Review of SiteGround
We'?€™ve used SiteGround for years and appreciated the performance and support until we encountered a serious server-level security issue.An external audit flagged our server (Business Cloud plan) as having port 5432 (PostgreSQL) publicly exposed. We do not use PostgreSQL at all our entire stack is WordPress and MySQL/MariaDB. Yet SiteGround would not close the port unless we purchased a Dedicated IP per site, even though:'?€ ? The service is unused'?€ ? The port is unrelated to any hosted domain'?€ ? This is a managed hosting planIn response, SiteGround confirmed that the port is intentionally left open to maintain their internal monitoring system and cannot be closed unless a Dedicated IP is purchased for each domain. They emphasized that PostgreSQL is '?€œsecured'?€ ? by requiring whitelisted IPs but this still means the service is installed, listening, and publicly discoverable.That'?€™s not considered secure-by-default. Hardened infrastructure disables unused services and closes unnecessary ports, especially in a shared cloud environment. Exposing unnecessary services even if authentication is required increases the attack surface and violates common hardening standards (CIS, OWASP, NIST).When we attempted to escalate, support ended the chat without acknowledgment. No engineering follow-up, no opt-out, no system-level solution. Just a sales path to pay for isolation.We'?€™re now migrating all of our client sites off SiteGround to infrastructure where unused services are never installed in the first place no upsells required for responsible defaults. We'?€™re doing so in phases, based on client security profiles and risk exposure. SiteGround still performs well in some areas, but their current security model and escalation path make them a poor fit for anyone managing professional, audit-sensitive, or client-facing sites.
