Both Wordfence and Sucuri are popular and reputable security plugins that will keep your WordPress website safe and secure. However, while these two solutions both aim to secure your site, in this Wordfence vs Sucuri comparison, you will find that there are some important differences.
In this Wordfence vs Sucuri comparison, we will look in-depth at the free versions of these security solutions, comparing their:
- Key features
- Malware scanners
- User experience
Let’s get started…
Wordfence: An overview
Wordfence is the most popular WordPress security plugin. It includes an endpoint firewall and malware scanner, as well as a suite of additional features. Wordfence offers a range of premium plans, as well as its renowned free service.
So, let’s check out the key features provided via the free Wordfence plugin…
- Web application firewall (WAF)
- Malware scanner
- Security alerts and reporting
- File repair
- Real-time user monitoring
Sucuri: An overview
Current Version: 1.8.21
Last Updated: May 9, 2019
In contrast, Sucuri is a cloud-based platform that works with any content management system. That said, WordPress is a specialist area of expertise for Sucuri, and their free WordPress plugin can easily be installed and set up on your website to help keep it secure.
Like Wordfence, Sucuri also provides a range of premium plans. However, let’s concentrate on the free plugin – here are its top features…
- Remote malware scanning
- Blacklist monitoring
- Security hardening
- Security notifications
- Post-hack actions
So now we know a little about what each plugin offers. Next in this Wordfence vs Sucuri guide, let’s next look in-depth at how these features compare…
Wordfence malware scanner
The Wordfence scanner searches your site for traces of malware, malicious URLs, and any patterns of infections. It does this by examining all of your website’s files, themes, plugins, and posts. It also monitors your server, and among other tasks, checks to see if your IP address is being used for malicious activity.
During the scan, Wordfence compares your files to those in the WordPress repository, and then alerts you to any changes. You can then authorize Wordfence to repair the files, restoring them to the original repository version. By default, Wordfence runs a scan from your server daily to check on the status of your website. However, you can also run manual scans with just a click of a button.
Sucuri malware scanner
The Sucuri malware scanner scans your website for…
- Blacklist status
- Website errors
- Out-of-date software
A core integrity check also identifies if any core WordPress files have been modified or removed. Sucuri will then alert you to any file changes on your website, malicious threats, or blacklists. It will also make Post-hack recommendations on how to deal with problems or further secure your site.
The key difference between the Sucuri and Wordfence scanners is that the Sucuri malware scanner is a remote scanner, whereas the Wordfence scanner is server-side. Therefore, the Sucuri scan is far from 100% accurate, as your website could be hosting malware that doesn’t show up on the front-end of your site.
However, the tradeoff is that Wordfence will use more server resources during its scan. If you prefer a more comprehensive off-site scan, check out the MalCare plugin.
The free Wordfence plugin includes a web application firewall (WAF) that identifies and blocks against malicious traffic. Not only does it protect against common web-based attacks, but the firewall also focuses on diagnosing WordPress-specific threats that target the WordPress core, themes, and plugins. The WAF also runs directly from your server and monitors regular visitors and activity on your website, which helps it to identify anything out of the ordinary.
Other features of the Wordfence firewall include…
- Brute force attack protection – Wordfence enforces brute force attack protection, locking out password-guessing attackers, and helping you implement strong passwords.
- Rate limiting – You can opt to block crawlers that are using too many resources or stealing content.
- Blocking – Powerful blocking features let you set your own blocking rules and block traffic based on IP, IP range, hostname, browser, or referrer.
Firewall rules, malware signatures, and malicious IP addresses are updated constantly by the Wordfence security team. However, your firewall will only be updated against the latest security threats in real-time if you upgrade to the premium Wordfence packages.
Using the free plugin, you will need to wait 30 days for any new firewall rules to run on your website, which means you won’t get protection against “zero-day” exploits in the free version (AKA brand new exploits that have only just been discovered).
Unfortunately, if you opt to use the free Sucuri plugin, you won’t find a firewall amongst the features on offer. Therefore, although the free version of Sucuri will scan your website and report any abnormalities, it in no way blocks attacks.
