SiteGround Security


With carefully selected, easy-to-configure functions, the plugin provides everything you need to secure your website and prevent a number of threats such as brute-force attacks, compromised logins, data leaks, and more.

Login Settings

Here you can use the tools we’ve developed to protect your login page from unauthorized visitors, bots, and other malicious behavior.

Custom Login URL

Change the default login URL to prevent attacks and have an easily memorisable login URL. You can also change the default sign-up URL if you have that option enabled for your website.

You can revert to the default login type by using the following snippet.

// Switch the login URL type back to the WordPress default.
add_action( 'init', 'remove_custom_login_url' );
function remove_custom_login_url() {
    update_option( 'sg_security_login_type', 'default' );
}

Login Access

Login Access allows you to limit access to the login page to specific IPs or a range of IPs to prevent malicious login attempts or brute-force attacks.

If you lock yourself out of your admin panel, you can add the following snippet to your theme’s functions.php, reload the site, and then remove it once you have regained access. Keep in mind that this will also remove all IPs that are allowed to access the login page, so you will need to configure them again:

// Empty the list of IPs allowed to reach the login page.
add_action( 'init', 'remove_login_access_data' );
function remove_login_access_data() {
    update_option( 'sg_login_access', array() );
}

Two-factor Authentication

Two-factor Authentication for Admin User will force all admins to provide a token generated by the Google Authenticator application when logging in.

Disable the “admin” Username

Disabling the “admin” Username ensures that existing users with that username are prompted to change it. It also prevents use of that username, since hackers rely on its existence when performing brute-force attacks.

Limit Login Attempts

With Limit Login Attempts you can specify the number of times users can try to log in with incorrect credentials. If they reach the limit, the IP they are attempting to log in from will be blocked for an hour. If they continue with unsuccessful attempts, they will be restricted for 24 hours, and for 7 days after that.

If you lock yourself out of your admin panel, you can add the following snippet to your theme’s functions.php, reload the site, and then remove it once you have regained access. Keep in mind that this will also remove the unsuccessful attempts block for all IPs:

// Clear the stored unsuccessful login attempts, lifting the block for every IP.
add_action( 'init', 'remove_unsuccessfull_attempts_block' );
function remove_unsuccessfull_attempts_block() {
    update_option( 'sg_security_unsuccessful_login', array() );
}

Site Security

With this toolset you can harden your WordPress application and keep it safe from malware, exploits and other malicious actions.

Lock and Protect System Folders

Lock and Protect System Folders allows you to block any malicious or unauthorized scripts from being executed in your application’s system folders.

Hide WordPress Version

By using Hide WordPress Version you can avoid being marked for mass attacks due to version-specific vulnerabilities.

Disable Themes & Plugins Editor

Disable Themes & Plugins Editor in the WordPress admin to prevent potential coding errors or unauthorized access through the WordPress editor.

Disable XML-RPC

You can disable the XML-RPC protocol, which was recently used in a number of exploits. Keep in mind that disabling it will prevent WordPress from communicating with third-party systems. We recommend using this option unless you specifically need XML-RPC.

Disable RSS and ATOM Feeds

Disable RSS and ATOM feeds to prevent content scraping and specific attacks against your site. We recommend always using this, unless you have users who read your site through RSS readers.

Advanced XSS Protection

By enabling Advanced XSS Protection you can add an extra layer of protection against XSS attacks.

Delete the Default Readme.txt

When you delete the default Readme.txt file, which contains information about your website, you reduce the chances of it ending up on a list of potentially vulnerable sites used by hackers.

Activity Log

Here you can monitor in detail the activity of registered, unknown and blocked visitors. If your site is being hacked, or a user or a plugin has been compromised, you can always use the quick tools to block their future actions.

You can set a custom log lifetime (in days) using the following filter, which we have provided for that purpose.

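// Return the number of days to keep activity log entries.
add_filter( 'sgs_set_activity_log_lifetime', 'set_custom_log_lifetime' );
function set_custom_log_lifetime() {
    return 'your-custom-log-lifetime-in-days'; // Placeholder: replace with the lifetime in days.
}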

Post-Hack Actions

Reinstall All Free Plugins

If your website has been hacked, you can always try to reduce the damage by using Reinstall All Free Plugins. This will reinstall all of your free plugins, reducing the chance of another exploit or the reuse of malicious code.

Log Out All Users

You can log out all users to prevent any further actions by them.

Force Password Reset

Use Force Password Reset to force all users to change their password upon their next login. This will also log out all current users instantly.

WP-CLI Support

In version 1.0.2 we’ve added full WP-CLI support for all plugin options and functionalities.

  • wp sg limit-login-attempts 0|3|5 – limits the login attempts to 3, 5, or 0 in order to disable it
  • wp sg login-access add IP – allows only specific IP(s) to access the backend of the website
  • wp sg login-access list all – lists the whitelisted IP addresses
  • wp sg login-access remove IP – removes IP from the whitelisted ones
  • wp sg login-access remove all – removes all of the whitelisted IP addresses
  • wp sg secure protect-system-folders enable|disable – enables or disables the protect system folders option
  • wp sg secure hide-wordpress-version enable|disable – enables or disables the hide WordPress version option
  • wp sg secure plugins-themes-editor enable|disable – enables or disables plugin and theme editor
  • wp sg secure xml-rpc enable|disable – enables or disables XML-RPC
  • wp sg secure rss-atom-feed enable|disable – enables or disables RSS and ATOM feeds
  • wp sg secure xss-protection enable|disable – enables or disables XSS protection
  • wp sg secure 2fa enable|disable – enables or disables two-factor authentication
  • wp sg secure disable-admin-user enable|disable – enables or disables usage of “admin” as username
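
The commands above combined into a lockout-safe setup script, as an added example that is not part of the plugin or its documentation. It uses only wp sg subcommands from the list; the function names, exit codes, IPv4-only validation and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the plugin's code. Sample IPs in the usage line are
# constructed documentation addresses; replace them with real admin IPs.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: apply_login_allowlist MY_IP IP...
# Refuses to change anything unless MY_IP is valid and among the IPs to add,
# because an allowlist that omits the operator's address locks them out.
apply_login_allowlist() {
    valid_ipv4 "${1:-}" || { echo "invalid operator IP: ${1:-}" >&2; return 2; }
    my_ip=$1; shift
    found=no
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid IP: $ip" >&2; return 2; }
        if [ "$ip" = "$my_ip" ]; then found=yes; fi
    done
    [ "$found" = yes ] || { echo "refusing: $my_ip is not in the list" >&2; return 3; }
    for ip in "$@"; do
        wp sg login-access add "$ip" || return 1
    done
    wp sg login-access list all    # show the resulting allowlist for review
}

# Limit logins to 5 attempts and enable three of the listed hardening options.
apply_baseline() {
    wp sg limit-login-attempts 5 || return 1
    for opt in protect-system-folders hide-wordpress-version xss-protection; do
        wp sg secure "$opt" enable || return 1
    done
}

# Stand-alone use: sh sg-baseline.sh apply 203.0.113.10 203.0.113.10 198.51.100.7
if [ "${1:-}" = apply ]; then
    shift
    apply_login_allowlist "$@" && apply_baseline
fi
```

The first argument after apply is the address you are connecting from; the script exits with status 3 before calling wp if that address is missing from the list that follows.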


  • WordPress 4.7
  • PHP 7.0
  • Working .htaccess file


Automatic Installation

  1. Go to Plugins -> Add New
  2. Search for “SiteGround Security”
  3. Click on the Install button under the SiteGround Security plugin
  4. Once the plugin is installed, click on the Activate plugin link

Manual Installation

  1. Login to the WordPress admin panel and go to Plugins -> Add New
  2. Select the ‘Upload’ menu
  3. Click the ‘Choose File’ button and point your browser to the file you’ve downloaded
  4. Click the ‘Install Now’ button
  5. Go to Plugins -> Installed Plugins and click the ‘Activate’ link under the WordPress SiteGround Security listing


August 2, 2021
This is the most helpful, easiest to use, and least annoying (some security plugins have a lot of pop up messages).
July 31, 2021
If you host your website with SiteGround, this is a breath of fresh air, because it's so easy to use. The default settings are well chosen, except that it shouldn’t disable XML-RPC by default. Some plugins require XML-RPC, notably Jetpack, which a great many installations use. This plugin is not a replacement for a firewall and antimalware. However, if your host is SiteGround, they run this in the background for you, so I found that using this plugin to replace my firewall and anti-malware made my life much simpler.
July 27, 2021
Hosting with SiteGround just got better with this plug-in.
July 15, 2021
This SG Security plugin worked great until I got locked out and had to ask SG Support to let me back in. They did and when I asked what had happened, they said, "I double-checked and our security plugin was asking to access the website with admin account so I disabled it from the File Manager and that worked perfectly." That's funny as I made no changes after I had enabled 2-step Google Authentication. But I didn't get that far because the webpage said - 'The access to that page has been restricted by the administrator of this website.' Now, I'm back to Wordfence only as I have lost trust in the SG Security plugin to work without locking me out again.
July 12, 2021
This is the best approach to what constitutes a solid WordPress security plugin. It has all the important features without hindering the performance of a website. The improvements are significant since switching from Wordfence. And from past experience with products from SG, it will probably get timely and useful updates over time as well. Highly recommended

Contributors & Developers

“SiteGround Security” is open source software. The people who contributed to the development of this plugin are listed below.


“SiteGround Security” has been translated into 6 languages. Thank you to the translators for their contributions.


Changelog

Version 1.1.0

Release Date: July 27th, 2021

  • NEW! Added 2FA backup codes to the profile edit page
  • NEW! Custom login and registration URLs
  • NEW! Added automatic HSTS headers generation
  • Improved Disable common usernames functionality
  • Improved Mass Logout Service
  • Improved Activity Logging and added custom labeling
  • Improved Password Reset functionality

Version 1.0.3

  • Fixed rating box bug on safari
  • Improved RSS & ATOM Feed Disabler service

Version 1.0.2

  • Added filter to configure log lifetime
  • Added WP CLI support
  • Improved strings

Version 1.0.1

  • Added defaults on install
  • Improved translation support
  • Added cleanup on uninstall

Version 1.0.0

  • First stable release.

Version 0.1

  • Initial release.