Descripción

Bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots, with our free WordPress security plugin – Security Optimizer.

Proactively monitor your site’s security to detect any suspicious activity and take immediate actions to protect your site and prevent further damage with these essential features:

Enable 2FA (Two-Factor Authentication) for an extra layer of website security
Set Limitar los intentos de acceso to deter malicious login attempts and brute-force attacks
Change your default login URL to Custom Login URL to avoid attacks
Activate Protección XSS avanzada to fortify your website against malicious attacks
Bloquear y proteger las carpetas del sistema to ensure no unauthorized or malicious scripts can be executed in your system folders
Desactivar el editor de temas y plugins to safeguard your website from unauthorized access via the WordPress editor
Ocultar la versión de WordPress effortlessly, keeping it hidden from prying eyes
Use Registro de actividad to monitor your site and quickly prevent malicious actions
Post-Hack Actions to take immediate actions and prevent further damages

Developed by the website security experts at SiteGround and trusted by over 900,000 webmasters for its robust security shield and ease of use to safeguard WordPress applications from possible attacks on any hosting platform.

AWARDS:

Monster Awards 2022: Best WordPress Security Plugin 🥇
Monster Awards 2021: Best WordPress Security Plugin 🥇

Plugin Video

Plugin Tutorial

Unveil the vast array of features and unleash the full potential of our security plugin in our Security Optimizer Tutorial.

SITE PROTECTION FEATURES

Safeguard your WordPress application using our powerful site security toolset. Our comprehensive features are specifically designed to strengthen your website’s defenses against malware, exploits, and various malicious activities. With these tools at your disposal, you can ensure the utmost bot, malware and brute force protection for your website:

Bloquear y proteger las carpetas del sistema

Ensure the maximum security for your application’s system folders by preventing the execution of any unauthorized or malicious scripts. The Lock and Protect System Folders feature acts as a powerful shield against potential threats.

Ocultar la versión de WordPress

Protect your website from mass attacks by hiding the WordPress version, which helps to mitigate version-specific vulnerabilities.

Desactivar el editor de temas y plugins

Enhance the security of your WordPress admin area by disabling the Themes & Plugins Editor, preventing potential coding errors and unauthorized access through the editor.

Desactivar XML-RPC

Mitigate potential security risks by disabling the XML-RPC protocol, which has been exploited in various attacks. Please note that disabling XML-RPC will restrict WordPress from communicating with third-party systems. We recommend enabling this feature unless you have a specific need for it.

Desactivar feeds RSS y ATOM

Prevent content scraping and specific attacks on your site by disabling RSS and ATOM feeds. Unless you have readers accessing your site via RSS readers, it is recommended to keep this feature enabled.

Protección XSS avanzada

Add an extra layer of website security against cross-site scripting (XSS) attacks by enabling Advanced XSS Protection, bolstering the overall security of your website.

Delete Default Readme.html

Eliminate potential vulnerabilities by deleting the default readme.txt file, which contains information about your website. By removing this file, you reduce the risk of your site being listed in vulnerable sites targeted by hackers.

Login Security

Custom Login Url

Personalize your login URL to thwart potential attacks and create a strong entry point. Bid farewell to the default login URL and embrace a bespoke path of your choosing. Additionally, you have the freedom to modify the default sign-up URL as well.

Acceso al inicio de sesión

Restrict login page access to specific IP addresses or IP ranges, effectively thwarting malicious login attempts and deterring brute force attacks.

2FA (Two-Factor Authentication)

Immerse your website in an impenetrable shield of security with 2FA. This formidable feature demands that all admin users furnish a unique token, generated exclusively through the Google Authentication application, during the login process.

Desactivar nombres de usuario comunes

Don’t fall victim to predictable security breaches! The use of common usernames, such as ‘admin,’ poses a significant threat to the integrity of your website. Activate this option to disable the creation of common usernames. If any weak usernames already exist, we’ll prompt you to provide new, stronger alternatives.

Limitar los intentos de acceso

Maintain control over unauthorized access attempts with Limit Login Attempts. Set a specific threshold for the number of login failures users can endure before consequences arise. After reaching the limit, the IP address associated with the unsuccessful login attempts will be blocked for one hour. Persistent failures will result in longer restrictions, starting with 24 hours and escalating to a week.

