Is there a way to clear the log files, so start logs again?

Hi,
where are the unknown logs saved on the ftp? Can I download a txt file (or other format) of all the logs saved on my ftp for the last 12 days instead of searching for them via filter? If so, where is this file located?
Thanks

I manage several sites on SiteGround and I receive Weekly Reports on my email. Sometimes they come with the title Security Optimizer by SiteGround as the sender and sometimes it shows the website name as the sender instead. I would like ALL emails to show the same title (Security Optimizer by SiteGround) instead, since I can identify the site by the Subject. How do I do that on the dashboard? Here is an example of my inbox: https://share.zight.com/xQuJj6Ov

No matter what I enter for the “Custom Login URL” I get the message “Invalid Format”
If I want to change the login URL from https://www.text.com/wp-admin to https://www.test.com/customurl-admin, what would I enter?

Hi there,
there seems to be a bug with the capabilities in the activity log for unknown users.
I have a custom user role which has all admin capabilities but is not the administrator role. If I try to view the activity log, tab “unknown”, I get an error which states “Could not connect to WordPress REST-API”.
If I change my role back to “administrator”, everything works fine. This happens only in the unknown tab, not in the registered nor the blocked tab.
Could you please investigate that and perhaps deploy a fix?
Thanks!

On my admin login screen, which uses the custom login URL from the SG Security Optimizer, I am sometimes getting a “solve a math problem” prompt below the login area. Is there a reason this is showing sometimes? Also, this “solve a math problem” prompt does not always work, as it sometimes does not allow you to enter a number.
Thanks

“You are receiving this email because you have SiteGround Security Optimizer plugin installed on one or more of your WordPress sites. If you no longer wish to receive these emails, you can unsubscribe.”
The unsubscribe link only works if you have a user account on the website. The unsubscribe link needs to work without being required to log in.

Not sure if this plugin is still maintained or if the QA team quit, but it’s not possible to update the first or last name of admins with this plugin.
Error: Sorry, that username is not allowed.
Pretty well documented that if you’re making changes to your WP site, you’ll have to disable siteground bloatware.

@etheos has already reported this issue
Almost all the clients for whom I have installed and configured the custom login URL, have complained quite a bit about this issue.
I made a patch to solve this problem.
https://gist.github.com/luistar15/03b592d39f1e2c269d8e22a521f7d427

I understand I can use a code snippet to whitelist a file – is it possible to whitelist all php files in a certain folder using a code snippet or do I have to have another htaccess file to override the SG one?

I’m using the block folders and files which I’d like to leave enabled. I was able to use the FileMatch syntax showing in a previous request to unblock a specific file, however I need to unblock the entire folder for a plugin and I am getting stuck on the syntax. I believe it uses Directory instead of FileMatch, but then I was getting a 500 error so I obviously had something wrong.
Thank you for your help in providing an example of how to do this.

Hey guys,
I really love your plugin, but recently came across a couple of issues and am wondering if there’s a way to fix them.
I started using the GTranslate plugin for automated Google translation. The plugin adds a few rewrite rules to the .htaccess to create the subdirectory structure for the URLs like this:
### BEGIN GTranslate config ###
RewriteRule ^(af|sq|am|ar|hy)/(.*)$ /$1/$3 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(af|sq|am|ar|hy)/(.*)$ /wp-content/plugins/gtranslate/url_addon/gtranslate.php?glang=$1&gurl=$2 [L,QSA]
RewriteRule ^(af|sq|am|ar|hy)$ /$1/ [R=301,L]
### END GTranslate config ###
But now Security Optimiser makes these URLs, such as ‘domain.com/af’, inaccessible, resulting in a 403 error.
Is there any way to go about this?
Many thanks

The activity log for both Unknown and Registered users shows only one IP address for all activity: 127.0.0.1
Every so often, this IP is added to the blocked IP list, which causes me to be unable to access the log in page (because my visit to the log in page is also logged as coming from IP 127.0.0.1). The only way around it is to disable the plugin via a file manager, log in, re-enable the plugin and unblock the localhost IP.
Please advise, why are IPs of visitors not being displayed/captured properly?

Hello, is it possible to apply a different value than 3/5 to the Limit Login Attempts feature? I’d like it to block at the 1st wrong authentication, and if it’s an admin user send an email with an unblocking link (like Wordfence does). Thank you.

Hi, I notice a wrong date for the moment when Security Optimizer blocked an IP address. It shows a date a few days in the future. The date shown in the column Blocked on is 2024-07-24, but this is a date in the future. Does this date mean the moment the IP address will be unblocked? Or is it a bug in calculating the date?

Hi!
I’ve found a bug with your plugin and the Kadence modal login. If you set a custom URL with SiteGround Security and then you try to use the modal login, it redirects you to a 404 page. But if I change the login URL with another plugin, the modal login works fine.
Here you can see a video that I made to the Kadence support where I go through the problem https://www.loom.com/share/ba58c3a27413450d94ccc1a81541c6aa?sid=e950d72f-868c-40f7-aa07-8824ebf0aaab

Any chance you could improve the changelog with actual, useable information? A lot of times we have to add custom code into functions.php to exclude certain components from optimisation in your plugin. We always report these to your team but never know if they’re actually ‘fixed’ so we could remove the custom code because your changelog just has top-level info like ‘improved XYZ’ but not what was actually improved…

Any chance of adding line graphs of the logs for a quick glance of all the results?

*** Public Service Announcement ***
Issue:
After complete removal of the plugin, NitroPack, the servers and/or IPs associated with NitroPack continue to ping or scrape websites for information via the user agent: Nitro-Webhook-Agent.
Attacking IPs:
46.101.77.196
159.65.180.53
178.62.81.205
Click here for more information.
Recommendations:
Thank you!

Hey team!
I work on the Jetpack plugin team, and wanted to suggest an update to the Security Optimizer plugin codebase.
The Security Optimizer plugin relies on the Jetpack_SSO class in core/Sg_2fa/Sg_2fa.php. That class was deprecated a few months ago, in this Pull Request. It was replaced by Automattic\Jetpack\Connection\SSO.
I think it would be nice to make the change in the Security Optimizer plugin, to avoid deprecation notices, and also to avoid missing functionality when the deprecated class is eventually removed from the Jetpack plugin.
Let me know if you have any questions about the change!

I received an email today that said my site had 135,019 human traffic. I went to the dashboard and tried to click on View All Logs and got a critical error message that pops out and has HTML code with it. Also, my GA only says I had 112 visitors to the site. What could be going on?

Hey folks,
A site of a client had both Security Optimizer and WPML, and the following setting was enabled in WPML:
– Allow translating the login and registration pages
This setting injects the following to the .htaccess (inside the core WP rules):
RewriteRule ^en/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^fr/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^de/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^it/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^pt/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^pt-pt/wp-login.php /wp-login.php [QSA,L]
RewriteRule ^es/wp-login.php /wp-login.php [QSA,L]
Which effectively breaks 2FA and shows the errors many users reported to you:
The username field is empty.
The password field is empty.
Disabling the option (and then flushing the rewrite rules at /wp-admin/options-permalink.php) fixes the issue. Hope this helps!

Dear SG agent,
Does this plugin add security headers like Content-Security-Policy, Permissions-Policy, Referrer-Policy, Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options?
Or is it on the roadmap?
Looking forward to your reply.

Hi,
I have an issue related to the Activity Log section of the plugin. While the Unknown section loads all the logs correctly, if I go to the Registered section it gets stuck loading and finally returns a 504 Gateway Time-out error in console (Network section).
Also, a popup appears with this message:
COULD NOT CONNECT TO THE WORDPRESS REST API: Either a security plugin, custom function, or rules in your .htaccess file is preventing the WordPress REST API from working properly. SiteGround Optimizer is using it to store its options and other functionalities so please make sure it works properly.
Thank you

Hello.
I’ve been at SiteGround for some time now and I didn’t start using Security Optimizer until today.
I used another tool for custom login URL
I also used another tool for 2-factor authentication.
When I removed these tools today and started using Security Optimizer tools, the problems have started.
Details:
1st – The QR to connect with Google Authenticator was not displayed.
The SiteGround team did their thing on my site, and it was up and running.
2nd – When I log in with the custom URL and 2-factor authentication, it works from an office computer.
But when I perform the same operation from a mobile device, it never gives me access to the administrator panel.
I go back to the custom URL and 2-factor authentication, but it takes me back to the website, without access to the WordPress admin panel.
I tested it with several devices, on Android and iPhone, in Chrome and Safari, and it didn’t work in any of the cases.
I could use another plugin, but this one is supposed to be very good and works very well on SiteGround.
Did you have a case similar to this?
Can you help me?
The SiteGround team apparently sees no problem.
Thank you

Hi,
I really appreciate the 2FA feature in Security Optimizer, but I sometimes forget to enable it for additional user roles (e.g. ‘shop_manager’ in WooCommerce) with the provided filter ‘sg_security_2fa_roles’.
To keep an overview and ensure all relevant users are using 2FA, could you implement a way to view if 2FA is successfully set up per user? Ideally, it would be great to have a column in the User screen, similar to the screenshot below from the popular Two-Factor plugin:
https://app.screencast.com/74RggrLUab2gb
Thanks!

Hi,
currently it’s possible to enable / disable 2FA for specific user roles, using the 'sg_security_2fa_roles' hook.
It would be useful to have the ability to disable it for specific users (e.g., those who are unfamiliar with Google Authenticator or 2FA).
Thanks

Hello there,
Due to the option “Lock and Protect System Folders” being active, the TranslatePress plugin is unable to access the needed php script for the translations (/wp-content/plugins/translatepress-multilingual/includes/trp-ajax.php). Gives a 403 error (forbidden).
I was able to pinpoint the issue by disabling plugins consecutively and within Security Optimizer going through the options.
The link added regarding the page I need help with is just an example since the issue happens sitewide.
Is there a way to keep the lock in place but to exclude specifically the Translate Press folder?
Thank you in advance,
Antonio

Given you make it utterly impossible to contact you for a non-specific reason that doesn’t need some sort of paid account addon, I have no option but to put this here.
You really need to allow non-alphanumeric characters in the custom login URL. I have to use alpha chars only, and then edit the login in phpMyAdmin, or it will not save in the plugin settings. Given it works perfectly after manual editing, there’s clearly no objection to using special characters.

I can’t log in to my backend because the login mask always says the email and password are not filled in.