Security Optimizer – The All-In-One Protection Plugin Security & Risk Analysis

wordpress.org/plugins/sg-security

Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.

1.0M active installs · v1.5.9 · PHP 7.0+ · WP 4.7+ · Updated Jan 15, 2026
Tags: firewall, login, malware-scanner, security, web-application-firewall
Score: 86 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Nov 30, 2025
Safety Verdict

Is Security Optimizer – The All-In-One Protection Plugin Safe to Use in 2026?

Generally Safe

Score 86/100

Security Optimizer – The All-In-One Protection Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 30, 2025 · Updated 2mo ago
Risk Assessment

The "sg-security" plugin v1.5.9 exhibits a mixed security posture. While it demonstrates good practices in areas like output escaping (97% proper) and using prepared statements for SQL (63%), significant concerns arise from its attack surface. Specifically, all three identified AJAX handlers lack authentication checks, creating an immediate and direct risk of unauthorized actions. The presence of one unsanitized path in the taint analysis, although not currently classified as critical or high, warrants further investigation as it could potentially lead to vulnerabilities.

The plugin's vulnerability history is a major red flag. A total of 5 known CVEs, including one critical, two high, and two medium, indicates a recurring pattern of security weaknesses. The types of past vulnerabilities, such as Missing Authorization, SQL Injection, and Authentication Bypass, directly correlate with the static analysis findings, particularly the unprotected AJAX handlers. The most recent vulnerability dates from late 2025; while some of these issues might have been addressed, the history of critical and high severity flaws remains a significant concern.

In conclusion, the "sg-security" plugin has potential strengths in its handling of output and SQL queries. However, the critical issue of unprotected AJAX endpoints and a history of severe vulnerabilities necessitate caution. The overall risk is elevated due to the direct exploitable entry points without proper authorization and the recurring nature of past security flaws.

Key Concerns

  • All AJAX handlers lack auth checks
  • Unsanitized path in taint analysis
  • 1 Critical CVE in history
  • 2 High CVEs in history
  • 2 Medium CVEs in history
  • Missing nonce checks on AJAX (implied by 3 without auth)
Vulnerabilities: 5

Security Optimizer – The All-In-One Protection Plugin Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Critical: 1
High: 2
Medium: 2

5 total CVEs

CVE-2025-66121 · medium · 5.3 · Missing Authorization

SiteGround Security <= 1.5.8 - Missing Authorization

Nov 30, 2025 · Patched in 1.5.9 (47d)

CVE-2024-38774 · medium · 4.3 · Missing Authorization

Security Optimizer – The All-In-One Protection Plugin <= 1.5.0 - Missing Authorization via hide_notice()

Jul 19, 2024 · Patched in 1.5.1 (7d)

CVE-2023-0234 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

SiteGround Security <= 1.3.0 - Authenticated (Administrator+) SQL Injection

Jan 13, 2023 · Patched in 1.3.1 (375d)

CVE-2022-0993 · high · 8.1 · Improper Authorization

SiteGround Security <= 1.2.5 - Authorization Weakness to Authentication Bypass

Apr 7, 2022 · Patched in 1.2.6 (656d)

CVE-2022-0992 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

SiteGround Security <= 1.2.5 - Authentication Bypass via 2FA Setup

Apr 6, 2022 · Patched in 1.2.6 (657d)

Code Analysis
Analyzed Mar 16, 2026

Security Optimizer – The All-In-One Protection Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 19 (32 prepared)
Unescaped Output: 7 (234 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 4
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

63% prepared · 51 total queries

Output Escaping

97% escaped · 241 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
redirect_with_token (core\Custom_Login_Url\Custom_Login_Url.php:175)

Attack Surface: 3 unprotected

Security Optimizer – The All-In-One Protection Plugin Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers 3

auth · wp_ajax_dismiss_sg_security_notice · core\Loader\Loader.php:290
auth · wp_ajax_dismiss_sgs_2fa_notice · core\Loader\Loader.php:392
auth · wp_ajax_sgs_clear_logs · core\Loader\Loader.php:459

