
5 Reasons Why We Use Sucuri to Improve Our WordPress Security


About a month or so ago, we started seeing a huge number of failed attempts to reach WPBeginner’s login page and wp-admin page. We got extremely cautious about that. From password protecting the wp-admin directory to adding a two-step verification process, we tried to do everything on our own. However, we quickly realized that our skills and knowledge were fairly limited. We already have a complete backup solution with VaultPress, so we just needed someone who would continuously monitor our site for any odd behavior. Someone who knew what they were doing. Someone who had a great reputation.

After doing some research, only one name stood out. It was Sucuri. After landing on the website, we realized that this is the same site that offers a free website scanner, which we used when doing a malware cleanup for one of our clients’ websites. We went ahead and got the account for our websites. As we were setting it up, the only thing that was coming to mind was “WOW”. This should be a MUST HAVE tool for everyone. In this article, we will show you why we use Sucuri and how it really improves our WordPress security.

1. Website Integrity Monitoring

Unlike their free scanner, which you have to run manually, the website malware and blacklist warning checks the site as frequently as every 3 hours to ensure that your site is clean of malware, malicious JavaScript, malicious iframes, suspicious redirections, spammy link injections, etc. They also make sure that your site is not blacklisted by any of the popular services like Google, Norton, AVG, Phishtank, Opera and others. How does this benefit you? Well, it keeps your reputation intact, so your users don’t see signs like “Warning Something is Not Right Here”.


2. Server Side Scanning

The website monitoring just checks your website on the front-end. But what if you are dealing with a smart hacker who doesn’t care about infecting your users with malware? They are simply adding banner ads to your older posts that you don’t know about. What if they have already established backdoor access that they can use to replace your affiliate links with theirs and steal your revenue? This type of hack cannot be detected by their free website scanner. However, for paying customers, there is an option called Server Side Scanning which does just that. It scans your server to make sure there aren’t any suspicious files being harbored on it. It also audits events like file changes to keep you informed.

You would think that you would have to install some sort of bloated software on your server to do these scans. Instead, all you have to do is upload one simple PHP file and that’s it.

3. WordPress Audit Log Plugin

Because it is created by folks who love WordPress just as much as we do, they have a special plugin for WordPress users. This plugin is like a gem for beginners and advanced users alike. It audits all the events that happen on your WordPress site. File Changes, New post additions etc.

Hackers often disguise their backdoor files with WordPress-looking file names. It can be a file sitting in your wp-includes folder called wp-user.old.php, or something else that an average user wouldn’t suspect to be malicious. The Sucuri WordPress plugin makes sure that the integrity of all core files is intact, so if there is a suspicious file among the mix, it will alert you right away. Hackers also often try to hide malware inside your wp-config.php file, which is a core file. This plugin checks for all that.
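One way to run the kind of core-file integrity check described above, as an added example that is not Sucuri's code or part of the original article. It assumes you keep a known-good copy of the same WordPress version to build the baseline from; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # directories that should hold only core files

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def core_files(root: Path):
    """Yield (relative posix path, Path) for every file under the core directories."""
    for top in CORE_DIRS:
        for f in (root / top).rglob("*"):
            if f.is_file():
                yield f.relative_to(root).as_posix(), f

def build_manifest(clean_root: Path) -> dict:
    """Baseline: relative path -> SHA-256, taken from a known-good copy."""
    return {rel: sha256_file(f) for rel, f in core_files(clean_root)}

def audit_core(site_root: Path, manifest: dict) -> dict:
    """Report changed core files, files the baseline does not know, and vanished files."""
    live = {rel: sha256_file(f) for rel, f in core_files(site_root)}
    return {
        "modified": sorted(r for r in live if r in manifest and live[r] != manifest[r]),
        "unexpected": sorted(r for r in live if r not in manifest),
        "missing": sorted(r for r in manifest if r not in live),
    }

def demo_core_audit() -> dict:
    """Constructed sample: a clean tree and a live tree with one planted, one edited file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-admin").mkdir()
            (root / "wp-includes/user.php").write_text("<?php // core file\n")
            (root / "wp-admin/index.php").write_text("<?php // dashboard\n")
        manifest = build_manifest(clean)
        # File name from the article's example; the content is a harmless stand-in.
        (live / "wp-includes/wp-user.old.php").write_text("<?php // constructed\n")
        (live / "wp-admin/index.php").write_text("<?php // dashboard\n// extra line\n")
        return audit_core(live, manifest)

if __name__ == "__main__":
    print(demo_core_audit())
```

wp-config.php holds site-specific settings, so it cannot be compared against a clean download; keep your own baseline hash of it and alert on any change.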

1-Click Hardening

If you are a new user, you see various security posts on different blogs. You try to remember all of those on your next site and the one after, etc. Some of the hardening tricks are not even talked about. Well, Sucuri gives you the ability to improve your security by hardening your WordPress install. With one click, you can protect your uploads directory. Hackers often like to hide their malicious files in your uploads folder. Because the uploads folder is organized by year and month, it is an easy place for hackers to hide stuff. Most folks don’t ever check their uploads folder. With a simple click, this plugin will make your uploads directory unbrowsable and disallow PHP execution. It does the same for the wp-content directory and the wp-includes directory. With 1 click, you can also move your wp-config file one directory up. With 1 click, it gets rid of your readme.html file and others.
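Since most people never look inside their uploads folder, here is an added example (not the plugin's code, and not from the original article) that audits an uploads tree for files that should not be there: script files, and media files that carry PHP code. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler may execute (assumed list; match it to your server config).
SCRIPT_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_TAG = re.compile(rb"<\?php", re.I)

def audit_uploads(uploads: Path) -> dict:
    """Flag script files, and media files that carry PHP code, under an uploads tree."""
    findings = {"script_files": [], "php_in_media": []}
    for f in sorted(uploads.rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(uploads).as_posix()
        # Test every dotted part so "banner.php.jpg" and "X.PHP" are caught as well.
        exts = {"." + part.lower() for part in f.name.split(".")[1:]}
        if exts & SCRIPT_EXT:
            findings["script_files"].append(rel)
        elif PHP_TAG.search(f.read_bytes()):
            findings["php_in_media"].append(rel)
    return findings

def demo_uploads_audit() -> dict:
    """Constructed sample tree laid out by year/month like a real uploads folder."""
    samples = {
        "2013/05/photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "2013/05/cache.php": b"<?php // constructed stand-in\n",
        "2012/11/banner.php.jpg": b"constructed double-extension file",
        "2012/11/logo.png": b"\x89PNG constructed bytes <?php // embedded tag ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp, "wp-content", "uploads")
        for rel, data in samples.items():
            target = uploads / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_uploads(uploads)

if __name__ == "__main__":
    print(demo_uploads_audit())
```

Anything this reports is worth a manual look even after PHP execution has been disabled in the directory, because a clean uploads folder normally contains no script files at all.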

As of right now, there is no way to change the default database prefix with 1 click, but it says that it will be available in the future versions. In the meantime, you can use our tutorial on How to Change the WordPress Database Prefix.

Last but certainly not least, this plugin adds a web firewall that blocks spammers and blacklists their IPs. We checked a lot of the IPs that were trying to access areas they are not supposed to, and they are known blacklisted IPs. For WordPress users, this plugin is the best thing ever.

4. Alerts

The most important part of monitoring is alerts. Sucuri allows you to configure email alerts, Twitter alerts, IM alerts, SMS alerts, and RSS alerts. This is great because if there is ever a hack, you will be the first to know.

Aside from Malware and Blacklist monitoring, they also have monitoring for DNS changes, whois changes etc. Recently a lot of popular domains were stolen from their webmasters, and this type of monitoring can keep you alerted.

5. Malware Cleanup Service

Even though all the reasons above well justify the cost, they also offer a malware cleanup service with no page limits along with blacklist removal. We haven’t had to use this part of the service yet, but can you imagine having security experts cleaning up your site? Normally some of these guys charge $250+/hour for consulting. Let’s say your site gets hacked and you have their monitoring: they will do the cleanup for you. Chances are that it will be caught before Google and other services blacklist you. But if you did get blacklisted, then they will help you with blacklist removal.

We have the power plan, which costs $189.99 / year and covers 5 websites. The monthly cost comes out to about $3 per website. We would much rather pay $3 per website and keep it secure than get hacked and pay someone $$$$ to clean up our site.


The web is a really scary place. Day after day, we hear stories of people and websites getting hacked. Having helped numerous people clean up their websites from malware, we can honestly say that Sucuri is hands down the best and most cost-effective security service in the WordPress industry. It’s much better to find out that your site is hacked from a monitoring service rather than finding out from your users or better yet from Google when they blacklist your website.

We are using Sucuri and if you care about your site’s security, then you should too. There is a reason why major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are recommending these guys. Having personally talked with one of their co-founders Dre Armeda, we know that we are in good hands.

Check out Sucuri and Give it a Try.

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi. Page maintained by Syed Balkhi.



  1. jesse says:

    I have kept getting downtime with Sucuri’s firewall… have had 48 hours of downtime from 2 outages. Their technical support is really incompetent. I do NOT recommend their service.

  2. Vinny says:

    How much did Sucuri pay you to put them on your list? I’m not saying they are bad, but I’d rather go with Wordfence or even iThemes Security, both of which have 6x active users as Sucuri.

    • Editorial Staff says:

      Sucuri didn’t pay us a single penny. At the time of writing this, iThemes Security had a different name and WordFence was the only main competitor. Sucuri’s malware cleaning service and active monitoring gave them the edge. We’re in the process of switching to their new WAF, at which point we will write an update to this.

      Sucuri’s WAF is far superior to the other plugins that you mentioned because it’s an active cloud-based DNS firewall, not a hosted one for your WP site. Also, 6x active users is mainly because the others are free.

  3. butterkitten says:

    I like the recommendation, but I cannot afford Sucuri at the moment. Are there any other plugins that you can recommend that are affordable?

  4. Chris Bunting says:

    Although there are now various security plug-ins, I still prefer Sucuri! I run a site where traffic isn’t so much the problem, but more along the lines of the people who visit.. Hack attempts are a daily thing for us.. But Sucuri has the best notifications and setup that I’ve found!

    Truly protecting your site goes way beyond just a plugin.. Don’t let the hype fool you! If you are running on a dedicated / VPS, you have to start at the OS.. If you are on a shared hosting account with auto-installer scripts, you should do some research on securing your site prior to even looking at securing WordPress..

  5. Thomas Zickell says:

    Sucuri CloudProxy is out now and I have been using it since it came out. I have to say it is one of the best tools I have ever used. Site speed is faster, you have true protection against all brute force attacks, even DDos 7 protection built-in to their base offering with full DDos 3,4 &7 in their professional offering. It is really an outstanding tool for anyone not using managed WordPress hosting (I use both managed WordPress along with Terremark, FireHost, Linode & Digital Ocean). It is a great addition, especially to anyone looking for a very fast, reliable, secure server; pair it with Digital Ocean and you have something amazing.

  6. Sean says:

    Good review, we are just about to sign up with them. When you’ve suffered at the hands of hackers and so many people recommend these guys, you know it’s the right thing to do.

  7. Thomas Zickell says:

    I really like the new Sucuri backups. They are $5 a month and you have unlimited space. I agree that VaultPress is an excellent service; however, after comparing the $15 a month VaultPress versus Sucuri & CodeGuard, I chose Sucuri. All you need is SFTP/FTP/MySQL; this is preferred to a plug-in only method.

    I especially because of the service you get from Sucuri they will even help you restore the site for you and yes you must either use I’ve chat which is available 20 7

    You get to send your Client a e-mail every day, week, or month with a backup link to download.

    When you’re doing search engine optimization, web development and content creation like myself.

    Clients need to have a method of knowing that you are an honest person, so if you disappear they will get their site even if it’s on your hosting platform.

    For that reason which I know is odd to bring up but it’s important because you don’t want your client who might not be as web savvy as yourself playing around with plug-ins or anything if you’re the webmaster.

    Sucuri has really stepped it up. I have used them for years and they are a fantastic company.

    I will say CodeGuard is ok
    I would rather spend the money on Sucuri backup never worry about space

  8. Phil Alcock says:

    When I ran the Sucuri check on our domain it came back as clean but under the Web application version section had a warning triangle for

    WordPress internal path: /home/dibdench/public_html/wp-content/themes/atahualpa3712/index.php

    With no indication as to what this means. Any ideas?

  9. oj wickliffe says:


    I have come across this site before and indeed it helped discover some malware.

    Actually I do have a problem for which I need some recommendation. My site seems hacked, as there is a folder there not created by me. But each time I delete it, it keeps coming back in my cPanel file manager.

    What can I do?


    • WPBeginner Support says:

      A folder does not necessarily mean that it is due to some malware or trojan on your site. Many WordPress plugins also create folders to store data. To make sure that it is not a plugin creating that folder, first deactivate all your plugins and then delete the folder. See if the folder comes back. If it does then it is probably due to a malicious script or malware. If it does not come back then this means one of the plugins on your site needs that folder to work properly.

  10. TOrben Heikel Vinther says:

    Nice review! Today I’m using the free plugin Better WP Security at my sites, but when I read about Sucuri it sounds that it is even better! If I buy the Sucuri plugin will I get the same protection (or more) than with Better WP Security?

    Do you recommend other security plugins to work together with Sucuri, e.g. Wordfence, or would that be too much overlap?

    • Editorial Staff says:

      Sucuri is a pretty comprehensive solution, so you shouldn’t need to combine it with Wordfence and such. One clear advantage of Sucuri is their guarantee that they’ll fix your site if anything goes wrong. Anyone who knows the pain of cleaning up a hacked site will buy the subscription in a heartbeat. Hiring a good security consultant costs hundreds of dollars per hour. Sucuri also has server side scanning that gives you warnings. It monitors file changes and such.

  11. Frithjof says:

    Thanks for the great review! Before I head over to sign up one “bonus” question: Does the server side scanning replace the need for uptime monitoring?

  12. Maggie says:

    I just started my blog last month and it is still a very small site that no more than 10 people come to visit every day.
    Does it mean there’s less chance someone hack my website?
    Should I wait until my website become busier?
    I take my blog very seriously but I’m not sure whether it is worth a lot of investment at the beginning.

    • Mary says:

      I just wanted to respond to you because I am having brute force attack to my websites and they are all new with very little traffic.

      “Login in security” is a free plugin that is giving me this information and was discussed on this site.

      Updates and a strong password are also important.
      But I am looking into sucuri and will buy thru the link on this site because these guys are great.
      Good luck!

      • Maggie says:

        Thank you for your reply Mary. It sounds scary!
        I just installed “Limit Login Attempts” now and I will re-consider about Sucuri.

  13. Mary says:

    Hello there, Thank you for this article

    I don’t actually understand all the details written here or in the comments

    So I was wondering this. If I get Sucuri, DO I

    1) have to decide what I need from what they offer (I wouldn’t know)

    2) is it hard to install for a “NON-UNDERSTANDER” like me

    3) is there code? I have broken my site before by adding code

    4) and will any other security measures be necessary?

    Thanks for your site! Mary

    • Editorial Staff says:

      Hey Mary,

      1. No, you simply purchase the plan (it is all-inclusive).

      2. Fairly easy to install. Their team will assist if you need it.

      3. Nope. No code involved.

      4. Using a strong password is always necessary :)

  14. Keith Davis says:

    Hi Syed
    Just thought I’d let you know that Sucuri now has one – click database prefix change – awesome!

  15. Keith Davis says:

    Seriously looking at Sucuri for 5 to 8 sites.
    Any discount codes?

  16. Ahmed says:

    Well, I guess I’ll give these guys a try!

  17. Brad Dalton says:

    Got my site hacked today and Sucuri scan was clean before I fixed it.

    Wordfence picked it up when I scanned using this plugin.

    • Editorial Staff says:

      Brad, were you using their free scanner or the paid server scan? Their free scanner doesn’t check files on your server. It merely checks for malicious codes that are being publicly displayed.

  18. Jason H says:

    Positive review ends with this line:

    “There is no reason why major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are recommending these guys.”

    • Editorial Staff says:

      Wow, total oversight on our point. It was supposed to read “there is a reason”. Thanks for pointing it out.
