• Resolved markmacallister

    (@markmacallister)


    Folks:

    SiteGround hosting services recently released its “Siteground Security Plugin.” It doesn’t appear to have auto-installed on my sites yet but, in any event, I asked SiteGround directly if their plugin would be compatible with my current WordFence setup. Their reply is, basically, “You don’t need WordFence anymore because the SiteGround plugin will handle your security.”

    I am dubious of this to say the least. Have you had a chance to look at the SG security plugin and to evaluate it against WordFence for both compatibility and performance?

    Thanks.

    Mark MacAllister


Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support WFAdam

    (@wfadam)

    Hello @markmacallister and thanks for reaching out to us!

    At Wordfence, we are always excited when hosting companies focus on security. The announcement from SiteGround about their new plugin is no exception. We have received several requests to look at it closer, so we installed it on a test site to take a deeper look.

    Please note that I am comparing the free version of Wordfence with this plugin when I make a comparison to be fair. The features in Wordfence Premium go beyond what SiteGround’s plugin can offer. Overall, this is a great small step in the right direction; however, many of the features provided are feel-good security options without any substantive protection.

    The SG-Security plugin takes a simplistic approach to security. The interface is very clean and easy to read, too. For users without much technical know-how, this will be an attractive offering. The options are broken down into different pages to make it easy for users to find what they are looking for, for the most part. These pages are named Dashboard, Site Security, Login Security, Activity Log, and Post-Hack Actions.

    The Dashboard page is a little like the Wordfence Dashboard page. It shows a summary of recent activity, lets you know if you have updates that need to be done (by clicking a button that takes you to your blog’s update page), and has links to the Site Security and Login Security pages.

    The Site Security page has options that are fairly easy fixes, like removing your Readme.html file that comes in WordPress. You can also disable the theme and plugin editors, hide the WordPress version, Disable XML-RPC, Disable RSS and ATOM feeds, and enable “Advanced XSS Protection” to protect the site from common cross-site scripting attempts. It’s important to note that these are not done using a firewall. XSS protection and disabling XML-RPC are done by adding code to the .htaccess file, something we try to avoid doing since what may look like a simple change could unwittingly break the entire site.

    The Login Security page has features for two-factor authentication and the ability to Limit Login Attempts, both of which are available in the free Wordfence plugin. The two nice features are the ability to lock down logins to certain IPs, and a feature that will force a name change if you are using the standard ‘admin’ username that WordPress uses.

    Following the same simplistic approach, the Activity Log page is like Wordfence’s Live Traffic page without as much detail about where the visits came from, what the User-Agent was, etc. It does log registered user actions like adding a post, enabling a plugin, etc.

    The Post-Hack page gives you three choices. You can reinstall all free plugins on the site, force all users on the site to change their password, and you can log everyone out immediately. These are obviously not the only things you would want to do after you got hacked, but they are a small step in the right direction.

    The things in the plugin that make it more of a feel-good option and less of a serious security suite include:
    * No web application firewall. The lack of a proper Web Application Firewall. XSS (Cross-Site Scripting) attacks are only a small portion of the number of malicious exploits tried on sites. Trying to prevent them with .htaccess code isn’t going to catch the wide array of attacks that the Wordfence firewall protects against.
    * No malware scanner. With no scanner to detect changed plugins and themes, this plugin misses out on a huge opportunity to catch a compromise when it first happens. If a hacker steals your FTP or cPanel credentials and adds malicious code to the file, it does not appear that the SG-Security plugin will detect this malicious activity since it is done outside of WordPress and at the server level. Wordfence scans for many specific malware threats that attackers are actively using. Backed by our threat intelligence team, the Wordfence scanner is the best in the WordPress space.
    * No Rate Limiting. Limiting bots and scripts to keep them from abusing your bandwidth is a huge part of the feature set Wordfence offers.
    * No cleanup tools. If the worst happens and your site was hacked, Wordfence offers tools to allow you to clean up your site immediately. There’s no way to quickly compare valid files or analyze malware using SiteGround’s plugin.
    * Plugin updating can create issues. Updating a lot of plugins at one time means you could lose the custom code you added which may cause issues on the site or cause the site to crash if one of the updates fails or is incomplete.
    * Logging everyone out of the site or forcing them to change their password works for WordPress users but would not affect a hacker who accessed the site using FTP or cPanel credentials.

    Wordfence is used by over 4 million WordPress site owners across various platforms, hosting providers, and setups. We’ve worked hard to ensure that our customers have all of the tools they need to stay safe, prioritizing by the best WAF available for WordPress, the most robust malware scanner available, and expansive login security tools. Wordfence is backed by the best Threat Intelligence available, and we’re entirely focused on WordPress.

    WordPress Security is all we do. That gives us an unprecedented edge on other security solutions. Wordfence gives you peace of mind and the confidence to know that your site is protected and safe.

    We hope that this has given you a good overview of SiteGround’s offering. Again, we’re thrilled to see this type of security solution available for SiteGround’s customers, and we applaud their efforts.

    Thank you for using Wordfence.

    Hristo Pandjarov

    (@hristo-sg)

    SiteGround Representative

    What a lovely reply 🙂

    Just to add that the “lacking” functionality is intentionally not added to the plugin because they are working on a server level, like bot protection and rate limiting, malware scanner, waf, etc.

    As to the logout functionality it’s just a good way to make sure after you force everyone to change their passwords that there aren’t people logged in. If someone has your FTP password Wordfence won’t help either 🙂

  • The topic ‘SiteGround’s own security plugin’ is closed to new replies.