
Sucuri plugin review and common issues

Sucuri is used for hardening login, scanning files, and blocking common attacks. For most business sites it is a better fit than hand-rolling security controls before the site has settled. A common issue is that firewall rules block legitimate users or admin actions; this usually happens when strict rules produce false positives on sites with custom code. The plugin saves time, but rule and hardening changes still need testing on a staging site before they go live. From experience, Sucuri works best when the setup stays focused and does not overlap with other security plugins that do the same job.


What is Sucuri plugin?

Sucuri is a website security company that provides both a free WordPress plugin and a premium cloud-based security platform. The free WordPress plugin at WordPress.org handles malware scanning, file integrity monitoring, blocklist monitoring, security hardening, and post-hack remediation tools. It is owned by GoDaddy and is one of the most recognized names in WordPress security alongside Wordfence.

The key architectural difference between Sucuri and Wordfence is where the firewall runs. Wordfence's firewall is PHP code on your own server, inspecting each request after it has already reached WordPress. Sucuri's premium WAF is a cloud reverse proxy: your DNS points the domain at Sucuri, every request goes through Sucuri's edge first, and malicious requests are dropped before they touch your hosting. Because the traffic is absorbed upstream, this model can soak up volumetric DDoS traffic that a server-side firewall would otherwise have to process with the server's own CPU and bandwidth. The trade-off is that the cloud WAF requires changing your DNS records to route traffic through Sucuri, a more involved configuration step than activating a plugin.

The free plugin does not include the cloud WAF; that requires a paid Sucuri Platform subscription starting at $199.99/year. The free plugin does include malware scanning (via SiteCheck, which scans the public-facing site remotely), blocklist monitoring (checking Google Safe Browsing, Norton Safe Web, and others), and one-click security hardening recommendations.

When a site is compromised, Sucuri Platform subscribers get unlimited malware cleanup as part of their plan, performed by Sucuri’s security team. This is a strong value proposition compared to paying an hourly rate for emergency cleanup. For non-subscribers, cleanup is available as a separate paid service.


Key Features

  • Remote malware scanning via SiteCheck (free)
  • File integrity monitoring for WordPress core
  • Blocklist monitoring across major security databases
  • One-click security hardening recommendations
  • Post-hack remediation tools: security key reset, user password reset

Pros & Cons

Pros

  • Cloud-based WAF architecture blocks threats before they reach your server
  • Unlimited malware cleanup included with paid plans
  • Well-established brand with professional security team

Cons

  • Cloud WAF requires a DNS configuration change, so setup is more involved than Wordfence
  • The free plugin has no firewall at all; WAF protection requires the paid Sucuri Platform

Free vs Premium

Free plugin covers malware scanning, file integrity monitoring, blocklist monitoring, hardening, and post-hack tools. Sucuri Platform ($199.99/year+) adds the cloud WAF, DDoS mitigation, brute force protection, SSL certificate, unlimited malware cleanup, and priority support.

Common Problems & Fixes

Why is Sucuri SiteCheck showing malware even after cleaning the site?

SiteCheck scans the public-facing website remotely and caches results. After cleaning malware, SiteCheck may show stale cached results for a period of time. Request a fresh scan directly from sitecheck.sucuri.net, and separately confirm that the blocklists it reports on (Google Safe Browsing, Norton Safe Web and others) have been updated by requesting a review through each blocklist's own platform; for Google Safe Browsing that is the Security Issues report in Google Search Console. Removal from Google Safe Browsing can take 1-3 days after the site is confirmed clean.

Why is Sucuri's file integrity check flagging custom files as modified?

Sucuri's integrity check compares the files of WordPress core against the official checksums for the installed version published by WordPress.org. Anything outside that manifest shows up as unknown or modified: core files with local edits, files dropped into the checked directories, and MU-plugins or premium plugins that are not in the public repository. Treat these results as a review queue rather than noise: open each flagged core file and diff it against a clean copy of the same WordPress version, because injected code is routinely hidden inside otherwise legitimate core files. Files you have confirmed as intentional customisations can be marked as known in the Sucuri dashboard so they stop appearing in later scans.

Why is setting up the Sucuri WAF more complex than Wordfence?

Sucuri's WAF is a cloud reverse proxy in front of your host: all traffic to your domain goes through Sucuri's servers before reaching your hosting. Enabling it means changing the domain's DNS A records to point at Sucuri's firewall addresses instead of the hosting server's IP, which is done at your domain registrar or DNS provider. Sucuri provides step-by-step guidance in its documentation, but it is inherently more technical than installing a plugin and flipping a firewall switch. Two practical points: record the previous A records and TTL so you can roll back, and lock the origin down once traffic is flowing. Changing DNS does not stop anyone who knows or discovers the origin IP from connecting to the host directly and bypassing the WAF, so the web server should accept traffic only from Sucuri's firewall ranges; Sucuri's documentation describes this step.
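The bypass caveat is easy to get wrong, so here is an added example (my own code, not Sucuri's) of the two checks a practitioner runs after the DNS change: confirm that every A record for the domain lands inside the WAF address ranges, and confirm that the origin refuses a request that skips the WAF by being sent straight to the origin IP with the site's Host header. It also renders the Apache and nginx allowlist fragments for the origin. The ranges in WAF_RANGES are placeholders from the RFC 5737 documentation blocks, not Sucuri's real addresses; take the current list from your Sucuri dashboard or documentation before deploying.

```python
"""Origin lockdown checks for a cloud WAF in front of a WordPress host.

Added example, not Sucuri's code. WAF_RANGES is a PLACEHOLDER (assumption):
replace it with the firewall ranges published in your Sucuri dashboard.
"""
import http.client
import ipaddress
import ssl

WAF_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]  # placeholders, RFC 5737


def ip_in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def dns_points_to_waf(a_records, ranges):
    """True only if every A record is inside the WAF ranges. A single stray
    record (a forgotten www or old host entry) leaks the origin."""
    return bool(a_records) and all(ip_in_ranges(ip, ranges) for ip in a_records)


def render_apache_allowlist(ranges):
    """Apache 2.4 directives for the origin vhost: only the WAF may connect."""
    lines = ["<RequireAny>"]
    lines += [f"    Require ip {r}" for r in ranges]
    lines.append("</RequireAny>")
    return "\n".join(lines)


def render_nginx_allowlist(ranges):
    """nginx equivalent for the origin server block."""
    return "\n".join([f"allow {r};" for r in ranges] + ["deny all;"])


def origin_reachable_directly(origin_ip, hostname, timeout=5):
    """Network check (not run by the tests): send the site's Host header
    straight to the origin IP, skipping DNS and therefore the WAF.
    Returns the HTTP status if the origin answered, or None if the
    connection was refused or timed out. Anything but a refusal or a
    403 from an allowlist means the WAF can be bypassed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the cert is for hostname, not the IP
    ctx.verify_mode = ssl.CERT_NONE     # we only care whether it answers
    conn = http.client.HTTPSConnection(origin_ip, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/", headers={"Host": hostname})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed resolver output for illustration; in practice feed in
    # the A records returned by `dig +short example.com A`.
    records = ["192.0.2.7", "203.0.113.9"]
    print("all A records on the WAF:", dns_points_to_waf(records, WAF_RANGES))
    print(render_apache_allowlist(WAF_RANGES))
    print(render_nginx_allowlist(WAF_RANGES))
```

Run the direct-origin probe from outside your hosting network; a 200 with your site's HTML means the allowlist is not in place (or the old IP is still reachable through another hostname such as a mail or cPanel subdomain).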

Customization & Developer Notes

How do I configure Sucuri security alerts?

Go to Sucuri Security → Settings → Alerts to configure email recipients, alert triggers, and alert frequency. You can set alerts for failed logins, file modifications, admin actions, blocked requests, and more. Configuring only the alerts relevant to your threat model prevents alert fatigue from notifications that do not require action.

What security hardening does Sucuri recommend after installation?

Sucuri Security → Hardening lists one-click recommendations: block PHP execution in the uploads directory (so a file that arrives through an upload form or a vulnerable plugin cannot be run as a script), remove the publicly visible WordPress version string, disable the theme and plugin file editor in the admin panel, and confirm that wp-config.php and .htaccess cannot be fetched directly over HTTP. Each can be applied from the Hardening panel. Note that the uploads and file-access rules are written as .htaccess files, so they only take effect on Apache with overrides enabled; on nginx or other hosts the equivalent location blocks have to be added to the server configuration by hand.
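As an added example (my own code, not what the plugin itself writes) here is a small audit for three of those hardening items on a local WordPress tree: it drops a deny rule into wp-content/uploads/.htaccess without clobbering an existing file, checks that wp-config.php carries an uncommented `define('DISALLOW_FILE_EDIT', true)`, and checks rendered HTML for the version-leaking generator meta tag. The .htaccess rule is my own Apache 2.4 syntax, and the sample wp-config.php and HTML are constructed inline.

```python
"""Audit three WordPress hardening items on a local install.

Added example, not the Sucuri plugin's own code. The deny rule is my own
Apache 2.4 text (assumption: mod_authz_core, AllowOverride enabled); the
sample wp-config.php and HTML are constructed inline.
"""
import re
import tempfile
from pathlib import Path

UPLOADS_RULE = (
    "# Deny execution of PHP-like files under uploads (added example)\n"
    '<FilesMatch "(?i)\\.(php|phtml|phar|php[0-9])$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)

_DEFINE_RE = re.compile(
    r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)""", re.I
)
_GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([\d.]*)""", re.I
)


def ensure_uploads_rule(site_root):
    """Append the deny rule to wp-content/uploads/.htaccess, creating the
    file if needed and leaving it alone if the rule is already present.
    Returns True when the file was changed."""
    htaccess = Path(site_root) / "wp-content" / "uploads" / ".htaccess"
    htaccess.parent.mkdir(parents=True, exist_ok=True)
    existing = htaccess.read_text() if htaccess.exists() else ""
    if UPLOADS_RULE.strip() in existing:
        return False
    with htaccess.open("a") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")
        f.write(UPLOADS_RULE)
    return True


def file_edit_disabled(wp_config_text):
    """True only if an uncommented define('DISALLOW_FILE_EDIT', true) exists.
    Line comments (// and #) are stripped; /* */ blocks are not handled,
    which is acceptable for the usual wp-config.php layout."""
    for line in wp_config_text.splitlines():
        code = line.split("//")[0].split("#")[0]
        m = _DEFINE_RE.search(code)
        if m:
            # PHP keeps the first definition of a constant.
            return m.group(1).lower() == "true"
    return False


def exposed_wp_version(html):
    """Return the version leaked by the generator meta tag, or None.
    The generator tag is the most obvious leak; ?ver= query strings on
    core scripts and readme.html are the others worth checking."""
    m = _GENERATOR_RE.search(html)
    if not m:
        return None
    return m.group(1) or None


def build_sample_site():
    """Constructed sample install: editor disabled, one commented-out line."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    (root / "wp-config.php").write_text(
        "<?php\n"
        "// define('DISALLOW_FILE_EDIT', false);\n"
        "define( 'DISALLOW_FILE_EDIT', true );\n"
    )
    return root


SAMPLE_HTML = (  # constructed page head as WordPress renders it by default
    '<html><head><meta name="generator" content="WordPress 6.5.2" /></head></html>'
)

if __name__ == "__main__":
    site = build_sample_site()
    print("uploads rule written:", ensure_uploads_rule(site))
    print("file editor disabled:", file_edit_disabled((site / "wp-config.php").read_text()))
    print("version exposed:", exposed_wp_version(SAMPLE_HTML))
```

After applying the uploads rule, verify it from the outside: place a harmless `test.php` that echoes a string in the uploads directory, request it over HTTP, and confirm you get a 403 rather than the echoed output, then delete the test file.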

Frequently Asked Questions

Is Sucuri better than Wordfence?

The main differences: Sucuri’s WAF is cloud-based (more effective against DDoS, requires DNS change, costs more). Wordfence’s WAF is on-server (easier setup, slightly less effective against volumetric attacks, includes real-time threat intelligence in Premium). For most WordPress sites, either is strong security. For sites that face targeted DDoS or sophisticated attacks, Sucuri’s cloud WAF model is more appropriate.

Does the Sucuri free plugin include a firewall?

No. The free plugin does not include a WAF. The cloud-based Web Application Firewall is exclusively a premium feature requiring a Sucuri Platform subscription and DNS configuration.

Does Sucuri clean hacked WordPress sites?

Sucuri Platform subscribers get unlimited malware removal and hack cleanup as part of their subscription. Non-subscribers can pay for individual cleanup services. Cleanup is performed manually by Sucuri’s security team, not automated.

Is Sucuri compatible with WordPress Multisite?

Yes. The free plugin supports Multisite installations. The cloud WAF can protect a Multisite network at the domain level. Contact Sucuri support for specific Multisite WAF configuration guidance.

Need a Sucuri Developer?

Find a vetted WordPress developer specializing in Sucuri. From setup and configuration to custom Sucuri development — get expert help on WPWizzy.

Ready to hire your WordPress developer?

WPWizzy connects you with vetted freelance WordPress developers from the Codeable network, the top 2% of WordPress experts worldwide. You can get a free, no-obligation project estimate before hiring. Every developer is carefully screened, backed by Codeable's satisfaction guarantee, and rated by real clients based on completed WordPress projects.


After submitting your request, up to three WordPress developers may review your project and ask a few questions to better understand the issue.
This step helps us define the scope of work and provide an accurate estimate. Most projects receive a response within 24 hours.
Providing a few key details about your website or the problem will help us respond faster. There is no obligation to proceed with the project.