Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

Sucuri Review – How Sucuri Helped Us Block 450,000 WordPress Attacks in 3 Months

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Are you wondering about the best way to keep your website safe?

Whenever we are asked about WordPress security tips, two of our top recommendations are to get a good WordPress backup solution and start using the Sucuri website firewall.

In this article, we will share our honest review of Sucuri’s website firewall and why, in our experience, it’s worth every penny.

Full Disclosure: We were not paid to write this Sucuri review and only recommend services we believe will add value to our readers. If you decide to use Sucuri by clicking on a referral link in this article, then we will get a small commission.

Sucuri review

Here is a quick overview of the topics we will cover in this article:

A Little Background on WPBeginner Security

WPBeginner is one of the largest free WordPress resource sites on the planet. Because of that, we often have to deal with website attacks. These include brute force attacks, feed attacks, DDoS, and a whole lot of spam.

That’s why we have always been extremely cautious, and we have a real-time WordPress backup solution in place.

On top of that, we have password-protected our wp-admin directory, disabled PHP execution, changed the default WordPress database prefix, and basically followed every other security hardening trick.

While you can follow all the prevention best practices at the WordPress software level, the truth is that security has to be addressed at the hosting server level and, more importantly, the DNS level.

During attacks, our website would slow down significantly due to the high server load. Sometimes, it would even cause the server to restart causing downtime.

That’s when we started looking for a DNS-level firewall solution.

We already had the Sucuri WordPress plugin installed on the site, so we decided to try their firewall.

Let’s take a brief look at the benefits of a firewall and how Sucuri helped us.

Note: Although we have now switched to Cloudflare, we still recommend Sucuri for WordPress users. You can learn more about this later in this article.

Overview of Sucuri

Sucuri is a website security company that specializes in WordPress security. They protect your website from hackers, malware, DDoS, and other attacks.

When you enable Sucuri, all your site traffic goes through their cloud proxy firewall before coming to your hosting server. This allows them to block all the attacks and only send you legitimate visitors.

Just see the illustration below:

How website firewall blocks attacks

The biggest benefit of Sucuri is that it makes your website secure. The firewall also makes your website faster, and you save money on your hosting bill because your server load goes down significantly.

As soon as we enabled the Sucuri firewall, we started seeing the difference in performance. The attack overview inside the Sucuri dashboard was just eye-opening.

WPBeginner’s Sucuri Firewall Results

Within the first three months of using the firewall, Sucuri helped us block over 450,000 WordPress attacks.

Attacks blocked by Sucuri

Here’s a breakdown of some of the most blocked requests:

  • Exploit blocked by virtual patching (115,946 blocked attempts)
  • Blacklisted IP address (72,495 blocked attempts)
  • Bad bot access denied (45,299 blocked attempts)
  • Backdoor location denied (29,690 blocked attempts)
  • DDOS attempt blocked (29,676 blocked attempts)
  • Fake bot access (24,571 blocked attempts)
  • Evasion attempt denied (21,887 blocked attempts)
  • Spam request blocked (14,313 blocked attempts)
  • Scanning tool blocked (13,842 blocked attempts)

Now, most of you are probably thinking that WPBeginner is a huge site, and that’s why we are a bigger target. But this isn’t entirely true.

Smaller sites are often an easier target for hackers because they don’t take security precautions. Your website may be getting attacked at this very moment, but you just don’t know about it.

Sadly, most people find out too late when they’ve already been hacked. That’s why our articles on how to find a backdoor in a hacked WordPress site and how to fix ‘this site ahead contains harmful programs’ error are among the most popular on WPBeginner.

If you are running a business website, then Sucuri is a must-have solution because it offers complete end-to-end WordPress security.

5 Reasons Why We Love Sucuri

After reading about our experiences with Sucuri, you can tell why we love it. Here are 5 reasons we recommend it so strongly.

1. Blocks All the Attacks

Sucuri’s firewall blocked all the attacks before they even touched our server. Since they are one of the leading security companies, Sucuri proactively researches and reports potential security issues to the WordPress core team as well as third-party plugins.

Their team closely works with the respective developers to fix the security issues. Once fixed, Sucuri patches those vulnerabilities at the firewall level in case you didn’t get a chance to update your plugin fast enough.

