The 2019 Sucuri Security WordPress Plugin Review13 min read25/04/2019
Sucuri Security is a premium WordPress plugin that has a reputation of a reliable and multipurpose tool. Its developers have implemented the latest cybersecurity trends to ensure solid protection from hacking attacks for blogs, online stores, and landing pages based on the most popular content management system (CMS). According to the Sucuri 2018 Hacked Website Report, the plugin cleaned about 4,427,000 files in approximately 25,500 infected sites.
The company offers solutions for such content management systems as Magento, Drupal, and Joomla. However, the report shows that 90% of infected CMS-based websites refer to WordPress. Sucuri provides a set of features that allows you to both prevent WordPress hacking attacks and deal with their consequences. It has a web application firewall (WAF), antivirus, and malware removal tool.
How Sucuri Security works
The full protection will be available only when you use a paid package. With the premium version, you can protect your WordPress website from various types of cyber threats. Despite it allows you to avoid data loss, you still should enable regular automatic backups to be able to recover your posts and pages in the case where your prevention measures turn out to be inefficient.
In addition, Sucuri can increase your website speed with server operation optimization. All traffic coming to your site passes through Sucuri cloud proxy servers where the system verifies each user request. If the tool detects any malicious code or script initiating the malware download, it blocks this request while allowing other validated queries. Since these operations happen on Sucuri servers, this reduces your server workload, thus enabling it to process more requests. As a result, your site works faster.
Furthermore, Sucuri can speed up your website by caching your webpages and storing them on the company’s CDN Anycast server. That’s why the system can deliver these pages to users from the nearest Sucuri server without accessing your server. The closer the server is to a user, the faster he or she gets the requested page. If a hacker manages to compromise your data, Sucuri can find an infected file and remove it with further secret keys update.
Sucuri Security is an all-in-one WordPress protection plugin. If it detects any malicious code, it will send you a notification and automatically remove it within 12 hours. The plugin also offers regular backups as well as real-time protection and scanning, SSL certificates, DDoS protection, DNS identification, etc. Moreover, it allows you to change your WHOIS information in order to hide the domain owner name.
The security feature enables the plugin to monitor all site security events. Sucuri records any code change that may be qualified as a cyber threat. The tool registers all cybersecurity events in the Sucuri Cloud service, thus ensuring that nobody can erase report data. If an attacker manages to bypass your website security system, the changelog will be stored in the Sucuri Security Operations Center (SOC).
This feature is especially useful for website administrators and cybersecurity experts who need to know what has happened to the site and when. This data will help them understand where to start website healing, which code they need to remove, and which users they should block to prevent further hacking attempts.
File integrity difference monitoring
With the WordPress Integrity Diff Utility, Sucuri analyzes original core files and corresponding files on your server. If the plugin detects any changes, it means that your website might be hacked. In other words, the tool compares WordPress core files in wp-admin and wp-includes folders stored in your root directory with the WordPress files in the official repository.
Besides detecting code diversity, this utility can determine types of code: whether it’s iFrame, link, or script. In the dashboard, you can find a report that includes all found differences. There you also can check Sucuri recommendations on how you can increase your WordPress security. Click on any tip to see vulnerability fixing instructions that typically requires adding a few lines of code to the .htaccess or server configuration file.
Remote malware scanning
With the SiteCheck utility, the Sucuri Security plugin can detect malware on your website. By clicking on the Scan this site button, you can initiate the scanning process either to timely detect malicious code on your server or use this command as a post-hack measure when you already know your resource has been hacked. Remember that malicious code on your website can affect your WordPress SEO even though your visitors can’t see any consequences of this code.
Sucuri also monitors various blacklists of sites that contain malicious code. When your site gets in one of them, the tool instantly notifies you. The plugin supports the following blacklists:
- Sucuri Labs
- Google Safe Browsing
- Phish Tank
- McAfee Site Advisor
These are ones of the largest lists with sites that have security issues. Besides removing malicious code, Sucuri offers users to remove their sites from these blacklists for an additional fee.
Sucuri offers additional cybersecurity measures you should implement to protect your WordPress website from hackers. These measures include:
- .htaccess file protection
- Restricting access to the wp-includes folder
- Checking security keys
- Verifying the PHP version
- Hiding the PHP version
- Changing the database prefix
- Removing the readme.html file, etc.
