Site Tools (vs. cPanel) – part 4: Security

… starting from the point where the story stopped.

Site Tools’ left column acts as a navigation bar which holds all tools, grouped by themes. There were 12 topic-specific sections in cPanel . . . There are now only nine themes in Site Tools: Dashboard, Site, Security, Speed, WordPress, Domain, Email, Statistics, and Devs.

Security

Server security is one of our top priorities.SiteGround

As acknowledged by SiteGround, the measures [they] have taken to keep [their] servers and your websites secure are not always enough. That is why it is always good to have additional means of protection. Interestingly, their article on basic security guidelines does not mention any of the tools available in the Security theme – for the simple reason that none of them will actually prevent attacks (except for one, maybe).

Backups

Granted backing up your data is the cornerstone of good digital security, but backups do not prevent the threats; they ensure that your critical data will survive any of the likely hazards.

Have a peace of mind knowing that you can easily restore your website and emails from the daily backups we make for you.SiteGround

You can indeed find the 30 daily backups under Manage Backups at the bottom of this section. For each of them, you can choose what to restore by clicking the Actions menu:

  • Restore All Files and Databases
  • Restore Files
  • Restore Databases
  • Restore Emails

The storage location is an important aspect of a good backup system. In this regard, SiteGround was already having off-site backups, meaning that the backups were stored off the main location of the host server. As of May 8, 2021, they will start the process of moving all backups to a different data center, i.e. they will no longer keep any account and its backup in one and the same geographic location. Clearly, adding geographical redundancy to their backup strategy is enhancing data protection. Well done!

SiteGround logo with a referral link to their website
Referral Link

In this section, you can also Create New Backup (instantly). According to their Knowledge Base, all you have to do is to go to Site Tools > Security > Backups > Create & Restore, fill in the Backup Name and click Create. The backup will be created after a few minutes. There should be 5 free instant backups per site each month. This article omits one detail, though. These 5 free instant backups are only available with the GrowBig and GoGeek plans; with a StartUp plan, you will have to purchase single backups!

Available Manual Backup Slots: 0

For this reason, I have not used SiteGround Backup tool – for instant backups – before (i.e. with cPanel) and I still cannot (and will not) use it in Site Tools. This is actually the topic of the previous mini-series:

Another big concern is that these backups (both manual and automated backups) cannot be downloaded locally; thus defeating the 3-2-1 backup rule (see Backup, Backup, Backup!). Wrong, try again!

Downloading a backup is not possible at the moment.Hristo Pandjarov

SSL Manager

Let's Encrypt Logo
Use the SSL Manager to easily install different SSL certificates, import existing ones, and manage all active certificates for your site in one place.SiteGround

This is the new version of the Let’s Encrypt certificate tool. From the Install tab of the Install New SSL section, you can indeed install a SSL certificate by choosing between the available options:

  • Let’s Encrypt
  • Let’s Encrypt Wildcard
  • Premium Wildcard

Be careful, if you do not select one of these options – after selecting one domain – and leave that section, Site Tools will crash! You will have to login again.

In Manage SSL below, you can see your installed certificate(s). There are two extra columns as compared to the cPanel version: “Certificate” and “Expires on”. While it is not particularly useful to know that I have R31 certificates, knowing when they will expire is definitively more important (see A (SiteGround) ticket to hell concl’d). Interestingly, the Enforce HTTPS is still available in the Actions menu, but it has its own section now (see below).

As alluded in SiteGround New Client Area and Site Tools – part 8, the Let’s Encrypt certificate status is also available in the Added Extras section of the Client Area (Client Area > Website > Extras; at the bottom). The table displayed here shows the following information: Extra (i.e. Let’s Encrypt SSL), Domain Name, Expiration Date, Status (i.e. ACTIVE), and Actions (in fact, an ellipsis with only one option: “Manage”). The “Manage” link will send you back to Site Tools > Security > SSL Manager.

SSL icon

The primary purpose of an SSL certificate is to keep information sent across the Internet encrypted so that only the intended recipients can access it. By encrypting your visitor’s information, you give them the peace of mind that hackers can’t easily steal their data. While the connection between the browser and the server is indeed entirely secure, having an SSL certificate does not make your website secure.

HTTPS Enforce

Use this tool to enforce your website to work over an encrypted and secure HTTPS connection. The HTTPS redirect is performed on a server level and works for any website with active SSL.SiteGround

Unfortunately, the new Knowledge Base is even less informative than the late Let’s Encrypt tutorial. The latter, although not explaining how to do so, was at least explaining that:

… in making your website work properly over HTTPS. You usually need some additional configuration so that your domain is not accessible both over http and https, in order to avoid duplicate content. Additionally you may need to rewrite any links to external content, so that your site does not show warnings for mixed content in the browser. The best way to do this [sic] changes are in your specific application.

Here is the full content of the knowledge base article How do I enforce HTTPS?:

To enforce HTTPS go to Site Tools > Security > HTTPS Enforce. Toggle the HTTPS Enforce button to On next to the chosen domain.

For more info on that matter, you might want to consider reading this article:

Protected URLs

You have an URL you don’t want to be accessible to anyone? Not a problem. You can easily limit access to specific URLs on your website with the Protected URLs tool. Here you can specify which URLs you want to password protect and manage the users that have access to them.SiteGround

This tool will make an URL (or your entire website if you wish) only accessible to people who know the credentials for accessing it. As I did not use the Password Protect Directories feature back in cPanel, I cannot compare it with the now-called Protected URLs tool.

Why didn’t I use this password protection feature?

