22 Dec 2023

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their response to our findings, we ran across troubling advice that SiteGround is giving. In response to the question of whether the plugin is compatible with Wordfence Security, they responded this way:

The Security Optimizer was created both with securing and performance in mind from the start. Running two security plugins will simply slow down your website. [Read more]

21 Dec 2023

SiteGround’s Response to Their WordPress Plugins’ Tracking in Violation of WordPress Guidelines is to Continue Doing It

Last Friday, we noted that a major web host, SiteGround, was using their two 1+ million install WordPress plugins to collect data on websites using them in violation of the guidelines of the WordPress Plugin Directory by doing that without consent. On Monday, we noted that they also appeared to be inadvertently tracking users of the plugins, also in violation of those guidelines. We reached out to the team running the plugin directory on Friday about the first issue, but have yet to hear back from them and no change has been made. SiteGround has responded to part of the second issue, saying they will continue to do things in a way that causes unnecessary tracking and is in clear violation of the guidelines.

Making the situation a lot more problematic is, as we noted previously, that SiteGround sponsors one of the team reps for the team running the plugin directory. We reached out to that team rep about this on Twitter (X), but have gotten no response from them. At best, SiteGround is being allowed to sponsor a team member while not bothering to adhere to the guidelines of the plugin directory with their own plugins. [Read more]

6 Dec 2023

WordPress Security Optimizer Firewall Review: It Doesn’t Actually Contain One

Recently SiteGround rebranded their SiteGround Security plugin as Security Optimizer. Along with that new name came new marketing. While the new marketing text for it on the WordPress Plugin Directory doesn’t mention that it contains a firewall, it wouldn’t be possible to offer the claimed protection without one. It is claimed that with it you can “bulletproof your website security in a few clicks” and that it provides “Advanced XSS Protection to fortify your website against malicious attacks.” As we found last week, that Advanced XSS Protection doesn’t even provide protection, much less does it provide the level of XSS protection provided by various plugins that contain firewalls. It also claims that it will “proactively monitor your site’s security to detect any suspicious activity,” which would also require a firewall if it truly detected any suspicious activity.

In testing going back years, the plugin has failed to provide protection against any vulnerabilities in other plugins, despite other options providing protection in at least some of the tests. The reason for that is simple: it doesn’t actually contain a firewall. Despite that, on the WordPress Plugin Directory SiteGround tagged it as a “firewall” and a “web application firewall.” [Read more]

30 Nov 2023

SiteGround’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their description by claiming that you can “bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots.” One of the bullet-pointed features is described as Advanced XSS Protection, which they say will “fortify your website against malicious attacks”. What that actually does is not explained anywhere else in the description, but further checking showed that it isn’t offering protection, much less advanced protection.

On the plugin’s admin page where the feature can be enabled, it is suggested that this feature adds extra HTTP headers to the pages the website sends. The description reads: “Enabling this option will add extra headers to your site for protection against XSS attacks.” That still doesn’t provide much information on what the feature does. [Read more]

27 Jan 2023

Not Really a WordPress Plugin Vulnerability, Week of January 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ SQLi in Website File Changes Monitor

Automattic’s WPScan claimed there had been an admin+ SQLi vulnerability in the plugin Website File Changes Monitor. They explained it this way: [Read more]