For example, when it was disclosed that Elegant Themes had a vulnerability, it was quickly patched on Sucuri’s servers before users had a chance to update their plugins and themes. This means your site is always secure.

2. Website Integrity Monitoring

We were using the Sucuri 2-in-1 Website AntiVirus package, which comes with the Sucuri scanner. It monitored our website every 3 hours to ensure that it was clean of malware, malicious JavaScript, malicious iframes, suspicious redirections, spammy link injections, and more.

The scanner also made sure that our site was not blacklisted by any of the popular services like Google, Norton, AVG, Phishtank, Opera, and others.

This feature helps you keep your reputation intact and stops your users from seeing warnings like these:

Dangerous Site Warning in Google Chrome

3. Site Audit Log

Sucuri’s WordPress plugin keeps track of everything that happens on your site.

This includes file changes, new posts, new users, last logins, failed login attempts, and more.

Sucuri Audit Logs

4. Server Side Scanning

When you are dealing with smart hackers, you need to account for everything. Some hackers don’t care about infecting your users with malware. Maybe they just want to add banner ads in your old post or replace your affiliate links.

These kinds of hacks are very hard to catch because they’re not as obvious, and you won’t get blacklisted for them.

That’s when the server-side scan comes in handy. Sucuri’s server-side scanner goes through every file (even non-WordPress files) to ensure that nothing suspicious exists on your server.

It also audits events like file changes and such to keep you informed.

5. Malware Cleanup Service

Even though all the reasons above well justify the cost, Sucuri also offers a malware cleanup service with no page limits, along with blacklist removal. We haven’t had to use this part of the service yet, but can you imagine having security experts cleaning up your site?

On average, security experts charge $250/hour for consulting.

Since this can get quite expensive, Sucuri has an extra incentive to make sure that your website never gets hacked.

Pro Tip: If your site was hacked and you were not using Sucuri, then check out WPBeginner Professional Services. Our team of experts will clean up malicious code, files, and malware to make sure your sensitive data is safe. Prices start at $249.

WPBeginner Professional Services: Hacked Site Repair

Why WPBeginner Stopped Using Sucuri

At WPBeginner, we used Sucuri as our website firewall, security, and CDN solution for many years. While we still believe it’s a great solution, we recently switched to Cloudflare.

Cloudflare is an industry leader in CDN and website security. It has grown incredibly over the years.

Because you might be interested in why we made the move, we wrote a detailed article on the reasons why we switched from Sucuri to Cloudflare.

In short, we switched because of Cloudflare’s faster CDN. Since WPBeginner has users from all over the world, the switch improved our latency, page load time, and performance.

Cloudflare global network

We also found that Cloudflare has more configurable firewall rules and fewer regional outages, especially in Europe.

Sucuri and Cloudflare are both great solutions for WordPress security and performance. You can learn which is better for your business by reading our detailed comparison of Sucuri vs. CloudFlare (pros and cons).

Our Final Thoughts – Sucuri Review

Day after day, we hear stories of people’s websites getting hacked. We can honestly say that Sucuri is hands down one of the best and most cost-effective security services in the WordPress industry.

For $199.99/year, it is the best insurance you can buy for your online business.

If government websites can be hacked, then so can yours – no matter what you do. However, it’s much better to find out that your website is hacked from a monitoring service rather than finding out from your users, or worse still, when Google blacklists your website.

More importantly, it’s definitely worth the peace of mind knowing that if something were to happen, you would have a team of security experts who will help you clean everything properly.

Sucuri is a leading security company whose products have been mentioned in major publications like CNN, USAToday, TechCrunch, TheNextWeb, and more. We have personally met with their co-founder and CEO, Tony Perez, and can honestly say that they are a trustworthy company.

Each time we interacted with Sucuri’s support team, they were quick, polite, and helpful.

If we were to rate Sucuri’s service and support, we would give them a 5 out of 5.

We hope you found our Sucuri review helpful. If you are thinking about improving your WordPress security, then definitely check out Sucuri and give it a try.

Expert Guides on WordPress Security

Now that you can see how effectively the Sucuri WAF protected the WPBeginner website, you may like to see some other guides related to WordPress security:

We hope this article helped you learn about the effectiveness of Sucuri’s security features. You may also want to see our guide on how much it costs to build a WordPress website or our expert pick of the best push notification software.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

52 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Mrteesurez says

    Happy to hear that Sucuri has helped you blocked that so much attacks in just 3 months, this showed how powerful the plugin is and much concerns you have for security. This article made me understood the importance of security for if not for the plugin, the attacks might have caused significant harms to your website if not hacked.
    Thanks for this information and keeping us informed.