WordPress Hooks 121

action · admin_notices · core\Admin\Admin.php:81
action · login_form_jetpack-sso · core\Custom_Login_Url\Custom_Login_Url.php:236
action · admin_menu · core\Loader\Loader.php:106
action · admin_init · core\Loader\Loader.php:108
filter · allowed_options · core\Loader\Loader.php:110
action · rest_api_init · core\Loader\Loader.php:113
action · admin_init · core\Loader\Loader.php:132
action · wp_login · core\Loader\Loader.php:136
action · siteground_data_collector_cron · core\Loader\Loader.php:140
action · siteground_data_collector_cron · core\Loader\Loader.php:142
action · cron_schedules · core\Loader\Loader.php:144
action · upgrader_process_complete · core\Loader\Loader.php:226
action · init · core\Loader\Loader.php:230
action · admin_menu · core\Loader\Loader.php:240
filter · custom_menu_order · core\Loader\Loader.php:241
filter · menu_order · core\Loader\Loader.php:242
action · admin_enqueue_scripts · core\Loader\Loader.php:243
action · admin_enqueue_scripts · core\Loader\Loader.php:244
action · admin_print_styles · core\Loader\Loader.php:245
action · admin_init · core\Loader\Loader.php:246
filter · admin_footer_text · core\Loader\Loader.php:247
action · init · core\Loader\Loader.php:256
action · _core_updated_successfully · core\Loader\Loader.php:257
filter · wp_die_handler · core\Loader\Loader.php:258
action · sgs_force_logout · core\Loader\Loader.php:259
action · rest_api_init · core\Loader\Loader.php:268
filter · user_request_action_email_content · core\Loader\Loader.php:282
filter · site_url · core\Loader\Loader.php:283
filter · wp_logout · core\Loader\Loader.php:284
filter · network_site_url · core\Loader\Loader.php:285
filter · wp_redirect · core\Loader\Loader.php:286
filter · plugins_loaded · core\Loader\Loader.php:287
filter · wp_new_user_notification_email · core\Loader\Loader.php:288
action · update_option_users_can_register · core\Loader\Loader.php:289
action · admin_notices · core\Loader\Loader.php:291
filter · wpdiscuz_login_link · core\Loader\Loader.php:292
action · wp_authenticate_user · core\Loader\Loader.php:293
action · login_init · core\Loader\Loader.php:294
filter · um_custom_authenticate_error_codes · core\Loader\Loader.php:295
filter · um_submit_form_error · core\Loader\Loader.php:296
action · illegal_user_logins · core\Loader\Loader.php:310
action · map_meta_cap · core\Loader\Loader.php:325
filter · the_generator · core\Loader\Loader.php:340
action · do_feed · core\Loader\Loader.php:359
action · do_feed_rdf · core\Loader\Loader.php:360
action · do_feed_rss · core\Loader\Loader.php:361
action · do_feed_rss2 · core\Loader\Loader.php:362
action · do_feed_atom · core\Loader\Loader.php:363
action · do_feed_rss2_comments · core\Loader\Loader.php:364
action · do_feed_atom_comments · core\Loader\Loader.php:365
action · wp_login · core\Loader\Loader.php:377
action · resetpass_form · core\Loader\Loader.php:378
action · validate_password_reset · core\Loader\Loader.php:379
action · password_reset · core\Loader\Loader.php:380
action · login_message · core\Loader\Loader.php:381
filter · pre_update_option_sg_security_sg2fa · core\Loader\Loader.php:390
action · admin_notices · core\Loader\Loader.php:391
action · wp_login · core\Loader\Loader.php:399
action · wp_login · core\Loader\Loader.php:400
action · login_form_sgs2fa · core\Loader\Loader.php:401
action · login_form_sgs2fabc · core\Loader\Loader.php:402
action · login_form_load_sgs2fabc · core\Loader\Loader.php:403
action · init · core\Loader\Loader.php:408
action · init · core\Loader\Loader.php:409
action · init · core\Loader\Loader.php:412
action · login_init · core\Loader\Loader.php:423
action · login_head · core\Loader\Loader.php:431
filter · login_errors · core\Loader\Loader.php:433
filter · wp_login · core\Loader\Loader.php:435
action · wp_insert_site · core\Loader\Loader.php:445
action · init · core\Loader\Loader.php:457
action · siteground_security_clear_logs_cron · core\Loader\Loader.php:461
action · add_attachment · core\Loader\Loader.php:464
action · edit_attachment · core\Loader\Loader.php:465
action · delete_attachment · core\Loader\Loader.php:466
action · wp_insert_comment · core\Loader\Loader.php:469
action · edit_comment · core\Loader\Loader.php:470
action · delete_comment · core\Loader\Loader.php:471
action · spam_comment · core\Loader\Loader.php:472
action · unspam_comment · core\Loader\Loader.php:473
action · trash_comment · core\Loader\Loader.php:474
action · untrash_comment · core\Loader\Loader.php:475
action · transition_comment_status · core\Loader\Loader.php:477
action · _core_updated_successfully · core\Loader\Loader.php:480
action · export_wp · core\Loader\Loader.php:483
action · updated_option · core\Loader\Loader.php:486
action · activated_plugin · core\Loader\Loader.php:489
action · deactivated_plugin · core\Loader\Loader.php:490
filter · update_option_recently_edited · core\Loader\Loader.php:491
action · upgrader_process_complete · core\Loader\Loader.php:492
action · upgrader_process_complete · core\Loader\Loader.php:493
action · delete_post · core\Loader\Loader.php:496
action · transition_post_status · core\Loader\Loader.php:497
action · created_term · core\Loader\Loader.php:500
action · edited_term · core\Loader\Loader.php:501
action · delete_term · core\Loader\Loader.php:502
action · switch_theme · core\Loader\Loader.php:505
filter · update_option_recently_edited · core\Loader\Loader.php:506
action · upgrader_process_complete · core\Loader\Loader.php:507
action · upgrader_process_complete · core\Loader\Loader.php:508
action · delete_site_transient_update_themes · core\Loader\Loader.php:509
action · customize_save · core\Loader\Loader.php:510
action · wp_login · core\Loader\Loader.php:513
action · wp_logout · core\Loader\Loader.php:514
action · delete_user · core\Loader\Loader.php:515
action · user_register · core\Loader\Loader.php:516
action · profile_update · core\Loader\Loader.php:517
filter · widget_update_callback · core\Loader\Loader.php:520
filter · sidebar_admin_setup · core\Loader\Loader.php:521
action · sgs_email_cron · core\Loader\Loader.php:539
action · sgs_email_cron · core\Loader\Loader.php:542
action · sgs_email_cron · core\Loader\Loader.php:545
action · after_setup_theme · core\Loader\Loader.php:555
action · upgrader_process_complete · core\Loader\Loader.php:557
action · init · core\Loader\Loader.php:567
action · init · core\Loader\Loader.php:578
action · wp_headers · core\Loader\Loader.php:589
filter · rest_post_dispatch · core\Loader\Loader.php:591
action · _core_updated_successfully · core\Loader\Loader.php:601
action · updated_option · core\Loader\Loader.php:616
action · added_option · core\Loader\Loader.php:617

