Sucuri sits at the top of the hill when it comes to the best WordPress security plugins. Every WordPress website should have a security plugin installed, and you can’t go wrong by installing the Sucuri scanner plugin. The company offers a premium subscription to those who need additional coverage, but many WordPress users (800,000+ at the time of this review) find the free version to be adequate at keeping their sites locked down. In this post, we are going to walk you through the major features of Sucuri and review the overall status of the plugin to help you determine whether or not it’s the best security plugin for your site.
Setting Up the Sucuri Security Plugin
Installing Sucuri is as easy as it can get. Head to the Sucuri’s page on the WordPress.org plugin repository and download it. Or go straight to Plugins – Add New in your WP admin panel. When activated, a new menu option appears titled Sucuri Security with a pop-out menu.
Sucuri’s First Review of Your Site
First thing, we suggest taking a look at your Dashboard. Before altering any settings, we feel it’s a good idea to check out your dashboard first to see what Sucuri tells you about the base security of your site.
The image above is a kind of worst-case scenario. Sucuri immediately noticed issues with the installation (1) that have been in place since 2011 (2). Big yikes. Luckily, (2) tells us that our server’s PHP and WP version are up-to-date.
Click on the Review False Positives link in (1) and compare it to the list in (3). For us, they match up. Which means the files are (likely) not malicious since Sucuri’s database has them flagged as false positives that also hit criteria for their scan (modified WP core files).
In this case, most the modified files are from the TinyMCE plugin (which is the base software for the Classic Editor before the introduction of Gutenberg/the Block Editor). With that in mind, we felt it was okay to delete them. Especially since the dates for modification were so long ago.
After that…voila! Sucuri then lets you review everything that just happened.
You should see a clean and secure site and what files were removed. You will also see specifically Sucuri scans for and that your site is not blacklisted by any services because it was compromised. This is the best-case scenario. Thanks, Sucuri!
How to Use Sucuri
After becoming comfortable with the dashboard, it’s time to run a full site scan. You will need to generate an API key. The button for which is found at the very top of the Sucuri dashboard.
You then need to review and confirm your information for Sucuri to generate the key.
With that done, your site will be registered into their database, and your dashboard will update accordingly with Sucuri’s key verification.
You can then click on the Refresh Malware Scan link in the dashboard to recheck the last scan, but for a new scan, you will need to go to Sucuri’s SiteCheck website. As long as your API key is active, you can enter the matching URL to start the scan.
Note this is a remote scan and Sucuri only has access to your files via API. This isn’t like a server-side scan or a scan in that it can access all the files locally. But it is incredibly thorough and picks up on major and minor threats to your site health.
Because of it being a remote scan, Sucuri does offer premium complete scans from their team of experts. That is definitely an upsell, but the free scan is absolutely safe and deep enough for most website owners.
Reviewing Sucuri’s Advanced and Essential Features
Let’s review other major features users can get from the free version of Sucuri. Login Tracking is absolutely at the top of those. Brute force attacks are common against WordPress sites, and compromised passwords and usernames are just as dangerous.
You can find the login protection and tracking under Sucuri Security – Last Logins in your WP admin panel. Keeping an eye on this is absolutely essential for full security.
Additionally, Website Hardening is incredibly useful at preventing unwanted intrusion and malware injections. Basically, Sucuri writes ruls into your site and .htaccess codes that prevent potentially dangerous actions from taking place. Such as PHP files in your /wp-content directory.
Hardening isn’t the same thing as a Web Application Firewall (WAF), where external intrusions are blocked and filtered, but it does basically put a shell around your website that prevents potentially dangerous stuff from just slipping in unhindered. Plus, if it causes a problem, you can revert the hardening whenever you want.
The primary benefit for purchasing a subscription to Sucuri is the Web Application Firewall (WAF).
A WAF is the primary defense most sites use against hackers and attackers, being a ruleset and reactionary plugin that prevents unwanted access in real-time. Sucuri doesn’t offer this for free, but includes it with their Premium platform or as a standalone subscription. Solo, you can get firewall support for $9.99 to $19.99.
Though the $9.99 tier doesn’t include SSL support, so nearly every site will need to bump to the $19.99 Pro subscription because SSL certificates are all but required for every site these days.
Additionally, for other premium features such as CDN integration, malware removal and cleanup, 6-12 hour scan intervals, and reputation monitoring, the price increases to $299.99 per year. While Sucuri offers a $199.99 annual plan, it also doesn’t support SSL certificates, which we feel makes it a non-starter.
Keep in mind that if you pay for the WAF monthly, you will be paying approximately $240 where as an annual payment with increased protection for ~$60 extra dollars per year. That, we feel is a worthwhile increase for the additional features included.
Who is Sucuri For?
In the end, Sucuri is an incredibly solid security platform. The free version of the plugin provides users a scan of their site with all the tools they need to manually remove threats and keep their site running smooth. The login monitoring is a must for almost everyone, and website hardening rules in a click are a rare find in WordPress security plugins. For those who need a quick update and check for their site, Sucuri can do that.
If you have it in your budget, the Sucuri premium platform is definitely worth it. Those who need a full security solution, such as larger sites and ecommerce storefronts, that includes real-time DDoS prevention and assisted removal and improved support will find it with Sucuri. Putting your trust in their team is not going to be misplaced.
Sucuri Review Summary
Every single WordPress site needs security. The CMS is far too ubiquitous and prone to attack to leave yourself unguarded. Sucuri is an excellent choice for people who think they might have had an intrusion already and want to harden the security all around. While the WAF isn’t free to protect against real-time threats, if you set the hardening rules on Sucuri, many threats will bounce right off your website like a rock off a turtle shell.
Let’s review your experiences been with Sucuri. Let us know in the comments!