  3. Unarine Leo Netshifhefhe says

    I read some reviews on sucuri and it seems like the free version of it doesn’t help a website owner at all, so my question is did you use the free version or you just started with the premium version?this is because i don’t want to risk it and go for free version whereas i can find another security plugin which can offer me better security than sucuri

    • WPBeginner Support says

      Our review is for the paid service from Sucuri, at the moment the free plugin on is a scanner and not their firewall which would likely be why users are confused.


  4. Marissa says

    I just got Sucuri premium plan and wanted to know do I still need to install the Sucuri plugin on WordPress or do they do everything through their site?

  5. Ariel says

    I have another question I just thought of: Sucuri also has backup service. Do you use that one at wpbeginner, or do you use another backup solution instead?. If that’s the case, which one, and why not the Sucuri one? Thanks!!

  6. Gautam Budhiraja says

    Whenever I click on any article on my website from my mobile, it redirects to spam page but not on laptop.Wpbeginner please help me out to remove hack or any malware.Should I install wordfence or sucuri to remove this and to prevent future attacks.

    • WPBeginner Support says

      If you’re using Sucuri’s firewall then normally you shouldn’t need an additional firewall as multiple plugins/tools for the same purpose can sometimes cause conflicts between the two.


  7. Ankit says

    Awesome article really helpful information.
    Sucuri quiet expansive subscription plane but I know how to secure my website manually.
    Overall article was greatest.
    Thanks Dear

  8. MD Fahim says

    Awesome article really helpful information.
    Sucuri quiet expansive subscription plane but I know how to secure my website manually.
    Overall article was greatest.
    Thanks wpbegainer

  9. Amit Mishra says

    Literally loveed your full review and will definitely try securi paid plan, as currently I am in free plan is it necessary to go with their paid plan?
    Is free plan isn’t effective?

  10. Bill Patterson says

    What do you think of the free version of Securi? I am using wordfence, securi and Bulletproof. I know there must be some overlap. Just did not see any review using the free version.

    • WPBeginner Support says

      Hi Bill,

      The free version of Sucuri helps you scan your WordPress website for security vulnerabilities. It is a solid plugin maintained by the top WordPress security company.


  11. Christoforos says

    I came across this article while searching on Google for wordpress security info.
    I subscribed to their service. I admit that they are very helpful and they do know what they do… The problem is that because of their firewall my website was unreachable for more than 90 minutes. I have more than 40K visits per day, so 90 minutes offline is a lot of money lost!!!!!!!

    Nothing is perfect!

  12. Cody says

    I see you recommended Sucuri in combination with MaxCDN. Do you also have other security plugins enabled because Sucuri is that good? Currently I keep both iThemes Security and Wordfence Security enabled. Adding a third plugin seems like there might be many overlapping features. Can you comment on which combination you use on wpbeginner for a fast and secure site?

    Thank you

  13. Bill says

    Sucuri, is in my opinion, the best computer-related investment I’ve made in my entire life. I’ve been with them several years and they are always there to help. I would say they have bent over backwards helping someone like myself who is not too computer-literate. I have a small cartoon site, and once had over 33K attacks in one day but my site was unaffected.

    Note: Sucuri I believe does have a referral service where you can get a discount if you recommend someone. I have repeatedly emailed them and told them, I do not wish to participate in this referral program as their service is so amazing, I’ve recommended them to many others just to help others avoid heartache from hacking attacks.

    The peace of mind that comes with a service such as this is immeasurable.

    Finally, there is only one thing I absolutely despise about Sucuri, the name Sucuri. As someone who is terrified of snakes, Sucuri is Portuguese for anaconda. I’d much prefer rabbit, dog or another animal.

  14. Brian says

    Thanks for your review. How concerning, in your opinion, is Go Daddy’s acquisition of Sucuri? I always feel like when a huge company acquires a smaller company, there’s a chance for quality and service to take a nosedive.

  15. Dani says

    Does anyone have bad experience with securi. They would be the best according to them, But I only have problems with them. And is there a way that I can look how many people they employ (Chamber of Commerce). I will pay for it.

