Siteground’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise
SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their description by claiming that you can “bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots.” One of the bullet pointed features is described as Advanced XSS Protection, which they say will “fortify your website against malicious attacks”. What that actually does is not explained anywhere else in the description, but further checking showed that it isn’t offering protection, much less advanced protection.
On the plugin’s admin page where the feature can be enabled, the text suggests that the feature adds extra HTTP headers to the pages the website serves. The description reads: “Enabling this option will add extra headers to your site for protection against XSS attacks.” That still doesn’t say which headers are added or what they do.
XSS refers to cross-site scripting, a type of vulnerability in which an attacker is able to cause malicious JavaScript code to run on a web page in a visitor’s browser.
As we tested things out further, we found a significant limitation on what they are offering: it only applies to frontend pages of the website. A lot of the risk of XSS would be on admin pages of the website, which makes that an odd choice.
On frontend pages we found it adds the two following security headers:
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
The X-XSS-Protection header instructed web browsers to enable their built-in XSS filter. Or it did when browsers still had such a filter; they no longer do. Even when they had one, it was already enabled by default, so the header never changed anything. This header doesn’t seem to serve any purpose.
The other header, X-Content-Type-Options, set to nosniff, is used to prevent MIME sniffing. You don’t need to know what that is, but it doesn’t look to have any impact on practical XSS attacks against WordPress websites.
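A practical way to check what a plugin like this actually sends is to fetch the frontend and admin pages and audit the XSS-related response headers, rather than trusting the plugin’s description. The following is an added example written for this post; it is not code from the plugin or from SiteGround. It treats the two headers discussed above as non-protective (X-XSS-Protection is ignored by current browsers, X-Content-Type-Options only affects MIME sniffing) and only counts a Content-Security-Policy whose script-src does not allow 'unsafe-inline' as something that constrains injected script. The sample header sets at the bottom are constructed, modelled on what the post reports (two headers on the frontend, none on admin pages); the paths in audit_site are the standard WordPress frontend, admin and login URLs.

```python
import urllib.request

# Headers the plugin sends that do not stop XSS in practice (see the post above).
NON_PROTECTIVE = {
    "x-xss-protection": "browser XSS filters have been removed; header is ignored",
    "x-content-type-options": "only blocks MIME sniffing; does not stop script injection",
}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Report which XSS-related headers are present in one response and
    whether any of them actually restricts inline script execution."""
    present = {k.lower(): v for k, v in headers.items()}
    findings = {"present": [], "notes": [], "has_effective_protection": False}

    for name, note in NON_PROTECTIVE.items():
        if name in present:
            findings["present"].append(name)
            findings["notes"].append(f"{name}: {present[name]} ({note})")

    csp = present.get("content-security-policy")
    if csp:
        findings["present"].append("content-security-policy")
        directives = parse_csp(csp)
        # script-src governs scripts; default-src is the fallback when absent.
        script_src = directives.get("script-src")
        if script_src is None:
            script_src = directives.get("default-src")
        if script_src is not None and "'unsafe-inline'" not in script_src:
            findings["has_effective_protection"] = True
        else:
            findings["notes"].append(
                "content-security-policy: present but still allows inline scripts"
            )
    return findings


def fetch_headers(url, timeout=10):
    """Fetch a URL and return its response headers as a plain dict."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def audit_site(base_url, paths=("/", "/wp-admin/", "/wp-login.php")):
    """Audit several paths so frontend/admin differences become visible."""
    base = base_url.rstrip("/")
    return {p: audit_headers(fetch_headers(base + p)) for p in paths}


# Constructed sample responses (not captured from any real site), shaped like
# what the post describes: two headers on the frontend, none on admin pages.
SAMPLE_FRONTEND = {
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}
SAMPLE_ADMIN = {"Content-Type": "text/html; charset=UTF-8"}

if __name__ == "__main__":
    for label, hdrs in (("frontend", SAMPLE_FRONTEND), ("admin", SAMPLE_ADMIN)):
        print(label, audit_headers(hdrs))
```

Run against a live site with audit_site("https://example.test"); the admin paths will usually redirect to the login page, which urllib follows, so the headers reported are those of the page the browser would actually receive.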
Calling this advanced protection seems more than misleading; calling it protection at all is difficult to argue for. The dishonesty is made worse by the fact that other WordPress security plugins do provide protection against this type of attack.
Other Plugins Provide Real XSS Protection
While Security Optimizer won’t stop XSS attacks, other WordPress security plugins provide varying levels of protection. They do this by detecting the payload of XSS attacks in incoming requests and blocking requests that include them. We ran tests against two different vulnerabilities of this type in March. In one test we found that four plugins provided protection, and in the other eight did. Notably, many of those plugins are much less popular than SiteGround’s plugin.
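To make the difference concrete, here is the request-inspection approach those plugins take, as an added example written for this post; it is not code from any of the plugins tested, and its rule list is a deliberately small illustration rather than a complete ruleset. It normalises each request parameter (repeated URL decoding, then HTML entity decoding, so stacked encodings don’t slip past a naive string match) and then checks it against a handful of patterns typical of script injection. The inputs in the usage section are constructed test strings; the parameter name s mirrors WordPress’s search parameter, which is a common reflection point.

```python
import html
import re
import urllib.parse

# A minimal set of indicators for script injection. A production filter
# needs far more care about both coverage and false positives.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*\w+[^>]*\son\w+\s*=", re.I),  # inline event handler attribute
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
]


def normalize(value, rounds=3):
    """Undo stacked encodings: URL-decode until stable (bounded), then
    decode HTML entities, so the matcher sees what the browser would."""
    decoded = value
    for _ in range(rounds):
        nxt = urllib.parse.unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return html.unescape(decoded)


def find_xss_indicators(params):
    """Return (parameter name, pattern) pairs for every indicator hit in a
    mapping of request parameters; an empty list means nothing matched."""
    hits = []
    for name, raw in params.items():
        value = normalize(raw)
        for pat in XSS_PATTERNS:
            if pat.search(value):
                hits.append((name, pat.pattern))
    return hits


def should_block(params):
    """Blocking decision for one request's parameters."""
    return bool(find_xss_indicators(params))


def inspect_request(query_string):
    """Parse a raw query string the way a plugin hooked into the request
    lifecycle would see it, and return the decision plus the evidence."""
    params = dict(urllib.parse.parse_qsl(query_string, keep_blank_values=True))
    hits = find_xss_indicators(params)
    return {"blocked": bool(hits), "hits": hits}


if __name__ == "__main__":
    # Constructed inputs: one benign search, one plainly injected tag.
    print(inspect_request("s=wordpress+security+headers"))
    print(inspect_request("s=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"))
```

The decoding loop is the part worth noting: a filter that only looks at the raw query string misses a payload that has been URL-encoded twice, while one that decodes without a bound can be made to spend unbounded time. Bounding the rounds and stopping once the value is stable handles both.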
More broadly, other WordPress security plugins provide protection against various types of attacks, which is something this plugin lacks. While the developer says those things are handled at the server level (which isn’t always true), server-level security lacks the ability to stop a lot of attacks that a well-developed security plugin can. SiteGround claims their “plugin provides everything you need to secure your website”, despite lacking that protection.
Brute Force Attacks Are Not Happening
It is also important to note that SiteGround is promoting this plugin as protecting against brute force attacks. That is despite those not happening. That is the second popular security plugin we have looked at this week that is prominently claiming to protect against those despite them not happening. Like the other plugin, this plugin lacks protection against the real threat of exploitation of vulnerabilities in other plugins, despite it being a real threat that plugins can provide some protection against.