If you’re a user of WordPress you (should) know that security is a large and growing problem. With WordPress now powering 25% of the Internet, it has become a primary target for hackers due to the sheer volume of sites using the platform. This means as a WordPress publisher you are more vulnerable to things like DDoS attacks, application attacks, malware, and brute force attacks than those using other CMS (or custom-built) platforms.
If you’re not already using security methods to protect your WordPress site today, you are leaving all your hard work at the hands of thousands of cyber criminals around the world who are working around the clock to find and exploit WordPress vulnerabilities. Without proper security measures in place, you could already be compromised and not even know it. And the repercussions are serious.
Network and application layer DDoS attacks can take your site offline for hours or even days at a time. Even worse, hackers can gain access to private information, change your code, or infect your site with malware. Malware infection often leads to your site being delisted by Google.
Fortunately, you don’t need to be a security expert to secure your WordPress site. Like most other important website functionality, there are plugins that can handle the heavy lifting for you. There are dozens or even hundreds of WordPress security plugins out there, but unlike simple cosmetic plugins and themes, choosing the wrong security plugin can have severe consequences.
Wordfence is one of the more popular WordPress plugins in the world with over 2 million active installs at the time of this writing. It includes a number of security features (some free and some paid) including a firewall, malware scanning, IP blocking, and login security. The Wordfence dashboard provides you a detailed overview of all current security statistics on your site:
As you can see there is quite a bit you can do with just the free version of the plugin. Plus, it works fairly nicely right out of the box with only a few simple configurations. Notice there were 17 blocked firewall attacks in the past month? Without a security plugin installed there is a good chance those threats could be hitting your site unnoticed.
Below is a closer look at the Wordfence web application firewall:
The Wordfence WAF protects you from all the most common attacks like cross-site scripting, SQL injection, and brute force attacks. The screenshot above shows a paid version of the plugin which also gets you some premium features like comment spam filters, “spamvertising” checks, IP spam checks, etc. And as you can see, the rules engine is just a simple list of check boxes that you can enable or disable as you please. Not included in this screenshot is a useful feature called Rate Limiting. This feature allows you to throttle or block certain people or crawlers that are abusing your site by hitting too many pages too fast. The settings are easy to configure using only drop-downs.
Wordfence Website Scan
The Wordfence scan checks your whole WordPress site for vulnerabilities, including:
- the public configuration of your site
- log files
- the strength and complexity of user and admin passwords
- current disk usage
- unauthorized DNS changes
It can also check and compare the core WordPress, theme, and plugin files against the repository versions to ensure they are the same size and have not been modified.
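As an added illustration of the file comparison just described (this is not Wordfence's code), the following Python records every file of an install by size and SHA-256 digest and diffs a later pass against that known-good manifest, which is the role the repository copies play; the sample install is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not Wordfence code: a minimal version of the integrity check the
# text describes. Each file is recorded by size and SHA-256, then a later pass is
# compared against that known-good manifest (the role the repository copies play).

def build_manifest(root):
    """Map each file's path (relative to root) to its (size, sha256)."""
    manifest = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            manifest[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def compare_manifests(baseline, current):
    """Report files whose content changed, plus files added to or missing from the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed fixture: a tiny fake install, snapshotted, then altered in three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '6.0';\n")
        (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
        baseline = build_manifest(root)
        # Same-length edit: a size comparison alone would miss it, the digest does not.
        (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.PHP';\n")
        # A file that was never part of the install, and a core file that vanished.
        (root / "wp-content").mkdir()
        (root / "wp-content" / "extra.php").write_text("<?php\n")
        (root / "wp-includes" / "version.php").unlink()
        return compare_manifests(baseline, build_manifest(root))
```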
Like the WAF, you won’t receive real-time updates to protect you from the most recent security threats out there. This is fine for some people, but it does leave you open to zero-day vulnerabilities. That said, you’re getting a lot of protection in the free version.
Wordfence Pros and Cons
The Wordfence plugin offers quite the security punch for a free app, and the paid version even steps it up another notch. If you are a smaller publisher or personal blogger, you’re not going to find a better free security plugin than Wordfence to keep your site secure. There is a reason it has over 2 million active installs. That said… there is a downside.
The biggest problem with Wordfence is that it does seem to impact website performance. This can be said about just about any plugin (which is why you should only use plugins you need) but this one in particular is pretty heavy duty. We’ve seen a noticeable slowdown in the admin area of our site since install, and there does seem to be an impact to the public facing side as well (although there are a ton of variables that can affect that). If you’re going to use Wordfence be sure you’re using a good caching plugin for browser caching and a CDN to cache at the edge.
Here is an article comparing the top caching plugins: https://www.designbombs.com/top-wordpress-caching-plugins-compared/
Here is our WordPress CDN comparison: https://stratusly.com/wordpress-cdn-cloudflare-incapsula-keycdn-fastly-cdn77/
Sucuri is a Delaware based company that offers complete website security via the cloud. The company’s team of security experts are globally-distributed in over a dozen countries around the world and operating 24×7 to monitor for and stop security threats.
The company only has two main products: Sucuri Firewall and Complete Website Security. The Sucuri Firewall runs on a globally distributed Anycast network that is managed around the clock by the Sucuri security team. The Firewall protects your website from DDoS attacks at both the network and application layer while improving performance by caching your site content at the edge. Sucuri’s Complete Website Security offering includes all the above plus additional features like malware detection and removal. Both plans include 24x7x365 support.
Sucuri is very feature rich and protects your site against just about any type of security threat, including zero day. Some of the more critical features include:
- SSL Certificate
Sucuri provides every customer, under the Professional plan, an SSL certificate for their website. Customers have the option to leverage previously purchased SSL certificates as well, under the Professional plan. Leveraging Secure Socket Layer (SSL) certificates ensures the integrity of data in transit between browsers and the web server.
- Advanced Website Protection
Our cloud-based protection platform, a custom Website Application Firewall (WAF) / Intrusion Prevention System (IPS), proactively mitigates attacks against a website. Stop attacks including: Distributed Denial of Service (DDoS), Brute Force, and automated attacks looking to exploit software vulnerabilities.
- Continuous Scanning and Monitoring
The monitoring platform utilizes a proprietary approach to scanning websites. Capable of identifying any Indicator of Compromise (IoC), the Sucuri detection technology is able to quickly identify and alert website owners in the event of any security incident.
The chart below shows the feature parity between the Sucuri Firewall and the Complete Website Security offering:
Sucuri Malware Scanning
For WordPress users, Sucuri offers a robust free plugin you can use to easily configure your website security. You will need a free API key in order to start using it, however.
The plugin comes with a malware scanner that will continuously scan your site for common malware, website errors, outdated themes and plugins, and whether your site has been blacklisted on any services that flag malware-infected websites. After you run the initial scan, the results will be available under Sucuri Security > Malware Scan and will be updated every 20 minutes.
The Sucuri Firewall can also be configured using the WordPress plugin, but you will need to become a paid customer to access this feature. Pricing starts around $10/month, which is very reasonable for what you get.
Sucuri Site Hardening
The Site Hardening feature of the WordPress plugin allows you to check for a variety of potential vulnerabilities in your site and harden any weak points.
The available options of this feature include:
- website firewall protection
- ensuring that you are using the latest versions of WordPress and PHP
- remove visible WordPress version
- protect the uploads directory
- restrict access to the wp-content and wp-includes directories
- updating and using security keys
- checking information leakage through the readme file
- database table prefix
- default admin account and password
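To make several of these hardening items concrete, here is an added example (my own code, not the Sucuri plugin's) that audits a WordPress install directory offline for a leaked readme.html, the default table prefix, placeholder or short security keys, and an uploads directory that does not block PHP execution; the two sample installs are constructed in temporary directories, and the 32-character key minimum is my own threshold.

```python
import re
import secrets
import tempfile
from pathlib import Path
# Added example, not the Sucuri plugin's code: an offline audit of a WordPress
# install directory for four of the hardening items listed above. Paths follow
# the standard WordPress layout; the 32-character key minimum is my own threshold.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
def parse_wp_config(text):
    """Extract define('NAME', 'value') constants and $table_prefix from wp-config.php."""
    defines = dict(re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)", text))
    prefix = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    return defines, (prefix.group(1) if prefix else None)

def audit_install(root):
    """Return a list of findings; an empty list means every checked item passed."""
    root, findings = Path(root), []
    if (root / "readme.html").exists():
        findings.append("readme.html is present and leaks the WordPress version")
    defines, prefix = parse_wp_config((root / "wp-config.php").read_text())
    if prefix in (None, "wp_"):
        findings.append("database table prefix is the default 'wp_'")
    for name in KEY_NAMES:  # each key must be set, long enough, and not the placeholder
        value = defines.get(name, "")
        if PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{name} is missing, still the placeholder, or too short")
    htaccess = root / "wp-content" / "uploads" / ".htaccess"
    if not htaccess.exists() or "php" not in htaccess.read_text().lower():
        findings.append("uploads directory does not block PHP execution")
    return findings

def demo():
    # Constructed fixtures: a stock install next to a hardened one.
    weak_cfg = "<?php\n$table_prefix = 'wp_';\n" + "".join(
        f"define( '{k}', '{PLACEHOLDER}' );\n" for k in KEY_NAMES)
    hard_cfg = "<?php\n$table_prefix = 'k9x_';\n" + "".join(
        f"define( '{k}', '{secrets.token_hex(32)}' );\n" for k in KEY_NAMES)
    results = {}
    for label, cfg in (("weak", weak_cfg), ("hardened", hard_cfg)):
        with tempfile.TemporaryDirectory() as tmp:
            root = Path(tmp)
            (root / "wp-config.php").write_text(cfg)
            uploads = root / "wp-content" / "uploads"
            uploads.mkdir(parents=True)
            if label == "weak":
                (root / "readme.html").write_text("<h1>WordPress</h1>")
            else:  # deny PHP execution under uploads (Apache 2.4 syntax)
                (uploads / ".htaccess").write_text('<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n')
            results[label] = audit_install(root)
    return results
```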
In addition to protecting you from security threats, Sucuri comes with a variety of features that can clean an already infected website. For example:
- WordPress uses a combination of security keys to encrypt data saved in browser cookies. Sucuri provides an easy way to replace all these security keys, invalidate all existing sessions and force all users to log in again.
- You can reset the password of any user.
- You can reset all existing plugins and then perform all available updates on a fresh install.
- The ‘Last Logins’ feature will display all the latest login activities on your website. You can see the username, IP address, date/time, etc. for each login attempt.
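Why replacing the security keys logs everyone out, as an added example (my own simplified model, not WordPress or Sucuri code): the WordPress auth cookie carries an HMAC whose key is derived from AUTH_KEY and AUTH_SALT plus a fragment of the user's stored password hash, so a cookie issued under the old keys, or before a password reset, no longer validates. The cookie layout and wp_hash() derivation follow WordPress; the server-side session-token lookup is omitted, and all users, keys and timestamps are constructed values.

```python
import hashlib
import hmac

# Added example, not WordPress's own code: a simplified model of how the WordPress
# auth cookie is bound to the AUTH_KEY/AUTH_SALT pair, so that replacing those keys
# (as the plugin's reset does) makes every cookie issued under the old keys fail.
# Cookie layout login|expiration|token|hmac and the wp_hash() derivation follow
# WordPress; the server-side session-token lookup is omitted here.

def wp_hash(data, key, salt):
    """WordPress wp_hash(): HMAC-MD5 over data, keyed with key+salt."""
    return hmac.new((key + salt).encode(), data.encode(), hashlib.md5).hexdigest()

def make_cookie(login, pass_frag, expiration, token, auth_key, auth_salt):
    """pass_frag is 4 chars of the stored password hash, so a password reset also invalidates."""
    derived = wp_hash(f"{login}|{pass_frag}|{expiration}|{token}", auth_key, auth_salt)
    mac = hmac.new(derived.encode(), f"{login}|{expiration}|{token}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{login}|{expiration}|{token}|{mac}"

def validate_cookie(cookie, pass_frag, now, auth_key, auth_salt):
    """True only if the cookie is well formed, unexpired, and signed under the current keys."""
    parts = cookie.split("|")
    if len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < now:
        return False
    login, expiration, token, mac = parts
    expected = make_cookie(login, pass_frag, expiration, token, auth_key, auth_salt)
    return hmac.compare_digest(expected.rsplit("|", 1)[1], mac)

def demo():
    """Constructed values: one user, fixed timestamps, old keys and freshly rotated keys."""
    issued_exp, now = "1800000000", 1700000000
    old_keys, new_keys = ("old-auth-key", "old-auth-salt"), ("new-auth-key", "new-auth-salt")
    cookie = make_cookie("alice", "abcd", issued_exp, "tok123", *old_keys)
    modified = cookie.replace("alice", "bob", 1)  # integrity check must reject this
    return {
        "valid_under_old_keys": validate_cookie(cookie, "abcd", now, *old_keys),
        "valid_after_key_rotation": validate_cookie(cookie, "abcd", now, *new_keys),
        "valid_after_password_change": validate_cookie(cookie, "wxyz", now, *old_keys),
        "modified_login": validate_cookie(modified, "abcd", now, *old_keys),
        "expired": validate_cookie(cookie, "abcd", 1900000000, *old_keys),
    }
```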
Sucuri Pros and Cons
Now that we’ve covered the main features of Sucuri it’s time to review the good and the bad. To start, Sucuri is a veteran in the security world and has an excellent reputation spanning 6 years. They aren’t just a WordPress plugin but a full-blown security platform used by bloggers and large enterprises alike. In our opinion, the quality and depth of Sucuri’s security offering is far superior to Wordfence. This is partially because it blocks just about every type of attack, including zero-day threats, right out of the box and is easy to use. But more importantly, it does not slow down your WordPress site, but rather makes it much, much faster. Again, this is because Sucuri security services operate on top of a CDN so that attacks can be blocked and your static content can be cached at the edge, rather than on your server. But with the good, comes the bad.
Sucuri is higher cost than Wordfence. This shouldn’t come as a shock, since the basic version of Wordfence is just a free WordPress plugin. However, even the paid version of Wordfence is slightly cheaper. The Sucuri Firewall service starts at $10/month for bloggers and includes WAF, DDoS protection, and CDN. For the full security suite which includes malware detection and cleanup (among other additional features) plans start around $17/month. These price points are lower than just about any other cloud security provider, including our favorite, Incapsula. But if you’re looking for something that is free or has only a one-time cost, then Sucuri may not be for you.
Sucuri vs Wordfence – Which is Better?
Both of these security plugins do an excellent job of protecting your WordPress site from the vast majority of threats with little security expertise needed. In terms of the free versions only, Wordfence takes the ‘W’ because it includes features like a basic Firewall, malware scans, and brute force protection right out of the box. The free version of Sucuri is fairly limited in comparison. However, Wordfence runs locally on your server and is a very resource-intensive plugin which can cause performance degradation on your site. If you have a lightning fast server and utilize caching properly this may not be a big problem for you, but for some it certainly will be.
Sucuri, on the other hand, takes the overall win due to improved threat detection, a broader feature set, a larger team of security experts at your disposal, and its cloud-based delivery method. The paid version of Sucuri outguns Wordfence in just about every aspect that we measured, and as an added bonus, it speeds up your website substantially rather than slowing it down. For this reason we recommend Sucuri Security to any business that is serious about keeping their websites fast and secure.