    My english is not so good i’m from belgium and i speak dutch – I will also write it in Dutch.

    -How it all started-
    2 months ago I protected my domain name using securi firewall. Because securi told me they were the best I chosen them without a doubt.
    3 days ago I contacted securi whit a support ticket. I asked them to delete my domain name, Because I bought another domain name, And I will not use the old domain name anymore. I want to use my new domain name with the securi firewal. They said no problem, just remove the securi name sever from your hosting Then you can delete it in your securi account. I do not know how to do that so my hosting company has removed the name server, And then I asked securi to put the new domain name into my securi account.
    SECURI Ticket update

    Hi, in that instance you need to point the nameservers from your back to the ones that they were previous to ours. Otherwise, if we remove the domain from the firewall dashboard the site will show a Sucuri error message.

    Once the nameservers are pointed away from us and the site is no longer resolving to our firewall IP, we can remove it from the dashboard and then you can add in the new domain.

    By: Jarret C.

    SECURI Ticket update Ticket

    The old site has been removed and the new site has been added

    I was happy I thought now I can upload my website and then its well protected, Because securi told me they were the best.
    Now I wanted to login I filled in my email address and my password. but I automatically get redirected to (
    and I get a error – Sucuri 2FA ( Invalid code. Please try again.) Ok no problem until i have tried it 20 times with 20 different codes.
    I then sent an email to Because written on their website. And Because I want to log in to my securi account

    Please email if you need to reset or disable your 2FA account.

    day 1 – I did not get an answer to my email nothing So I called them 10 times (No one answers the phone) A bit angry but okay tomorrow I will try again.

    day 2 – Sent an email again but this time 3 emails – No one answer my email So I called them 15 times (I do not get anyone on the phone) A bit angry but okay tomorrow I will try again pffff.

    Day 3 – I thought I will call them a few times a few times (8 times) – (But no one answers the phone) But yes i got a mail from them.
    SECURI Ticket update Ticket

    It looks like you were able to remove because I don’t see any sites here at the moment:

    You should be able to continue with adding new now, but let us know if you have any other issues.

    – jon
    Pffff After 3 days I get an email whit no answer to my question and I still can not log in
    So I sent securi an e-mail (again)

    The namesaver has already been deleted 3 days ago by my hosting company. and the domain name deleted Successful from suciri. I want to use my new domain name

    But that’s not the problem, and I say it again for clarity that’s not the problem.
    (2FA) Code not working – I’ve always been able to log in whit (2FA) Code until 3 days ago. When a colleague of you changed things in my securi account After that, I could not log in again.

    you can remove (2FA) Code So I can log in (disable 2FA account.

    I received a message again, you should send an email to I have already emailed them 4 times.

    Hi there,

    Unfortunately we currently do not have phone support at this time. It also appears that the emails were going to the wrong mailbox.

    I would be happy to help you with disabling the 2fa so you can log in to your account. But first, I need to authenticate you as the account owner. We do this by verifying with the billing information on file.

    If PayPal – we need the PayPal account email / billing agreement ID

    If Credit card:
    Company Name – if any
    Full name of the account holder
    Last 4 digits of the credit card number used
    Expiration date
    Billing address

    Looking forward to your reply.


    I sent them all the information and wait and waiting no anser no mail no call nothing. I now pay for a securi firewall that I can not use
    Sorry but I’m really angry people. So I sent them an angry mail.

    I’m really frustrated I thought you were the best. But I really begin to doubt you.
    I have been trying for 3 days now To call you Your line is supposedly occupied for 3 days okay
    Really this is the last time I send an email to you Can you solve my problem If you can not, I would like a refund. Because I pay for something I can not use

    Please disable my 2FA account. So I can log in


    Then I received a message

    – This is the last message I received from Ryan securi –
    Your IP address is being blocked for abuse. To continue correspondence, you can email Have a great day! :)

    – I have replay
    Why I just want to be helped I’ve been waiting for 3 days now. No problem I will now post a review online with all the mails that I received from securi. please close my account. And give me a refund. Because you are not fair. have a nice day

    • Tony Perez says

      Hi Dani

      Thank you for the feedback. I have since tried reaching out, have no had luck connecting. Please, if you can respond to I’m sure we can work to get this resolved quickly.

