For many WordPress users, adding security hardening features to their website comes down to a choice between Wordfence and Sucuri. While there are many other options, these two are so popular it’s worthwhile knowing how they stack up in a head-to-head comparison. In this article, we’ll take a close look at these two WordPress security plugins. We’ll explore their free and premium offerings and make recommendations on which types of users will get the most out of each option.
Let’s dive in!
Wordfence vs Sucuri
That these two security plugins get compared all the time is pretty interesting because they do offer fairly different services, at least for free users. And the number of free users for both is pretty massive. The basic services, however, achieve the same end-goal: protecting your site from threats such as hidden malware, brute force attacks, and various other kinds of intrusions and compromises.
Because Sucuri and Wordfence go about this in different ways, each plugin suits a different set of users. No WordPress plugin or security platform fills every need, but both of these fill specific ones. We want to go through the different ways the plugins protect your site, Wordfence via preventative measures running on your own server and Sucuri via remote site monitoring and malware scanning/removal, so that you can make the most informed decision possible to keep your site safe.
Both tools could be considered helpful multisite plugins, bringing their features to all the WordPress sites in your network. We do want to note, however, that despite their differences, either choice will provide your site with a comprehensive security suite.
Wordfence
As a platform, Wordfence is designed as an up-front shield that fences off your site from incoming attacks. Let’s take a look at just how it does this.
1. Simple Setup
Internet security is a highly technical and complicated field. Most of us aren’t experts in it by a long shot. Wordfence is good for us because when it’s installed and activated, it just works.
Yes, there are absolutely settings to tweak and options to configure. But even if you never press another button, Wordfence will block incoming threats to your site and keep you apprised of what is happening by email alerts and dashboard-based ones.
Admittedly, the dashboard is a bit busy with tabs, boxes, and links everywhere. But in terms of getting the plugin up and going, it takes very little effort and no real security background.
2. Web Application Firewall (WAF)
The heart of the free version of Wordfence is the WAF (vs Sucuri, where the WAF is a premium feature). From installation, Wordfence puts up a barrier around your site and blocks suspicious requests and entry attempts. Within the firewall, you can block IP ranges or individual IP addresses (blocking whole countries is a premium feature). One caveat worth knowing: the Wordfence firewall is PHP that runs on your own server. By default it loads as a regular plugin, after WordPress has already started; enabling its extended protection mode (which uses PHP's auto_prepend_file setting) makes it run before WordPress and every other plugin, so it can inspect a request before any vulnerable code sees it.
Additionally, the allowlist and blocklist features let you admit traffic only from sources you trust and keep out addresses that have already misbehaved, a proactive way of keeping suspicious activity out.
Rate limiting is another valuable part of the WAF. You decide how different bots and crawlers are treated, how many pages a human visitor may request in a given period, and what happens to a client that takes up an inordinate amount of server resources.
Not only does rate limiting help with content protection and server stability/performance, it also caps how much an automated scraper or attack script can do before it is throttled or blocked.
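The decision logic described above (allowlist, blocklist, then a per-client request limit), as an added illustration in Python. This is not Wordfence code, only a model of what a plugin-level firewall decides on each request; the request trace, the limit of five requests per 60 seconds, and the documentation-range addresses are constructed for the demonstration.

```python
"""Per-IP throttling with allow and block lists.

Added illustration, not Wordfence code: a small model of the decisions a
plugin-level firewall makes on each request. Allowlisted addresses pass
unconditionally, blocklisted addresses (single IPs or CIDR ranges) are
refused, and everyone else is held to a sliding-window request limit.
The request trace at the bottom is constructed.
"""
import ipaddress
from collections import defaultdict, deque


class RequestFirewall:
    def __init__(self, max_requests, window_seconds, allow=(), block=()):
        self.max_requests = max_requests
        self.window = window_seconds
        # ip_network() accepts both "192.0.2.10" (a /32) and "198.51.100.0/24"
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.block = [ipaddress.ip_network(n) for n in block]
        self.recent = defaultdict(deque)   # client ip -> request times in window
        self.throttled = set()

    @staticmethod
    def _listed(ip, networks):
        return any(ip in net for net in networks)

    def check(self, ip_str, now):
        """Return 'allow', 'block' or 'throttle' for one request at time `now`."""
        ip = ipaddress.ip_address(ip_str)
        if self._listed(ip, self.allow):
            return "allow"                 # allowlist wins over the blocklist
        if self._listed(ip, self.block):
            return "block"
        times = self.recent[ip_str]
        while times and now - times[0] >= self.window:
            times.popleft()                # drop requests older than the window
        times.append(now)
        if len(times) > self.max_requests:
            self.throttled.add(ip_str)
            return "throttle"
        return "allow"


# Constructed trace: (seconds since start, client ip). Documentation ranges only.
SAMPLE_TRACE = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),
    (3, "203.0.113.5"), (4, "203.0.113.5"), (5, "203.0.113.5"),
    (6, "198.51.100.7"),   # inside a blocked range
    (7, "192.0.2.10"),     # office address, allowlisted despite the blocked /24
    (70, "203.0.113.5"),   # same client after the window has expired
]


def run_trace(trace=SAMPLE_TRACE, limit=5, window=60):
    fw = RequestFirewall(limit, window,
                         allow=["192.0.2.10"],
                         block=["198.51.100.0/24", "192.0.2.0/24"])
    return [fw.check(ip, t) for t, ip in trace]


if __name__ == "__main__":
    for (t, ip), decision in zip(SAMPLE_TRACE, run_trace()):
        print(f"t={t:>3}s {ip:<14} {decision}")
```

The sixth request from 203.0.113.5 inside the window is throttled, the blocked-range client is refused outright, the allowlisted office address passes even though its /24 is blocked, and the same client is allowed again once its earlier requests have aged out of the window.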
3. Two-Factor Authentication (2FA)
The coolest feature the free version of Wordfence offers is the ability to set up two-factor authentication for users on your site. Under the Login Security section of the Wordfence menu, you can enable 2FA for a user by scanning a QR code. Users can choose Google Authenticator, FreeOTP, or any other app or hardware token that implements the standard time-based one-time password (TOTP) scheme.
Two-factor authentication is one of the best passive protections you can add: a stolen or guessed password alone no longer gets an attacker in. Including it as a free feature in Wordfence is going over and above in our opinion.
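What actually happens behind that QR code, as an added example in Python (not Wordfence's implementation): the QR code encodes an otpauth:// URI carrying a base32 secret, the app derives a six-digit code from the secret and the current 30-second time step, and the server recomputes the code to verify it. The key used here is the RFC 6238 test key, not a real credential, and the account and issuer names are placeholders.

```python
"""TOTP (RFC 6238) as used by authenticator apps.

Added example, not Wordfence code. Shows what the 2FA setup QR code
encodes (an otpauth:// URI with a base32 secret) and how a server checks
a six-digit code, tolerating one 30-second step of clock drift either
way and refusing a code that was already accepted. The secret below is
the RFC 6238 test key, not a real credential.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The string an authenticator app reads from the setup QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int) -> str:
    """The code an app shows at Unix time `at_time`."""
    return hotp(secret, at_time // STEP_SECONDS)


def verify(secret: bytes, submitted: str, at_time: int,
           last_accepted: int = -1, drift_steps: int = 1):
    """Return the matching time-step counter, or None.

    Counters at or below `last_accepted` are refused, so a code captured
    by an attacker cannot be replayed within its validity window. The
    caller stores the returned counter as the new `last_accepted`.
    """
    counter = at_time // STEP_SECONDS
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = counter + delta
        if candidate <= last_accepted:
            continue
        # compare_digest keeps the comparison time independent of the digits
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


if __name__ == "__main__":
    import time
    secret = b"12345678901234567890"          # RFC 6238 test key
    print(provisioning_uri(secret, "alice@example.com", "Example"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verified as step", verify(secret, code, now))
```

A server that stores the secret must also rate-limit code submissions: six digits is only a million possibilities, and a three-step drift window triples an attacker's odds per guess.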
4. Site Scan
What would a WordPress security plugin be without a site scan? You can manually run a scan. Or you can set them to automatically run at set times.
The Wordfence scans are deep because the software runs on your server and can read every file directly (Sucuri's free scanner, by contrast, works remotely). The results are easy to decipher thanks to colour-coded responses. Many of the issues you will see come from outdated plugins or themes. Wordfence also compares core, plugin and theme files against the official copies on WordPress.org, so a backdoor appended to a core file shows up as a changed file even when no malware signature matches it. If Wordfence finds malware or suspicious files, you can delete them from within the scan window immediately. (Though please always back up your site before deleting anything.)
The free version of Wordfence offers a lot for users, but being a free user does have its downsides. You do not get real-time updates to the firewall rules, the IP blocklist, or the malware signatures. When the Wordfence team discovers a new threat, premium users get the corresponding rule or signature immediately; free users get it 30 days later.
Plus, with a premium plan, you are paying for premium support. If something happens to your site, you have access to the Wordfence team directly with very short delay.
If you run a site that deals with sensitive or confidential data, the premium version is worth the money, by far. For a single site, that comes in at $99 per year.
Sucuri
Sucuri, unlike Wordfence, is based on an external platform that monitors your site for threats from afar. Instead of using your server’s resources to put up a shield, Sucuri is more like a superhero, waiting to swoop in to save the day when you’re in trouble.
1. API Connection
Because Sucuri's service runs off-site rather than on your server, you need a way for it to connect to your site securely: you generate an API key from within the WordPress dashboard, and the plugin uses that key to give the platform access.
In one important way, this beats Wordfence's on-site scans. If your site goes offline, so does Wordfence, because it lives and runs on the same server. Sucuri is external, so whatever brought your site down in the first place can still be investigated and handled by the platform.
2. Website Hardening
Website hardening is a major feature that Sucuri offers over Wordfence. The free version of Sucuri does not include a WAF, meaning that traffic from specific IPs, IP ranges, and countries, along with real-time threats, can still reach your site. Website hardening, however, is a set of detailed rules that stop an attacker who already has a foothold from taking specific actions.
Examples include blocking PHP files from running in directories where they do not belong (such as wp-content/uploads and wp-includes), disabling plugin and theme editing from within the dashboard, and hiding the running WordPress version to deter attackers scanning for outdated installs.
These are proactive measures rather than reactive ones. With Sucuri, you prepare for the worst by closing the most common paths of attack ahead of time.
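The two checks that the site-scan section (for Wordfence) and the hardening rules above both revolve around, as one added example in Python: compare the core tree against a known-good checksum manifest to catch modified, missing or unexpected files, and sweep wp-content/uploads for PHP, which is where a dropped webshell usually lands. This is not the Wordfence or Sucuri scanner. The manifest and the miniature site tree (built in a temporary directory) are constructed for the demonstration; the md5 algorithm matches the per-release checksum manifests WordPress.org publishes, and the file contents are stand-ins, not real WordPress code.

```python
"""Core-file integrity check plus a sweep for PHP where it does not belong.

Added example; it is not the Wordfence or Sucuri scanner. A scanner with
local file access can compare every core file against a known-good
checksum manifest and report modified, missing or unexpected files, and
can list PHP sitting under wp-content/uploads. The manifest and the
miniature site tree are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def file_md5(path):
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_core(root, manifest):
    """manifest maps relative path -> expected md5. Returns three sorted lists."""
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif file_md5(path) != expected:
            modified.append(rel)
    # Files inside core directories that no release manifest knows about
    for core_dir in CORE_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, core_dir)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in manifest:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def php_in_uploads(root):
    """Any PHP under uploads is suspect: that tree should hold media only."""
    hits = []
    for dirpath, _, names in os.walk(os.path.join(root, "wp-content", "uploads")):
        for name in names:
            lowered = name.lower()
            if lowered.endswith(PHP_SUFFIXES) or ".php." in lowered:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_demo_site():
    """Construct a tiny site: record a clean manifest, then tamper with the tree."""
    root = tempfile.mkdtemp(prefix="wpscan_")
    files = {   # stand-in contents, not real WordPress files
        "wp-includes/version.php": b"<?php $wp_version = '6.4';\n",
        "wp-includes/pluggable.php": b"<?php // pristine core file\n",
        "wp-admin/about.php": b"<?php // pristine core file\n",
        "wp-content/uploads/2024/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg stub",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    manifest = {rel: hashlib.md5(data).hexdigest()
                for rel, data in files.items() if rel.startswith(CORE_DIRS)}
    manifest["wp-includes/deleted.php"] = "d41d8cd98f00b204e9800998ecf8427e"  # never written
    # Tampering: a backdoor appended to core, a stray file in wp-admin, PHP in uploads
    with open(os.path.join(root, "wp-includes", "pluggable.php"), "ab") as handle:
        handle.write(b"@eval($_REQUEST['c']);\n")
    with open(os.path.join(root, "wp-admin", "wp-cache.php"), "wb") as handle:
        handle.write(b"<?php // not part of any release\n")
    with open(os.path.join(root, "wp-content", "uploads", "2024", "01", "image.php"), "wb") as handle:
        handle.write(b"<?php system($_GET['cmd']);\n")
    return root, manifest


def run_scan():
    root, manifest = build_demo_site()
    return {"core": check_core(root, manifest), "uploads": php_in_uploads(root)}


if __name__ == "__main__":
    for section, findings in run_scan().items():
        print(section, findings)
```

A remote scanner that only fetches pages cannot see any of these four findings until the backdoor changes the site's output, which is the practical difference between the two scanning models described in this article.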
3. Malware Scanning
Sucuri's malware scanning is a mixed bag. The scan itself is thorough and will absolutely find a number of issues and threats on your site (if any are there). However, it is a remote scan: it sees your site largely the way a visitor does, and even the API connection does not give it full access to your server's file system. Their scanner comes with a disclaimer saying as much.
In our experience, however, Sucuri's scan results have been accurate and have found real threats we didn't know were there. To get a full scan, though, you need to pay for the Sucuri team to do it, which feels like an unnecessary upcharge on a seemingly fundamental element of a WP security plugin.
We do feel, however, that the narrower scope of the API-connected remote scan is offset by the fact that it can still scan and repair your site after an attack has knocked it offline. That alone can save valuable time and revenue.
4. Login Security
Sucuri lets you track users who log into your site. Within the plugin dashboard, you can check for any user who has logged in, any user who is currently logged in, and any user who has failed to log into your site. This feature can be the difference in a secure site with a number of happy users, or a compromised site where someone has access they shouldn’t.
Seeing failed logins can indicate a brute-force attack, while seeing users currently logged in can let you know what accounts have been compromised already. For example, Sucuri is showing that Bob Smith is logged into your site, but Bob retired from your company three years ago…something is probably wrong and that access is unauthorized.
All the preventative measures, website hardening, and password protection in the world are useless once someone has legitimate access to your site with active permissions.
We have no qualms in saying that Sucuri is a fantastic service that protects your website and deserves its spot as a go-to standard in WP security. The free version of Sucuri works well as a scanner and as a tool for being proactive against threats.
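The two signals the login-security section relies on, as an added example in Python rather than Sucuri's own code: a burst of failed logins from one source inside a short window (brute force or password spraying) and a successful login by an account that should no longer exist (the retired-employee case). The audit records, the roster of active staff, and the thresholds are constructed for the demonstration.

```python
"""Brute-force and stale-account detection over a login audit trail.

Added example, not Sucuri code. Implements two checks: a source that
racks up `threshold` failed logins inside a sliding window, and any
successful login by an account missing from the active roster. The
records and roster below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: (timestamp, username, source ip, outcome)
SAMPLE_LOG = [
    ("2024-03-01 09:00:00", "alice", "203.0.113.9", "success"),
    ("2024-03-01 09:01:00", "admin", "198.51.100.4", "failed"),
    ("2024-03-01 09:01:10", "administrator", "198.51.100.4", "failed"),
    ("2024-03-01 09:01:20", "wpadmin", "198.51.100.4", "failed"),
    ("2024-03-01 09:01:30", "admin", "198.51.100.4", "failed"),
    ("2024-03-01 09:01:40", "admin", "198.51.100.4", "failed"),
    ("2024-03-01 09:01:50", "admin", "198.51.100.4", "failed"),
    ("2024-03-01 09:10:00", "bsmith", "192.0.2.77", "success"),
    ("2024-03-01 10:00:00", "carol", "203.0.113.10", "failed"),
    ("2024-03-01 10:00:30", "carol", "203.0.113.10", "success"),
]
ACTIVE_STAFF = {"alice", "carol"}   # bsmith retired years ago but still has an account


def parse(record):
    ts, user, ip, outcome = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, outcome


def brute_force_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Flag a source the moment it reaches `threshold` failures inside `window`.

    Returns {ip: {"flagged_at": datetime, "usernames": [targeted accounts]}}.
    """
    failures = defaultdict(list)
    flagged = {}
    for record in sorted(log):          # timestamps sort lexically in this format
        ts, user, ip, outcome = parse(record)
        if outcome != "failed":
            continue
        recent = failures[ip]
        recent.append((ts, user))
        while recent and ts - recent[0][0] > window:
            recent.pop(0)               # forget failures outside the window
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = {"flagged_at": ts,
                           "usernames": sorted({u for _, u in recent})}
    return flagged


def stale_account_logins(log, active_users):
    """Successful logins by accounts that are not on the active roster."""
    return [(user, ip, ts) for ts, user, ip, outcome in map(parse, log)
            if outcome == "success" and user not in active_users]


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_LOG).items():
        print(f"brute force from {ip} at {info['flagged_at']} targeting {info['usernames']}")
    for user, ip, ts in stale_account_logins(SAMPLE_LOG, ACTIVE_STAFF):
        print(f"stale account {user} logged in from {ip} at {ts}")
```

Carol's single typo never reaches the threshold, while the spray of admin-style usernames from 198.51.100.4 is flagged on its fifth failure; the retired account only becomes visible because the roster is checked against successful logins, which is exactly the comparison the dashboard view of logged-in users lets you make by eye.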
If, however, you want a more hands-off approach when using Sucuri, you will need to upgrade. The free version does not come with a WAF, which we feel is necessary for security these days. You must upgrade to enable it.
Sucuri's WAF plans start at $9.99 per month. This is where things get sticky, though. The $9.99 plan does not include malware/hack cleanup (nor does the $19.98 per month plan). If you subscribe to their platform plan at $199.99 per year, you get that on top of other features such as CDN integration and more.
However, the real sticking point is that neither of the Sucuri basic plans ($9.99/month for WAF or $199.99/year for platform) includes support for your existing SSL certificate. Since Google has all but required sites to use HTTPS by making it a ranking factor, the lack of SSL certificate support makes the basic plans useless for nearly all customers.
Listing a lower price but removing such a fundamental feature as SSL certificate support creates a false idea that the full service is available at that price, when it is actually not. The Pro plans are really the base plans, and the Basic tier exists (seemingly) as a marketing ploy to be able to advertise “plans as low as $9.99/month” when that plan is untenable for the majority of users.
In reality, Sucuri’s plans start at $19.98 per month for WAF access and $299.99 per year for the full platform. These are not absurd prices, and they offer great features for those prices. However, we are not fans of the way pricing tiers are handled.
Wordfence vs Sucuri
When looking at the free versions of both, it really comes down to what your site needs. For set-it-and-forget-it users, Wordfence comes out on top. Automated scans, email alerts, decent-enough default WAF settings, and two-factor authentication make Wordfence our choice for free users. The plugin simply offers too much for free to be dethroned.
However, when looking at the premium versions, Sucuri users get more value for their money. Where the Wordfence premium upgrade mainly keeps your site's protection current against emerging threats, Sucuri adds quite a bit on top of the features highlighted above: CDN integration, a continually updated WAF, DDoS protection, malware removal and site cleanup, and more. With that in mind, Sucuri comes out on top.
However, we do want to qualify this by saying that premium Wordfence is about a third of the price of premium Sucuri. The difference between $99.99 per year and $299.99 per year is not insignificant. With that in mind, our suggestion is to use Wordfence to protect your site for free (or on the cheap), and if you need increased security features, take a look at Sucuri's plans to see if their platform offers enough for the increased price.
What have been your experiences in dealing with Wordfence vs Sucuri?
I have used Sucuri for malware checking and it shows great results.
Any comments on the performance impact of these services?
Curious about your comments under “Login Security” because Wordfence is happy to send you an email anytime anyone with user access logs into a website, as well as locking people out who are trying brute force attacks. I always know when my clients are signed in, or have been signed on, because I receive emails telling me when they are. I also receive emails when they have accidentally locked themselves out. One improvement I would really like to see is the blocking of WP usernames, which anyone can find by rolling over a post title, even when the “author” meta tag on a post is not shown; why give hackers half the information they need?
What if we use both together?
Prefer Shield to either of these
First of all, thanks for the great content. I have one problem when I install Sucuri. It shows (Core WordPress Files Were Modified) after scanning. Are these files secure? And if so, how do I remove the notification (We identified that some of your WordPress core files were modified)?
Wordfence! I too was hacked using Sucuri, and for many years with Wordfence and many attacks my websites have always been protected.
With unlimited malware removal requests, Sucuri offers one annual fee for website cleanup and protection.
I’ve been using the free version of WordFence for a while now on a variety of sites. I’ve been very happy with it. This post confirms that, for my purposes, WordFence is the right choice. It’s good to know that there is a solid alternative if I need it. Thanks for the great comparison of two great plug-ins!
Our experience is different. We’ve had sites protected by Sucuri that were hacked and infected that we disinfected using WordFence.
In my opinion, you’ve undervalued WordFence’s firewall. It not only prevents blacklisted bad actors from interacting with the website, it also identifies and halts malicious behavior.
We install the premium version of WordFence on every website subscribing to our Maintenance and Security service. WordFence provides a Central Dashboard that makes it a breeze to administer standard policies and monitor the status of every site at a glance. Plus, we get notifications of sites needing attention via their Slack integration.
For agencies like ours, WordFence is a much better solution than Sucuri.
Totally agree, Tom! I generally use WordFence, but have taken on a couple of sites that had been fairly seriously hacked despite running Sucuri. Replacing that with WordFence and doing a thorough cleanup generally seems to be the best bet.
I can’t help wondering how, if you have a strong password, I’m talking here about a 20 to 30 digit computer generated password along with Two Factor Authorisation, you get hacked? That coupled with a plugin that limits three wrong tries before a lockout must surely keep you safe.
Am I missing something?
Sorry to say, yes, you are missing something. Some of the most common attacks against sites use critical errors in the code of either your WordPress installation or one of the installed plugins. Basically the hacker uses a script to determine which plugins and which versions are installed. In the next step he then checks for vulnerabilities. If there are some, he then goes on and uses them.
Obviously this is not done manually but by using scripts to automate the process.
So keeping your installation as clean as possible, by using as few plugins as possible and keeping them up to date, is also a life-saving thing. And also: back up, back up and, btw, back up 🙂
Depending on how the site is setup with forms, plugins, etc., there are many ways to infiltrate a site. Wordfence will provide reports of what it has blocked many of which are due to flawed plugins.
I much prefer the plugin Wordfence for ease of use and easy website protection; however, Sucuri are great when it comes to tricky malware removals when enlisting their paid-for service, which luckily I’ve only had to do once!
Hi, great article! Question for you — Can you run both?
I’ve noticed with the free version especially sometimes both of these applications are installed.