Sucuri Review – Is This WordPress Security Plugin Worth Using?

What is Sucuri?

Sucuri is a website security tool. It is cloud-based, and it helps to secure a website against malicious codes and hackers. It filters all traffic before it can reach the server where your website is hosted.

It offers some interesting features, such as security hardening, integrity monitoring, and malware detection. All scans that Sucuri performs happen remotely. There are no server-level deep scans. This allows keeping the server load low.

For premium users, the service offers unlimited support for security incidents. In general, it offers performance improvements for websites, and also promises to protect them from all threats.

WordPress Security – Some Statistical Data

WordPress is, by far, the world’s most celebrated Content Management System (CMS). You can gauge its popularity by the fact that it powers 35% of all websites in this world. The problem with such immense popularity is that it also attracts a lot of troubles.

If you need an idea of the extent of the threat that WordPress users face, here is a set of data that will take you by surprise:

  • According to research by the Sucuri team and GoDaddy Security, 90% of all CMS-based websites hacked in 2018 were powered by WordPress.
  • According to CNN, Google blacklists 10,000 websites every day on an average. These websites are the ones that host and spread malware.
  • According to, blacklisted websites can lose up to 95% of their organic traffic.
  • According to WPTemplate, 41% of all WordPress-powered websites that are hacked fall prey to hackers because their hosting platforms have vulnerabilities.
  • According to, 60% of small businesses that become victims of cyber attacks shut down their businesses in as little as 60 days!

The problem is that majority of these cyber or hacking attacks actually happen on small as well as medium businesses.

Alarmed? Wait! There’s more to give you sleepless nights!

A Wordfence study found something interesting about the attack vectors (that is, the medium through which the attacks take place).

Here is a quick graphical representation of the study:

Image Source: Wordfence
Image Source: Wordfence

Look at the image again and again. It shows that vulnerabilities in plugins are the major culprits for the most number of hacks in the case of WordPress websites. Around 55.9% of all hacks are caused by faulty or outdated plugins.

The next biggest vector is the brute force attack that allows attackers to guess weak passwords. Yes, the password you set for your website can play an instrumental role.

Brute force attacks account for 16.1% of the hacking attempts.

According to Sucuri, 36.7% of all hacked WP sites were compromised because they used an older, outdated, and vulnerable version of the WordPress core software.

Other vectors also include the themes that you use, phishing attempts, FTP hacks, an insider job, workstation hacks, and more.

So, it is wise that you keep your plugins and themes updated. Especially when the developers are releasing security patches, never wait! Go ahead and update your theme or plugins.

Okay, now that you are aware of the extent of the threat that you face, you must know or learn how to secure your WordPress website.

The Standing Pillars of Website Security

Whether it is a WordPress website you are running or any other software-powered website, you should understand that you need to thwart hacking attempts actively. Restoring your website after a hack is nothing but a cure. It is always better to take preventive measures than going for treatment!

Here are the three pillars of any website security:

  1. Stage one: Prevent
  2. Stage two: Detect
  3. Stage three: Respond and recover

What do these mean? Let us find out!


Prevention is the first step and the most logical one. Why do you want to wait until your website is hacked? So, the first line of defense is always to keep malicious codes away from your WordPress website.

Some of the methods you can deploy include WAF or Web Application Firewall, antivirus, DDoS attack protection, email filters, bad bot detection, and prevention, etc.

You need to understand that while WordPress itself is very secure, the problem comes from plugins and themes. So, even though using WordPress is free, you need to invest in the security aspect, which, most of the time, is often the last priority for many website owners. Don’t be one of them.


The second phase comes only when prevention fails. The detection phase starts with full awareness of any security incidence as soon as it happens so that you can take action immediately so that you can stop significant damages.

To detect an incident, you need to use various tools like integrity monitoring, network scanning, and intrusion detection systems.

It is really important that your hosting provider as detection systems in place at a server level. You can also take advantage of various security plugins designed for WordPress, such as Wordfence, Sucuri, etc.

Respond and Recover

This is the last stage where you need to hope for the best by deploying quick and efficient countermeasures. However, when you start with recovery measures, you do have to keep yourself prepared for the worst outcome.

A proper recovery solution requires alienating the problems and cleaning up all malicious codes. Cleaning up is not the final solution. There has to be forensic work as well to identify the root cause that led to the incident in the first place.

The forensic study will help you to come up with a strategy that will prevent any future issues like that. You also need to come up with a backup plan so that in the event of similar incidents in the future, you will have a complete backup of your website, just in case recovery fails.

The Big Question and the Way Out

Now that you know how it all works, the next big question that bothers everyone (and that includes me) is how to approach the whole security aspect when you are not an expert in the field?

