to exploit WordPress websites and you can disable it using this option.
- Force HSTS – use this to force browsers to use the HTTPS protocol instead. This option is removed in the latest plugin version; you can force HTTPS in the SG Optimizer plugin.
- Disable feeds – if you are not using a feed reader, then disable all WordPress RSS and ATOM feeds using this option. The plugin will redirect the feed pages to the parent page when this option is enabled.
- XSS protection – add additional headers to protect your site from XSS attacks.
- Delete readme.html file – this will delete the default readme.html file that you can view on the browser.
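To confirm that these toggles actually took effect, you can check what the site returns from the outside. The following is an added example, not code from the plugin or from SiteGround: it audits responses you have already captured with any HTTP client. The sample responses, the example.com URL, the version number and the rule that a 200 or 405 status means xmlrpc.php is reachable are assumptions made for illustration.

```python
import re

# Matches the generator meta tag that WordPress prints in the page header.
GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s*([\d.]*)',
    re.IGNORECASE,
)

# Constructed sample: responses from a hypothetical site, path -> (status, headers, body).
SAMPLE = {
    "/": (200, {}, '<head><meta name="generator" content="WordPress 5.8.1" /></head>'),
    "/readme.html": (404, {}, ""),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/feed/": (301, {"Location": "https://example.com/"}, ""),
}


def audit(responses):
    """Return {setting: finding or None}; None means the setting appears to be in effect."""
    findings = {}

    _, _, body = responses["/"]
    match = GENERATOR_RE.search(body)
    findings["hide_version"] = (
        f"generator tag exposes WordPress {match.group(1)}" if match else None
    )

    status, _, _ = responses["/readme.html"]
    findings["delete_readme"] = "readme.html is still served" if status == 200 else None

    # Assumption: stock WordPress answers a GET to xmlrpc.php with 405, so 200 or 405
    # means the endpoint is still reachable; any other status is treated as blocked.
    status, _, _ = responses["/xmlrpc.php"]
    findings["disable_xmlrpc"] = "xmlrpc.php is reachable" if status in (200, 405) else None

    # The article says feed URLs are redirected to the parent page when feeds are disabled.
    status, headers, _ = responses["/feed/"]
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    redirected = 300 <= status < 400 and "/feed" not in location
    findings["disable_feeds"] = None if redirected else "feed is still served"
    return findings


if __name__ == "__main__":
    for setting, finding in audit(SAMPLE).items():
        print(f"{setting}: {finding or 'ok'}")
```
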
Login Security
Under this section, you can protect your login page from malicious attacks. As WordPress comes with a common login URL, you can use these options to safeguard your site.
- Change login URL to disable the default wp-login.php and /wp-admin/ access from the browser frontend.
- Whitelist IP address for login access.
- Enable two-factor authentication to add additional security layer for login to your site.
- Disable commonly used names as usernames like admin.
- Limit the number of login attempts to stop automatic bots trying to login to your site with random combination of username and password.
In order to change the login URL, click on the “Configure” button against that option. On the pop-up that appears, click on the “Custom” option and enter the slug of your login page. Click “Confirm” button to save your changes and you can use the custom login URL from next time onwards.
Similarly, you can manage login access by whitelisting your IP address against “Login Access” section.
Activity Log
SiteGround Plugin will automatically record all live activities on your site. Activities include accessing the page, posting a comment, installing a plugin, etc. You can disable logging under “Log Settings” tab and set the number of days to retain the log in database if you enable this option.
- Get the details of whether the user is a bot or human.
- You can view the timestamp, IP address and page URL visited.
- See the HTTP response code from your server. Using this you can monitor 404 events and setup redirects accordingly.
- You can click on the actions button and view all traffic from that particular IP address.
- Similarly, you can block the IP address if you suspect something is going wrong from that IP address.
You can also get a weekly report in email to any specific address mentioned under “Weekly Reports” tab.
Post-Hack Actions
The plugin also offers some post-hack recovery options that you can use after recovering the site from an attack.
- Restore all previously installed free plugins from WordPress repository.
- Force all users to log out and force password reset.
The SG Security plugin supports WP-CLI for major functions. You can use this command-line interface to change parameters, such as toggling options, without going to the admin panel settings.
Problems with SiteGround Security
The plugin is easy to set up and starts protecting your site from the moment you activate it. However, here are some points you need to remember when using the SiteGround Security plugin.
- The plugin will be pre-installed on all WordPress installations with SiteGround hosting. This may annoy you when you want to use any other plugin. It is always a good idea to give an option to users instead of forcing them to use a generic plugin.
- The plugin will create log entries in two database tables – wp_sgs_log_events and wp_sgs_log_visitors. If you find these tables are growing in size, make sure to reduce the number of days to keep the log under “SG Security > Activity Log > Log Settings” section.
- There are a lot of missing security options that you can get with other free plugins.
Customizing SiteGround Security Plugin
As with any security plugin, you may face certain problems with the SiteGround Security plugin too. Fortunately, here are the code snippets you can use to resolve those problems. You can add a snippet to your theme’s functions.php file using FTP or the File Manager app from your hosting account.
Use the below code if you are logged out due to custom login URL.
// Switch the login URL back to the WordPress default.
// Remove this snippet once you can log in again; while it is present, the option is reset on every request.
add_action( 'init', 'remove_custom_login_url' );
function remove_custom_login_url() {
    update_option( 'sg_security_login_type', 'default' );
}
If you are logged out when whitelisting IPs with login access option:
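// Clear the list of IP addresses allowed to log in.
// Remove this snippet once you can log in again; while it is present, the list is emptied on every request.
add_action( 'init', 'remove_login_access_data' );
function remove_login_access_data() {
    update_option( 'sg_login_access', array() );
}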
Use the below code when having trouble with limit login attempts function.
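// Clear the stored unsuccessful login attempts that are blocking you.
// Remove this snippet once you can log in again; while it is present, the list is emptied on every request.
add_action( 'init', 'remove_unsuccessfull_attempts_block' );
function remove_unsuccessfull_attempts_block() {
    update_option( 'sg_security_unsuccessful_login', array() );
}
Remember, all these snippets will remove the originally stored settings such as the custom URL, IP addresses and blocked login attempts. This is the way to regain access to your admin panel, and you need to reconfigure these settings once you are in the admin panel. Because each snippet is hooked to init and runs on every page load, remove it from functions.php after you log in; otherwise the setting is reset again as soon as you reconfigure it.
Finally, the plugin by default allows you to set 1 to 12 days for activity logging, which you can change by using the following snippet. The 15 in the code indicates fifteen days of lifetime for the logs, which you can change as per your need.
// Keep activity log entries for 15 days; change the returned value as needed.
add_filter( 'sgs_set_activity_log_lifetime', 'set_custom_log_lifetime' );
function set_custom_log_lifetime() {
    return '15';
}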
Final Words
SiteGround Security is a completely free plugin for protecting your WordPress site. We hope the SiteGround team will not commercialize this plugin or later limit its scope to SiteGround hosting users. If they add additional features like comment spam protection and other optimizations, then the plugin will be super useful.