Sucuri Review – What Can This Free WordPress Security Plugin Do For You?

Posted on March 29, 2017 by in Tips & Tricks | 27 comments

A while back, we talked about Wordfence and whether it really is the best WordPress security plugin on the market, as its user numbers suggest. Yet, while popular, Wordfence is far from the only one of its kind.

In fact, with Sucuri, GoDaddy recently acquired one of its main competitors. High time we did a detailed Sucuri review!

For the uninitiated, Sucuri is a company specializing in website security. It offers many different services, such as cleaning up hacked, compromised or blacklisted sites and protecting sites from DDoS, brute-force and other attacks.

It is important to note that Sucuri is not a WordPress-specific company. It also offers its services for Joomla, Drupal, Magento and other sites.

However, the company does seem to have a special interest in the WordPress platform. It works closely with the WordPress security team and some plugin providers and makes its research available to them.

Besides that, they have a security plugin in the WordPress directory, which is what we will mainly deal with in this article.

Let’s get started.

Sucuri Security – Installation and Setup

As the first step in this Sucuri review, we will install the plugin on our website and get it to work.

Install the Plugin

You can install Sucuri in the same way as any other WordPress plugin: go to Plugins > Add New and search for Sucuri. The plugin you are looking for is the first result.

[Screenshot: installing Sucuri Security from the plugin directory]

Click Install Now, then activate once the download is finished.

Complete Setup

The first thing you will see after activation is a message to generate an API key.

[Screenshot: Sucuri's API key reminder]

Just click the button, choose the correct user and hit Proceed to create one. You are not obligated to do so, but some features won't work without a key. That's it for setup.

Sucuri Security – Overview

Next, we will take a tour of the plugin and see what it has under the hood.

Dashboard

[Screenshot: Sucuri Security dashboard]

The dashboard shows the security status of your site. If you have enabled audit logs, you will also see a record of everything that has been going on with your site here.

To begin with, it shows the core integrity of your site. That means Sucuri checks your WordPress core files for modifications and unknown files and lists any problems so you can address them.

Of course, if the list contains files that you know are harmless, you can exclude them from the next scan: check the items in question and choose Mark as Fixed from the drop-down menu below. In the same place, you can also delete or restore files.

Malware Scan

[Screenshot: Sucuri malware scanner]

Similar to Wordfence, Sucuri Security contains a malware scanner. When you push the button, it checks your site for malware, errors and out-of-date components. It also checks whether you have been blacklisted by Google, Norton, AVG, PhishTank and other blacklists.

The scan will run automatically every three, twelve or twenty-four hours (depending on your settings). The default is twice daily.

Once it has run, you get a detailed report of its findings. Any issues present on your site are listed so you can take appropriate action if necessary.

[Screenshot: Sucuri scanner results]

Firewall

Of course, like any good security system, Sucuri also offers a firewall. When enabled, all site traffic first passes through Sucuri's servers before reaching your website. That way, they can filter out hackers, DDoS attacks and other undesirable traffic before it ever reaches you.

Doing so protects your site as well as your server and prevents downtime and slowdowns. It also protects you from SQL injection, backdoors and many other threats.

However, the firewall is not included in the free plugin. To enable it, you need an API key, which requires signing up for one of the paid plans.

Hardening

Under Hardening, Sucuri helps you take steps to fortify your website against outside threats. You can enable each feature with the click of a button.

  • Activate firewall — If you have the premium version, you can set up the firewall here.
  • Update WordPress — When your website or any of its components is not up to date, this section will warn you and prompt you to install the newest version.
  • Verify PHP version — Checks whether your server is running the latest version of PHP.
  • Remove WordPress version — Stops the version of your CMS from being publicly displayed.
  • Protect uploads directory — Disables the execution of PHP files inside your uploads directory. This can break certain plugins, so test beforehand.
  • Restrict wp-content access — Places an .htaccess file inside wp-content to prevent direct external access.
  • Restrict wp-includes access — The same as above, but for wp-includes.
  • Security keys — Checks for the presence of security keys inside wp-config.php. These make the information stored inside cookies harder to crack.
  • Information leakage — Checks for the presence of a readme.html file on your site (which contains your WordPress version) and deletes it.
  • Default admin account — Checks for a user named admin. This used to be the standard account name and remains a favorite target for hackers.
  • Plugin & theme editor — Disables the plugin and theme editor to prevent access to sensitive files by other users (and by hackers who have broken into your site).
  • Database table prefix — Checks whether your site runs with the standard wp_ database table prefix and lets you change it. Keeping the default prefix makes your site more vulnerable.

Besides that, you will also find the option to whitelist PHP files that have been blocked. Of course, you should only ever do this if you are certain the file is safe.

Post-Hack

[Screenshot: Sucuri's Post-Hack section]

This section of the plugin offers measures for when your site has been compromised:

  • Reset security keys — This option generates new salts inside wp-config.php.
  • User password reset — Prompts chosen users to create new passwords.
  • Reset plugins — In case plugins are infected, this lets you reinstall them at the touch of a button.
  • Available updates — Shows all components on your site that can (and should) be updated.

Many of these are actions you would normally be advised to carry out manually if your site has been hacked.
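To make the Hardening and Post-Hack items above concrete, here is an added example in POSIX shell. It is not code from Sucuri or the plugin; it audits a WordPress root for five of the hardening checks the review lists (information leakage via readme.html, the plugin/theme editor, security keys, the table prefix, and PHP execution in the uploads directory) and then rotates the security keys the way the Post-Hack "Reset security keys" option does. The fixture sites, the 64-character random keys read from /dev/urandom, the wp_ prefix replacement and the .htaccess rule are all constructed for the example; the plugin's own implementation of these steps is not shown on the page.

```shell
#!/bin/sh
# Added example (not Sucuri's or the plugin's code): audit a WordPress root for
# several of the Hardening checks and rotate security keys as in Post-Hack.
# Assumes the WordPress root passed as $1 contains wp-config.php.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
      AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one FINDING line per failed check and a final TOTAL line.
wp_audit() {
  root="$1"; cfg="$root/wp-config.php"; n=0

  # Information leakage: readme.html discloses the WordPress version.
  if [ -f "$root/readme.html" ]; then
    echo "FINDING: readme.html present in $root"; n=$((n + 1))
  fi

  # Plugin & theme editor: DISALLOW_FILE_EDIT should be defined as true.
  if ! grep -Eq "define[[:space:]]*\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
    echo "FINDING: DISALLOW_FILE_EDIT is not set to true"; n=$((n + 1))
  fi

  # Security keys: each key/salt must exist and must not be the placeholder
  # shipped in wp-config-sample.php, which leaves cookie material forgeable.
  for key in $KEYS; do
    line=$(grep -E "define[[:space:]]*\([[:space:]]*'$key'" "$cfg" 2>/dev/null || true)
    case "$line" in
      "") echo "FINDING: $key is not defined"; n=$((n + 1)) ;;
      *"put your unique phrase here"*)
          echo "FINDING: $key still holds the placeholder value"; n=$((n + 1)) ;;
    esac
  done

  # Database table prefix: the default wp_ prefix is what the plugin flags.
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg" 2>/dev/null; then
    echo "FINDING: database table prefix is the default wp_"; n=$((n + 1))
  fi

  # Uploads directory: expect an .htaccess rule that addresses .php files.
  if ! grep -Eiq '\.php' "$root/wp-content/uploads/.htaccess" 2>/dev/null; then
    echo "FINDING: no .htaccess rule blocking PHP in wp-content/uploads"; n=$((n + 1))
  fi

  echo "TOTAL: $n"
  return 0
}

# Post-Hack "Reset security keys": replace every key/salt define with a fresh
# 64-character random value from /dev/urandom (constructed approach).
wp_reset_keys() {
  cfg="$1"
  for key in $KEYS; do
    val=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64)
    grep -v "'$key'" "$cfg" > "$cfg.tmp" || :
    mv "$cfg.tmp" "$cfg"
    echo "define('$key', '$val');" >> "$cfg"
  done
}

# Constructed fixture: a deliberately weak install that trips every check.
make_weak_site() {
  d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
  echo "<html>WordPress readme</html>" > "$d/readme.html"
  {
    echo "<?php"
    for key in $KEYS; do echo "define('$key', 'put your unique phrase here');"; done
    echo "\$table_prefix = 'wp_';"
  } > "$d/wp-config.php"
  echo "$d"
}

# Constructed fixture: the same install after applying the hardening steps.
make_hardened_site() {
  d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
  # Apache 2.4 rule that refuses to serve PHP files from uploads.
  printf '<FilesMatch "\\.php$">\n  Require all denied\n</FilesMatch>\n' \
    > "$d/wp-content/uploads/.htaccess"
  { echo "<?php"; echo "define('DISALLOW_FILE_EDIT', true);"; echo "\$table_prefix = 'k3f_';"; } \
    > "$d/wp-config.php"
  wp_reset_keys "$d/wp-config.php"
  echo "$d"
}

# Demo run: audit the weak site, rotate its keys, audit again.
site=$(make_weak_site)
wp_audit "$site"
wp_reset_keys "$site/wp-config.php"
wp_audit "$site" | tail -n 1
rm -rf "$site"
```

Run it against a real install with `wp_audit /var/www/html` after sourcing the file. The key-rotation function is deliberately destructive in the same sense the plugin's option is: every user is logged out once the keys change, so run it as part of a planned post-hack response rather than routinely.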

Last Logins

Here, Sucuri logs all logins to your site. You can check on your admin users, see who is currently logged in, and review failed login attempts and blocked users.

Settings

[Screenshot: Sucuri settings]

Naturally, the settings allow you to control everything about the plugin.

  • General — Configure your API key, paths for data storage, reverse proxy and IP settings, whether to collect passwords from failed login attempts, whether to monitor user comments for spam, and whether to enable audit logs in the dashboard. You can also set the date and time and reset all options.
  • Scanner — Configure the Sucuri malware scanner. Define which algorithm to use, the scanning frequency, whether to check core integrity and various other settings.
  • Alerts — Determine who to send security reports to, how often and for which events.
  • API Service — All settings to do with the Sucuri API.
  • Log exporter — Option to enable the export of security reports for further analysis.
  • Ignore Scanning — If your website is very large, here you can tell the scanner to ignore certain files and folders to avoid timeouts.
  • Ignore alerts — By default, Sucuri sends warning emails when certain post types are created or updated. This menu lets you switch off the alert for any post type you choose.
  • Trust IP — Set up trusted IPs for which no alerts are sent, which is especially useful if your site is accessed from a local area network.
  • Heartbeat — Settings for the WordPress Heartbeat API, which handles periodic communication between browser and server.

Site Info

Finally, this part contains everything Sucuri knows about your site: information on your plugins and server, scheduled tasks, the integrity of your .htaccess file, variables like the database name, table prefix and salts, and more, as well as settings for error logs.

Sucuri Security – User Friendliness

As you can see from the above, the plugin is chock-full of useful features. But how does it fare in terms of user friendliness?

In general, Sucuri Security is easy to use. Everything sits under one menu item, the settings are well structured, and the plugin comes with a sensible default configuration. Besides running a manual scan and going through the hardening options and settings once, there isn't much for most users to do.

That said, I found that some features, such as the core integrity check and audit log statistics, are disabled by default even though, in my opinion, they shouldn't be. The rest is pretty much set-it-and-forget-it.

The only real problem I ran into was that I was unable to create an API key. Although I clicked the button several times, the reminder to get an API key never vanished. Recovery via email didn't work either: nothing ever arrived in my inbox, even though test emails for the security alerts did.

So, Is Sucuri Worth It?

Overall, Sucuri offers a solid free security plugin for WordPress. It has a lot of great features, like the comprehensive scanning module, easy security hardening and help for hacked websites. Along with its monitoring tools, the plugin makes keeping your site safe quite easy.

The one thing that is missing, naturally, is the firewall. Other security plugins offer this feature for free, but Sucuri users need to pay to use it on their website.

That's understandable, since the firewall is Sucuri's flagship product and the main reason for its stellar reputation on the web. If you are running a valuable, high-traffic website, investing in this extra layer of security makes sense. Sucuri really knows what it is doing, and your site will be in good hands.

However, when it comes to free WordPress security plugins, Sucuri's offering does not really stand out from the crowd. If you want to protect your site on a budget, you should check out iThemes Security or Wordfence first. They offer many of the same features plus a firewall without costing anything.

We’d like to hear about your experience. Have you used Sucuri’s security plugin and/or their paid service in the past? If so, please tell us your thoughts in the comments section below!

27 Comments

  1. +1 for WordFence and iThemes Security. Thanks for the review.

    • Nick Schäferhoff

      Thanks for the comment, Mary!

  2. As somebody who often cleans up hacked WordPress sites, I was a little underwhelmed with the Sucuri Malware scan option.

    I understand it’s incredibly hard to pinpoint every single compromised file throughout a website, but for such a ‘market leader’ it doesn’t inspire much confidence when it completely misses such files, in my experience.

    The rest of the features though – great, can’t complain.

    • Nick Schäferhoff

      Thanks for your input. It’s great to hear from someone who does website security professionally.

  3. Been using them for years. They have saved several sites that were compromised. Highly recommend them. Email support is good but would like to be able to talk to human when a sticky mess requires more efforts.

    • Nick Schäferhoff

      Thanks for the comment, Wayne! Happy to hear you like their service. Good to have some inside information.

  4. GoDaddy just acquired this company.

    I’m not going to knock them, but given the GoDaddy track record, I’m not going to trust this tool for the long game.

    What I do recommend for devs, SMBs and bloggers is this service: We Watch Your Website

    We have been using them for years on a shared hosting plan and a VPS. They have secured our sites even when they can’t be updated to the latest version of WordPress. All the magic is server side and you don’t have to worry about managing plugins or setting rules. They do all that in the background and they also fix hacked sites. If you try them, all I have to say is “You're welcome”.

    • Nick Schäferhoff

      Thanks for the tip, Jaime. I have heard other people say they are worried about the acquisition. However, GoDaddy also bought ManageWP and their users seem to not have any problems.

  5. This plugin is a great little tool for performing some extra post-hack checks, hardening and seeing who’s trying to login to the site.

    We use Sucuri’s external tool which is great for monitoring and firewall and you could pair it up with the plugin if wanting to. For people just wanting a plugin for its features this is good and if also wanting something for more thorough scanning they can use WordFence.

    For sites that have been hacked it can be worth throwing this on soon after plus Wordfence to run some extra checks to be on the safe side.

    • Nick Schäferhoff

      Thanks for the input, Steven!

  6. The one I found is by a Daniel Cid? Is that the one?

    • That's the one.

  7. There should be no problem generating a free API Key for the Sucuri plugin. However, at the free level, you should uncheck the option for “Enable DNS lookups on startup,” as that’s for a premium plan. You can always reset the API key if needed.

    You can manage and test email addresses and notifications in the Sucuri Alerts Settings, and I’ve never had a problem with that. Just as with WordFence, alerts can be overwhelming, so good to check, tweak, and test.

    Keep in mind that the Sucuri Firewall is not a local server firewall, it’s a very powerful CloudProxy service that offers real-time protection along with CDN performance. You’d have to have a premium plan with WordFence to get real-time protection, but that’s not a proxy service, it’s still on the local server, and some report that WordFence may not play well with proxy setups.

    WordFence is a great service, as is Sucuri, they can run side-by-side, and they both have nice premium features. But the devil is in the details, and hackers like to play with the devil. Sucuri is a well-respected go-to service for recovering hacked sites and for CloudProxy protection, while WordFence is a favorite for free local server protection.

    • Nick Schäferhoff

      David, thanks a lot for weighing in. I’m not sure what the problem with generating an API key was. As mentioned, other emails arrived without a problem. And yes, the Sucuri Firewall service seems stellar, however, you need the budget for it. Thanks also for letting us know about the possibility of using both plugins at the same time.

  8. Great article! I have to admit though that my heart sank a bit as I read that GoDaddy had acquired Sucuri. I have had dealings with websites hosted on GoDaddy, and it hasn’t been pretty. Hopefully, the things that have made Sucuri great will be continued in the new business model.

    • Nick Schäferhoff

      Hey Mike, I have heard that fear in other places. However, WPTavern stated that Sucuri will continue to work as a standalone entity. Also, as I mentioned in another comment, ManageWP users have had a positive experience even after the service was acquired by GoDaddy.

  9. Best information.. Keep it up Sir.

    • Nick Schäferhoff

      Thank you, sir!

  10. Thank you. I was interested to see how it stacked up against Wordfence. Free version to free version.
    I’ll stick with Wordfence.
    Thanks again.

    • Nick Schäferhoff

      No problem, Ernest!

  11. Thanks for posting this comparison. I install WordFence on all the WordPress sites I can get my hands on. I found it to be effective. I have paid Sucuri to clean 4 WordPress sites so far. They are fast and helpful. They also give great webinars for free.

    • Nick Schäferhoff

      Thanks for the input, Dwayne! It’s important to have the right tools for each area. Glad you found yours.

  12. I have not used Sucuri as a plugin. After reading the comments for this article, I have to say I have also had issues with GoDaddy-hosted websites, so I think I’ll stick with WordFence.

    • Nick Schäferhoff

      Thanks, Frank! As long as it works for you. But Sucuri is pretty solid too.

  13. Have twice had Sucuri give me a false positive for malware. Both times I ran other checks as well as manually scanning my files for malicious code and came up empty. Both times when I questioned it with their support people, they just wanted me to pay to remove the malware that wasn’t actually there. I will never trust their service.

    • Nick Schäferhoff

      Hey Trevor, thanks for weighing in. Sorry to hear you had a negative experience with Sucuri.

  14. IMHO, the best combination is Sucuri to harden and scan the site + Ninjafirewall WAF to protect it in real time.
    Both plugins in their free version give you many more options and better security than Wordfence premium! They are much faster too, and that’s another very important factor.
