How to use Security Optimizer Custom Filters
Table of Contents
In the realm of website management, security is paramount. We, at SiteGround, understand this, and thus we offer the powerful tool Security Optimizer. This plugin supports custom filters that allow you to enhance your WordPress website’s security in myriad ways.
Whether you need to revert a custom login URL to its default, clear allowed IP addresses, extend Two-Factor Authentication to additional users, or whitelist specific scripts, SiteGround’s custom filters have you covered.
In this article, we’ll show you how to leverage these custom filters to fortify your website’s security and ensure a safe and secure experience for your users.
Revert a custom login URL to its default
There are several instances when you might need to revert a custom WordPress login URL to its default. For instance, if you’ve forgotten the custom URL, reverting to the standard WordPress login URL can help you regain access to your admin dashboard. Additionally, certain plugins may conflict with a custom login URL, leading to functionality issues. In such cases, switching back to the default login URL can aid in troubleshooting.
Revert to the default login type by using the following snippet.
add_action( 'init', 'remove_custom_login_url' );
function remove_custom_login_url() {
update_option( 'sg_security_login_type', 'default' );
}Clear allowed IP addresses to regain access to the admin panel
If you lock yourself out of your admin panel, add the following option to your theme’s function.php file, reload the site, and regain access. Once access is restored, you can promptly remove the added option. However, note that this action will also remove all previously allowed IP addresses from accessing the login page. Therefore, a reconfiguration will be necessary to reinstate the desired IP access controls:
add_action( 'init', 'remove_login_access_data' );
function remove_login_access_data() {
update_option( 'sg_login_access', array() );
}Extend Two-Factor Authentication to additional users
You can extend the protection of Two-Factor Authentication to additional user roles as well. Once enabled, effortlessly enforce this enhanced security measure by employing the following filter in your setup:
add_filter( 'sg_security_2fa_roles', 'add_user_roles_to_2fa' );
function add_user_roles_to_2fa( $roles ) {
$roles[] = 'your_role';
return $roles;
}Change the 2FA encryption key file’s location
You can change the location of the 2FA encryption key file using SGS_ENCRYPTION_KEY_FILE_PATH constant defined in wp-config.php file. Make sure to use the full path to the file. Example:
// Custom path to Security Optimizer Encryption key file.
define ( 'SGS_ENCRYPTION_KEY_FILE_PATH', '/home/fullpathtofile/sgs_encrypt_key.php');Clear blocked IP addresses data
In the event that you unintentionally lock yourself out of the admin panel, you can add the following option to your theme’s function.php file and reload the site. Then promptly remove the added code once you’ve regained access. Note, that this action will also remove the IP block for unsuccessful login attempts from all IP addresses:
add_action( 'init', 'remove_unsuccessfull_attempts_block' );
function remove_unsuccessfull_attempts_block() {
update_option( 'sg_security_unsuccessful_login', array() );
}Whitelist a specific script from Lock and Protect System Folders
Lock and Protect System Folders allows you to block any malicious or unauthorized scripts from being executed in your applications system folders.
If the Lock and Protect System Folders option blocks a specific script used by another plugin on the website, you can easily whitelist the specific script by using the snippets provided below.
- Use this one to whitelist a file in the wp_includes folder:
add_filter( 'sgs_whitelist_wp_includes' , 'whitelist_file_in_wp_includes' );
function whitelist_file_in_wp_includes( $whitelist ) {
$whitelist[] = 'file_name.php';
$whitelist[] = 'another_file_name.php';
return $whitelist;
}- Use this one to whitelist a file in the wp_uploads folder:
add_filter( 'sgs_whitelist_wp_uploads' , 'whitelist_file_in_wp_uploads' );
function whitelist_file_in_wp_uploads( $whitelist ) {
$whitelist[] = 'file_name.php';
$whitelist[] = 'another_file_name.php';
return $whitelist;
}- Use the snippet below to whitelist a file in the wp_content folder:
add_filter( 'sgs_whitelist_wp_content' , 'whitelist_file_in_wp_content' );
function whitelist_file_in_wp_content( $whitelist ) {
$whitelist[] = 'file_name.php';
$whitelist[] = 'another_file_name.php';
return $whitelist;
}Set a Custom Log lifetime
For your convenience, we have provided a filter that allows you to set a custom log lifetime (in days). This gives you the flexibility to tailor the log retention period according to your specific needs:
add_filter( 'sgs_set_activity_log_lifetime', 'set_custom_log_lifetime' );
function set_custom_log_lifetime() {
return 'your-custom-log-lifetime-in-days';
}- Disable the activity log
If you need to disable the activity log, you can use the following filter. Keep in mind that this will also disable the Weekly Activity Log Emails.
add_action( 'init', 'deactivate_activity_log' );
function deactivate_activity_log() {
update_option( 'sg_security_disable_activity_log', 1 );
}- Fix issue with logs not being cleared on time
In case you have disabled the native WordPress Cron Job, and using UNIX cron setup instead, you can add the following rule to your website’s wp-config.php file in order to have the logs cleared on time:
define( 'SG_UNIX_CRON', true );Summary
This detailed guide delves into the various custom filters offered by SiteGround’s Security Optimizer to enhance your WordPress website’s security. We showed you how to revert a custom login URL to its default and clear allowed IP addresses for access recovery.
Additionally, the guide covers how to extend 2 Factor Authentication to user roles, whitelist specific scripts, or set a custom log lifetime. Each section includes code snippets for easy implementation. By leveraging these custom filters, you can effectively bolster your website’s security, providing a safe and reliable platform for your users.
Security Optimizer FAQs
Can other user roles be included in Two-Factor Authentication?
Yes, it is possible to enforce Two-Factor Authentication for other user roles as well. Once the feature is enabled, you can add a filter using the following code snippet:
add_filter( 'sg_security_2fa_roles', 'add_user_roles_to_2fa' );
function add_user_roles_to_2fa( $roles ) {
$roles[] = 'your_role';
return $roles;
}You can add additional fields if you would like more roles to be protected. You just need to substitute “your_role” with the exact user role that you would like to use.
I enabled Custom Login URL and a login page for customers redirects to 404
This usually happens if the customer’s login page still redirects to wp-login.php. When a Custom Login URL is set, it changes the default WordPress login URLs (/wp-admin, /wp-login.php) to the custom URL of your choice. Then all requests to the default login addresses will be redirected to 404 Not Found. To resolve the issue, you should change the link to the customer’s login page to match the Custom Login URL.