4 Jan 2024

Effective WordPress Security Plugins Can Not Be Replaced With Something You Can Do Manually

Recently, we looked at one inaccurate recommendation by a major web host, SiteGround, suggesting that you shouldn’t use WordPress security plugins that can actually protect against vulnerabilities. Along those same lines, they have some troubling advice when it comes to whether you need a security plugin. They wrote this:

The answer depends on whether you’re willing to put in the work to secure your site manually. If you’re on board with that idea, then no. If you don’t feel like you can put in the work to secure your WordPress manually, then yes, installing an all-in-one security plugin [Read more]

22 Dec 2023

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their response to our findings, we ran across troubling advice that SiteGround is giving. In response to the question of whether the plugin is compatible with Wordfence Security, they responded this way:

The Security Optimizer was created both with securing and performance in mind from the start. Running two security plugins will simply slow down your website. [Read more]

21 Dec 2023

SiteGround’s Response to Their WordPress Plugins’ Tracking in Violation of WordPress Guidelines is to Continue Doing It

Last Friday, we noted that a major web host, SiteGround, was using their two 1+ million install WordPress plugins to collect data on the websites using them without consent, in violation of the guidelines of the WordPress Plugin Directory. On Monday, we noted that they also appeared to be inadvertently tracking users of the plugins, also in violation of those guidelines. We reached out to the team running the plugin directory on Friday about the first issue, but have yet to hear back from them, and no change has been made. SiteGround has responded to part of the second issue, saying they will continue to do things in a way that causes unnecessary tracking and is in clear violation of the guidelines.

Making the situation a lot more problematic is, as we noted previously, that SiteGround sponsors one of the team reps for the team running the plugin directory. We reached out to that team rep about this on Twitter (X), but have gotten no response from them. At best, SiteGround is being allowed to sponsor a team member while not bothering to adhere to the guidelines of the plugin directory with their own plugins. [Read more]

18 Dec 2023

SiteGround’s 1+ Million Install WordPress Plugins Also Contain Apparently Inadvertent Tracking

On Friday, we noted that the web host SiteGround’s 1+ million install WordPress plugins Security Optimizer and Speed Optimizer are collecting a lot of website data from those installing the plugins without consent. That is in violation of the guidelines of the WordPress Plugin Directory. SiteGround sponsors one of the team reps for the team running that directory. It turns out SiteGround is doing more tracking in those plugins. That tracking looks to be inadvertent, but it is also in violation of the guidelines.

Guideline 7, “Plugins may not track users without their consent.”, mentions as an example of a violation, “Offloading assets (including images and scripts) that are unrelated to a service.” Someone going by the handle JCV posted on the support forum for Security Optimizer that some of the plugin’s “fonts or pics are externally hosted.” We confirmed that was the case, and that is unrelated to a service, so it is a clear violation of the guidelines. It also occurs with Speed Optimizer. [Read more]

18 Dec 2023

Developer of 1+ Million Install Security WordPress Plugin Lacks Conceptual or Practical Understanding of WordPress Security

Two weeks ago we looked at how a feature of web host SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. Their response to that went a long way toward explaining how that could happen, as they seem to lack a basic understanding of security when it comes to WordPress websites. That is a significant problem when their plugin is used on at least one million websites.

One of the problems we identified with what they called Advanced XSS Protection in their plugin is that it only applies to frontend pages of the website. Here is the beginning of SiteGround’s response to that: [Read more]

15 Dec 2023

Two 1+ Million WordPress Plugins From SiteGround, Sponsor of Plugin Review Team Rep, Collecting Website Data Without Consent

Guideline 7 of the WordPress Plugin Directory’s Detailed Plugin Guidelines, “Plugins may not track users without their consent”, states that an example of a violation would be “Automated collection of user data without explicit confirmation from the user.” Two 1+ million install plugins publicly state, right on the Plugin Directory, that they do exactly that. The first is Security Optimizer, which states at the end of its description:

Data Collection [Read more]

14 Dec 2023

SiteGround Labels Their WordPress Security Plugin as Web Application Firewall (WAF) Despite Not Having One

When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back into the directory despite not having come close to properly resolving a serious security vulnerability that hackers were likely targeting. That is the kind of thing that would likely lead more in the WordPress community to look for security plugins to help protect them. In looking recently into how some popular WordPress security plugins are being marketed in WordPress’ plugin directory, we saw that developers are often making efficacy claims that are far from reality, and making them without presenting any evidence to back them up. That seems like something WordPress could handle better, by requiring evidence to back up any efficacy claims made about those plugins on the plugin directory.

One of the plugins that we looked at, which is marketed as delivering more than it does, is the web host SiteGround’s security plugin. SiteGround recently rebranded that from SiteGround Security to Security Optimizer. As we documented recently, it has what they call Advanced XSS Protection, which doesn’t offer protection, much less advanced protection. Something else we noticed while looking into that plugin is that they have it tagged on the plugin directory as a web application firewall (WAF): [Read more]

30 Nov 2023

SiteGround’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their description by claiming that you can “bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots.” One of the bullet-pointed features is described as Advanced XSS Protection, which they say will “fortify your website against malicious attacks”. What that actually does is not explained anywhere else in the description, but further checking showed that it isn’t offering protection, much less advanced protection.

On the plugin’s admin page where the feature can be enabled, the feature is described as adding extra headers to the pages the website sends. The description reads: “Enabling this option will add extra headers to your site for protection against XSS attacks.” That still doesn’t provide much information on this. [Read more]
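Claims like “adds extra headers for protection against XSS” can be checked rather than taken on faith, and the check should cover more than the homepage, since the 18 Dec post above notes the feature only applies to frontend pages. The script below is an added example written for this page; it is not code from SiteGround’s plugin or from the original posts. The posts do not say which headers the plugin sends, so the header set it looks for (Content-Security-Policy, X-Content-Type-Options, and the legacy X-XSS-Protection, which current browsers ignore) and the two sample responses are assumptions constructed for the example. It parses raw responses, reports any endpoint that lacks an XSS-related header some other endpoint sends, and inspects the CSP itself, because a policy whose script-src allows 'unsafe-inline' without a nonce or hash still lets an injected inline script run.

```python
"""Check XSS-related response headers for consistency across endpoints.

Added example for this page; not code from SiteGround's plugin or the post.
"""
from __future__ import annotations

from urllib.request import Request, urlopen

# Headers browsers actually consult to limit XSS impact. The page does not
# say which headers the plugin adds, so this set is an assumption.
XSS_RELATED_HEADERS = (
    "content-security-policy",
    "x-content-type-options",
    "x-xss-protection",  # legacy; current browsers ignore it
)

# Constructed sample responses (not captured from any real site): the
# frontend page carries headers, the login page does not.
SAMPLE_RESPONSES = {
    "/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "X-Content-Type-Options: nosniff\r\n"
        "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
        "\r\n"
        "<!doctype html><html>...</html>"
    ),
    "/wp-login.php": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/\r\n"
        "\r\n"
        "<!doctype html><html>...</html>"
    ),
}


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse status line + headers of a raw HTTP response into a dict with
    lower-cased names. Stops at the blank line that starts the body."""
    headers: dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def coverage_gaps(raw_responses: dict[str, str]) -> dict[str, list[str]]:
    """For each endpoint, list XSS-related headers it lacks although at least
    one other endpoint sends them. A non-empty list means the 'protection'
    is not applied site-wide (e.g. frontend only)."""
    parsed = {ep: parse_response_headers(raw) for ep, raw in raw_responses.items()}
    present_anywhere = {h for hs in parsed.values() for h in hs if h in XSS_RELATED_HEADERS}
    return {ep: sorted(h for h in present_anywhere if h not in hs) for ep, hs in parsed.items()}


def csp_permits_inline_script(csp: str) -> bool:
    """True if the policy would still let an injected <script> block run:
    no script-src/default-src at all, or 'unsafe-inline' without a nonce or
    hash (a nonce or hash makes browsers ignore 'unsafe-inline')."""
    directives: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def fetch_raw_headers(url: str) -> str:
    """Fetch a live URL and return its status line + headers in the raw form
    the functions above expect. Network access; not used by the sample run."""
    with urlopen(Request(url, method="GET"), timeout=10) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        return status + "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()) + "\r\n"


if __name__ == "__main__":
    for endpoint, missing in coverage_gaps(SAMPLE_RESPONSES).items():
        print(f"{endpoint}: missing {missing or 'nothing'}")
    csp = parse_response_headers(SAMPLE_RESPONSES["/"]).get("content-security-policy", "")
    print("frontend CSP still permits inline script:", csp_permits_inline_script(csp))
```

Against the constructed sample, the login page is reported as missing both headers the frontend sends, and the frontend’s own CSP is flagged because 'unsafe-inline' with no nonce or hash leaves inline injection unblocked. To run it against a real site, feed `fetch_raw_headers()` output for a frontend page, `/wp-login.php`, and an authenticated `/wp-admin/` page (the session cookie would have to be added to the request) into `coverage_gaps()`.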

15 Mar 2023

A Web Host’s ModSecurity WAF Probably Isn’t a Reliable Source of Protection for Your WordPress Website

When it comes to security solutions for WordPress websites, the results of testing we do to see if security plugins provide protection against real vulnerabilities in WordPress plugins are a strong indication that people are not choosing security solutions based on how much protection they offer, considering how few provide protection. In our latest test, only a quarter of the plugins tested provided protection against a widely exploited vulnerability. Almost all the most popular plugins tested didn’t provide protection. If people are not considering the protection plugins offer, they almost certainly are not considering the unnecessary problems they can cause. What we have seen over the years is that this is a missed opportunity, as the problems they cause are often a good way to assess whether they are a good option.

Yesterday, we touched on an example of that where the response from the developer of the Wordfence security plugin to incorrectly blocking contact form submissions was to suggest disabling a core protection that their firewall offers. So there is a problem with their firewall’s protection, but they don’t have any interest in getting it fixed. It’s not a great look. [Read more]

16 Jan 2019

Vulnerability Details: Privilege Escalation in SG Optimizer

It probably shouldn’t come as a surprise that a web host that has partnered with the security company Sucuri, which doesn’t seem to understand security, doesn’t really have much concern for the security of their customers. Unfortunately, with the poor state of WordPress leadership, it probably isn’t surprising either that said web host is one of three recommended by WordPress, despite the web host’s lack of concern for their customers’ security. The web host is SiteGround, and the plugin is SG Optimizer. [Read more]