Scheduled Events 1

siteground_security_clear_logs_cron
Maintenance & Trust

Security Optimizer – The All-In-One Protection Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 15, 2026
PHP min version: 7.0
Downloads: 31.9M

Community Trust

Rating: 90/100
Number of ratings: 153
Active installs: 1.0M
Developer Profile

Security Optimizer – The All-In-One Protection Plugin Developer Profile

SiteGround

4 plugins · 2.1M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 483 days
Detection Fingerprints

How We Detect Security Optimizer – The All-In-One Protection Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sg-security/assets/css/main.min.css
/wp-content/plugins/sg-security/assets/js/admin.js
/wp-content/plugins/sg-security/assets/js/main.min.js
/wp-content/plugins/sg-security/assets/js/admin_nonce.js
Script Paths
/wp-content/plugins/sg-security/assets/js/admin.js
/wp-content/plugins/sg-security/assets/js/main.min.js
/wp-content/plugins/sg-security/assets/js/admin_nonce.js
Version Parameters
sg-security/assets/css/main.min.css?ver=
sg-security/assets/js/admin.js?ver=
sg-security/assets/js/main.min.js?ver=
sg-security/assets/js/admin_nonce.js?ver=

HTML / DOM Fingerprints

JS Globals
window.sg_security_settings
REST Endpoints
/wp-json/sg-security/