True! Not everyone can be an expert. So, there are solutions that you need to find. The basic solution that I use contains three core things:

  • Harden security from my end.
  • Pay a security service to keep guarding my websites.
  • When an incident occurs, ask the security service to do the cleanup and forensic task.

This is where Sucuri comes in for me.

One of the major reasons why I depend on Sucuri is that it is cloud-based. Wordfence or similar options are there, but going for any local (server-based) system is not a thing that I will prefer.

In case you don’t know, such local scanning systems put a lot of pressure on the server, thereby significantly reducing the website speed.

As I keep saying always, I prefer fast websites. So, my websites must be fast as well. This is where cloud services play a significant role.

You need to understand one thing very clearly. Website security is not a destination that you will eventually reach. It is a never-ending journey. So, your task is to make your journey smoother with each step. The path you choose will define how smooth your journey will be.

Okay, out of philosophy mode! In this blurb, I am going to tell you all about Sucuri. So, have patience and stay till the very end. It will be important for the future of your website.

Sucuri Overview in a Table

So, what does the Sucuri service offers to people? Here is a quick table that will give you a quick overview:

Web Application Firewall (WAF)Available
Malware RemovalAvailable
Website Integrity ScanAvailable
SSL Support on WAFAvailable
DDoS ProtectionAvailable
Zero-Day Exploits PreventionAvailable
CDN for SpeedAvailable
Remote Scanning (Cloud-based)Available
Self-Hosted PlatformNot Available (because it is cloud-based)
Tweaks in System SecurityNot Available (everything controlled in the cloud)

Okay, now that you have a brief idea about the features that Sucuri offers, let me walk you through the WordPress plugin. In the process, I will let you know how it works.

Sounds good? Let’s begin!

How Sucuri Works?

Let me clarify it in the beginning. Sucuri is a great service, but it is not the final word in website security. You have to harden the security of your website as much as you can. Sucuri is an add on – an extra layer of security that will try to keep your website safe.

Remember that the hardening of the server is the job of the web hosting company (unless you are looking for dedicated servers). So, choose wisely.

I can suggest a few, but most of them are cloud hosting services. So, here is a quick list of hosting companies that I will suggest because they are known for offering great security features on the server-side:

Cloud HostingShared Hosting / WordPress Hosting
Digital OceanBluehost
Amazon Web ServicesDreamHost
Google Cloud HostingKinsta
CloudwaysInMotion Hosting
Liquid WebSiteGround

Now, getting back to Sucuri, there are three elements in the service. They are:

Sucuri Security: This is a WordPress plugin that is geared towards hardening the standard WordPress features. It will not give you access to the WAF. If you need WAF access, you have to upgrade.

WAF (Sucuri Firewall): This is a premium service. However, you can seamlessly integrate it with the Sucuri Security plugin using API. You can use both the Sucuri Security and the Sucuri Firewall as standalone features. This means that you don’t need the Sucuri Security plugin to run the Sucuri Firewall on your website.

Sucuri Firewall will give you WAF or Web Application Firewall, DDoS mitigation, IDS or Intrusion Detection System, load balancing to ensure high availability, and various other features.

Sucuri Platform: It includes a complete suite of cloud-based security tools and features. The Sucuri Platform will give you access to the Sucuri Firewall plus a host of other tools that include detection, monitoring, incidence response, etc.

If you sign up for the Sucuri Platform, they nerds out there will do everything from malware removal to brand reputation management (including blacklist monitoring). The Sucuri Platform is pricey, and the minimum price you need to pay $199 a year.

Sucuri works in a simple and efficient fashion. Here are the three steps that explain how Sucuri works:

Step 1: Traffic comes to your website. This traffic includes everything from spam, hackers, brute force attacks, SQL injections, DDoS attacks, bad bots, and good traffic.

Step 2: Sucuri Cloud will profile all traffic, check the signatures and heuristics, and correlation engine.

Step 3: Sucuri will filter out all bad traffic and send only the authentic traffic to your website.

That’s the simplest explanation I can give to you. However, you need to know that Sucuri will also track every change that is happening on your website and keep a log of the same. The logs are on the cloud servers of Sucuri.

You can always audit these logs to find out what changed and when it changed. This will tell you what went wrong (if at all anything went wrong). This insight will help you to quickly resolve the issue.

What Does Sucuri Offer for WordPress?

For WordPress, Sucuri has two main offerings:

  1. The free Sucuri Security plugin.
  2. The cloud-based Sucuri Firewall.

Let us take a look at each one of them separately.

Sucuri Plugin for WordPress

The Sucuri plugin is a free offering from Sucuri. You cannot get WAF with this option. However, you can purchase a WAF subscription separately and integrate it with ease.