Sucuri does offer its own WAF, but only on its premium plans.
Wordfence vs Sucuri: Other features
Let’s have a look at some of the other features that these two security plugins provide…
- WordPress hardening – Sucuri provides a range of WordPress hardening options, including blocking PHP files, blocking theme and plugin editors, and much more, all of which you can configure to suit your needs.
- Live traffic options – The Wordfence live traffic tools shows what is happening on your site in real-time, including user logins, hack attempts, and firewall blocked requests.
- Reporting – Both plugins alert you of any security breaches via email.
- Support – Wordfence and Sucuri both provide extensive knowledge bases. However, for both free plugins, support from the developers is only available via the WordPress repository support forums.
So now that you know how the features of these two free plugins compare, let’s next check out the user experience of Wordfence vs Sucuri…
Wordfence: Ease of use
You can install Wordfence for free from the WordPress.org plugin directory:
Once you have installed the Wordfence plugin, you will be asked to provide an email for security alerts, and agree to the terms and conditions of the service.
Select Wordfence > Dashboard from your WordPress menu. Here you will find an overview of the features available and your security analytics, as well as quick links to access the different tools and help documentation.
Wordfence provides helpful pointers, talking you through the different features and how you can use them to protect your website. This is an effective way to introduce users to the Wordfence dashboard and help people get the most out of the service.
To access the Wordfence firewall settings, select Wordfence > Firewall from your Wordfence menu. To start with, the firewall will be in “Learning Mode”, which allows Wordfence to learn about your site and understand how to protect it. Wordfence advises that you leave the firewall in learning mode for at least a week before it is activated.
By clicking on Manage Firewall, you can configure the firewall settings, including brute force protection, and IP blocking.
If you select the Blocking tab you can create blocking rules and view any blocks that have already been set up.
Wordfence malware scan
The Wordfence malware scan will automatically run once you have activated the plugin. Alerts will also automatically be sent once you have added your email address during plugin set up. However, by selecting Wordfence > Scan from your WordPress menu, you can create custom scan configurations.
Within the Wordfence dashboard, there are also numerous links that will take you to relevant help articles in the Wordfence knowledge base.
Under the Scan dashboard, you can view your scan results, and take action on any issues that may have been uncovered.
For a more detailed look, check out our full Wordfence guide.
Overall, Wordfence is easy to set up, with hints and tips provided en-route to ensure you configure the plugin in a way that works for your site. So how does this compare to the user experience provided by Sucuri? Let’s find out…
Sucuri: Ease of use
Like Wordfence, you will also find the free Sucuri plugin in the WordPress repository.
Once installed, Sucuri will ask you to generate an API key. This will connect your website to the Sucuri cloud and ensure you can access all the plugin’s features.
By selecting Sucuri > Dashboard from your WordPress menu, you will find the results of your site’s malware scan, which automatically runs after you activate the plugin. You can also select to force start a new malware scan.
Click on Settings > Hardening to view and activate the numerous preventative measures this plugin provides. You can both Apply and Revert hardening features, depending on your security needs.
Under Settings > Post Hack, Sucuri provides a range of recommendations on how to clean up your website. These include the option of resetting security keys, user passwords, and installed plugins.
Sucuri also provides an easy user experience, with set up being pretty self-explanatory. However, this plugin doesn’t provide the helpful hints that you will find when using the Wordfence plugin. Therefore, if you want further clarification on the features offered, you will need to consult the Sucuri knowledge base.
Final thoughts on Wordfence vs Sucuri
Both Wordfence and Sucuri have created effective free WordPress security plugins. However, as this Wordfence vs Sucuri guide shows, these security plugins do have different features and end-goals.
The Sucuri plugin was originally designed to simply support the premium Sucuri plans, and although it provides an impressive malware scanner, you will need to upgrade to access the Sucuri firewall. Therefore, if you want a free security plugin that not just monitors your WordPress website, but also blocks security threats via a WAF, then Wordfence is the tool for you.
Have any questions about which is the best free WordPress security plugin for your site? Ask away in the comments!