      Thanks in advance for your time.


  16. AJ Clarke says


    We are getting hit hard by SPAM bots located on Amazon AWS and Google Cloud. Do you know if Sucuri firewall can help with that? We currently use WPEngine which has a built-in firewall (not blocking anything) and CloudFlare (also not blocking the spam) we are running out of options and really hope Sucuri can help.

  17. Avinash says

    On sucuri’s product page related to there basic plan which is available for 9.99$ per month, they have also mentioned Performance Optimization and CDN. So is it something like they provide CDN services or they provide web security for websites using CDN services?
    Can you please explain that if they provide CDN services, why should we go for a separate CDN provider?

  18. Connor Wright says

    I’ve had this for about 1 month and about 1 week ago it blocked 700k attacks and allowed 3m requests through (I own a web hosting company)

  19. Johnathan says

    A very recent problem with our website is causing me to uninstall / re- install WordPress.

    Multiple issues:
    We had I guess what you would call “link injection” – Links showing up for our webite in Google that redirected to porn, viagra and such. I found that the htaccess has a a couple additional lines in it that allowed for these redirections.

    I also found in “users” that there were hundreds of user acounts created.

    Dashboard showed there were over 7K log in attemps.

    I started off by trying to pick through everything and repair, but I am concerned that I wouldn’t find all the problems and this would just happen again.

    I know the paid version of sucuri is recommended, but from the information I provided would you think the free versions will prevent these issues until I can justify the monthly cost to the owner of the company?

  20. Martin Fuller says

    I am at a loss to understand why the makers of WordPress itself do not address this problem of protection and security

    • Ezeugwu Paschal says

      Website Security is a big deal entirely and not everybody is excellent at it. If the makers of WordPress focus thoroughly on security, I bet you we will still be running WordPress version 1.2alpha. It’s better when another set of people takes one of the flaws as their major concern and try as much as possible to fix them.

  21. Mary says

    Sucuri is awesome, They have helped me with my site. I’ve looked into other malware removal services and it’s expensive. For $199 a year, you get awesome support, an awesome firewall, awesome advice, and they will even remove the malware for you. If your site gets some good traffic, it’s important to secure your site.

  22. David says

    First and obvious question — how does Sucuri compare to CloudFlare? CloudFlare’s basic plan is free, and does lots of the same things. Why should one switch to Sucuri at $200 a year from CloudFlare (free or $20 a month?)

    • Editorial Staff says

      You don’t get the web application firewall on Cloudflare free plan. Your site also don’t get much optimization on the free plan.

      On their $20 / month plan, you do get WAF but that comes out to $240 / year. You also don’t get Advanced DDoS protection for which Cloudflare charges $200 / month (so $2400 / year).

      On the other hand Sucuri gives you WAF + Advanced DDoS protection for $199 / year. And if you want DDoS protection on Layer, 3, 4, & 7 — that’ll be $499 vs CloudFlare’s $2400.

      Aside from price comaprison, Cloudflare doesn’t offer malware cleanup guarantee that Sucuri includes as part of their service.


      • shiva says

        Our website is an huge database and fully loaded with latest windows softwares

        Our website traffic (hummans) : 5-10K & hits : 20-25K, we are worring same problem , what you said in post.

        When i tried our website on cloudflare as plan 20$/month, If set security ” iunder attck mode” , we got blocked adsense for one day. we got mad, now i removed cloudflare , i added maxcdn & keycdn . it works okay not perfect for security purpose.

        Compare to keycdn , maxcdn is excellent work for speed . Still im looking some thing perfect security for wordpress. we will try for this. and also i will post a review on securi in next month.

    • Ashu Xlon says

      Actually Cloudfare do not totally protect you in their free basic version.They consider all the sites same that’s why there is no specialized security for wordpress whereas wordpress has its own security issues and needed to patched separately.

  23. Abhay says

    Thank for this article. This is much needed. Sucuri is also of great help in identifying the malware in the site and it’s root. One observation I have on Sucuri, even when there is a malware in the website (because of which the hosting service provider first blocks port 80 and then the website), Sucuri does not show any malware / risk in the website. That’s suprising.

    • Editorial Staff says

      If you’re using their free scanner tool on the website, then yes that won’t detect all malware specially the ones that are hidden inside your server.

      However the server side scan will detect those.


Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.