ACTIVITY MONITORING

Monitor your website and login page for unauthorized visitors and brute force attempts to prevent malicious actions

Registro de actividad

The Activity Log page provides you with a comprehensive view of the activities performed by registered, unknown, and blocked visitors. It allows you to closely monitor any suspicious behavior and take appropriate actions in case of a compromised user, plugin, or hacking attempt. You can leverage the quick tools available to swiftly block future attempts.

Weekly Security Reports

Receive a weekly traffic summary for your website directly to your inbox. This Weekly Security Report compiles data on both bot and human traffic, along with details about blocked login and visit attempts to proactively monitor traffic and promptly identify suspicious activity.

POST-HACK ACTIONS

Take immediate measures to protect your website if you suspect a compromise and prevent further damage. Here, you’ll find convenient solutions to address the situation effectively:

Reinstalar todos los plugins gratuitos

In the event of a hack, utilizing the Reinstall All Free Plugins feature can help mitigate potential harm. This action reinstalls all of your free plugins, reducing the likelihood of additional exploits or the reuse of malicious code.

Desconectar a todos los usuarios

To prevent any further unauthorized activities by users or attackers, you can choose to log out all users instantly using the Log Out All Users feature.

Forzar restablecimiento de contraseña

By enforcing a password reset, you can ensure that all users are prompted to change their passwords during their next login. This not only strengthens the security of their accounts but also immediately logs out all currently logged-in users.

Requisitos

WordPress 4.7
PHP 7.0
Archivo .htacces activo

Data Collection

Collection of technical data is optional and is listed here. This data is collected only for technical analysis, improvements and the possibility to contact the plugin user in case urgent issues need to be fixed (for example a critical security release that needs to be communicated to site owners). The plugin user can manage their preferences within the WP admin to control the collection of technical data. We advise opting in for this data collection, as it can enhance the plugin’s performance. You may find more information on data collection in our Plugins Privacy Notice.

Capturas

Instalación

Instalación automática

Ve a «Plugins > Añadir nuevo»
Search for «Security Optimizer by SiteGround»
Click on the Install button under the Security Optimizer by SiteGround plugin
Una vez esté instalado el plugin haz clic en el enlace de «Activar plugin»

Instalación manual

Accede a tu panel de administración de WordPress y ve a «Plugins -> Añadir nuevo»
Select the ‘Upload’ menu
Haz clic en el botón «Elegir archivo» y selecciona en tu explorador el archivo «sg-security.zip» que has descargado
Haz clic en el botón «Instalar ahora»
Go to Plugins -> Installed Plugins and click the ‘Activate’ link under the WordPress Security Optimizer by SiteGround listing

Reseñas

forgeeky 18 de junio de 2025

Tried many security plugins, but this one is really simple with clean UI. The amazing part is it has 2FA and also offer to change default login path free of cost.