The basic plan price starts at $9.99 a month. However, that’s not very effective in the sense that it will not give support for the SSL certificate. It is better that you opt for the Pro version that will cost you $19.98 per month.

Once you install the Sucuri plugin, you will be greeted with the dashboard, which will give you some interesting details on the WordPress integrity, Audit Logs, iFrames, Links, Scripts, etc.

Here is how it looks like:


In the dashboard, you can see the tabs for audit logs, iframes, links, and scripts.

This is where you will see every instance of scripts, links, iframes, etc. running on your website. The audit logs tab will show you all the changes that took place recently. It will also show you the list of failed login attempts and more.

Here is a quick look:

You can also see whether your website is clean or not, and whether it is blacklisted or not. Here is a closer look:

It is not unusual for Sucuri to show a false positive on the dashboard. It will tell you that there are a set of files that were modified and that they may indicate a hack or a broken file.

This is what you will look at:

You should still check all of them, and if they are indeed a false positive, you can ignore it, or you can mark them as fixed.

Once you mark them as fixed, the warning will disappear. This is what you will see:

Next time Sucuri runs a scan, it will remember the settings for the files and will not give false positives for them.

Switching over to the Settings segment, you will find several tabs that will allow you to finetune Sucuri for your website.

Here is how the settings panel looks like:

Note that there is no API Key present. You need to get this API key to get web services. You don’t need to pay for this API Key. All you have to do is to click on the Generate API Key button on the tab, and you will receive the API key directly in your email.

Enter the key using the Manual Activation button. Once you do that, this is what you will see:

The API key will prevent hackers from deleting all audit logs (in case they get access to your WordPress site). This is because all the logs will be stored on Sucuri servers. You can access them anytime.

This general settings tab will also give you the option of exporting audit logs to your local storage (your computer’s hard disk). There are other options like Reverse Proxy, IP Address Discoverer, Timezone Override, and Sucuri settings import and export options.

In case you are not aware of what Reverse Proxy means and how it works, it is better that you leave it enabled (which is the default setting). It is more useful when the Sucuri Firewall is enabled.

It is better that you don’t change anything in this tab. Sucuri determines what is best for your website and offers the necessary settings by default.

Moving on to the scanner tab, you can see the set of scanning tasks that are scheduled. Here is how the tab and the scheduled scan looks like:

You can determine how frequently you want to run scans.

In the scanner tab, you can also see the option of WordPress Integrity Diff Utility. You should enable this. It allows you to compare two versions of WordPress files in case there are some changes made to certain files.

It will also give you the list of false positives that you marked as solved. On this tab, you can also set the files and folders that you want to exclude from the Sucuri scan.

Now, moving on to the Hardening tab, you will see a set of options that you can either enable or disable. This is how it looks like:

The first option will remain red unless you include a Firewall API key. You need to purchase this option.

The rest of the settings are included in the free option. I will suggest that you apply hardening to all the options you see.

However, when you apply hardening to all the features, there may be instances where your website breaks. This happens because hardening will prevent access to various folders and directories that various plugins and themes use.

If your site breaks, you can create exceptions and whitelist some PHP files that are required by the plugins and themes to keep the functionality of your website intact. This is what the segment looks like:

I cannot tell you which one to whitelist and which one not to whitelist, because that will depend on the plugins and themes that you are using. You have to figure it out by yourself.

The next tab is Post-Hack. It is a handy one. If your website was hacked, and you managed to recover it, this is the tab where you can update all secret key, change user passwords, reset plugins, update themes and plugins, etc.

This is how the post-hack tab looks like:

Moving on to the next tab (Alerts), you will be able to set who gets the alerts and at what interval and frequency. You can also add a trusted IP address and set how may alerts you get every hour.

Choose wisely. The problem here is that if you increase the frequency, your email inbox will be filled with hundreds of Sucuri emails. That can be truly frustrating.

This is how the tab looks like:

There is nothing much to explain here. Take your time to finetune the settings in this tab.

Moving on to the next tab, we have the API Service Communication. This is how the tab looks like:

This tab is primarily for developers. So, it is better that you do not make any changes here. This tab allows developers to access the remote API service of Sucuri.

The final tab is called Website Info. This is where you will get all the technical information about your website, which includes things like the Sucuri plugin version, server operating system, server type, PHP version, etc. There is nothing to do here.

This is how the tab looks like:

That’s all about the Sucuri Security plugin.

Cloud-Based Sucuri Firewall

Now moving forward, there is a Sucuri Firewall service available for WordPress. You can go ahead and purchase a plan if you want to use it.

The premium service does a stellar job in protecting your website from DDoS attacks and gives bad bot protection. It also filters out all the junk traffic.