You can implement some of these measures by adding the code below to your .htaccess file.
Security Header: X-XSS-Protection Missing
With the Sucuri Security plugin installed, you can find a notification in your dashboard: X-XSS-Protection-Missing. Use this code to protect your site from some types of cross-site scripting, also known as XSS attacks:
# X-XSS-Protection <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode = block" </ IfModule>
Security Header: X-Content-Type-Options nosniff
In your dashboard, you can find another Sucuri recommendation: X-Content-Type-Options nosniff. This measure can help you protect your website visitors from running malicious code added by hackers. Add this code to your .htaccess file:
# X-Content-Type: nosniff <IfModule mod_headers.c> Header set X-Content-Type-Options nosniff </ IfModule>
Once the plugin detects a successful hacking attack on your site, it will offer you to do the following:
- update security keys
- update passwords for all users
- update plugin
- update your theme
You may know that if you add any code to your theme or plugins or, your changes will disappear with the next update. You must remember it before click on the Update button. This WordPress characteristic can form some inconveniences for those site administrators who has ever edited original theme and plugin files. However, this aspect is a reliable cybersecurity measure, because you can remove third-party malicious code by simply updating an infected plugin or theme.
Using Sucuri Log Exporter, you can export event logs to a separate file and then open it with special software like OSSEC. Store the exported file at least one level deeper than your website root directory typically called public_html. This will help you avoid data disclosure.
Sucuri Firewall is available only in a paid package. It’s a preventive cybersecurity utility that blocks any SQL injection attempts, protect your WordPress website from brute force attacks, XSS attacks, remote file inclusion (RFI), backdoors, DoS and DDoS attacks, and other threats. In addition, the firewall has the zero-day exploit prevention feature capable of detecting suspicious behavior on your server. Thus, you can avoid hacking attacks instead of healing your site post-factum.
Monitoring login attempts
The Sucuri Security WordPress plugin monitors both successful and failed login attempts. Therefore, you always can check who has tried to sign in to your admin panel. The Sucuri Last Logins section has 4 tabs:
- All Users – a list of all login attempts
- Admins – a list of logged-in users who have the administrator privileges
- Logged-in Users – a list of all currently logged-in users
- Failed Logins – a list of all failed login attempts
The latter tab is the most important tab in this section. It allows you to keep an eye on those hosts that try to hack your site. If the same host had 30 failed login attempts within an hour, the tool will block this IP address and notify you via email about the brute force attack attempt.
Sucuri offers a free WordPress plugin you can download from the official repository. However, it’s easier to install and activate it right in your admin panel as you do with any other plugin. Just enter “Sucuri Security” in the plugin search line. The free version provides reliable security enhancements and post-hack utilities. With a paid package, you can significantly improve your WordPress site protection against hacking attacks.
The most affordable package costs $199.99 per year. It’s equal to $16.67 per month but Sucuri charges annually. They also offer Pro, Business, and Enterprise plans. Pro and Business packages cost almost $300 and $500 respectively. However, if you an ordinary blogger, then there’s no need for paying for any of these plans. The Basic package for about $200 will be enough.
The gap between a free and Basic package is huge while the difference between Basic and Pro plans is in faster customer support responses and support for your origin server SSL certificate. Is it worth an extra couple of dollars per year? – Doubt it. However, a firewall and two-factor authentication (2FA) definitely worth annual $199.99. With this utility, you can be sure hackers won’t be able to compromise your data and insert any malicious code.
Free WordPress security plugins include a wide range of offers. One of them is iThemes Security. The main advantage of Sucuri over iThemes is that the former have simple settings. By default, Sucuri Security has already done basic configuration, so you can just change those settings rather than make the plugin work as in the case with iThemes Security.
Generate your API key
As soon as you install and activate Sucuri Security, the next thing you should do is to generate API keys to connect the plugin to the Sucuri server. API keys enable the tool to activate those functions using data stored on Sucuri servers. These keys authorize HTTP requests the plugin sends to the Sucuri server. Generating API keys is free and you can generate new keys as many times as you need.