Francesco 5 de junio de 2025 6 replies

I have been using the SiteGround Security Optimizer plugin to enhance the security of a WordPress site. While the plugin offers a useful suite of tools, I encountered a significant and frustrating obstacle with its «Lock and Protect System Folders» feature and the related PHP custom filter mechanism, which proved ineffective in my specific case. The Specific Problem: Activating the «Lock and Protect System Folders» option correctly identified and blocked direct access to a PHP JavaScript AJAX file (trp-ajax.php) belonging to a well-known and widely used multilingual translation plugin (TranslatePress). This block manifested as Apache AH01630: client denied by server configuration errors in the server logs. Although the basic translation of pages seemed to function initially, the persistence of these errors indicated an underlying malfunction that could compromise secondary but important AJAX functionalities of the translation plugin. Deactivating the «Lock and Protect System Folders» option immediately eliminated the errors, confirming that the block was imposed by this specific SG Optimizer feature. Troubleshooting Attempts Following Official SiteGround Documentation: Wanting to keep the folder protection active, I consulted SiteGround’s official guide «How to Use Security Optimizer’s Custom Filters» to create an exception (whitelist) for the legitimate file. The guide indicates using the sgs_whitelist_wp_content PHP filter. I implemented the necessary PHP snippet via a dedicated code snippet management plugin (Fluent Snippets), ensuring it was active, globally executed, and that all caches (SiteGround server-side, optimization plugins, browser, CDN if present) were meticulously cleared after each modification and before each test. The following path variations for the file to be added to the $whitelist[] array within the function hooked to the sgs_whitelist_wp_content filter were tested: Full relative path from the wp-content folder: Following the most common logic for WordPress filters operating on a base directory, I tried plugins/translation-plugin-name/includes/file-name.php. Base filename only: Literally interpreting the extremely simplified example (‘file_name.php’) provided in the SiteGround guide for the sgs_whitelist_wp_content hook, I tried adding only ‘file-name.php’. Intermediate variations or absolute paths (the latter are generally not used in WordPress filters but were tested for completeness in the initial stages). None of these attempts, despite scrupulously following the instructions and WordPress filter logic, succeeded in creating an effective exception. The trp-ajax.php file continued to be blocked, and the AH01630 errors persisted whenever the «Lock and Protect System Folders» protection was reactivated. Interactions with SiteGround’s AI Assistant: Seeking further assistance, I consulted SiteGround’s AI Assistant. The interactions can be summarized as follows: Initial Report: I described the problem, the error, and the failure of whitelisting attempts using the sgs_whitelist_wp_content filter as per their guide, specifying the path formats already tested. AI’s Responses: The AI Assistant repeatedly suggested the standard solutions already tried and communicated as ineffective: Using the sgs_whitelist_wp_content filter with only the base filename. Using the sgs_whitelist_wp_content filter with the full relative file path. Generic troubleshooting suggestions (clearing cache, testing in incognito, checking file permissions and .htaccess – the latter less relevant given the AH01630 error indicated a server/plugin configuration block, and the PHP filter was intended to manage that configuration). Despite clarifying multiple times that these methods had already been applied unsuccessfully, the AI continued to propose them, entering a loop and eventually suggesting contact with human technical support. Conclusions and Concerns: The experience demonstrates that, at least in my scenario (which I believe to be common: a PHP file from a popular plugin located in a subfolder of wp-content/plugins/), SiteGround Security Optimizer’s custom filter system, particularly sgs_whitelist_wp_content, does not function as documented or as one would expect. This leads to an unpleasant choice for the user: Disable a key security feature («Lock and Protect System Folders»), potentially reducing the site’s protection level. Accept the malfunctioning of legitimate and necessary plugins, with continuous errors in the logs. The official documentation on custom filters, regarding the sgs_whitelist_wp_content hook, appears to be oversimplified and does not provide clear or effective examples for files nested in subdirectories, which constitute the majority of plugin files. The AI Assistant, relying on such documentation, is unable to offer practical solutions for this problem. A review by SiteGround’s development team would be desirable, both of the sgs_whitelist_wp_content filter’s functionality to ensure it correctly handles full relative paths, and of the documentation to provide more accurate and applicable examples. Furthermore, a clear channel for reporting such product-related issues without the user being immediately directed to potentially paid support channels would be beneficial, especially when the problem seems to lie in a flaw or documentary shortcoming of the tool provided by the hosting itself. As it stands, for anyone using plugins with specific PHP files that are blocked by «Lock and Protect System Folders,» this aspect of the SiteGround Security Optimizer can be more of a hindrance than a help if one is unwilling to forgo that protection.

leopap 12 de diciembre de 2024 4 replies

The plugin is quite heavy and makes conflict with translate press. Variations and titles of products disappeared in the second language. After disabling all is back to normal.

Vedran Mandić 8 de noviembre de 2024

I like that this plugin involves all of the important things and does this in friendly manner ie. admin UI. Limit logins, 2fa, etc. Apart from speed optimizer a must have.

swinggraphics 19 de agosto de 2024 1 reply

Cannot unsubscribe from the emails without admin access. In my experience, this makes the plugin extremely annoying. They do not plan to fix this.

tinaponting 12 de agosto de 2024

A simple plugin, who does what it supose to do – Protecting:)

Leer todas las 145 reseñas

Colaboradores y desarrolladores

«Security Optimizer – The All-In-One Protection Plugin» es un software de código abierto. Las siguientes personas han colaborado con este plugin.

