Enhanced Protection Against WordPress Vulnerabilities with SiteGround Security Plugin Preinstalled
We have recently launched our own WordPress security plugin — SiteGround Security, which aims to protect WordPress users against the most common vulnerabilities plaguing their sites. It is available for anyone to download and use for free, regardless of which hosting platform they use. To make sure that the WordPress sites on our platform are well protected at the application level, however, we have started preinstalling SiteGround Security on all new installations, with some of its features enabled by default.
Default SiteGround Security Settings Against Common WordPress Vulnerabilities
Having your site set up with security in mind from the start can easily protect you against some of the most popular vulnerabilities out there. To help you achieve that goal, when we preinstall the SiteGround Security plugin we enable the following settings:
WordPress Version is Hidden by default
Hackers often crawl websites collecting information about the software versions in use. When a vulnerability is later discovered in one of those versions, that information lets them find and quickly compromise many sites in bulk. For WordPress this data is openly available in two places: in an HTML tag and in the readme.html file.
By default, our plugin removes the HTML tag with the WordPress version and we strongly recommend that you also remove the readme.html file via the option in the SiteGround Security plugin.
Advanced XSS Vulnerability Protection enabled
Cross-site scripting, known as XSS, allows different apps and plugins to access information in your WordPress site that they shouldn’t. Such attacks are often used to gather sensitive user data, for example. By default, the SiteGround Security plugin enables protection against XSS by adding HTTP headers that instruct browsers not to accept injected JavaScript or other code.
Disabled XML-RPC protocol to prevent many vulnerabilities and attacks
XML-RPC is an older protocol that WordPress uses to talk to other systems. It has been used less and less since the introduction of the REST API. However, it remains available in the application, and many attackers use it to exploit vulnerabilities, launch DDoS attacks and cause other trouble. That is why our SiteGround Security plugin disables this open access line to your WordPress application by default.
The Jetpack plugin and the WordPress mobile apps are legitimate users of the XML-RPC protocol. If you download Jetpack at some point, we automatically re-enable the protocol. You can also enable it yourself through the plugin interface.
Option to Disable RSS and ATOM Feeds
Like XML-RPC, feeds are rarely used nowadays, but attackers and bad bots often use them to scrape your site content. The SiteGround Security plugin therefore lets you disable them easily. Unless you really need them, we recommend using this option and disabling them as soon as possible.
Lock and Protect System Folders by default
When a site is exploited, attackers usually try to place and execute PHP files in publicly accessible folders in order to plant backdoors and further compromise your account. By design, those public WordPress folders exist for uploading media content (images, for example). The SiteGround Security plugin does not forbid file uploads, but it stops PHP files and malicious scripts from being executed there and causing problems for your sites. This feature protects those system folders and prevents potentially malicious scripts from being executed from them.
Disabled “Admin” Username
The default username, and the one most widely used by owners of all kinds of applications, is “Admin.” Hackers know that, and when they want to brute-force a login form they will certainly try it. That is why we disable this username by default.
Disabled Themes & Plugins Editor
Editing code through the plugins and themes editor poses direct security risks, both from potential privilege-escalation attacks and from mistakes made by a regular site administrator. If you want to edit your files, it is strongly recommended that you use the File Manager tool in Site Tools, or your preferred editor over FTP or SSH (ideally on a staging copy of your site). To help you avoid bad practices and attacks, we disable the themes & plugins editor by default.
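For readers who want to see what several of the settings described above (hiding the WordPress version, disabling XML-RPC except for Jetpack, disabling feeds, blocking the “admin” username and disabling the code editors) look like in terms of WordPress’s own hooks, here is an added example in the form of a must-use plugin. It is not the SiteGround Security plugin’s code; the file name, the `example_` function names and the `class_exists('Jetpack')` check are assumptions for illustration, and it uses only core WordPress filters and actions.

```php
<?php
/**
 * Plugin Name: Example WordPress Hardening (mu-plugin)
 * Description: Added illustration, not SiteGround Security. Save as wp-content/mu-plugins/example-hardening.php
 */

// Refuse direct requests to this file; WordPress sets ABSPATH when it loads plugins.
defined('ABSPATH') || exit;

// 1. Hide the WordPress version: drop the generator tag from <head> and from feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Disable XML-RPC, but leave it on when Jetpack is active (assumed class name),
//    mirroring the behaviour described in the post.
add_filter('xmlrpc_enabled', function ($enabled) {
    return class_exists('Jetpack') ? $enabled : false;
});

// 3. Disable RSS and Atom feeds: answer every feed route with a 403 instead of content.
function example_disable_feed() {
    wp_die(esc_html__('Feeds are disabled on this site.'), '', array('response' => 403));
}
$example_feed_hooks = array(
    'do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom',
    'do_feed_rss2_comments', 'do_feed_atom_comments',
);
foreach ($example_feed_hooks as $hook) {
    add_action($hook, 'example_disable_feed', 1); // priority 1 runs before core's feed handler
}

// 4. Refuse the "admin" username at registration time...
add_filter('illegal_user_logins', function ($logins) {
    $logins[] = 'admin';
    return $logins;
});
// ...and reject login attempts using it, so guesses never reach the password check.
add_filter('authenticate', function ($user, $username) {
    if (strtolower((string) $username) === 'admin') {
        return new WP_Error('example_username_blocked', __('This username is not allowed.'));
    }
    return $user;
}, 30, 2); // runs after core's username/password checks at priority 20

// 5. Disable the theme and plugin editors in wp-admin (can also go in wp-config.php).
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```

Blocking PHP execution inside the uploads folder is a web-server concern (an Apache or Nginx rule) rather than something a plugin hook can do, so it is not shown here.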