If you go for the Sucuri Firewall, you don’t even need the Sucuri WordPress plugin (and that is what I will recommend keeping lower the server load).

All you have to is to point your DNS to Sucuri nameservers! That’s all!

To point your website to their nameservers, you need to go ahead and point your website’s A record to the IP address provided by Sucuri. You can do this by altering the domain host zone files from your domain registrar’s dashboard. The dashboard differs from registrar to registrar.

Remember that DNS propagation can take up to 48 hours (sometimes 72 hours). So, be patient. Once the propagation is complete, you can log into your Sucuri dashboard and set the security rules under the “Security” tab. This is how it will look like:

Be careful about enabling Emergency DDoS protection. You should enable it only when you think your website is under DDoS attack. Sucuri’s HTTP flood protection will prevent any person from using a Javascript-disabled browser to access your website (barring major search engines).

Once you see things are normalized, turn off the feature, because keeping it on will create an additional HTTP request that will add to the initial document load, and that’s not a good thing because it will increase your page load time.

You can then move on to the “Performance” tab to enable caching. Unless you are running an e-commerce site, I will say that you used the recommended cache setting. In case you are protecting an e-commerce site with Sucuri, use the site caching option.

Also, do not forget to enable compression. This will ensure that the number of bytes sent over the internet is reduced, thereby improving the overall performance of your website.

This is where you do that:

Yet another great feature is the geo-blocking option you can get with a premium subscription. You can block people from a country of choice from accessing your website completely, or you can allow them to read your website in read-only mode. People from those countries cannot comment, subscribe, or perform other such tasks.

You get that feature under the Access Control tab.

Here is what it looks like:

There is more that you can do on this tab. I will say that you use the options wisely, especially when you are trying to block anything.

How Easy Is It To Use Sucuri?

The Sucuri Security WordPress plugin is easy to use. It is designed to be a plug-and-play plugin. Only a few configurations here and there is all you need.

If there is some setting the Sucuri recommends, all you have to do is to enable it using a single click.

You don’t have to worry about anything else. Set it up once and forget it. That’s how easy it is to use.

When it comes to the Sucuri Firewall, the story remains the same with the overall interface. The only work that you need to do is to point the domain to their servers. From there on, Sucuri will take care of everything.

Yes, you can finetune a few settings; however, most of the default options are good enough. You can improve security even further by activating other options.

The heavy lifting of the backend settings is all taken care of by the Sucuri team, and you don’t need to bother about that at all!

How Well Does the WordPress Plugin By Sucuri Work?

If you are thinking that the Sucuri WordPress is going to give you protection from DDoS attacks or brute force attacks, you are broadly mistaken. It is not going to do that for you. However, it will help you to in hardening the basic WordPress security.

It is really good at sniffing out the smallest of changes taking place in your core WordPress files. These data can be very helpful in finding out what’s going on with your website.

So, if you are looking for a security solution that will shield you from hackers and malicious code injections, you need to go for the Sucuri Firewall, and it is not free.

What’s great about the Sucuri plugin is that the logs stay on the Sucuri server. This means that if you are locked out by a hacker, and you are unable to access your website, you can check the logs from Sucuri servers and find out the best things you can do to gain back the controls of your website.

When it comes to malware removal and website recovery, the only way you can get that from Sucuri is to get a premium Sucuri Platform subscription.

What Didn’t I Like About Sucuri?

What I don’t like about Sucuri is that the WordPress plugin will only tell you what is wrong. It will not tell you what to do to fix those issues. For noobs or rookies, this isn’t always a viable option.

Also, Sucuri’s premium plans are quite expensive, even for a single site license. This may prevent many small and new businesses from using their services. While using only the WAF is less expensive, using only that instead of the full suite leaves a lot to desire for.

In the worst-case scenario, if your website is hacked, you will have to sign up for a full suite to get back full control and a clean website. Many people argue that the high prices are justified in the long run, I feel that the justification comes only when the actual tasks of malware removal and brand reputation management are accomplished.

For simple monitoring and protection, a lower price tag would have been more meaningful. Sucuri could have charged separately for those things while keeping all other services in the lower price spectrum.

Conclusion: Should You Use Sucuri? Do I Recommend It?

Yes! I recommend it, and you should use it. For the time being, you can start with a WAF subscription. That’s often enough to keep your website safe. In the worst-case scenario, if your website gets hacked or infected with malware, you can then upgrade to a higher plan to get your website back.

Overall, Sucuri has a state-of-the-art security system that can help to protect your website – small or big. If you have the right budget, Sucuri is the right tool for you. However, I will never say that it is the only tool. In fact, you can get a cheaper and equally good alternative like MalCare. There are other alternatives that you can always check out.

Scroll to Top