«Security Optimizer – The All-In-One Protection Plugin» ha sido traducido a 11 idiomas locales. Gracias a los traductores por sus contribuciones.

Traduce «Security Optimizer – The All-In-One Protection Plugin» a tu idioma.

¿Interesado en el desarrollo?

Revisa el código , echa un vistazo al repositorio SVN o suscríbete al registro de desarrollo por RSS.

Registro de cambios

Version 1.5.7

Release Date Nov 21st, 2024

Translation loading improvements

Version 1.5.6

Release Date: Oct 9th, 2024

Custom Login URL improvements
2FA improvements
Activity Log improvements

Version 1.5.5

Release Date: Sep 18th, 2024

Options improvements.
Block Service improvements.

Version 1.5.4

Release Date: Sep 10th, 2024

Activity log code improvements.
Salt Shaker code improvements.

Version 1.5.3

Release Date: Aug 27th, 2024

Code Improvements.

Version 1.5.2

Release Date: Aug 1st, 2024

Improved Custom Login Url handling
Improved Plugins Reinstall actions
Improved Translations
Improved plugin config
Fixed deprecated warnings in custom WP-CLI commands

Version 1.5.1

Release Date: July 17th, 2024

Improved Activity log bot detection
Improved Activity log logout handling
Improved 2FA with third-party custom logins
Improved compatibility with third-party plugins
Security improvements related to plugin notices

Version 1.5.0

Release Date: May 23rd, 2024

Improved support for PHP 8.2 and 8.3.
Improved plugin configuration.

Version 1.4.13

Release Date: Mar 27th, 2024

Plugin optimization.

Version 1.4.12

Release Date: Feb 20th, 2024

Bugfixes related to cookies and 2FA

Version 1.4.11

Release Date: Feb 14th, 2024

Security improvements related to cookies
Performance improvements

Version 1.4.10

Release Date: Jan 11th, 2024

Static assets are now part of the plugin package and load locally.
New users will be prompted to give their consent for the collection of technical data upon their initial use of the plugin.

Version 1.4.9

Release Date: Dec 12th, 2023

Improved detection of bots in activity log
Improved feature “Reinstall All Free Plugins” – deactivated plugins no longer get activated after the reinstall.

Version 1.4.8

Release Date: Nov 22nd, 2023

Dashboard visuals improvements
Readme file improvements
Weekly Security Report improved translations

Version 1.4.7

Release Date: Oct 24th, 2023

Data collection opt out option
Readme file formatting improvements
Plugin name formatting improvements
Weekly Activity Report Sending Schedule Randomisation

Version 1.4.6

Release Date: Sept 26th, 2023

Changing the name we use inside the plugin from SiteGround Security to Security Optimizer
Updating data collection process and Introducing a link in the plugin interface to the Plugin Privacy notice

Version 1.4.5

Release Date: May 4th, 2023

Improved log cleanup

Version 1.4.4

Release Date: May 3rd, 2023

Improved Visitors DB table indexing
Block service restored

Version 1.4.3

Release Date: Apr 27th, 2023

Block service temporally disabled

Version 1.4.2

Release Date: Apr 27th, 2023

Improved Activity Log process and filters
Improved restricted login response code
Improved PHP 8.2 compatibility
Alternative constant added for non-standard cron job usage

Version 1.4.1

Release Date: Feb 23rd, 2023

Internal configuration improvements

Version 1.4.0

Release Date: Feb 1st, 2023

Internal configuration changes

Version 1.3.9

Release Date: Jan 25th, 2023

Improved Foogra Theme support

Version 1.3.8

Release Date: Dec 6th, 2022

Improved Rest response
Improved Settings Page checks
Improved Disable Themes & Plugins Editor

Version 1.3.7

Release Date: Nov 15th, 2022

SG Security Dashboard bugfix
Improved 2FA Encryption key validation
Improved Custom Login/Register URL validation
Improved LiteSpeed Cache support
Option to use custom 2FA encryption key filepath

Version 1.3.6

Release Date: Nov 8th, 2022

Improved 2FA security with encryption
Improved Access Log filters
New WP-CLI command: reset all users 2FA setup