If you have WordPress installation with enabled permalinks, it is not possible to use Password Protect Directories option in cPanel.Namecheap

Beyond the above statement (I am using Pretty Permalinks by the way), and the possibility that WordPress can have some minor conflicts with password protecting files due to the changes in its default .htaccess rules, there are other reasons why I did not try the late Password Protect Directories feature.

Typically, you can use this feature to protect:

  • your site until it’s ready for public viewing
  • your WordPress admin area and/or login screen
  • downloads and/or files, that you only want specific people to access
  • sensitive information present on a site’s page

However, there are either better/safer alternatives or potential issues with these approaches.

Concerning the first use case (i.e. when a site is in development), the better method would be to develop your website offline or to stage it. However, this requires specific tools and/or services, that I did not have2 when I started. Instead, I have simply checked the Search Engine Visibility option in the Reading Settings of WordPress (see Configuring WordPress (Multisite) Settings).

The second use – i.e. hardening WordPress security – is actually the only real security application (i.e. the exception; see my comment at the beginning concerning the tools in this theme) as it might prevent attacks. Adding server-side password protection to the wp-admin directory can indeed add a second layer of protection. However, this can actually break some WordPress functionality3. In fact, password protecting wp-admin can break any plugin that uses ajax on the front end; therefore, according to WordPress3, it’s usually sufficient to just protect wp-login.php. Beware, there are many old, recycled4 articles promoting this method – Protecting WordPress Admin with a Password – without warning you about the harmful consequences. Owing to the serious concerns with this approach5, I have opted instead for 1) very strong credentials for my WordPress administrator dashboard and 2) a plugin that prevents Brute Force Attacks, among other strategies.

Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress.Mark Maunder

Admittedly, this feature is useful when you need to limit access to a certain part of your site (i.e. third use case). However, if you need fully-featured user access to paid-for content, you’ll need a membership plugin instead – according to Web Training Wheels. I do not have such a need, at least not yet. Therefore, I did not explore this use case further.

As for the last scenario, may I remind you that WordPress is already fully equipped to password protect any selected pages you like (see Using Password Protection). As you may already know, I have used this feature for the post about the birth of my baby boy, but as you will not be able to access it, you may want to consider reading this other post for more info.

Blocked IPs

There are cases when blocking an IP can significantly improve your website’s performance or even prevent it from being hacked. If you have noticed any suspicious activity (posting malicious content or using too much bandwidth for example), you can block the IP the activity is coming from, by using this tool.SiteGround
By SiteGround

As for the previous tool, I did not use the IP Address Deny Manager feature back in cPanel, so I cannot compare it with the now-called Blocked IPs tool. There are two reasons for that. First, I have a security plugin that allows me to do just that: block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent and Referrer. Second, blocking IP addresses is not always the best solution as detailed in this article. In short, for the most part, [attackers] used an IP address just once, with less than a third being used twice or more. I concur; in my case, blocking Referrers (i.e. the websites traffic arrives from) is clearly more effective.

SiteScanner

The SiteScanner is a malware detection and early warning system. The system enables you to perform on demand scans of your website and performs comprehensive daily scans to detect domain blacklisting and malware. The malware database is constantly updated, enabling the SiteScanner to detect even the latest threats.SiteGround

Site Scanner was the only upsell when I get my hosting plan. I didn’t opt for this paid extra, but instead went for the aforementioned security plugin. In addition to its Firewall, it comes with a Security Scanner!

Beware, Site Scanner will not protect your website; it will only detect if the latter has been compromised by Malware threats. If there is an issue, you will receive an email notification – that is it. You will have to clean up your site from malicious content on your own. Moreover, this paid service is not even available for subdomains: “it is not possible to purchase the SG Site Scanner extra service for a subdomain. It can be ordered and activated for site primary domains only.”

Intermediate verdict

As far as I am concern, there is not much difference between the Security section of cPanel and its counterpart in Site Tools. Besides, with the exception of the SSL certificates (i.e. Let’s Encrypt), I was not using any of these tools; not even the Hotlink Protection that did not survive the migration.

The Hotlink Protection tool, which allows you to prevent other sites from directly linking to files from your site, is not available in Site Tools.SiteGround

I like…

I don’t like… that there is even less information on HTTPS Enforce.

To be continued…


1 As explained here, under normal circumstances, certificates issued by Let’s Encrypt will come from ‘R3’, an RSA intermediate. In other words, everything looks fine! As for the meaning of RSA, it’s a cryptographic algorithm – named after the mathematicians who invented it in 1978 – that encrypts and decrypts the data. ^
2 For instance, the staging feature is not available with the StartUp plan. Nonetheless, a new feature in Site Tools might be of interest; I did not experiment with it yet, though. This feature, which was advertised during the webinar about Site Tools (see SiteGround New Client Area and Site Tools – part 3), should allow you to use a temporary URL created by SiteGround during the development of your website, and then later on, change it to an actual domain name. ^
3 See Hardening WordPress and Brute Force Attacks. ^
4 How many times will I have to complain about the dishonest practice of recycling articles without updating the content? While some limits their deceit to changing automatically the published date (or the modified date), others go as far as to updating the title as well; of course without modifying the content (e.g. “How to Keep Your WordPress Website Safe and Secure in 2021”). It’s time to reiterate my word of caution: you can’t trust everything you read! On that matter, you may want to consider checking the “Evaluation of sources” section of my How to podcast? post. ^
5 Now, if you really want to add server-side password protection to the wp-admin directory, you should allow front-end Ajax functionality. I have found this article explaining how to do so. Beware, I did not test their code; use it at your own risk! ^

What do you think?
  • Like 
  • Agree 
  • Disagree 
  • Thank you