Sucuri Review 2022 – Investing in Your WordPress Security

Did you know that the average website gets attacked over 44 times per day? Having a website is essential when running a business, but not everyone knows how to keep it safe. In this review, we evaluate one of the leading WordPress security solutions, Sucuri.

by Ryan Sullivan

WordPress | WordPress Plugins | WordPress Security

Reading Time | 9 min

Sucuri Review 2022 - Investing in your WordPress security

Why do I need website security plugins for WordPress?

One of the first things you should do when creating your own website is to ensure you have adequate web security measures in place. You might not think that website hacking will happen to you, but with WordPress being one of the most commonly hacked and used Content Management Systems (CMS) around, no WordPress site is safe. Hackers can bring down your site, spread malware to your visitors, access sensitive information, or hijack your server.

But it’s not all doom and gloom. You can easily avoid a serious attack by taking proactive action. The simplest way to do this is with a WordPress security plugin. Let’s explore one of the top WordPress security integrations in 2022: Sucuri.

Table of Contents

What is Sucuri?

Sucuri is one of the leading names in software security, and their WordPress security plugin is among the most popular. While the Sucuri plugin is free to all WordPress users, some features are only available with a subscription, such as their Website Application Firewall (WAF). Still, the free version allows you to scan your site with all the tools you need to remove threats and keep your site running smoothly.

Sucuri’s top security features

The website security platform offers its users a set of essential security features for their WordPress sites to improve overall web security.

  • Security activity auditing tracks, monitors, and logs all security-related events in the Sucuri cloud to record changes and prevent hackers from wiping this information from your security logs.
  • File integrity monitoring records the optimal state of your files at integration, including core files, themes, and plugins, so web/system administrators can detect changes due to security breaches.
  • Remote malware scanning, powered by SiteCheck, remotely scans for malware to check if your site has been defaced or blacklisted.
  • Blocklist monitoring synchronizes with and checks popular blocklist engines (such as Norton and AVG) to scan and confirm if your website has been flagged with security issues.
  • Effective security hardening reduces vulnerabilities and closes all back doors for potential attacks.
  • Post-hack security actions confirm what needs to be done after a security hack (see instructions below)
  • Security notifications alert website owners about security breaches.

Additional Sucuri benefits

Sucuri’s login monitoring system is important for almost everyone implementing website hardening rules. The plugin makes this process easy, as all it takes is a single click. Sucuri can assist with removing your domain from blacklists and can also help you to:

  1. Remove malware from your hacked website;
  2. Access your hacked website if you get locked out;
  3. Put a stop to hacking or DDoS attacks.

In short, it’s a perfect web security tool for users needing a quick, off-the-shelf solution to secure their websites.

Sucuri as a CDN

In addition to providing website security, the platform also serves as a content delivery network (CDN). Essentially, a CDN automatically caches your website and speeds it up by up to 70 percent. It ensures your website is working optimally during traffic spikes and DDoS attacks through the use of a distributed network.

What does this mean? If your web hosting server is based in the United States, for example, an online user in Italy (Europe) would need their computer to reach your hosting server all the way across the Atlantic Ocean. This will add extra seconds to each of your website asset’s loading times (e.g., your web images, content, videos, JavaScript, CSS, etc.).

Sucuri’s CDN is built on multiple secure data centers or points of presence (PoP) worldwide, which means your web data can be transferred directly from an online visitor’s closest data center. This will significantly decrease your web page’s load time.

How does the Sucuri firewall work?

The firewall is designed to stop website hacks and attacks (including bad web traffic). It works by pointing your domain name to Sucuri’s cloud-based platform and then routing the web traffic to your WordPress host. The web application firewall acts as a virtual security guard, blocking unwanted traffic before it even gets to your host.

Sucuri firewall features

In addition to its website acceleration, caching, and CDN functionality, the firewall boasts the following features:

  1. It is easy to enable and manage.
  2. Users have direct access to their support team to help get you onboarded and configured.
  3. It protects your website against SQL Injections, XSS, RCE, RFU, and all known attacks.
  4. It provides virtual patching and hardening to improve your security posture.
  5. It offers full DDoS protection on all plans.
  6. It gives you brute force protection.
  7. It blocks malicious bots and vulnerability scanners from accessing your site.

Sucuri’s core integrity check and post-hack features

This top WordPress security plugin includes a Core Integrity Check – a tool that checks the integrity of the core WordPress files. This check also covers PHP, JavaScript, CSS, and other files that come with your original WordPress version.

Why is this important?

Attackers modify these core files with pieces of code to allow them to bypass the security of your website. By identifying these file modifications, it allows you to patch them and avoid possible reinfection.

How to use Sucuri if your site’s been hacked

If your website has been hacked, immediate action must be taken to prevent further damage. The post-hack feature allows you to reset security keys, reset user passwords, reset installed plugins and check for available plugins and theme updates.