When you generate your API keys, the plugin will start saving every login attempt on the Sucuri server and display them in your WordPress dashboard. Sucuri analyzes received data and makes a conclusion whether your site has been hacked or blacklisted. You should regularly check Sucuri reports in your plugin dashboard to timely detect cybersecurity issues.
Enable WordPress Integrity Diff Utility
To enable the WordPress Integrity Diff Utility module, which finds a difference in the code of kernel files, go to Settings – Scanner – WordPress Integrity Diff Utility. Click the Enable button. If you manually added or changed some files, you can add them to the exceptions in the Settings – Scanner – WordPress Integrity (False Positive) section.
By default, the scanner compares files once every 24 hours. In the Scanner -section, Scheduled Tasks you can change the scanning frequency. Check the box for sucuriscan_scheduled_scan, select Twice Daily in the drop-down menu below, click Submit.
Enable hardening options
In the Hardening Options section, you will see a list of cybersecurity measures offered by the plugin. These options include:
- Website Firewall Protection
- Verify WordPress Version
- Verify PHP Version
- Remove WordPress Version
- Block PHP Files in Uploads Directory
- Block PHP Files in WP-CONTENT Directory
- Block PHP Files in WP-INCLUDES Directory
- Information Leakage
- Default Admin Account
- Plugin and Theme Editor
Enable them all by clicking on the Apply Hardening button. If you use a free Sucuri Security WordPress plugin, then the Firewall option will be unavailable for you. You also should pay attention to the following options: Block PHP Files in WP-CONTENT Directory and Block PHP Files in WP-INCLUDES Directory. If you use the WordPress file editor in the admin panel, then leave these options disabled.
Furthermore, some plugins and themes can store their PHP files right in wp-content and wp-includes folders. With the above-mentioned options enabled, some of your plugins may stop functioning. To avoid such situations, add corresponding files to the Blocked PHP Files Whitelist in the case where some plugins have started working improperly.
Brute force attacks are one of the most common types of attacks aimed at accessing your WordPress admin panel. Hackers try to guess your passwords manually or rather using special software capable of creating thousands of requests per minute. The simpler your password is, the easier it is to guess it. Once successfully logged in, an attacker can delete your content or insert malicious code that will collect user personal data, send spam, or display third-party ads.
Go to the section called Password Guessing Brute Force Attacks and set the limited number of unsuccessful login attempts. You can choose between 30, 60, 120, 240, and 480. Set the minimum available number to ensure a better level of protection against brute force attacks. As soon as a particular host reaches the limit, Sucuri Security will identify these login attempts as an attack and block the host. So make sure you remember your password to avoid being blocked by your own plugin.
Configure your notifications
Notifications are crucial for ensuring a timely reaction to unusual behavior. When you receive an email notifying you that your website might be hacked, you have time to quickly remove malicious code and change your sensitive data to prevent your site from appearing in blacklists and losing your visitors. Go to Settings – Alerts and configure your notifications.
- Set your email address where you have to receive notifications. By default, the service will send emails to the site owner’s email address. You also can add other email addresses.
- Set the email subject. You can choose one either from the plugin list or enter your custom subject using available pseudo-tags.
- Set the limit for email notifications you want to receive. Go to the Alerts per Hour section and enter a suitable number. If you set a low number, then you can miss an important message. A too large number means you can receive too many email notifications.
- Go to the Security Alerts section and select the types of events you want to receive email notifications about. I would recommend you to enable the following alerts:
- Allow redirection after login to report the last-login information
- Receive email alerts for core integrity checks
- Receive email alerts when your website settings are updated
- Receive email alerts when a file is modified with theme/plugin editor
Generate new security keys
The Sucuri Security plugin provides a set of tools that can help you recover your WordPress site after a hacking attack. One of these tools is creating new keys and salts. In other words, you can encrypt your data with different keys to prevent an attacker from using the same techniques to access your files. You should generate new security keys on a regular basis to make conducting hacking attacks harder for cybercriminals.
Sucuri Security can ensure a reliable level of protection for WordPress websites. Its powerful capabilities like firewall, post-hack measures, login attempts monitoring, and 2FA create a significant barrier for hackers willing to get access to your site. With Sucuri website security paid packages costing minimum $200 per year and more, this plugin is more expensive than many other WordPress plugins. However, your website safety worth this money. You can save your time and financial investments by paying for reliable cybersecurity.