A while back we talked about Wordfence and whether it is really the best WordPress security plugin on the market (as its user numbers suggest). Yet, while popular, Wordfence is far from the only one of its kind.
In fact, GoDaddy recently acquired Sucuri, one of Wordfence's main competitors. High time we did a detailed Sucuri review!
For the uninitiated, Sucuri is a company specializing in website security. It offers services such as cleaning up hacked, compromised or blacklisted sites and protecting sites against DDoS, brute-force and other attacks.
It’s important to note that Sucuri is not a WordPress-specific company. They also offer their services for Joomla, Drupal, Magento and other sites.
However, they do seem to have a special interest in the WordPress platform. The company works closely with the WordPress security team and with some plugin developers, and shares its research with them.
Besides that, they have a security plugin in the WordPress directory, which is what we will mainly deal with in this article.
Let’s get started.
Sucuri Security – Installation and Setup
As the first step in this Sucuri review, we will install the plugin on our website and get it to work.
Install the Plugin
You can install Sucuri in the same way as any other WordPress plugin. Go to Plugins > Add New and search for Sucuri. The plugin you are looking for, Sucuri Security, is normally the first result; check the author name before installing.
Click Install Now, then activate once the download is finished.
The first thing you will see after activation is a prompt to generate an API key.
Click the button, choose the user whose email address should be tied to the key and hit Proceed. You are not obliged to do so, but some features will not work without it. That's it for setup.
Sucuri Security – Overview
In the next step, we will take a tour around the plugin and see what it has under the hood.
The dashboard shows the security status of your site. With audit logging enabled, it also shows a log of everything that has been going on with your site (logins, updates, file changes and so on).
To begin with, it shows the core integrity of your site. That means Sucuri compares your WordPress core files against the official checksums for your version and lists modified, missing and unknown files so you can address them.
Of course, if files appear in the list that you know are not a problem, you can exclude them from the next scan. For that, check the items in question and use Mark as Fixed from the drop-down menu below. In the same place you can also delete files or restore the original version. Only mark a file as fixed once you have actually looked at it; a modified core file you cannot explain is a strong indicator of a compromise.
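To make concrete what the core integrity check above does, here is an added example (it is not code from the Sucuri plugin) that hashes every file under a WordPress install and compares the result with a manifest of expected MD5 sums, the same shape the WordPress.org checksums API returns for a given version. The install, the manifest and the tampered files are constructed in a temporary directory so the script runs offline; no hash in it comes from a real WordPress release, and the name `SKIP_DIRS` is this example's own.

```python
"""Added example, not code from the Sucuri plugin: a minimal core-integrity
check.  Every file under a WordPress install is hashed and compared against a
manifest of expected MD5 sums ({"wp-login.php": "<md5>", ...}), the shape the
WordPress.org checksums API returns.  The install and manifest are constructed
in a temporary directory so the example runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level directories excluded from the core check, because plugins, themes
# and uploads legitimately contain files that are not part of core.
SKIP_DIRS = {"wp-content"}


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_integrity(root, manifest):
    """Compare the tree under `root` with `manifest` (relative path -> md5).

    Returns sorted lists of modified core files, core files missing from disk,
    and files on disk that the manifest does not know about at all.
    """
    root = Path(root)
    seen = set()
    modified, unknown = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in SKIP_DIRS]
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                unknown.append(rel)       # dropped file, e.g. a web shell
            elif md5_of(root / rel) != expected:
                modified.append(rel)      # tampered core file
    missing = [rel for rel in manifest if rel not in seen]
    return {"modified": sorted(modified), "missing": sorted(missing), "unknown": sorted(unknown)}


def build_fixture():
    """Create a throwaway mini install plus its manifest (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="wp-integrity-"))
    core = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.8';\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in core.items()}
    for rel, body in core.items():
        if rel == "wp-includes/version.php":
            continue                      # left out on purpose: reported as missing
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    # Tampering: a line appended to a core file changes its hash.
    with (root / "wp-login.php").open("ab") as fh:
        fh.write(b"// injected\n")
    # A file that is not part of core, sitting in a core directory.
    (root / "wp-admin").mkdir()
    (root / "wp-admin" / "shell.php").write_bytes(b"<?php // not a core file\n")
    # A plugin file: lives under wp-content, which the core check skips.
    (root / "wp-content" / "plugins").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "hello.php").write_bytes(b"<?php\n")
    return root, manifest


def demo():
    root, manifest = build_fixture()
    return check_integrity(root, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Running `demo()` reports `wp-login.php` as modified, `wp-includes/version.php` as missing and `wp-admin/shell.php` as unknown, while the plugin file under `wp-content` is ignored. That skip is also the blind spot of a core-only check: anything dropped into a plugin, theme or uploads directory needs a different scan.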
Similar to Wordfence, Sucuri Security contains a malware scanner. When you push the button, it checks your site for malware, errors and out-of-date components, and also checks whether you have been blacklisted by Google, Norton, AVG, PhishTank and other blacklists. Note that this scan is remote: it inspects what your site serves to visitors, so a backdoor that does not show up in page output will not be found this way. That is what the core integrity check is for.
The scan will run automatically every three, twelve or twenty-four hours (depending on your settings). The default is twice daily.
Once it has run through, you get a detailed report of its findings. Any issues present on your site are listed on it so you can take appropriate action if necessary.
Of course, like any good security system, Sucuri also offers a firewall. It is a cloud-based web application firewall: you point your site's DNS at Sucuri's network, all traffic passes through their reverse proxies first, and known attack patterns, DDoS traffic and other undesirable requests are filtered out before they ever reach your server.
Doing so protects your site as well as your server, prevents downtime and slowdowns, and blocks SQL injection attempts, requests to known backdoors and many other threats at the edge. One caveat worth knowing: the protection only holds if your origin server accepts traffic from Sucuri's network alone. If it still answers requests from arbitrary IP addresses, anyone who learns the origin IP can bypass the firewall entirely.
However, the firewall is not included in the free plugin. To enable it, you need a firewall API key, which means signing up for one of the paid plans.
Under Hardening, Sucuri helps you take steps to fortify your website from outside threats. You can enable each feature comfortably with the click of a button.
- Activate firewall — If you have the premium version, you can set up the firewall here.
- Update WordPress — When your website or any of its components are not up to date, this section warns you and prompts you to get the newest version.
- Verify PHP version — Checks whether your server is running a supported, current version of PHP.
- Remove WordPress version — Stops the version number from being published (WordPress prints it in the generator meta tag and in feeds by default). This hides the version from casual scanners but fixes nothing, so it is no substitute for updating.
- Protect uploads directory — Disables the execution of PHP files inside your uploads directory, the classic drop location for web shells. This can break plugins that rely on executable files there, so test beforehand.
- Restrict wp-content access — Places an .htaccess file inside wp-content that blocks direct requests for PHP files in it. This only has an effect on Apache; nginx ignores .htaccess files, so the equivalent rule has to go into the server configuration there.
- Restrict wp-includes access — The same as above, but for wp-includes.
- Security keys — Checks that the security keys and salts are present in wp-config.php. WordPress uses them to sign authentication cookies and nonces; without unique values, login cookies are far easier to forge.
- Information leakage — Checks for the presence of a readme.html file on your site (which contains your WordPress version) and deletes it.
- Default admin account — Checks for a user named admin. This used to be the default account in earlier versions and remains a favorite target: an attacker who already knows the username only has to guess the password.
- Plugin & theme editor — Disables the built-in plugin and theme editor (by setting DISALLOW_FILE_EDIT in wp-config.php), so that neither other users nor an attacker who has obtained an admin login can edit PHP files from the dashboard.
- Database table prefix — Checks whether your site runs with the standard wp_ database table prefix and lets you change it. A custom prefix is a small obscurity measure against canned SQL injection payloads, not a fix for the injection itself.
Besides that, you will also find the option to whitelist PHP files that have been blocked by the restrictions above. Only do this for files you have inspected and that genuinely need to be requested directly.
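Several of the hardening items above come down to a handful of files and settings on disk, so here is an added example (not code from the Sucuri plugin) that audits a WordPress install for them offline: it parses wp-config.php for the table prefix, the eight security keys and DISALLOW_FILE_EDIT, and looks for readme.html and for a PHP-blocking .htaccess in the uploads directory. Two installs, a weak one with the stock defaults and a hardened one, are constructed in temporary directories; the .htaccess rule written for the hardened one is the usual Apache `<Files>` block, not a copy of what Sucuri writes, and the finding names are this example's own.

```python
"""Added example, not code from the Sucuri plugin: an offline audit of a few
hardening items against a WordPress install on disk.  The installs used here
are constructed; the .htaccess rule is a generic Apache one."""
import re
import secrets
import tempfile
from pathlib import Path

SECURITY_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Value shipped in wp-config-sample.php; still in place on far too many sites.
PLACEHOLDER = "put your unique phrase here"

DEFINE_STR = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
DEFINE_FILE_EDIT = re.compile(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)")
TABLE_PREFIX = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def audit(root):
    """Return {finding: bool}; True means the weakness is present."""
    root = Path(root)
    config = (root / "wp-config.php").read_text()
    strings = dict(DEFINE_STR.findall(config))
    prefix_match = TABLE_PREFIX.search(config)
    prefix = prefix_match.group(1) if prefix_match else "wp_"   # WordPress default

    # A key is weak if it is missing, still the sample placeholder, or short.
    weak_keys = [
        name for name in SECURITY_KEYS
        if strings.get(name) in (None, PLACEHOLDER) or len(strings[name]) < 32
    ]

    uploads_htaccess = root / "wp-content" / "uploads" / ".htaccess"
    php_blocked = uploads_htaccess.exists() and re.search(
        r"<Files[^>]*\.php", uploads_htaccess.read_text()) is not None

    return {
        "file_editor_enabled": DEFINE_FILE_EDIT.search(config) is None,
        "default_table_prefix": prefix == "wp_",
        "weak_security_keys": bool(weak_keys),
        "readme_html_present": (root / "readme.html").exists(),
        "uploads_php_executable": not php_blocked,
    }


def write_install(hardened: bool):
    """Construct a mini install; hardened=False reproduces the stock defaults."""
    root = Path(tempfile.mkdtemp(prefix="wp-hardening-"))
    keys = {name: secrets.token_urlsafe(48) if hardened else PLACEHOLDER
            for name in SECURITY_KEYS}
    lines = ["<?php"]
    lines += [f"define('{name}', '{value}');" for name, value in keys.items()]
    lines.append(f"$table_prefix = '{'k3q_' if hardened else 'wp_'}';")
    if hardened:
        lines.append("define('DISALLOW_FILE_EDIT', true);")
    (root / "wp-config.php").write_text("\n".join(lines) + "\n")

    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    if hardened:
        # Apache only: nginx ignores .htaccess, so the same rule belongs in the
        # server config there.
        (uploads / ".htaccess").write_text("<Files *.php>\n    deny from all\n</Files>\n")
    else:
        (root / "readme.html").write_text("<html>WordPress 4.8</html>\n")
    return root


def demo():
    return {"weak": audit(write_install(False)),
            "hardened": audit(write_install(True))}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

For the weak install every finding is true; for the hardened one none is. Checks that need a running site (the published version number, the existence of a user named admin) are left out on purpose, since they are answered by HTTP responses and the database rather than by files.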
The Post-Hack section of the plugin offers measures for when your site has been compromised:
- Reset security keys — Generates new keys and salts in wp-config.php. Since WordPress signs every login cookie with them, this invalidates all existing sessions, including the attacker's, and forces everyone to log in again.
- User password reset — Prompts the chosen users to create new passwords.
- Reset plugins — In case plugins are infected, this lets you re-install fresh copies from the WordPress plugin directory at the touch of a button.
- Available updates — Shows all components on your site that can (and should) be updated.
These are the same steps you would normally be told to perform by hand after a hack; the plugin simply bundles them. Note that they revoke access but do not remove the cause: if you do not find and close the hole the attacker came in through, the site will be compromised again.
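To show why the first two Post-Hack steps above log everyone out, here is an added example (not WordPress's or Sucuri's own code) that models how WordPress signs its authentication cookie with the security keys. It follows the construction of wp_generate_auth_cookie(): an HMAC-MD5 "wp_hash" keyed with KEY concatenated with SALT, then HMAC-SHA256 over the cookie fields, with the user's password-hash fragment mixed into the inner key. The session-token bookkeeping and the cookie scheme selection are left out, the user record and its password hashes are constructed, and `reset_security_keys` stands in for the plugin's own reset.

```python
"""Added example, not WordPress's or Sucuri's code: a simplified model of the
WordPress auth cookie, used to show that rotating the security keys or the
user's password invalidates every existing login.  User data is constructed."""
import hashlib
import hmac
import secrets
import time


def wp_hash(data: str, keys: dict) -> str:
    # wp_hash(): HMAC-MD5 of the data, keyed with AUTH_KEY . AUTH_SALT.
    key = (keys["AUTH_KEY"] + keys["AUTH_SALT"]).encode()
    return hmac.new(key, data.encode(), hashlib.md5).hexdigest()


def cookie_mac(login: str, pass_frag: str, expiration: str, token: str, keys: dict) -> str:
    # The inner key binds the cookie to a fragment of the stored password hash,
    # so a password change invalidates the cookie just like a key change does.
    inner = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", keys)
    return hmac.new(inner.encode(), f"{login}|{expiration}|{token}".encode(),
                    hashlib.sha256).hexdigest()


def generate_auth_cookie(user: dict, expiration: int, keys: dict) -> str:
    pass_frag = user["pass_hash"][8:12]        # WordPress: substr(user_pass, 8, 4)
    token = secrets.token_hex(21)              # per-session token
    mac = cookie_mac(user["login"], pass_frag, str(expiration), token, keys)
    return f"{user['login']}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie: str, user: dict, keys: dict, now: int) -> bool:
    try:
        login, expiration, token, mac = cookie.split("|")
    except ValueError:
        return False                           # malformed cookie
    if login != user["login"] or int(expiration) < now:
        return False                           # wrong user or expired
    expected = cookie_mac(login, user["pass_hash"][8:12], expiration, token, keys)
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def reset_security_keys() -> dict:
    """What the Post-Hack 'reset security keys' step does, in effect."""
    return {"AUTH_KEY": secrets.token_urlsafe(48), "AUTH_SALT": secrets.token_urlsafe(48)}


def demo():
    now = int(time.time())
    keys = reset_security_keys()
    # Constructed user record; the hash is a placeholder, not a real phpass hash.
    user = {"login": "alice", "pass_hash": "$P$BqXy6QZk9vQ1MmB2Cj7qI9Hc8Gk0Dq1"}
    cookie = generate_auth_cookie(user, now + 14 * 86400, keys)

    valid_now = validate_auth_cookie(cookie, user, keys, now)
    # 1. Rotate the keys: the identical cookie no longer verifies.
    after_key_reset = validate_auth_cookie(cookie, user, reset_security_keys(), now)
    # 2. Reset the password instead: pass_frag changes, so the cookie dies too.
    user_new_pw = dict(user, pass_hash="$P$BnewHashValue0123456789abcdefghij")
    after_pw_reset = validate_auth_cookie(cookie, user_new_pw, keys, now)
    # 3. Rewrite the login field to another account: the MAC no longer matches.
    forged = "admin" + cookie[len("alice"):]
    forged_ok = validate_auth_cookie(forged, dict(user, login="admin"), keys, now)
    return valid_now, after_key_reset, after_pw_reset, forged_ok


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False, False)`: the cookie verifies as issued, fails after a key reset, fails after a password reset, and cannot be re-pointed at another account. That is the whole reason the plugin's reset is worthwhile after a compromise: an attacker who has stolen or forged a cookie keeps it until the keys change.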
The Last Logins section logs all logins to your site. You can check on your admin users, see who is currently logged in, review failed login attempts and see blocked users.
Naturally, the settings allow you to control everything about the plugin.
- General — Configure your API key, paths for data storage, reverse proxy and IP settings, whether to collect passwords from failed login attempts, whether to monitor user comments for spam and whether to show audit logs in the dashboard. You can also set date and time and reset all options. Think twice before collecting failed-login passwords: attempts by legitimate users are often near-misses of their real password, and storing them makes your site one more place where those passwords can be stolen.
- Scanner — Configure the Sucuri malware scanner. Define which algorithm to use, the scanning frequency, whether to check for core integrity and various other settings.
- Alerts — Determine who to send security reports to, how often and in what events.
- API Service — All settings to do with the Sucuri API.
- Log exporter — Option to enable the export of security reports for further analysis.
- Ignore Scanning — In case your website is very large, here you can tell the scanner to ignore certain files and folders to avoid timeouts.
- Ignore alerts — By default Sucuri sends warning emails if certain post types are created or updated. This menu lets you switch off this alarm for any post type you want.
- Trust IP — Set up trusted IP addresses (your office network, for example) for which no alerts are sent.
- Heartbeat — Settings for WordPress's Heartbeat API, the periodic background polling between browser and server that powers autosave, post locking and session checks.
Finally, the Site Info section contains everything Sucuri knows about your site: information on your plugins and server, scheduled tasks, the integrity of your .htaccess file, variables like the database name, table prefix and salts, and the settings for error logs.
Sucuri Security – User Friendliness
In general, Sucuri Security is easy to use. Everything sits under one menu item, the settings are well structured and the plugin comes with a sensible default configuration. Besides running a manual scan and going through the hardening options and settings once, there isn't much to do for most users.
However, I found that some features are disabled by default that, in my opinion, shouldn’t be. For example, checks for core integrity and audit log statistics. However, the rest is pretty much set it and forget it.
The only real problem I ran into was that I was unable to create an API key. Although I clicked the button several times, the reminder to get my API key never vanished. Recovery via email also didn’t work. Nothing ever arrived in my inbox even though test emails for the security alarms did make it there.
So, Is Sucuri Worth It?
Overall, Sucuri offers a solid free security plugin for WordPress. It has a lot of great features, like the comprehensive scanning module, easy security hardening and help for hacked websites. Along with its monitoring tools, the plugin makes keeping your site safe quite easy.
The one thing that is missing, naturally, is the firewall. Other security plugins offer a firewall for free, but Sucuri users need to pay to use it for their website. The two are not quite the same thing, though: a plugin-level firewall runs inside PHP on your own server and only sees a request once WordPress starts handling it, whereas Sucuri's filters traffic before it reaches your server at all.
That’s understandable, since the firewall is Sucuri’s flagship product and the main reason for their stellar reputation on the web. If you are running a valuable high-traffic website, investing in this extra layer of security makes sense. Sucuri really know what they are doing and your site will be in good hands.
However, when it comes to free WordPress security plugins, Sucuri's offer does not really stand out from the crowd. If you want to protect your site on a budget, you should check out iThemes Security or Wordfence first. They offer many of the same features plus a firewall without costing anything.
We’d like to hear about your experience. Have you used Sucuri’s security plugin and/or their paid service in the past? If so, please tell us your thoughts in the comments section below!