Sucuri WordPress Security Plugin

With the Sucuri WordPress Security plugin you can take preventive action to protect your WordPress site and you can scan your site for indications of intrusion.

The Sucuri WordPress Security plugin significantly enhances your security by adding:

  • A Web Application Firewall

  • Integrity Monitoring

  • Audit Logging and Activity Reporting

  • 1-click Hardening

  • Server Side Scanning

Why The Sucuri WordPress Security Plugin Is Important

The people behind Sucuri have been active in web security since 2004 and the Sucuri company was founded in 2010. The company specializes in malware detection and removal.

The WordPress Security plugin is provided for free to all clients. In other words you need to have a paid plan with Sucuri to use this plugin. 

Visit their website to see the current prices.
(Affiliate link: We get a small commission – you pay the same price).

We recommend:

  • If your WordPress site has been hacked you should use Sucuri to clean it up. They are cheap, fast and great. They charge USD89 per year for one site with unlimited clean ups. How many hours do you have to work to make USD89? Can you clean your site in that time?

  • If you make an income from your site we recommend that you invest in Sucuri. We believe the preventive protection they offer is well worth the price. And should you ever get hacked you know that your business will be back online as fast as possible.
    We of course use Sucuri ourselves.

  • If your site is a hobby site we still recommend you invest in Sucuri unless you cannot afford it. If you have more time than money and have a very, very tight budget, you can rely on the other security recommendations in The WordPress Security Checklist. If your site gets hacked you can try to clean it yourself with the help of Wordfence (see the article How to clean a hacked WordPress site using Wordfence) or sign up with Sucuri at that point in time.

The Sucuri WordPress Security Plugin

With the Sucuri WordPress Security plugin you get:

A Web Application Firewall

The Sucuri Web Application Firewall (WAF) is very strong. It protects you from brute force and other unauthorized attacks. Think of it as a professional version of WordPress Firewall 2. The WAF communicates with Sucuri’s servers so if they see certain IP addresses attacking sites those IP addresses can be blocked across the network instantly.
sucuri web application firewall

Integrity Monitoring

The plugin also checks the integrity of your WordPress core files against a clean version. Note that at this time the plugin does not check plugin and theme files, only WordPress core.
integrity check

Audit Logging and Activity Reporting

The plugin has an extensive audit log built in. This allows you to keep an eye on what is going on with your site. You can track login attempts, new and revised posts, new plugins, file changes and many other events.
audit log

1-click Hardening

The plugin allows you to add extra security protection to your site with one click and verifies that other security risks are managed.
sucuri 1 click hardening

With 1-click hardening you can:

  • Verify WordPress is updated to the latest version.

  • Hide the WordPress version from visitors.

  • Protect WordPress directories by disabling PHP execution for these directories:

    • uploads

    • wp-content (not recommended – see below)

    • wp-includes

  • Verify Keys and Salts are used properly.

  • Move wp-config up one level.

  • Remove readme.html.

  • Verify you are not using the default database table prefix and administrator user name.

  • Verify you are using the latest PHP version.

To protect your WordPress directories from PHP execution the plugin will add an .htaccess file to the directories in question.

For the wp-content directory things might break if you enable this protection. This happens if any of your plugins store php files in the wp-content directory. Please test thoroughly. Wordfence has been reported to have problems with this protection, and might stop working properly.

If you have a problem you can delete the .htaccess file from the wp-content directory.

Server Side Scanning

Server Side Scanning is an extension of the remote malware scanning performed by Sucuri. This is the same scanner you can use for free on their website.

With Server Side Scanning you can also scan all the files on your hosting account. The remote scanner can only see the public facing html pages presented to your visitors.
server side scanning

Other Monitoring Provided By Sucuri

In addition to the WordPress plugin your Sucuri subscription also gives you these remote monitoring services:

  • Blacklisting.
    If your site is listed on Sucuri, Google Safe Browsing, Norton, AVG, Phish Tank or McAfee SiteAdvisor you are immediately notified.

  • WHOIS.
    If the information listed in WHOIS about the registrant, registrar, nameservers etc. changes you are notified immediately.

  • Domain Name System (DNS).
    The DNS is like the phone book in your mobile phone. It translates a name to a number and in this case a domain name is translated to an IP address. If this information changes you are notified immediately.

  • SSL Certification.
    If your site uses SSL you most likely have a SSL certificate. If the information in the certificate changes you are notified immediately.

other monitoring


Sucuri offers support via a ticket system. Most of the tickets we have opened have received a response in less than an hour. These tickets have not been time critical, so this kind of response time is excellent.

They also provide a phone number for questions.

The responses we have received have always been concise and correct. These guys know what they are talking about.

Once we asked Sucuri if the practice of moving the wp-config.php file up one level is still valid or not. In the WordPress Codex there is a reference to a post on questioning the value of this. The support guys not only answered us, but also took the time to post the answer on

Excellent service.

You can find the post here and Sucuri’s answer here.

How You Complete This Security Checkpoint

You can’t find the Sucuri WordPress Security plugin on because it comes as a part of a paid subscription.

Sign up to get the plugin here.
(Affiliate link: We get a small commission – you pay the same price).

The installation procedure is a little bit different to what you are used to.

Sucuri has a very good article with the installation instructions, which you can find here.


Sucuri has a very good Web Application Firewall and some great monitoring options, and Wordfence has very good Integrity Checks, Live Traffic Viewer and traffic throttling.

We recommend that you use both.

When you use the Sucuri WordPress Security plugin you can safely delete the WordPress Firewall 2 and Block Bad Queries plugins.

whiterabbitFollow The White Rabbit

[gn_spoiler title="Click Here" open="0" style="1"]Are you reading this article as a part of the Interactive Version of The WordPress Security Checklist?

Then you can find your next article below.

If not you should take a look at the Table Of Contents.

Next articleSchedule Backups Of Your WordPress Site 
Previous articleWordfence[/gn_spoiler]

Questions Or Comments?

Please leave them below. Thanks!

About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!

Want More?

Sign up for our newsletter and we'll let you know when we have got new stuff about WordPress Security for you. See past emails.

Most Popular Articles – All Time

Most Popular Articles – This Week


  1. Creekmore says:

    Are you running all four Wordfence and Sucuri and WordPress Firewall 2 and Block Bad Queries plugins? Is it a good idea to do so?

  2. Why do you suggest both Wordfence and Sucuri in your post on problogger? Wordfence does everything the Sucuri does minus the ticket system?

    • Sucuri and Wordfence are quite different.

      Sucuri has their own malware scanning system, and amongst other things includes an active firewall. This means if one site protected by Sucuri is under attack from a specific IP address it will be reported to the network of other sites protected by Sucuri automatically. Wordfence does not do this.

      You can safely run with both.

Speak Your Mind

   Login Using:


To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    Markdown is turned off in code blocks:
     [This is not a link](

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see