WordPress security is like a ticking time bomb. You can never know when it’ll go off. Thousands of WordPress sites get hacked every day. It’s a serious issue that should be nipped in the bud before it blossoms into a menacing threat!
There are two major ways to protect your WordPress site: first, opt for a secure hosting service with a proven track record of following industry best practices. Second, beef up your site’s security with a dedicated third-party security service.
When it comes to WordPress security, Wordfence and Sucuri are two of the most popular options. They both come with a robust set of security features to keep your website safe. In many ways they're similar, yet different.
Wordfence or Sucuri? If you’re wondering which of these two will be the right fit for your website, this article will help you decide decisively. I’ve used them both extensively to compare them 1-on-1 for various features, performance, pricing, and the total value they offer.
You can use this information to choose the most suitable option for you.
Sounds good? Let’s get started!
Intro to WordPress Security
WordPress is under constant threat by hackers. According to a report by GoDaddy Security, 90% of all the hacked CMS platforms in 2018 were WordPress sites. Google alone blacklists 10,000 websites every day for hosting and spreading malware, and these blacklisted sites can lose up to 95% of their organic traffic.
41% of hacked WordPress sites were compromised through vulnerabilities in the hosting platform. Hence, you can avoid a lot of trouble with a secure WordPress hosting platform from the get-go.
Even more astonishing is that 60% of small businesses shut down within 6 months of a cyber attack. Since the vast majority of hacking attempts target small and medium businesses, securing your website is that much more critical.
How Hackers Breach WordPress Sites
Only 36.7% of hacked WordPress sites were compromised through an outdated, vulnerable version of WordPress itself. The primary attack vectors for WordPress sites are its extensible components, namely plugins and themes.
Plugins are the biggest risk of all. As noted in Kinsta's WordPress Security article, plugins with known and unknown vulnerabilities make up the bulk of WordPress hacks. A Wordfence study found that they account for 55.9% of all known backdoors.
Brute-force attacks that guess weak passwords are the next big attack vector, making up 16.1% of total hacking attempts. The same study found another shocking statistic: 61.5% of hacked website owners didn't even know that their site was compromised.
How to Secure Your WordPress Site
There are three major steps to keep your WordPress site safe from cyber attacks:
Prevention
Whether it's a biological disease or digital malware, prevention is always better than cure!
Prevention focuses on keeping malicious code out of your WordPress sites. It's usually done through firewalls, antivirus programs, email filtering solutions, protection against DDoS attacks and bad bots, etc.
Detection
Detection focuses on becoming aware of security incidents as soon as they happen, so you can act at once and secure your website before any significant damage is done.
It includes tools such as intrusion detection systems, network scanning, integrity monitoring, etc.
Many owners of hacked WordPress sites don't even know that their site's security has been breached. Hence, it's critical to have robust detection systems in place, especially at the hosting level. Security plugins such as Sucuri or Wordfence are great add-ons.
Response and Recovery
Hope for the best, but always prepare for the worst! Response and Recovery focuses on addressing security incidents swiftly and efficiently.
A good recovery process should not just clean up after an attack, but also include backup and forensic features. This makes sure that you stop similar incidents in their tracks before they occur.
This is a major reason why you must conduct thorough research of your hosting company’s commitment to security before signing up with them. For instance, if your WordPress site is hacked while hosted at Kinsta, Kinsta’s security specialists will work with you to identify and remove the malware.
Security services like Sucuri or Wordfence offer incident response services as part of their professional packages.
Sucuri vs Wordfence
Both Sucuri and Wordfence help you secure your WordPress site, but their approaches differ. Here's a quick showdown between them:
|Feature||Sucuri||Wordfence|
|Firewall Pricing (WAF)||Starts at $9.99/month||Starts at $99/year|
|Malware Removal Pricing||Starts at $199.99/year — unlimited cleanups||$179 per cleanup|
|Free Plugin Available||Yes||Yes|
|Web Application Firewall (WAF)||Yes, but only for Premium customers||Yes, it’s Free|
|Website Integrity Scan||Yes||Yes|
|SSL Certificate Support (on WAF)||Yes||No|
|DDoS Attack Protection||Yes||No|
|Zero-Day Exploits Prevention||Yes||No|
|CDN for Improved Performance||Yes||No|
|Cloud-based Platform||Yes, Remote Scanning||No|
|Self-hosted Platform||No||Yes, Local Scanning|
|System Security Tweaks||No||Yes|
The above table covers the key differences between Sucuri and Wordfence. Now, let’s dig deeper!
Intro to Sucuri
Its core features include malware detection, integrity monitoring, and security hardening. Sucuri scans everything remotely, hence it doesn’t perform any deep scans at the server level.
Sucuri promises to protect websites, improve performance, monitor for indicators of hacks, and offers unlimited support for security incidents (for premium users only).
You should note that Sucuri is not a silver bullet for all your website security needs. It’s designed to supplement your existing web security. However, Sucuri provides you with many tools to reduce risks, giving you better peace of mind and greater security awareness.
How Sucuri Works
When talking about how Sucuri works, it’s best to differentiate between its three tiers:
- Sucuri Security is a free plugin that comes with standard WordPress security hardening features. The free version of the plugin doesn’t include a firewall.
- Sucuri Firewall (WAF) is a paid service that you can integrate with the free Sucuri Security plugin. You can also use the firewall without the plugin. It includes website protection features such as a Web Application Firewall (WAF), a CDN for performance optimization, load balancing for high availability, an Intrusion Detection System (IDS), DDoS mitigation, and a host of other tools.
- Sucuri Platform is a suite of premium cloud-based security services. It includes everything included with Sucuri Firewall, plus other important features such as monitoring, detection, and incident response. By signing up for the Sucuri Platform, you can ask the Sucuri team to “remove all malware & blacklist warnings” for your website.
For a better understanding, here’s a brief video of Sucuri at work:
Sucuri tracks every change in your website and saves the logs to its own cloud servers. You can audit these logs to find out exactly what went wrong where. This helps in fixing security issues swiftly and efficiently.
Security Settings and Features Available
You can break down Sucuri’s WordPress offerings into two main products: a free plugin called Sucuri Security, and a premium cloud-based Sucuri Firewall (WAF).
Let’s look at the free plugin first.
The Sucuri Security dashboard has a straightforward interface that gives you a bird's-eye view of its security checks.
Its primary task is to notify you about the integrity of your core WordPress files. It'll show you a warning if it finds any compromised core files. You can then take appropriate action: either replace the infected files with the original ones or mark them as false positives.
Under the Audit Logs tab, you'll find every change that has happened on your website. Likewise, under the iFrames, Links, and Scripts tabs, you can find every instance of scripts and links on your website.
In my case, the warning was a false positive. So, I marked it as fixed manually. Sucuri will remember this fix the next time it performs a scan.
The Settings panel has many tabs to customize how Sucuri protects your website. Under the General Settings tab, you can find your API Key, Data Storage directories, and other settings such as Log Exporter, Reverse Proxy, IP Address Discoverer, and Timezone Override.
You can also import or export Sucuri’s overall settings from here.
Next, let’s move to the Scanner tab. Here, you can see Sucuri’s Scheduled Tasks, WordPress Integrity Diff Utility settings (to compare files on your server with the original ones), and a list of False Positives.
If you want to ignore certain files and folders on your server from Sucuri’s scanning, you can set them here. This tool is helpful to ignore non-code related files and folders that can be too heavy to scan, such as folders with numerous media files, backups, etc.
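To make the integrity-diff idea concrete, here is an added example of the underlying technique, written for this comparison rather than taken from Sucuri's plugin: hash every file against a known-good baseline, skip the bulky paths on an ignore list, and remember deviations the operator has reviewed and marked as false positives so they aren't reported on the next scan. The site layout, ignore globs and sample files are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Paths (relative to the site root) skipped by the scan, mirroring an ignore
# list for bulky non-code directories. Trade-off to be aware of: skipping
# uploads/ means PHP dropped there is invisible to this scan, so the host
# should also refuse to execute PHP from that directory.
IGNORE_GLOBS = ("wp-content/uploads/*", "wp-content/backups/*", "*.bak")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def ignored(relpath):
    # fnmatch's "*" also matches "/", so "dir/*" covers the whole subtree.
    return any(fnmatch(relpath, pattern) for pattern in IGNORE_GLOBS)

def build_manifest(root):
    """Map every non-ignored file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not ignored(rel):
                manifest[rel] = sha256_file(full)
    return manifest

def diff_manifests(baseline, current, accepted=frozenset()):
    """Report files added, modified or removed since the baseline, omitting
    any path the operator has reviewed and marked as a false positive."""
    added = sorted(p for p in current if p not in baseline and p not in accepted)
    removed = sorted(p for p in baseline if p not in current and p not in accepted)
    modified = sorted(p for p in current if p in baseline
                      and current[p] != baseline[p] and p not in accepted)
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed scenario: a tiny fake install is baselined, then one file is
    altered, one unexpected file appears, one plugin file disappears, and a PHP
    file lands in uploads/ (ignored). Returns the first report and the report
    after the operator accepts the version.php change."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)

        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-includes/version.php", "<?php $wp_version = '6.0';")
        write("wp-content/plugins/hello.php", "<?php // hello")
        baseline = build_manifest(root)

        write("wp-includes/version.php", "<?php $wp_version = '6.0'; // edited")
        write("wp-content/dropper.php", "<?php // unexpected new file")
        write("wp-content/uploads/2024/x.php", "<?php // inside an ignored path")
        os.remove(os.path.join(root, "wp-content/plugins/hello.php"))

        first = diff_manifests(baseline, build_manifest(root))
        second = diff_manifests(baseline, build_manifest(root),
                                accepted={"wp-includes/version.php"})
    return first, second
```

The first report flags the edited core file, the new file under wp-content and the missing plugin file; the file dropped into uploads/ never appears because that path is ignored, which is exactly why such exclusions should be paired with server-level rules that stop PHP from executing there. Once version.php is accepted as a false positive, the second report drops it while still listing the other two deviations.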
The Hardening tab lets you apply a set of standard WordPress and PHP security hardening methods. You can use the Whitelist Blocked PHP Files setting to exempt certain PHP files from these strict restrictions.
In case of an attack or a breach, the Post-Hack tab will come in super handy. Here, you can Update Secret Keys, Reset User Passwords, Reset Installed Plugins, and apply any Available Plugin and Theme Updates.
The Alerts tab lets you set the Alerts Recipient, Trusted IP Addresses, Alert Subject, and Alerts Per Hour. You can set which kinds of Security Alerts will trigger the alert mechanism, and which types it will ignore (usually the ones generated by third-party plugins). This is a great Detection feature to have.
The API Service Communication tab is simple and straightforward. It’s mainly for developers to access Sucuri’s remote API service.
Finally, the Website Info tab lists almost everything you'd want to know about your website and the web server it's hosted on. Here, under the Access File Integrity section, you can check the integrity of your .htaccess file.
Sucuri’s cloud-based firewall is a premium service. It’s great to filter out junk traffic, DDoS attacks, and bad bots.
It works even without the plugin (in fact, that's the recommended setup). You just need to point your domain's DNS at Sucuri's nameservers.
Read Kinsta’s in-depth Sucuri Firewall guide to understand more about all its features.
Most web hosts, including Kinsta, have extra security features in place to block and/or filter out spammy IP addresses and bad bots. Kinsta even has security settings available to allow IP limiting.
However, a professional WAF service such as Sucuri, whose business model is focused primarily on weeding out bad traffic, will provide a more granular control.
It’s not uncommon for users to sign up for Sucuri’s cloud-based firewall as a backup and switch to it only in case of an attack. Sucuri makes it super easy to do that.
All things considered, Sucuri is more than just a security plugin or a firewall. It’s a complete web security solution to keep your sites protected from virtually any malicious attack.
Ease of Use
Sucuri is simple to use. The user interface is on point. If Sucuri recommends applying any security hardening settings, it only takes a single click to enable them.
Once you install the plugin, you need to generate its free API key, which you can do directly from your WordPress dashboard.
Sucuri automates most of its security features, so you can set them once and forget about them. You don't have to worry about updating or maintaining the plugin either.
Sucuri will alert you if it detects a breach. But in case you want to take control manually, it provides you with many options. And since Sucuri’s WAF is cloud-based, it doesn’t require any technical maintenance from your end.
Overall, I found Sucuri a breeze to set up and use.
How Sucuri Fares on Web Security
The free Sucuri Security plugin is good enough to keep tabs on your WordPress website and apply some standard security measures. But it's not built to prevent any major attacks against your website.
If you’re looking for a free WordPress security solution, I wouldn’t recommend Sucuri Security. Don’t rely on it to secure your website.
On the other hand, Sucuri Firewall does a stellar job against DDoS attacks, abusive bots, and customer data compromise. The Sucuri Security Platform goes a step further and adds even more preventative measures.
Sucuri’s free plugin does a great job at sniffing out even the minutest changes on your website. If it finds any anomalies, it’ll alert you promptly so you can take appropriate action.
Even if a hacker has locked you out of your site, you can audit the logs saved on Sucuri’s cloud servers to find out what happened and how you can gain back control.
However, it’s the premium Sucuri Security Platform which truly shines with monitoring and detection. It comes with various added features such as regular server-side security scans, blacklist monitoring, SSL monitoring, instant notifications, and Log Correlation Integration (SIEM).
Response and Recovery
A web security platform is incomplete if it doesn’t offer a way for you to clean up a hacked website.
Fortunately for me, I never had a security incident on my websites while Sucuri protected them. But there are many who had a serious issue, and they’ve shared their experiences on crowd review sites like G2.com.
Here’s an owner of a website sharing her positive review with Sucuri.
“When I was suddenly aware that my website, primarily used by teachers and children, had been hacked, I needed the problem resolved ASAP. Sucuri had my website back to normal within a half hour of reporting the problem and signing up for service. I will never leave my website unprotected again, and have been pleased with Sucuri handling this security.”
And here’s a web designer sharing her positive experience with Sucuri in helping her clean up her clients’ WordPress websites.
“Clients of mine were having problems with their wordpress web sites. Since signing up my clients — there has not been any issues of the website being hacked.”
You should note that there are quite a few reviews where users complain about the time Sucuri takes to respond to tickets. Understanding Sucuri’s pricing strategy can help explain this issue.
Now, coming to the most important bit, the pricing.
Sucuri Firewall (WAF) starts from $9.99/month, while Sucuri Platform starts from $199.99/year. Signing up for the Sucuri Platform also gives you unlimited access to malware removal and hack cleanups.
All of Sucuri’s premium plans come with a 30-day money-back guarantee.
Sucuri doesn’t exclude any security features from its lower level plans except for SSL certificate support on your origin server (that’s reserved for the second cheapest plan).
Instead, Sucuri uses scans and response priority as an incentive for you to sign up for their higher plans.
This pricing strategy gives every Sucuri customer the same prevention and detection features, but for scans and malware removal, customers who have signed up for higher plans get the highest priority.
Everyone will get their tickets addressed in due time, but if you’re on the lowest tier, in most cases the response won’t be immediate. If you need a faster resolution, you have the option to go for their higher plans. For comparison, Cloudflare’s equivalent security solution costs $200/month.
I can understand why this approach can frustrate some users, especially when they’re dealing with a hacked website and are looking for a quick fix. But considering the total value you get out of it, it works out better for a majority of Sucuri users in the long run.
Now that we’ve covered Sucuri, let’s move to Wordfence and see how it compares with it.
Intro to Wordfence
Wordfence is a free WordPress security plugin that includes an endpoint firewall (WAF) and a malware scanner.
Unlike Sucuri, Wordfence is a localized firewall. It stays on your web server and is not a cloud service. Hence, it can perform server-side scans at a deeper level and provide full end-to-end encryption.
But this advantage comes at the cost of performance.
Why? Because your server’s resources will analyze the traffic, check for any malicious intent, and if necessary, discard the traffic. If you host your website on a server with fewer resources (e.g. shared hosting and cheap managed hosting plans), your site can come to a crawl fast.
In case of a DDoS attack, the sheer flood of malicious traffic can overwhelm your server’s resources. No local security plugin can stand up to that. This is Wordfence’s biggest weakness when compared to Sucuri.
By contrast, if you have Sucuri’s WAF enabled, any malicious traffic to your website gets filtered out in the cloud before it reaches your server.
But Wordfence’s localized WAF is a free in-built feature, while Sucuri’s cloud WAF is a premium offering.
How Wordfence Works
Wordfence’s firewall is powered by its Threat Defense Feed, which is a fancy term for its collection of firewall rules, malicious IP addresses, and malware signatures.
The Threat Defense Feed is integrated with the Wordfence plugin installed on your WordPress site. It’s powered by your server.
With Wordfence Premium, you get real-time updates to the Threat Defense Feed. It includes features such as:
- Real-time IP Blacklist, Firewall Rule and Malware Signature Updates.
- Premium Support.
- Site/IP Reputation Checks.
- Country-level Blocking.
Free users get the mission-critical updates only 30 days after they go live. They also don't get real-time IP blacklisting. While this may be acceptable for personal websites, it can be a deal-breaker if you're hosting a business or an ecommerce website.
There's one advantage an endpoint firewall has over cloud firewalls. Since it runs entirely on your server, in theory it can't leak any data, nor can it be bypassed. In contrast, a cloud firewall can leak data, or be bypassed if the attacker learns the IP address of your origin server.
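The bypass caveat above, and the Reverse Proxy and IP Address Discoverer settings mentioned in the Sucuri section, come down to two origin-side rules: only accept connections that arrived through the WAF, and only believe a forwarded-client-IP header when the direct peer is the WAF. Here is an added example of both rules, written for this comparison (it is neither Sucuri's nor Wordfence's code). The WAF address ranges are constructed placeholders from the documentation prefixes, not any vendor's real edges; a deployment would substitute the ranges its WAF publishes.

```python
import ipaddress

# Constructed placeholder ranges for the WAF's edge network (RFC 5737 / RFC 3849
# documentation prefixes). A real deployment uses the vendor's published list.
WAF_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]

def is_from_waf(peer_ip):
    """True when the TCP peer that reached the origin is one of the WAF's edges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WAF_RANGES)

def client_ip(peer_ip, x_forwarded_for):
    """Address to use for logging, rate limiting and blocking.

    X-Forwarded-For is only trusted when the peer is the WAF; a client that
    talks to the origin directly can write anything into that header and
    would otherwise be able to impersonate any address. When the header is
    trusted, the rightmost entry is the one the WAF itself appended; anything
    left of it was supplied by the client and is not trusted."""
    if not is_from_waf(peer_ip):
        return peer_ip
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops:
        return peer_ip
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return peer_ip  # malformed header: fall back to the peer address

def admit(peer_ip, headers, lock_origin=True):
    """Origin-side decision for one connection: (allowed, effective_client_ip).

    With lock_origin=True the origin refuses anything that did not arrive via
    the WAF, which closes the direct-to-origin bypass. In practice that rule
    belongs in the host firewall so the request never reaches PHP at all; it
    is modelled here so the behaviour can be exercised."""
    if lock_origin and not is_from_waf(peer_ip):
        return False, peer_ip
    return True, client_ip(peer_ip, headers.get("X-Forwarded-For"))

# Constructed requests: two relayed by the WAF (the second with an extra
# client-supplied hop), one direct-to-origin attempt carrying a forged header.
SAMPLE_REQUESTS = [
    ("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}),
    ("203.0.113.10", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),
    ("192.0.2.44", {"X-Forwarded-For": "203.0.113.10"}),
]

def run_samples(lock_origin=True):
    return [admit(peer, hdrs, lock_origin) for peer, hdrs in SAMPLE_REQUESTS]
```

With the origin locked, the direct connection is refused outright; with the lock off (the situation the paragraph above warns about), it is admitted but its forged header is ignored, so at least rate limiting and IP blocking still key on the real peer address.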
Security Settings and Features Available
Wordfence lives on your web server. Hence, you can find all its settings within your WordPress dashboard.
The dashboard is clean and informative. It provides you critical information and warnings at a glance.
Wordfence's scanner performs an integrity check of every file on your server. It'll alert you if a file doesn't belong to WordPress core or to an official theme or plugin.
It’ll match the text within your server’s files with that of known malware. If it finds anything similar, even if it’s a line or two, it’ll alert you with a warning. You’ll also get notifications if any of your themes or plugins have an update available.
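The signature matching described above is a content scan rather than a hash comparison: each file is searched for patterns known from malware. Here is an added example of that technique, written for this comparison and not taken from Wordfence. The three signatures are a constructed, deliberately tiny set of patterns typical of obfuscated PHP droppers; a production feed carries thousands of entries and is updated continuously, which is what the Threat Defense Feed sells. The sample files are constructed inert text that only exercises the matcher.

```python
import os
import re

# Constructed signature set. Each targets a construct that legitimate plugin
# code almost never needs: executing decoded data, calling a function whose
# name comes straight from the request, or a long run of hex escapes hiding
# a string. Matching on eval-of-decoded rather than on base64_decode alone
# keeps ordinary plugins (which decode data all the time) out of the report.
SIGNATURES = {
    "eval-of-decoded-payload":
        re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "function-name-from-request":
        re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
    "long-hex-escaped-string":
        re.compile(rb"(?:\\x[0-9a-fA-F]{2}){12,}"),
}

def scan_bytes(data, path="<memory>"):
    """Return one finding per signature hit, with the 1-based line it starts on."""
    findings = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(data):
            line = data.count(b"\n", 0, match.start()) + 1
            findings.append({"path": path, "signature": name, "line": line})
    return findings

def scan_tree(root, suffixes=(".php", ".phtml", ".inc", ".js")):
    """Scan every code-like file under root (plus .htaccess files)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes) or name == ".htaccess":
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), full))
    return findings

# Constructed samples: an ordinary plugin fragment that decodes request data
# (no finding expected) and an obfuscated fragment that should trip two rules.
BENIGN = b"<?php\n$payload = base64_decode($_POST['data']);\nupdate_option('x', $payload);\n"
SUSPECT = b"<?php\n// line 2\neval(gzinflate(base64_decode('H4sI...')));\n$_COOKIE['k']('');\n"
HEX_BLOB = b"<?php $s = \"" + b"\\x41" * 12 + b"\";"

def summarize(data):
    """(signature, line) pairs for a buffer, handy for quick checks."""
    return [(f["signature"], f["line"]) for f in scan_bytes(data)]
```

Two things a practitioner should take from this: line numbers in findings matter because the operator has to decide whether a hit is a false positive (a minifier or a legitimate obfuscated library can trip the hex rule), and a matcher is only as good as its signature list, which is why the page stresses how stale a feed that lags by 30 days becomes.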
Now, let’s move to Wordfence’s Firewall panel. Here, you can manage Wordfence’s WAF settings and optimize its configuration.
When you first install Wordfence, its WAF will be in Learning Mode for a week by default. This allows it to study your site and visitors thoroughly, so it understands what rules to apply to let only legitimate traffic through the firewall.
The Real-Time IP Blacklist feature is available only for premium users.
With Brute Force Protection enabled, Wordfence protects you from attackers by locking them out after a few unsuccessful password-guessing attempts. It also forces you to change your password if it deems it too easy to guess.
Under the Blocking tab, you can block traffic based on IP address, IP range, browser, hostname, and referrer. However, country-level blocking is a premium-only feature. You can combine different blocking rules and save them as a Block Type.
Under the Firewall Options section, you can whitelist IP addresses and services, set IP addresses to ignore for WAF alerts, configure rate limiting, and whitelist URLs.
Wordfence also lets you block IPs that access certain URLs. This is helpful if someone repeatedly probes your website for known vulnerabilities.
Next, let’s go over to the Scanner settings tab.
Here, you'll find Wordfence's scan tasks. The first three tests, which check for spam and blacklisting, are reserved for premium users.
If the scan detects anything out of the ordinary, it’ll give you a warning.
Under the Scan Options and Scheduling section, you can set scan sensitivity, scan frequency, and whitelist files. You can also optimize scans for performance on your setup.
Wordfence comes with a bunch of other handy Tools.
The Live Traffic tool helps you see what’s happening on your website in real-time. You can filter it by only security-related traffic. This will show you all user logins, hack attempts, and malicious requests.
While it’s a cool feature to have, Live Traffic uses up a lot of your server’s resources. I recommend you switch it off when not in use.
Other tools include Whois Lookup, Import/Export Options, and Diagnostics.
You can also enable Two-Factor Authentication (2FA) for all logins on your WordPress site with Wordfence’s Login Security module. It was earlier a premium-only feature, but now it’s available for free.
You can use free mobile apps such as Google Authenticator, FreeOTP, or Authy (my personal recommendation) to set up the 2FA.
You can enable 2FA for all user roles. It’s a great way to protect yourself and your users from brute force attacks such as password guessing and credential stuffing.
You can set an IP whitelist for 2FA, so that certain IPs don’t have to go through extra security checks while logging in. If you’re mostly working from a single location, this feature helps you avoid going through 2FA every time you log in.
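The codes those authenticator apps produce are standard HOTP (RFC 4226) and TOTP (RFC 6238) values, so the server side of what the Login Security module does can be shown in a few dozen lines. The following is an added example written for this comparison, not Wordfence's code. It assumes SHA-1, 30-second steps, 6-digit codes by default, a verification window of one step either side to absorb clock drift, and that the shared secret is the raw bytes behind the base32 string encoded in the enrollment QR code. The secret used in the comments is the RFC reference secret, so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)

def verify_totp(secret, code, at=None, step=30, digits=6, window=1, used=None):
    """Accept the code for the current step or up to `window` steps either
    side (clock drift). `used` is an optional set of counters already redeemed:
    a code is single-use, so the same one must not open a second session."""
    if at is None:
        at = time.time()
    current = int(at // step)
    for counter in range(current - window, current + window + 1):
        if used is not None and counter in used:
            continue
        # constant-time comparison so timing does not reveal matching digits
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            if used is not None:
                used.add(counter)
            return True
    return False

def secret_from_base32(text):
    """Decode the base32 seed shown during enrollment (apps accept it unpadded and grouped)."""
    compact = text.replace(" ", "").strip().upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))

# RFC 4226 / RFC 6238 reference secret ("12345678901234567890") and its base32 form,
# used only so the results can be checked against the published vectors.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

The two details worth noticing are the constant-time comparison and the `used` set: without the latter, a code observed over someone's shoulder stays valid for the whole window, which defeats the point of a one-time password. The IP whitelist described above would sit in front of `verify_totp`, skipping the check for trusted addresses, which is also why such a whitelist should only ever contain addresses you control.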
Other login security features to stop brute force attacks include:
- Limit the number of “forgot password” attempts and login failures. After a set number of tries, the user gets locked out.
- Enforce site-wide strong passwords.
- Prevent user registrations with certain usernames (e.g. admin).
- Block people trying to log in with specific usernames immediately (e.g. admin, yoursite_admin, etc.).
- Disable XML-RPC authentication, a common attack vector used to inject malware.
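The first, third and fourth items in that list describe one piece of logic: count failures over a sliding window, lock the source out for a while once a threshold is crossed, and refuse certain usernames on sight. Here is an added example of that logic written for this comparison (it is not Wordfence's implementation). It assumes failures are tracked both per source IP and per target username, so a single host hammering many accounts and many hosts hammering one account both trip the threshold; timestamps are passed in explicitly so the behaviour is deterministic. The attempt sequence in `simulate()` is constructed.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Sliding-window failure counting with temporary lockouts."""

    def __init__(self, max_failures=5, window=300, lockout=900,
                 banned_usernames=("admin",)):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds a lockout lasts
        self.banned = {u.lower() for u in banned_usernames}
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lockout expires

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def _locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]
            return False
        return True

    def check(self, ip, username, now):
        """None if the attempt may proceed, otherwise the reason for refusing it."""
        if username.lower() in self.banned:
            # Nobody legitimate signs in with these names, so block the source at once.
            self.locked_until[("ip", ip)] = now + self.lockout
            return "banned-username"
        if any(self._locked(k, now) for k in self._keys(ip, username)):
            return "locked"
        return None

    def record_failure(self, ip, username, now):
        """Count a failed login (or failed 'forgot password' request)."""
        for key in self._keys(ip, username):
            q = self.failures[key]
            while q and q[0] <= now - self.window:
                q.popleft()          # drop failures older than the window
            q.append(now)
            if len(q) >= self.max_failures:
                self.locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures.pop(key, None)

def simulate():
    """Constructed sequence of attempts; returns the decisions in order."""
    g = LoginGuard(max_failures=3, window=60, lockout=120)
    out = [g.check("198.51.100.7", "alice", 0)]           # fresh: allowed
    for t in (0, 10, 20):
        g.record_failure("198.51.100.7", "alice", t)
    out.append(g.check("198.51.100.7", "alice", 21))      # locked: 3 failures in window
    out.append(g.check("203.0.113.9", "alice", 22))       # other IP, same user: locked
    out.append(g.check("203.0.113.9", "bob", 22))         # other user: allowed
    out.append(g.check("198.51.100.7", "alice", 141))     # lockout expired
    for t in (300, 330, 391):                             # 300 and 330 age out at 391
        g.record_failure("203.0.113.9", "bob", t)
    out.append(g.check("203.0.113.9", "bob", 392))        # still allowed
    out.append(g.check("203.0.113.9", "admin", 500))      # banned username
    out.append(g.check("203.0.113.9", "bob", 501))        # that IP is now locked
    return out
```

The per-username key is what catches credential stuffing spread across many addresses, but it also means an attacker can lock a real user out on purpose; the usual compromise is a shorter lockout on the username key than on the IP key, or a CAPTCHA instead of a hard lock once the username threshold is crossed.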
Finally, Wordfence includes an All Options panel where you can find each and every Wordfence setting. Considering the extensive options available under Wordfence, this is super helpful.
Ease of Use
Regarding user-friendliness, Wordfence is comparable to Sucuri Security and is super simple to use. After installing and activating the plugin, Wordfence will immediately go into Learning Mode for a week.
Based on your server setup and traffic, it’ll automatically apply the recommended firewall and scan settings. In my experience, these settings are more than enough to protect you against most attacks.
The login security features are easy to set up and enforce.
If your website is under a DDoS attack, Wordfence can bring your server to a crawl. In the most extreme cases, the server can be so overwhelmed that it’ll lock you out of accessing your WordPress admin dashboard.
Since Wordfence is a localized solution, you’re in complete control of its settings. While this can be helpful if you’re technically proficient, for most WordPress users this can be a hassle.
Overall, I find Wordfence easy as pie, as long as it’s working as intended.
How Wordfence Fares on Web Security
Unlike Sucuri’s free solution which doesn’t include a firewall, Wordfence has some teeth to stop most attacks. Not only does it apply standard security hardening measures, but it also comes with a server-side WAF.
But the latest threat updates are only available to premium users. Free users get updates 30 days after going live. And since your web server powers Wordfence (and not the cloud), even with the premium choice, you’re left to fend for yourself against a DDoS attack.
I can understand the business need behind this decision, but for security, I think Sucuri's all-or-nothing approach is better. At least you aren't left thinking you're protected against the most common threats when you aren't.
With that being said, the premium version of Wordfence does a nice job at preventing most security attacks. Their blog and YouTube channel are great resources to keep yourself updated on the latest WordPress security threats.
The free Wordfence plugin performs pretty well for detecting most security issues. But you need its premium package to sniff out the latest threats.
If a hacker has successfully locked you out from your website though, there’s no way to audit the logs as in Sucuri. Thus, investigating the hack is much harder.
You’ll have no other recourse apart from contacting your hosting provider or a third-party security service, which ironically also includes Wordfence.
Compared to Sucuri, Wordfence has a more basic alert customization feature, but it does the job well. It'll alert you promptly if it finds a security anomaly.
Response and Recovery
As noted earlier, you’re left to take care of yourself with the free version of Wordfence. But even with the premium package, Wordfence doesn’t offer any response and recovery service.
“Our support offered for Wordfence Premium is limited to 2 hours of support per incident. We reserve the right to decline further support or to charge for additional support beyond the 2 hours of support.”
For a full resolution, you must go for their separate service called WordPress Site Cleaning. It’s priced at $179 per instance (plus surge charges based on the demand).
Their WordPress site cleaning service includes:
- Clean the infected site by removing all malicious code and links.
- Investigate how the site was infected.
- Provide an in-depth report of the investigation and infection removal.
- Apply for the site's removal from anti-malware and anti-spam blacklists.
- Provide a checklist to avoid future attacks.
I haven’t used their site cleaning service yet, but it seems comprehensive enough. Here are a couple of good reviews I found on Twitter:
Compared to Sucuri’s malware removal and hacks cleanup service, which is included with the premium Sucuri Platform, Wordfence’s site cleaning service seems costlier.
And with Sucuri you get unlimited malware removals during your subscription period, whereas Wordfence’s malware removal service is for a single job. If your site gets infected with malware again a few months down the line, you need to pay the same fee again for removal.
You can download Wordfence’s security plugin for free. As of now, it’s the highest-rated and most installed security plugin on the WordPress plugin repository.
Wordfence Premium starts at $99/year for 1 site. You get a discount if you tack on additional sites to your order. The more sites you add, the bigger the discount!
How Security Plugins Impact Site Performance
WordPress plugins are not only the biggest security risk, but also among the biggest performance killers. Security plugins in particular are top culprits, thanks to their always-on requirement and scanning features.
However, cloud-based security solutions like Sucuri Firewall or Cloudflare are super neat if you need extra protection, especially if you’re up against bots and proxy traffic.
Sucuri vs Wordfence. What’s the best pick?
On one hand, Sucuri is the better solution of the two for web security and performance, especially if you’re running a mission-critical business or ecommerce website.
But if you’re looking for a free web firewall, Wordfence is a sturdier solution. If that’s your choice, I’d suggest pairing it up with a reliable free CDN, like Cloudflare.
At the end of the day, it all comes down to your hosting. A great hosting provider will take care of most of the security measures for you. They understand that the performance hit to their servers and service brought on by third-party plugins is not worth the hassle.
Ideally, your host should lock down code so that it is executable only in limited locations and instances, and restrict file writes to the upload folder alone. With a few more security hardening measures added at the server level, this would make WordPress security plugins redundant.
Ultimately, website security is a journey and not a destination. I recommend you take the best path forward!