Version 1.3.5

Release Date: Oct 18th, 2022

Improved Custom Login URL
Improved Activity log

Version 1.3.4

Release Date: Oct 10th, 2022

Install service fix

Version 1.3.3

Release Date: Oct 10th, 2022

New Manage Activity Log option
New filter – Disable activity log
Improved Custom login url
Improved WP-CLI support
Improved Jetpack plugin support
Improved error handling
Minor bug fixes
Legacy code removed

Version 1.3.2

Release Date: Sept 21st, 2022

2FA Backup codes security strengthening

Version 1.3.1

Release Date: Sept 13th, 2022

2FA Authentication Security Strengthening
IP Address detection Security Strengthening

Version 1.3.0

Release Date: July 14th, 2022

Brand New Design
Improved 2FA Authentication compatibility with Elementor custom login pages
Improved data collection
Minor fixes

Version 1.2.9

Release Date: June 20th, 2022

NEW Filters for «Lock and Protect System Folders» excludes
Improved IP Ranges support
Improved Blocked IP addresses list
Improved Delete the Default Readme.html
Improved 2FA Authentication validation
Improved 2FA Authentication support for «My Account» login
Improved Data Collection
Minor fixes

Version 1.2.8

Release Date: May 18th, 2022

Improved plugin security

Version 1.2.7

Release Date: April 8th, 2022

Minor bug fixes

Version 1.2.6

Release Date: April 7th, 2022

2FA Refactoring

Version 1.2.5

Release Date: April 6th, 2022

2FA Authentication refactoring
Improved Weekly Emails
HTST service deprecated

Version 1.2.4

Release Date: March 16th, 2022

Improved Weekly Emails
Improved Woocommerce Payments plugin support
2FA Authentication Security Strengthening

Version 1.2.3

Release Date: March 11th, 2022

2FA Authentication Security Strengthening

Version 1.2.2

Release Date: March 11th, 2022

2FA Authentication Security Strengthening

Version 1.2.1

Release Date: March 9th, 2022

Improved Weekly reports
Improved HTTP Headers service
Code Refactoring

Version 1.2.0

Release Date: February 28th, 2022

NEW – Weekly Reports
Code Refactoring and General Improvements
Improved 2FA user role support
Improved error handling
Improved Limit Login IP Range support
Improved Event log
Improved Phlox theme support
Minor fixes
Improved WP-CLI support
Environment data collection consent added

Version 1.1.3

Release Date: October 1st, 2021
* Improved Hide WP version functionality

Version 1.1.2

Fecha de la versión: 20 de agosto de 2021
* Mejorada la funcionalidad de URL de acceso personalizada
* Mejorado el 2FA
* Mejorados los mensajes de éxito/error

Version 1.1.1

Fecha de lanzamiento: 12 de agosto de 2021
* Mejorado el 2FA
* Mejorada la funcionalidad de desconexión

Version 1.1.0

Fecha de la versión: 27 de julio de 2021
* ¡NUEVO! Añadidos códigos de respaldo 2FA a la págna de edición del perfil
* ¡NUEVO! URLs personalizadas de acceso y registro
* ¡NUEVO! Añadida generación automática de cabeceras HSTS
* Mejorado: Funcionalidad de desactivar nombres de usuario comunes
* Mejorado: Servicio de desconexión masivo
* Mejorado: Registro de actividad y añadido etiquetado personalizado
* Mejorado: Funcionalidad de restablecer contraseña

Version 1.0.4

Mejoras en el límite de intentos de acceso

Version 1.0.3

Corregido fallo de la caja de valoraciones en Safari
Servicio de desactivado de feeds RSS y Atom mejorado

Version 1.0.2

Añadido filtro para configurar la duración del registro
Añadida compatibilidad con WP-CLI
Mejora de cadenas

Version 1.0.1

Añadidos valores por defecto al instalar
Mejorada la compatibilidad con las traducciones
Añadida limpieza al desinstalar

Version 1.0.0

Primera versión estable.

Version 0.1

Versión inicial.

Minimislist, Lightweight and Secure

SG Optimizer: «Lock Folders» Feature Problematic, Custom Filters Ineffective

Incompatible with Translate press

Has all of it

Cannot unsubscribe from the emails

Works Great