Why I Don’t Like Sucuri And I Am Not Recommending It

By | June 15, 2016

One of the highest rated, but not the best, WordPress security plugins on the market is Sucuri. While it does an excellent job with a lot of things, I am going to explain why I love it, and also don’t love it. With over 100 WordPress websites, I take WordPress security very seriously and try to educate others on why they should too. Just like the Microsoft operating systems, WordPress is so wildly popular and mainstream that it has become a major target.

The WordPress plugin by Sucuri does a great job with its basic hardening features, as well as a fantastic auditing feature. On my most important sites, I leave the free version on just to alert me anytime someone logs in successfully, if I am the only person with a login. There are a lot of great auditing features with Sucuri.

So why do I stay away from Sucuri’s paid solutions?

Well, for one, Sucuri is expensive, with their lowest current price as of June 2016 being $199, without even having a monthly option. This is for 1 site! Their pricing has completely left most people out of the market, and what you may not know is that their security isn’t really more effective than other solutions on the market. While I used to pay a $99 annual fee for a very important client website I had, I no longer can justify it due to the extreme pricing, which forced me to look elsewhere.

Since I have so many client websites I manage, as well as several of my own websites such as this one, I simply had to find a more affordable solution that also provided security that is as good, if not better. While Sucuri’s free plugin does an excellent job of protecting your website and auditing it, there are definitely protection gaps that you would need other WordPress security plugins for. The most affordable and best WordPress security plugin I have ever seen is WP Site Guardian, which I will get into more later, but I want to finish going over the issues I have with Sucuri as well as Wordfence, another free WordPress security plugin.

Is Sucuri Worth the Investment?

I know there is a lot of work and development that has gone into Sucuri’s paid security software and I respect it, and consider it to be a great service. However, it just falls out of the reasonable price range for those of us with multiple websites who need a solution for all of them. So while many people would disagree with my viewpoint on Sucuri security services, I do think they are outstanding, but just not better than lower priced alternatives. I just can’t see the big difference from the Sucuri free WordPress plugin versus their paid subscription that you can’t get elsewhere.

Are there any Alternatives to Sucuri Security Services for WordPress Websites?

The malware removal is the main service they do extremely fast and successfully, as I originally signed up years ago due to an infection of a WordPress site. They do this incredibly well, but since I found WP Site Guardian, I have never once had any WordPress website infected. It really has made WordPress security a lot simpler, and much more cost effective, as WP Site Guardian doesn’t require annual fees, and is an incredible bargain at $47 for a 100 site license, and even cheaper if you only need a 1 site license or a 10 site license.

While price isn’t the only important thing when it comes to using the best WordPress security plugin on the market, it is a big factor.  But let’s take a look at some of the features that WP Site Guardian provides that many of the other WordPress security plugins do not.

Thousands of new WordPress vulnerabilities each year allow hackers to break your websites. Computer World had a great article about a million insecure websites due to one popular caching plugin that had a vulnerability in it.

Sucuri is a great free security plugin, as is Wordfence, but they really lack in many areas which I will go over. In the last 18 months, over 1.3 million websites were defaced and hacked with exploits, which are the biggest problem with WordPress websites now and going forward. One minor plugin vulnerability left an opening for hackers to inject malware, spam, phishing, and other spyware onto over 50,000 websites.

WordPress has admitted that a recent vulnerability left sites open to brute force attacks, which would affect all 75 million and growing WordPress sites. The biggest challenge now for WordPress website security is that there are no quality control protocols in place. Most plugin and theme writers and developers are not properly trained in secure coding practices. The code isn’t ever checked, and that leaves your WordPress site vulnerable.

1 Bad Theme, Plugin or Update & Your Site Is Owned By Someone Else

In this age of the Internet, hackers have tens of thousands of exploits they can simply download, copy, paste, and press the enter button, and a WordPress site is hacked, that simple. Once a hacker discovers a vulnerability in your WordPress website, all he or she has to do is Google the plugin or theme name, plus exploit, and they can download the code and implement it on your site without admin access or any kind of cPanel or FTP access.

Most hackers are generally lazy, in the sense that they prefer to go after the low hanging fruit and simply download exploit code and do things the easy way. Unless you are a very advanced programmer who can find that one needle in a code haystack, you will never know exactly how exposed you are.