1. To reset security keys
  • Click on ‘Settings.’
  • Select ‘Post Hack.’
  • Select ‘Generate New Security Keys.’
2. To reset user passwords
  • Select ‘Post Hack.’
  • Select the ‘Reset User Password’ section.
  • Check the radio button next to the user accounts and click ‘Submit.’
  • All users will receive an email with a strong temporary password.
3. To reset installed plugins
  • Select ‘Post Hack’
  • Select the ‘Reset Installed Plugins’ section.
  • Check the radio button next to the plugins you would like to reinstall and click ‘Submit.’

As soon as patches become available, it is important to install them to prevent future attacks.

4. To update plugins and themes
  • Select ‘Post Hack.’
  • Select the ‘Available Plugin’ and ‘Themes Updates’ sections.
  • Download the themes you want to update.
  • Once the download is complete, you can manually upload them in:
    • Appearance > Themes > Add New > Upload Theme.
    • Plugins > Add New > Upload Plugin

How do I set up Sucuri on my site?

Step 1: Find and install the plugin.

Click on ‘Plugins’ on your WordPress dashboard and search for the Sucuri plugin. Install and activate the plugin. Click on the plugin to allow it to load and scan your site.

Step 2: Generate the API key for the Sucuri plugin.

Log into your WordPress website as an administrator and open the plugin. Click ‘Generate API Key’ on the upper right side of your screen. Read and check the Terms of Service and Privacy Policy radio buttons. Click Submit. You will be sent an email confirmation to your site’s primary email address.

Step 3: Monitor hacks.

Once the API key is generated, Sucuri will communicate with a remote API service which will act as a safe data storage for the audit logs generated when the website triggers specific events that the plugin monitors. If someone hacks your website, they won’t have access to these logs. Now you can investigate any modifications (for malware infection) and how the attacker gained access to the website.

Step 4: Make sure to harden your WordPress security to protect your site from cyberattacks.

You can do this by adding a set of rules in your .htaccess file and verifying secure configurations. To enable and disable security hardening in the WordPress security plugin:

  • Log in to the WordPress dashboard.
  • Go to Settings, which you’ll find on the right-side menu under the Sucuri Plugin.
  • Go to the top menu and select ‘Hardening.’
  • Click the ‘Apply Hardening’ button to any of the security options.

Step 5: Set default email address for email alerts.

By default, your email alerts are set to be received by the account used for the initial installation of WordPress on your web server. The tool allows you to add multiple email accounts to receive the same alerts. Daily scan reports will automatically be sent to the default email account used when setting up the plugin. Alternatively, you could also manually scan your site at any time and customize your alert configuration as needed.

Step 6: Adjust malware detection settings, if necessary.

This malware scanner is a powerful tool integrated into the website security plugin; it allows you to scan your website for malware, website errors, outdated software, blocklist status, and security anomalies. You can change the malware detection settings by going to Settings and clicking on the menu options on top of the screen.

Step 7: Connect the Sucuri Firewall to the WordPress plugin using the firewall plugin option:

A Web Application Firewall (WAF) is crucial if you want advanced protection. It blocks bad traffic to your website and prevents DDoS attacks. You can connect it to your WordPress site as follows.

  • Click on ‘Dashboard.’
  • Click the ‘Firewall (WAF)’ button.
  • On the sidebar, go to ‘Firewall’ (WAF).
  • Paste your API key and click ‘save.’

Is Sucuri right for you?

Sucuri protects your website from hackers, malware, DDoS, and blacklists. This is achieved by routing all your site traffic through their cloud proxy firewall before sending it traffic to your hosting server. Doing this allows only legitimate visitors to visit your site and blocks all attackers.

Plugin safety and reliability

As of May 2021, Sucuri had 800,000+ active installations, has been tested up to WordPress version 5.7.2, and scores an average rating of 4.3 out of five stars. These figures indicate that it is a trusted website security solution for thousands of WordPress owners.

There is further proof in the pudding, however. In 2017, the company was acquired by the popular web hosting company, GoDaddy, to develop security products and advance Sucuri’s security offerings. Sucuri Labs is their technical research unit, which actively finds and examines emerging website threats to keep abreast of web security trends and solutions.

Sucuri vs. Cloudflare and Sitelock

All three of these products are effective cloud-based website security and protection solutions. That said, according to customer reviews, Sucuri is ahead of the curve in terms of threat detection, protection against malware, and overall customer satisfaction. No other security plugin offers a DNS-level firewall.


If price is a big factor, this website security solution might not be the one for you. The plugin is free to WordPress users, but the full package starts at $199 a year.

Contact SiteCare

You need to assess what level of security your business needs when choosing a security solution. If you would like expert help to protect your WordPress site from all kinds of malicious activity, contact SiteCare about our WordPress maintenance and security services.

Ryan Sullivan | Chief Operating Officer

Ryan Sullivan is Chief Operating Officer at SiteCare, LLC. With a background in information and open source technology, Ryan has been calming technical tidal waves, and helping businesses and publishers succeed online for 10+ years. Ryan is also an avid golfer and loves tuning in to Utah Jazz.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *