A wide open mouth. Sharp fangs ready to fracture a poor little animal. An unending body that must be close to 30 feet long.

Type “sucuri” on Google, and you’ll find yourself face to face with images of some pretty terrifying snakes. But why, in fact? Well, simply because the word you typed in the search engine is the Portuguese translation of anaconda.


You should realize that at first, I was just looking for more information about Sucuri, a security plugin for WordPress.

Fortunately, there’s nothing really bad about it. And it won’t eat you up after you activate it. Phew, you can take a deep breath!

Instead, this plugin is designed to help you eradicate other predators: nasty hackers and other files and malware that can infect your site.

By the end of this article, you’ll know how Sucuri works (the plugin, not the snake), and more importantly how to set it up step by step. Ready for a safe walk? Sssss, follow the guide.


What is Sucuri?

The Sucuri Security plugin for WordPress.

Sucuri Security is a WordPress security plugin that offers a suite of tools to help you protect your website: auditing of WordPress core files (PHP, CSS, JavaScript), malware and program analysis, security enforcement, email alerts, post-hacking security actions, etc.

Founded in 2012 by Daniel Cid, Sucuri was acquired in 2017 by the American hosting giant GoDaddy, which has been maintaining and developing it ever since.

The plugin was sold as a premium product until 2014; it is now completely free.

With 800K+ active installations, Sucuri is one of the most popular WordPress security plugins in the official directory, alongside competitors like Wordfence (5M+ active installations), iThemes Security (900K active installations), and All-in-One Security (1M+ active installations).

Sucuri, a free plugin backed by premium services

While it has a security plugin dedicated to the WordPress CMS, the company Sucuri offers several premium services based in the cloud to protect your website, regardless of the CMS (Content Management System) on which it runs: WordPress, Joomla, Magento, Drupal, Shopify, etc.

Among these services, there are:

  • A web application firewall (WAF) that protects your web server against various attacks: DDoS (distributed denial-of-service) attacks, brute force attacks, malware, phishing, ransomware, etc. This firewall comes with a CDN (Content Delivery Network) to boost your page loading speed.
    The WAF can be used alone or in addition to the Sucuri plugin.
  • The Sucuri security platform (Sucuri Website Security). In addition to the firewall and CDN, Sucuri offers several services to monitor the security of your site and can provide you with a dedicated team to clean up your WordPress in case of a hack.

Although these services are separate and can be used independently of each other, Sucuri states on the official directory that its plugin “complements your existing security tools. It is not designed to replace the Sucuri Website Security or Firewall products.”

In other words, if you want to protect your WordPress site as well as possible, using the plugin alone is not enough.

Why is securing your WordPress site important?

Before examining the features and other settings offered by Sucuri, let’s stop for a moment to consider the importance of security on a WordPress installation.

Using a dedicated plugin to protect yourself is a minimum, knowing that no WordPress site is infallible. As the most widely used CMS (Content Management System) on the planet, WordPress is naturally the target of numerous attacks on a daily basis.

2,800 attacks per second are said to target WordPress installations worldwide!


However, don’t panic. WordPress is a secure CMS. In its WordPress ecosystem security report, security expert Patchstack explains that 96% of security vulnerabilities come from third-party code (plugins and third-party themes), compared to 4% within the WordPress Core.

This is why it is essential to protect your site. The consequences of a hack can be disastrous and result in:

  • The loss or theft of data, some of it sensitive, especially your customers’ data.
  • A loss of time, because you will have to clean the hacked site and update everything.
  • Unplanned financial expenses, especially if you call in a security expert.
  • A degradation of your brand image and a possible loss of trust from your current users and/or future customers.

You get the point: do not neglect the security aspect of your site. Let’s move on to a detailed presentation of Sucuri.

How to install Sucuri

Step 1: Activate the Sucuri plugin on WordPress

To begin, install the plugin from your administration interface through the Plugins > Add New menu. Click on “Install Now”:

Sucuri can be installed from your WordPress dashboard.

Remember to activate the plugin. You will then find a new menu named “Sucuri Security”, in the left sidebar of your WordPress back-office:

The Sucuri Security plugin menu.

Step 2: Generate an API key

In order to activate some of the additional tools offered by the plugin, Sucuri recommends that you generate an API key.

API stands for Application Programming Interface. As explained very clearly in this article, “APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.”

To do this, click on the “Generate API Key” button at the top of your Dashboard:

Generation of an API key with Sucuri.

In the window that pops up brightly on your screen, choose the email address associated with your account, then accept the terms of service (if you agree). Click “Submit” when you’re ready.

You can choose the admin account associated with the API key.

And there you have it! Sucuri is ready to work. As it tells you after generating an API key, “this is not a quick fix for your security needs; it’s not a replacement for Sucuri Website Security or Firewall, but it will allow you to be more security conscious and take a better stance, with the goal of reducing risk.”

Now let’s find out how to set up the plugin, with a menu-by-menu dive.


How to set up and use Sucuri Security

Overview of the Sucuri dashboard

The first main menu offered by Sucuri Security is the Dashboard. This is where you will find the results of the audit conducted by the plugin on your site.

In concrete terms, Sucuri inspects your WordPress installation for any changes to the core WordPress files (those you find every time you download the CMS).

Sucuri automatically scans the files in the root, wp-admin and wp-includes directories, and then compares them to the files distributed with the major version of WordPress installed on your site (6.1.1, in my case).

As soon as Sucuri detects a file with inconsistencies, it displays it on your dashboard.
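To make this core-file audit concrete, here is an added example (not the plugin’s own code) of how such an integrity check works: hash every file of a pristine release, hash the live site, and report what was modified, deleted or added. The two sample trees, the stray error.log and readme.txt files and the file contents are all constructed; the plugin itself compares against the files distributed with your installed WordPress version rather than against a local copy.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def integrity_diff(baseline, current):
    """Classify files as modified, missing or added relative to the baseline manifest.
    A pristine release is the baseline; the live site's files are `current`."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed sample: a tiny 'release' tree and a copy of it that drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        release, site = Path(tmp) / "release", Path(tmp) / "site"
        for root in (release, site):
            (root / "wp-admin").mkdir(parents=True)
            (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
            (root / "wp-admin" / "about.php").write_text("<?php /* about page */\n")
        # Drift on the live site: one edited core file, one deleted, two stray files
        (site / "index.php").write_text("<?php /* unexpected edit */ require __DIR__ . '/wp-blog-header.php';\n")
        (site / "wp-admin" / "about.php").unlink()
        (site / "error.log").write_text("[01-Feb-2023 10:00:00 UTC] PHP Warning: constructed sample\n")
        (site / "readme.txt").write_text("constructed sample\n")
        return integrity_diff(hash_tree(release), hash_tree(site))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files that are simply unknown to the baseline, like the error.log and .txt files mentioned below, end up in the “added” bucket: the check proves they are not part of the release, not that they are malicious.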

If there is a problem, a red “X” appears, accompanied by a not very reassuring message of the same color: “Core WordPress Files Were Modified.”

Sucuri can let you know if your WordPress core files have been edited.

The file(s) may have been tampered with. In my case, Sucuri reports two supposed anomalies: a .txt file and an error.log file.

The latter lists the errors that occurred on your site (PHP errors, in particular). I then have several options to address the problems:

  • Mark the file as a false positive, if it’s a file I added myself, for example. Sucuri will ignore it during future scans.
  • Delete the file, if I think it is malicious.
  • Restore the original version of the file.

There are several options to resolve the problems found by Sucuri.

This scan is convenient but there is one main problem: for a beginner, it’s still quite difficult to know if the supposedly anomalous file is causing a real security problem on your site or not.

As a result, we don’t really know what to do. Leave the file as it is? Restore its original version? Delete it even if it means taking the risk of deleting important data? It’s not easy to figure out.

Below the panel dedicated to the analysis of the WordPress core, in addition to the audit logs, you will find several tabs indicating changes that have occurred on:

  • Iframes (HTML tags)
  • Links
  • Scripts

Finally, Sucuri also makes several recommendations to reinforce the security of my installation by suggesting, for example, that I remove unused plugins or disable the file editor in the administration:

Sucuri also gives security recommendations.

The application firewall: Firewall (WAF)

The second sub-menu of Sucuri is for the Sucuri firewall. To benefit from this, you must opt for one of the premium plans offered by Sucuri.

If you want to take this step, you just have to add your API key in the box provided.

With this firewall active, Sucuri ensures that your site will be protected from attacks and will prevent malware infections and reinfections.

In addition, the firewall “will block SQL injection attempts, brute force attacks, XSS (cross-site scripting), RFI (remote file inclusion, i.e. loading a remote file on your server), backdoors (remote access to your site), and many other threats to your site.”

Via the settings tabs, you are also able to:

  • Block certain IP addresses by entering them manually, so that they cannot access your site.
  • Enable caching, which will improve the performance of your WordPress site.

Sucuri firewall settings.

The menu related to logins: Last logins

Let’s move on to the third menu of the Sucuri plugin: “Last Logins.” Four tabs are available:

  • “All Users” shows all users who have successfully logged in to your WordPress admin
  • “Admins” shows all the people who have an “admin” account on your site
  • “Logged-in Users” details all users who are currently logged in
  • “Failed logins” shows you failed login attempts to your login page. This will help you to see very quickly if you are a victim of brute force attacks, for example.

The “Failed logins” tab on Sucuri.
Phew, no one has been attacking my site yet!

The Sucuri Settings menu

And finally, the last menu and the most copious. Here you will find several major features of Sucuri, which we will break down in detail, tab by tab.

General Settings tab

The General Settings tab has several panels. They include the following elements, which you can modify:

  • A directory with all your security logs (“Data storage”)
  • A log exporter
  • A reverse proxy, which you can activate
  • A module to import and export your Sucuri settings to another WordPress site

The Log Exporter on Sucuri.

Scanner tab

The “Scanner” tab includes a free tool offered by Sucuri called SiteCheck. In this tab, Sucuri shows you in particular:

  • The tasks scheduled for its scan (“scheduled tasks”). By default, the scan takes place once a day.
  • The “WordPress Integrity Diff” utility, which compares the files on your server with the original files of your site (root directories, themes, plugins, and WP core files).
  • Detected false positives.
  • An option to exclude certain files and folders from the scan, especially if they are too large.

Sucuri allows you to exclude certain files from scans.

Hardening tab

The “Hardening” tab lists ten security measures you can apply to prevent possible attacks. They will strengthen the security of your WordPress installation.

For example, with one click you can:

  • Block the execution of certain PHP files in the wp-content and wp-includes directories
  • Disable the file editor in your administration interface, to prevent a hacker from modifying your files
  • Remove the display of your WordPress version
  • Check if your WordPress version is up to date

Sucuri offers a tab with suggestions to improve the security of your site.

At the bottom of the page, it is also possible to manually exclude certain PHP files that have been blocked from running.

As a precautionary measure, back up your site (files + database) before applying any of these measures. You can use a backup plugin such as UpdraftPlus. And if possible, proceed on a test environment, not in production.

Post-Hack tab

As its name suggests, the “Post-Hack” tab offers several measures to be applied immediately after your site has been hacked. So I hope you never have to use it! ^^

Here’s what you can do:

  • Generate new security keys. They are defined in the wp-config.php file and are used to secure certain information (by hashing and signing it), especially the cookies of a user who logs in to the administration of your site. If a hacker is in possession of these cookies, he will be able to connect to your site even if you reset your password — unless you change your security keys!
  • Update user passwords
  • Reinstall your site’s plugins
  • Update your themes and plugins

Sucuri allows you to update your secret keys.

Sucuri Alerts tab

In the Alerts tab, you can configure settings related to the security alerts that Sucuri will send you by email.

By default, the plugin sends security notifications to the site’s main administrator (the one created during its installation). However, you can specify other email addresses to receive these notifications.

You can also manage the types of alerts you will receive, and authorize trusted IP addresses so that they do not generate alerts.

For example, you can specify:

  • A maximum number of alerts to receive per hour (from five to unlimited)
  • The number of failed login attempts per hour (brute force attacks) before an email alert is sent
  • The events that will trigger a security alert (e.g. changes in plugin settings, creation of a new login, deactivation of a theme or plugin, etc.)

Sucuri sends security alerts by email.
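To show what the failed-login threshold and the trusted-IP exclusion amount to, here is an added example (not the plugin’s own code) that runs that detection logic over a few constructed log lines. The log format, the IP addresses, the user names and the one-hour window are all assumptions; a sliding window is used so that attempts spread over a whole day do not add up to an alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not the plugin's format: "<ISO time> <client IP> <event> user=<name>"
SAMPLE_LOG = """\
2023-02-01T10:00:05 203.0.113.7 failed_login user=admin
2023-02-01T10:00:09 203.0.113.7 failed_login user=admin
2023-02-01T10:00:14 203.0.113.7 failed_login user=editor
2023-02-01T10:30:00 198.51.100.4 failed_login user=alice
2023-02-01T10:31:00 198.51.100.4 login_success user=alice
2023-02-01T10:45:00 192.0.2.10 failed_login user=bob
2023-02-01T10:45:10 192.0.2.10 failed_login user=bob
2023-02-01T10:45:20 192.0.2.10 failed_login user=bob
2023-02-01T13:00:00 203.0.113.7 failed_login user=admin
"""

TRUSTED_IPS = frozenset({"192.0.2.10"})  # e.g. your own office address, never alerted on


def parse_log(text):
    """Return (timestamp, ip, event) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, ip, event, _user = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), ip, event))
    return events


def peak_failures(events, window=timedelta(hours=1), trusted=frozenset()):
    """Highest number of failed logins a single IP produced inside one sliding window,
    skipping trusted addresses (the plugin's 'trusted IP' exclusion)."""
    per_ip = defaultdict(list)
    for ts, ip, event in events:
        if event == "failed_login" and ip not in trusted:
            per_ip[ip].append(ts)
    peaks = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop attempts older than the window
                start += 1
            peaks[ip] = max(peaks.get(ip, 0), end - start + 1)
    return peaks


def failed_login_alerts(events, threshold, trusted=frozenset()):
    """IPs that would trigger the brute-force email alert at the given hourly threshold."""
    return sorted(ip for ip, n in peak_failures(events, trusted=trusted).items() if n >= threshold)
```

With a threshold of 3, only 203.0.113.7 is reported once 192.0.2.10 is trusted; its fourth attempt at 13:00 falls outside the window and does not raise the peak.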

To be completely comprehensive, Sucuri offers two other settings tabs: “API Service Communication” and “Website Info.” These two tabs do not govern specific settings: they give information about your API and your WordPress site.

After this broad overview, I propose that we move on to the final part of this article. First, we’ll talk about the price of Sucuri, and then I’ll give you my opinion on this security plugin.

How much does Sucuri Security cost?

Sucuri is presented as a free plugin, which is true… but with limits.

Indeed, you have to pay if you want to use the application firewall offered by Sucuri. And when it comes to security, the use of a firewall is highly recommended.

This option, which also includes access to a CDN, is offered from $9.99/month for a use on one site.

Prices of Sucuri's firewall.

On the other hand, Sucuri offers a much more comprehensive security package called Website Security Platform. Prices start at $199.99/year for single-site use.

This pricing plan includes of course Sucuri’s firewall, CDN, and also malware and pirated file cleanup by in-house experts:

Prices of Sucuri's Website Security Platform.

Our final opinion on the Sucuri security plugin

To conclude, what should you think about Sucuri? To answer this question, I’m going to discuss two crucial aspects when choosing a plugin: its ease of use and its efficiency.

First of all, about the handling. It is not necessarily complex, because Sucuri has chosen to offer clear options, well distributed in different tabs.
The menus are not too overloaded and it is very easy to perform an action (one click is enough most of the time).

On the other hand, the security field is full of technical terms — Sucuri has nothing to do with that — and the beginner user will not always be able to understand what they are being recommended to do or what they should do. This is a first limitation to be pointed out.

Let’s move on to the efficiency of the plugin. Sucuri is first and foremost a monitoring tool designed to alert you to security issues on your WordPress. It scans your pages for anomalies, sends you alerts in case of problems, etc.

But the plugin doesn’t really allow you to solve security problems (with the exception of some small aspects), except after a hack (and by then it will be too late).

One of the main security shields is the use of a firewall. Sucuri does offer one, but only in its paid offer.


In conclusion, I would not recommend the free plugin if you want to protect your WordPress site efficiently.

Do you share my opinion and do you use Sucuri? Give me your opinion by posting a comment.