How to Keep Your Site Safe with Site Scanner Security Service (Webinar Video + Q&A)

As hackers become more and more ingenious, protecting your website is an on-going process. To help you boost your website security even further, we’ve recently enhanced our Site Scanner addon service with new features and introduced a Premium plan for ultimate website safety. As many of you wanted to learn more about this service improvement, we held a live webinar with our Product and Technology Lead, Daniel Kanchev. He explained how the latest Site Scanner update will boost your site security and replied to your most frequently asked questions. If you did not have a chance to attend, you can now catch up with the recording of our Site Scanner live webinar on YouTube. We also summarized some of the answers to your most popular questions, as well the ones that we didn’t have enough time to answer during the live webinar.

Why should you protect your website in the first place?

Contrary to popular belief, all websites – big or small – are targets to hacker attacks. At the end of the day, attackers don’t care whether you have a brochure website or a big eCommerce store, whether you have a couple of hundred users or hundreds of thousands of visitors. Their goal is to maximize the impact of the attack, causing harm to both your business and your users. Some of the ills they cause include stealing credit card details, sending spam emails, hosting malware on your site, storing files on your account, etc.

Bottom line is that everyone can be a target and get affected. That’s why it’s important to know how to protect your website. At SiteGround, we’re fanatical about the security of the websites hosted on our platform. We’re taking a multi-level approach to secure your sites on infrastructure, server, and application levels, but since the security of a website is also the responsibility of every website owner, we’re constantly adding new features and services to help you in this process and save you time, effort, and money, because dealing with the aftermath of a website attack is time consuming, generates losses and requires certain technical skills.

Isn’t SiteGround taking care of my website security?

SiteGround has adopted a security-first approach in our services and we are taking a comprehensive care of the websites hosted on our platform. Here are some of the things we do:

General website security measures

• Hosting account isolation makes sure that your site is secured and will not be affected in case another website on the same server gets hacked. It isolates your website from all other websites. If another client’s website gets hacked, this won’t affect your website. It’s good to keep in mind, though, that multiple applications within the same website (e.g. in different folders, or subdomains of the same website) will need some more attention, as they share the same isolated protected space. Hacking one of them might lead to exploiting the other application as well. Therefore, it’s a good idea to protect all your sites with strong passwords, and our SiteGround Security plugin for WordPress websites, for example.

• Web Application Firewall (WAF) rules, being written by our security experts, prevent your site from being hacked due to a security hole in a popular plugin, theme, etc. We write such smart firewall rules for a really big percentage of WordPress plugins, themes and other applications.

• Smart AI anti-bot system analyzes all servers, websites and traffic, and blocks illegitimate website requests, or shows a CAPTCHA, when it’s not 100% sure the requests are legitimate. Our AI anti-bot system also takes care of brute-force attacks.

• Geographically distributed backups to have your data safely available at another location, in case something happens to your server and data center.

• 24/7 server monitoring of the servers by our experienced system administrators to prevent security attacks, mitigate DDOS, and react in a timely manner against any known or unknown threat.

WordPress-specific website security measures

• We offer automatic WordPress core and plugin updates to make sure your website is up-to-date and secure.

• We have developed a free WordPress security plugin available to clients and non-clients alike – the SiteGround Security plugin. It allows you to put additional layers of security to your website and application.

Why do you need our Site Scanner security service then?

Even with all of the above security measures in place, there is always a chance that your site can be hacked by an attacker who has found a way to gain access to it.

Let’s imagine you’re connected to a public wifi network and you’re accessing your FTP account from it. If the hacker is on the same wifi network and it’s an open network, they can sniff the traffic and see your username and password. This is only one of the numerous examples of how attackers can “enter” the backdoor of your website.

That’s why our Site Scanner is useful – even if something happens to your site, it’ll notify you about the issue and you’ll be able to react, as it:

• Checks regularly for websites threats and detects malware
• Sends you timely threat alerts and notifications
• Gives you tools for reaction, if your site is under attack (NEW)

Site Scanner is a great add-on to everything else we do, because it gives you visibility and control, if something suspicious is going on with your website, and provides you with a mechanism for a timely reaction to limit the scope of an attack.

FAQs on how Site Scanner works to protect your website

With the latest Site Scanner update, we offer two different Site Scanner plans – Basic and Premium that provide your website with various security features. Here you’ll find the answers to the most frequently asked questions about these features:

How often does Site Scanner run?

Both versions of the Site Scanner security service run daily scans of the crawlable URLs, while the Premium version includes automated daily scans of the files uploaded for that website.

Does Site Scanner scan the subdomains as well, or only the main website?

The part of Site Scanner that opens up the website in a browser and browses through pages works for the domain name for which you ordered the service. If you ordered a Site Scanner for yourname.com, then it will scan pages on this website. If you have subdomains like blog.yourname.com, they won’t be scanned by Site Scanner in this way – the service will only open the main website in a browser and scan through it.

On the Site Scanner Premium plan, the file scans will work for all the subdomains you have as part of this website. That’s because from a folder structure point of view, all the public HTML folders (the web root folders of the websites) are in one site.

Can Site Scanner scan files, as well as index.php, .htaccess, .txt? How does it work with old HTML sites?

No matter if it’s a PHP, .html, CSS, JavaScript, Python, Pearl, Go, or another type of file, the file scan will be performed. Our Site Scanner scans and looks for malicious patterns through the whole file system, no matter what type of files are in the folders.

If you have an HTML site, chances are that you will not be a target of an attack so often in comparison to a dynamic website; yet, HTML websites can still be hacked and malicious code can be inserted in the HTML. For example, if you have an index.html, someone can inject malicious JavaScript in those html pages, but Site Scanner will detect those.

Does Site Scanner affect website speed or CPU usage?

Site Scanner is lightweight and consists of two main things. The first one is the scanning from a browser perspective, and it runs on a different infrastructure, not on your server. Every day, it opens your website and browses through some pages, generating about 10 or 15 page hits per day which is quite minimal and can be ignored. Second, there are the file scans and the file upload scans. These are things that run on your hosting server, but they’re lightweight and consume very little CPU time. Thus, neither website loading speed, nor CPU usage are affected by Site Scanner.

Is Site Scanner white-labeled?

If you’re reselling services, your end users will see the Site Scanner interface inside Site Tools (it’s white-labeled in that way), but they will not get the email reports. These reports will be delivered to the owner of the website only (the SiteGround client that owns the website). Your clients will also be able to use the quarantine option, they will be able to see the history of scans, as these are also white-labeled.

How to activate Site Scanner?

You can simply log in to your SiteGround Client Area > Marketplace > Hosting services > Additional services and select Site Scanner. You will then see the comparison table between the Basic and Premium plans to choose from, along with their respective prices.

Site Scanner vs. SiteGround WordPress Security plugin

Site Scanner protects your website by detecting threats, attacks and vulnerabilities, sends you notifications, and gives you tools to react. The SiteGround Security plugin on the other hand gives you the ability to increase the level of security of your WordPress website by placing more firewall rules, e.g. you can enable 2FA, block an IP address that is trying to access your website too many times, etc. 

While the plugin increases the security of your WordPress website, Site Scanner works for non-WordPress websites as well. If you have a WordPress website, we recommend that you get the plugin to boost your site security and also get Site Scanner to have a peace of mind that if something happens, you will be notified, able to react easily through the Site Scanner interface and do it on time.

Does 2FA work for the content users on WordPress?

In the SiteGround Security plugin, 2FA can only be enabled for users with elevated privileges, such as administrators, publishers, editors, etc. Once you enable 2FA, these users would have to fill in a token, generated on their Google Authenticator application, to be able to proceed with the login process.

We surely recommend enabling 2FA for your registered users. The only thing that you need to keep in mind is that this might require you to spend some more time supporting end users, when they don’t have access to their phone/email address.

At the end of the day, it depends on your business – if you want your clients to have easy access to your website and to the information you provide, it doesn’t make much sense to enable 2FA. If the website provides access to confidential information that should be protected, then it makes a lot of sense to enable 2FA for the end users of the website.

Does SiteGround have something similar to the “Limit Login Attempts” blacklist feature and how effective is it?

We have this feature in the SiteGround Security plugin and it has proven effective for preventing brute-force attacks.

Can you use Site Scanner and SiteGround Security plugin, if your website is hosted elsewhere?

Our Site Scanner service can be used only for websites that are hosted on our platform. However, the SiteGround Security plugin can be used for any WordPress website, regardless of your web hosting provider, so installing it is the least you can do for your WordPress website security.

What is the best way to prevent visitors or bots from sending emails that appear to come from the domain of your website?

When attackers forge the ‘From’ email address, that’s called email spoofing. There is no way to completely prevent that, but you can restrict it. To do that, you need to specify in the DNS zone of each of your domains which mail servers/IPs are authorized to send emails on behalf of that domain by creating these DNS records: SPF, DKIM, DMARC. In this way, the mail servers of the recipients will be able to better distinguish if the emails are legitimate ones, which were sent from your mailboxes, or phishing attempts.