Your Website, Your Reputation, Your Search Engine Rankings, Website Revenue, & Your Domain Value Can Be Destroyed

Most of us build real businesses using WordPress, and work very hard at it, sometimes for many years. We build brands, rankings, and all sorts of assets with WordPress. Then one 30 year old dude living in his Mom’s basement takes a break from playing video games and screws it all up for you. Even if you took all the security precautions known to most people, and updated plugins and themes, and kept WordPress current, you still can and most likely will get hacked. There is little to no protection against these exploits.

Hacking creates a lot of headaches to keep you busy for a very long time afterwards.  Your WordPress website will likely be blacklisted and the removal process means you will need to apply to 30+ security agencies to get back in good standing. Assessing the damage done, money lost, and hopefully being able to restore from a very recent backup are all things you will have to go through. You also will need to then plug up the hole the hacker came in through.

Regaining your website’s SEO rankings is a big challenge as well, as you likely will notice some drop in rankings very fast. They may come right back, they may never fully come back, or somewhere in between may be your result.  All of this because you thought your website was safe with a few security plugins!

Using the following exploits, the developers of WP Site Guardian tested a live WordPress website for security.

  • XSS Attacks
  • SQL Injection
  • Header Injection
  • Directory Traversal

The following services and plugins failed the security test:

  • Wordfence Plugin
  • All in One Security Plugin
  • Better WP Security Plugin
  • iThemes Security Plugin
  • Acunetix Plugin
  • Bulletproof Security Plugin
  • Cloudflare
  • Reverse Proxy
  • Server Firewall
  • WP Updates
  • Secure Hosting

Statistics show that 92% of WordPress hacking attacks are done using exploits. WordPress vulnerabilities are around 40%, theme vulnerabilities about 30%, plugin vulnerabilities about 22%, and 8% brute force attacks – these are the facts and reality of running WordPress websites.

The real solution to this problem is a WordPress plugin that automatically detects exploits in real time and blocks them in real time. Welcome to the WP Site Guardian plugin, which does all this: simply install it, activate the plugin, and forget about it. On a daily basis, even websites I have online that receive almost no traffic receive countless exploit attack attempts, as I see the email notifications.

There is literally no WordPress website on the planet that is safe from exploits unless you are using a plugin like WP Site Guardian, which I have not seen anywhere.  I have yet to find a plugin that does exactly what this does, and it has had no performance impact on any of my websites.  It has never had a conflict with any theme or other plugin either.

Another great feature of WP Site Guardian is that it constantly receives updates available through the WordPress repository, as it meets all the requirements and beyond of a plugin for their repository. When new versions of WordPress come out, the creators of this plugin are developers and highly responsible coders, and they always update the plugin to keep it current.

Auto Blocks Any And All Exploit Hacking Attempts and Automatically Bans Hacker IP Addresses

This feature virtually eliminates the threat of ever being hacked as it is more behavioral based than signature based. WordPress security plugins that are signature based only know about past exploits and security vulnerabilities.  WP Site Guardian knows exactly what is normal end user behavior, and what is not, and if the bad behavior is over a certain threshold, it automatically stops it and bans the user.

WP Site Guardian is the 1st and I think the only proactive WordPress security plugin that monitors and blocks exploits and other hackers that is behavioral based, which is crucial to your WordPress security.

Does it Block Attacks Even if I have Vulnerable Plugins? YES!

It is unlikely you will know when or how your website is at risk, as there aren’t any good ways of knowing about any risky themes or plugins your site may already be using.  This is irrelevant with WP Site Guardian as the plugin looks at site visitor behavior instead of specific vulnerabilities, and shuts down all suspicious behaviors and automatically bans their IP address.

You’ll never know if your site is at risk – currently there is no way of getting notified of any risky plugins or updates your site may
When any suspicious activity is detected the IP is instantly blocked & the hacker is banned. This prevents the exploit from executing & also shuts down all further hacking attempts.

WP Site Guardian truly offers peace of mind and while you should still be updating WordPress, themes, and plugins, you will be protected from all these exploits and you won’t need multiple WordPress security plugins, and the payload is extremely low, which means your site speed won’t be affected.

Best of all, WP Site Guardian comes with a 30 day money back guarantee, so you have nothing to lose giving it a try. You can simply harden your website with the suggestions by Sucuri, then uninstall it, install WP Site Guardian, and sit back and have peace of mind.

My recommendation:

My recommendation is to install Sucuri, make the hardening recommendations, and then uninstall it, and install WP Site Guardian so you can then have a much higher level of security on your WordPress site.