22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

23 Jan 2024

Security Optimizer vs Wordfence Security

We recently noted that the developer of the 1+ million install WordPress security plugin Security Optimizer, SiteGround, was saying that you shouldn’t use the Wordfence Security plugin and should instead use their plugin. They didn’t cite any evidence that their plugin is more effective. What would be most important to know is whether it does a better job of protecting websites from vulnerabilities in other plugins. We have done just such testing.

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, Security Optimizer provided no protection in any of the tests. Wordfence Security did somewhat better, providing protection in six. The reason why Security Optimizer didn’t provide any protection is that the plugin doesn’t contain a firewall. The developer in some places makes it seem like it does and falsely claims to offer protection that would come from a firewall. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability found in the security plugin WP Cerber Security. The vulnerability was of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

22 Dec 2023

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their response to our findings, we ran across troubling advice that SiteGround is giving. In response to the question of whether the plugin is compatible with Wordfence Security, they responded this way:

The Security Optimizer was created both with securing and performance in mind from the start. Running two security plugins will simply slow down your website. [Read more]

21 Dec 2023

SiteGround’s Response to Their WordPress Plugins’ Tracking in Violation of WordPress Guidelines is to Continue Doing It

Last Friday, we noted that a major web host, SiteGround, was using their two 1+ million install WordPress plugins to collect data on websites using them without consent, in violation of the guidelines of the WordPress Plugin Directory. On Monday, we noted that they also appeared to be inadvertently tracking users of the plugins, also in violation of those guidelines. We reached out to the team running the plugin directory on Friday about the first issue, but have yet to hear back from them, and no change has been made. SiteGround has responded to part of the second issue, saying they will continue to do things in a way that causes unnecessary tracking and is in clear violation of the guidelines.

Making the situation a lot more problematic is, as we noted previously, that SiteGround sponsors one of the team reps for the team running the plugin directory. We reached out to that team rep about this on Twitter (X), but have gotten no response from them. At best, SiteGround is being allowed to sponsor a team member while not bothering to adhere to the guidelines of the plugin directory with their own plugins. [Read more]

18 Dec 2023

SiteGround’s 1+ Million Install WordPress Plugins Also Contain Apparently Inadvertent Tracking

On Friday, we noted that the web host SiteGround’s 1+ million install WordPress plugins Security Optimizer and Speed Optimizer are collecting a lot of website data from those installing the plugins without consent. That is in violation of the guidelines of the WordPress Plugin Directory. SiteGround sponsors one of the team reps for the team running that directory. It turns out SiteGround is doing more tracking in those plugins. This tracking looks to be inadvertent, but it is also in violation of the guidelines.

Guideline 7, “Plugins may not track users without their consent.”, mentions as an example of a violation, “Offloading assets (including images and scripts) that are unrelated to a service.” Someone going by the handle JCV posted on the support forum for Security Optimizer that some of the plugin’s “fonts or pics are externally hosted.” We confirmed that was the case, and that is unrelated to a service, so it is a clear violation of the guidelines. It also occurs with Speed Optimizer. [Read more]

15 Dec 2023

Two 1+ Million WordPress Plugins From SiteGround, Sponsor of Plugin Review Team Rep, Collecting Website Data Without Consent

Guideline 7 of the WordPress Plugin Directory’s Detailed Plugin Guidelines, “Plugins may not track users without their consent”, states that an example of a violation would be “Automated collection of user data without explicit confirmation from the user.” Two 1+ million install plugins publicly state, right on the Plugin Directory, that they do exactly that. The first is Security Optimizer, which states at the end of its description:

Data Collection [Read more]

14 Dec 2023

SiteGround Labels Their WordPress Security Plugin as Web Application Firewall (WAF) Despite Not Having One

When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back into the directory despite not having come close to properly resolving a serious security vulnerability that hackers were likely targeting. That is the kind of thing that would likely lead more in the WordPress community to look for security plugins to help protect them. In looking recently into how some popular WordPress security plugins are being marketed in WordPress’ plugin directory, we saw that developers are often making efficacy claims that are far from reality. They are making those without presenting any evidence to back them up. That seems like something that WordPress could better handle, by requiring evidence to back up any efficacy claims made about those plugins on the plugin directory.

One of the plugins that we looked at, which is being marketed outside of what it delivers, is the web host SiteGround’s security plugin. SiteGround recently rebranded that from SiteGround Security to Security Optimizer. As we documented recently, that has what they call Advanced XSS Protection, which doesn’t offer protection, much less advanced protection. Something else we noticed while looking into that plugin is that they have that plugin tagged on the plugin directory as a web application firewall (WAF): [Read more]

6 Dec 2023

WordPress Security Optimizer Firewall Review: It Doesn’t Actually Contain One

Recently SiteGround rebranded their SiteGround Security plugin as Security Optimizer. Along with that new name came new marketing. While the new marketing text for it on the WordPress Plugin Directory doesn’t mention that it contains a firewall, it wouldn’t be possible to offer the claimed protection without one. It is claimed that with it you can “bulletproof your website security in a few clicks” and that it provides “Advanced XSS Protection to fortify your website against malicious attacks.” As we found last week, that Advanced XSS Protection doesn’t even provide protection, much less does it provide the level of XSS protection provided by various plugins that contain firewalls. It also claims that it will “proactively monitor your site’s security to detect any suspicious activity,” which would also require a firewall if it truly detected any suspicious activity.

In testing going back years, the plugin has failed to provide protection against any vulnerabilities in other plugins, despite other options providing protection in at least some of the tests. The reason for that is simple: it doesn’t actually contain a firewall. Despite that, on the WordPress Plugin Directory SiteGround tagged it as a “firewall” and a “web application firewall.” [Read more]

30 Nov 2023

SiteGround’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their description by claiming that you can “bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots.” One of the bullet-pointed features is described as Advanced XSS Protection, which they say will “fortify your website against malicious attacks”. What that actually does is not explained anywhere else in the description, but further checking showed that it isn’t offering protection, much less advanced protection.

On the plugin’s admin page where the feature can be enabled, it is suggested that this feature adds extra headers to the pages sent by the website. The description reads: “Enabling this option will add extra headers to your site for protection against XSS attacks.” That still doesn’t provide much information on what the feature does. [Read more]