For those who do not yet know the Sucuri security plugin very well: Sucuri is not a WordPress company. Nevertheless, it seems to have a special interest in the WordPress platform. It’s time for us to do a detailed Sucuri review!
According to users, however, WordFence seems to be the best WordPress security plugin on the market. For the uninitiated, Sucuri is a company specializing in website security.
They offer many different services such as site cleaning, as well as blacklist cleaning and protection against DDoS attacks, among others.
They also offer their services for Joomla, Drupal, Magento, and other sites.
In addition to that, they have a security plugin in the WordPress directory, which is what we are mainly going to cover in this article.
Sucuri Review – Installation and configuration
As the first step in this Sucuri review, we are going to install the plugin on our website and get it working.
Install the plugin
You can install Sucuri in the same way as other WordPress plugins. Just go to Plugins > Add New and search for Sucuri. The plugin you are looking for will come first.
Click Install Now, then activate once the download is complete.
The first thing you will see after activation is a message to generate an API key.
Just click the button, select the correct user, and hit Continue to create it. Some functions will not work until you activate them. That’s it for the settings.
Sucuri Security – General Information
You can review your site's security status from the Dashboard. If it is activated, here you will see the logs of everything that has been happening with your site.
For starters, it shows the integrity of your site’s core. This means that Sucuri scans the WordPress files for unknown changes or unknown files and lists the issues so you can fix them.
Of course, if files that you know are not a problem appear in the list, you can exclude them from the next scan. To do this, simply check the files in question and use the mark option in the drop-down menu. In the same place, you can also delete or restore files.
Sucuri Security has a built-in malware scanner. When the button is pressed, it will check your site for malware, errors, and out-of-date components. It also checks if it has been blacklisted by Google, Norton, AVG, PhishTank, and other spam lists.
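The core integrity scan and the exclusion list described above can be pictured with the following added example, which is not Sucuri's code. The function names, the SHA-256 manifest format and the tiny constructed file tree are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the hex SHA-256 digest of a file."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()

def check_core_integrity(root, manifest, ignore=()):
    """Compare files under root with manifest {relative_path: sha256}."""
    report = {"modified": [], "added": [], "missing": []}
    seen = set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in ignore:  # file excluded from the scan by the site owner
                continue
            seen.add(rel)
            if rel not in manifest:
                report["added"].append(rel)
            elif sha256_of(full) != manifest[rel]:
                report["modified"].append(rel)
    report["missing"] = [p for p in manifest if p not in seen and p not in ignore]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Build a constructed mini core tree, tamper with it, and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        originals = {"index.php": b"<?php // front controller\n",
                     "wp-includes/version.php": b"<?php // version info\n",
                     "wp-login.php": b"<?php // login\n"}
        manifest = {}
        for rel, body in originals.items():
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(body)
            manifest[rel] = hashlib.sha256(body).hexdigest()
        # Constructed changes: one edited, one unknown and one deleted file.
        with open(os.path.join(root, "index.php"), "ab") as handle:
            handle.write(b"// unexpected extra line\n")
        with open(os.path.join(root, "wp-includes", "cache.php"), "wb") as handle:
            handle.write(b"<?php // unknown file\n")
        os.remove(os.path.join(root, "wp-login.php"))
        full = check_core_integrity(root, manifest)
        ignored = check_core_integrity(root, manifest, ignore={"wp-includes/cache.php"})
        return full, ignored
```

Calling `demo()` returns the full report and a second report in which the unknown file has been excluded, so it no longer appears under "added".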
The analysis will run automatically every three, twelve, or twenty-four hours (depending on settings). The default is twice a day.
Once it has been run, you get a detailed report of its findings. All the issues present on your site are listed so that you can take appropriate action if necessary.
Of course, like any good security system, Sucuri also offers a firewall. When enabled, all site traffic first goes through Sucuri’s servers before reaching your website. That way, they can stop hackers, DDoS attacks, and other unwanted traffic before it even arrives.
In this way, you protect your site, while your server avoids downtime and slowdowns. It also protects you from SQL injection, backdoors, and many other threats.
However, the firewall is not included in the free plugin. In order to activate it, you need an API key for which you need to sign up for one of the paid plans.
Under Hardening, Sucuri helps you take steps to fortify your website against external threats. You can conveniently activate each feature with the click of a button.
- Activate firewall – If you have the paid version, you can configure the firewall.
- WordPress Update – When your website or any of its components are out of date, this section will warn you and ask you to install the latest version.
- Check PHP Version – Checks if the server is running the latest version of PHP.
- Protect file directory – Disables the execution of PHP files within your files directory. This can break certain plugins, so be very careful.
- Restrict wp-content access – put a .htaccess file inside the wp-content to prevent external access.
- Restrict access wp-includes – Same as above but for wp-includes.
- Security Keys – Checks for the presence of security keys within wp-config.php. These make the information stored inside cookies more difficult to decipher.
- Information leak – checks for the presence of a readme.html file on your site (containing the WordPress version) and removes it.
- Default administrator account – Checks for the default administrator user. This account used to be the norm back in the day and is a favorite target for hackers.
- Plugin and theme editor – Disable the plugin and theme editor to prevent access to confidential files by other users (and possibly hackers who have broken into your site).
- Database table prefix – Option to check whether your site is running with the wp_ database table prefix and to change it. Running with that prefix makes you more vulnerable.
Besides that, you can also find the option to whitelist PHP files that have been blocked. Of course, never do this if you are not sure.
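Several of the hardening checks in the list above can be verified by hand on a copy of the site. The following added example is not part of the Sucuri plugin; the function names, finding texts and the constructed sample site are assumptions, while DISALLOW_FILE_EDIT and the eight key names are the standard WordPress constants.

```python
import os
import re
import tempfile

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

def audit_hardening(root):
    """Return a sorted list of findings for the WordPress tree at root."""
    findings = []
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as handle:
        config = handle.read()
    # Collect define('NAME', value) pairs from wp-config.php.
    defines = dict(re.findall(
        r"define\(\s*['\"](\w+)['\"]\s*,\s*(.*?)\s*\)\s*;", config))
    for name in KEY_NAMES:
        if len(defines.get(name, "").strip("'\"")) == 0:
            findings.append("security key missing: " + name)
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("plugin and theme editor enabled")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"](\w*)['\"]", config)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("default wp_ table prefix")
    if os.path.exists(os.path.join(root, "readme.html")):
        findings.append("readme.html present")
    for folder in ("wp-content", "wp-includes"):
        if not os.path.isfile(os.path.join(root, folder, ".htaccess")):
            findings.append("no .htaccess in " + folder)
    return sorted(findings)

def demo():
    """Audit a constructed sample site before and after hardening."""
    with tempfile.TemporaryDirectory() as root:
        for folder in ("wp-content", "wp-includes"):
            os.makedirs(os.path.join(root, folder))
        def write(rel, text):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as handle:
                handle.write(text)
        write("readme.html", "<h1>WordPress</h1>")
        write("wp-config.php", "<?php\n$table_prefix = 'wp_';\n"
              "define('AUTH_KEY', 'constructed-sample-value');\n")
        before = audit_hardening(root)
        os.remove(os.path.join(root, "readme.html"))
        keys = "".join("define('%s', 'constructed');\n" % name for name in KEY_NAMES)
        write("wp-config.php", "<?php\n$table_prefix = 'site7_';\n" + keys
              + "define( 'DISALLOW_FILE_EDIT', true );\n")
        for folder in ("wp-content", "wp-includes"):
            write(folder + "/.htaccess", "# access rules go here\n")
        return before, audit_hardening(root)
```

The audit only checks that the .htaccess files exist; it does not evaluate the rules inside them.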
This section of the plugin offers measures for when your site has been compromised:
- Reset security keys – This option will generate new keys within wp-config.php .
- Reset User Password – Prompts chosen users to create new passwords.
- Restore plugins – In case the plugins are infected, this allows you to reinstall them with one click.
- Available updates – Shows all the components on your site that can (and should) be updated.
Many of these are actions that you are generally advised to carry out manually if your site has been hacked.
Here, Sucuri records all logins to your site. You can check your administrator users, the users currently registered on your site, failed login attempts, and blocked users.
Naturally, the settings allow you to control everything related to the plugin.
- General – Configure your API key, data storage, IP and reverse proxy settings, whether to obtain passwords for failed connection attempts, user comment spam, and whether to enable audit logs in the dashboard. You can also adjust the date and time and reset all the options.
- Scanner – Configure the Sucuri malware scanner. It defines which algorithm it uses, the frequency of scanning, whether to check the integrity of the core, and other settings.
- Alerts – Determine to whom security reports are sent, how often, and for which events.
- API Service – All settings that can be done with the Sucuri API.
- Enter exporter – Option to allow the export of security reports for later analysis.
- Ignore Scanning – In case your website is very large, here you can instruct the scanner to ignore certain files and folders to avoid waiting times.
- Ignore alerts – By default Sucuri sends warning emails if certain types of emails are created or updated. This menu allows you to turn off the alarm for any type of message.
- Trusted IP – Configure trusted IPs for which it does not send alarms, especially if you are part of a local area network.
- Heartbeat – Settings for the Heartbeat API, which is a connection between the browser and the server.
Lastly, this part contains everything Sucuri knows about your site. It includes information about the plugins and the server, scheduled tasks, the integrity of your .htaccess file, variables such as database name, table prefix, keys, and more, as well as error log settings.