Best WordPress Security Plugin: WordFence vs Sucuri

As more and more of our activity moves online and the Internet of Things expands, the number of malicious actors looking to exploit personal information and assets also grows. It’s impossible to make a website 100% invulnerable to exploits, but the other side of that coin is that a shockingly high percentage of companies continue to leave their online assets’ security on the back burner.

We here at WooNinjas are firm believers that security is something you can never have enough of, and today we’ll be doing a deep dive into two popular security plugins for WordPress sites: Sucuri vs WordFence.

Each of these companies offers both free and paid plugins and services with several price tiers to ensure that the risk of your site being compromised is as close as possible to zero. Many of their offerings cover the same bases, but they also differ in important ways that I’ll cover as we go.

Let’s compare Sucuri vs WordFence! Skip to the good stuff:

• Sucuri
  – Sucuri Security
  – Sucuri Firewall
  – Sucuri Platform
• WordFence
  – WordFence Free
  – WordFence Premium

Sucuri vs WordFence: Sucuri

Sucuri offers three primary services:

1. Sucuri Security – a free plugin that includes standard WordPress hardening features, remote malware scans, and a few other nifty things;
2. Sucuri Firewall – a cloud-based firewall that can be purchased independently or integrated with the free Sucuri Security plugin and includes an array of website protection features; 
3. Sucuri Platform – a full suite of premium cloud-based security services, including the Sucuri Firewall, monitoring and detection, website protection, and incident response. 

Sucuri Security

Sucuri Security does a few seemingly basic, but vital(!) things: it hardens your website against attacks, it scans your website, it verifies the integrity of your website’s core files, and it offers some degree of contingency measures with its Post-Hack tools. 

The vast majority of websites that fall prey to hackers are compromised due to known/unknown vulnerabilities in plugins or core WordPress files. Brute force attacks also account for their share of breaches, but what may sound odd to some is the simple truth that keeping your WordPress and PHP up to date is just as important as changing your default admin account password. 

That’s where Sucuri Security comes in, offering everything from simple reminders that it’s time to update your WordPress Version to masking what version of your CMS you’re running from the public. A full list of Sucuri Security’s hardening options can be found (and clicked on) below:

Sucuri’s SiteCheck remote scanners also check your site for “malicious content, blocklisted status, website errors and out-of-date software”, ensuring that you’re in the know if your website has been blocked by Google. This means that you can get the jump on Google’s ban hammer before your SEO is damaged beyond repair. 

One WordFence study found that over 60% of site owners whose websites had been compromised were completely unaware that they had hacked. Even if the site owners had no idea, that doesn’t mean other people weren’t watching – Google blocks over 10,000 websites every single day, and a prolonged block could be a death sentence for your brand!

Finally, Sucuri’s Core Integrity Check also keeps you safe from what’s known as “backdoors”, which is when a hacker makes alterations to the core files in your WordPress installation in order to expedite future breaches.

Even if the unspeakable does happen, Sucuri Security offers a variety of Post-Hack tools and tips that can be used to clean up a hacked site.

Sucuri Firewall

Sucuri’s Website Application Firewall (WAF) is a cloud-based service that also includes a suite of website protection features:
– a content delivery network (CDN) for optimized site performance;
– geographic load balancing for reliable uptime;
– an Intrusion Detection System (IDS);
– DDoS attack mitigation;

That’s a lot of acronyms for one list, so I’ll briefly touch on each.

Sucuri’s WAF is a cloud-based firewall, sometimes referred to as Firewall as a Service (FWaaS). As opposed to local, or on-premises firewalls (i.e. firewalls installed in your network), outsourcing your firewall comes with several benefits and drawbacks.

There’s a lot of information out there comparing cloud-based vs local firewalls, but you’ll find the “142 characters or less” version below: (spoiler alert: it’s more than 142 characters)

Cloud-Based Firewalls	Local Firewalls
Pros	Cons	Pros	Cons
Ease of scaling, expansion, management	A third party has control of your secure assets	Your secure assets remain in your network	Vulnerable to DDoS attacks
High uptime	Unpredictable latency	Deep local scans	Utilizes your resources
Lower total cost of ownership*	Possibility of data leakage	End-to-end encryption via VPNs	Scans and encryption can slow down sites
Nearly invulnerable to DDoS attacks	No end-to-end encryption	You control your own setup and configuration

* = This typically only applies to companies large enough to have dedicated IT teams managing their online security.

One of the biggest benefits of cloud-based security lies in the fact that it reliably keeps attackers from knocking on your door by concealing your server’s location on the internet. This forces ne’er-do-wells to knock on Sucuri’s doors instead, and Sucuri has several contingencies in place to respond to this while keeping your site operational and your assets safe. 

However, site owners should bear in mind that no cloud-based solution can protect your servers against attacks by hackers who have figured out your server’s IP address through other techniques such as phishing or social engineering. 

A hacker who knows your server’s iP address can go right around a cloud-based firewall and access your server’s traffic, which is why companies with especially valuable intellectual property often use cloud-based firewalls in conjunction with local firewalls (and regional firewalls, but these aren’t particularly relevant to SME). 

That way, even if a hacker knows your server’s IP address and makes their way to your doorstep, a local firewall is still present to scan your server’s traffic for abnormal or unauthorized activity and provide an additional layer of defense against potential breaches. 

Sucuri’s CDN, or Content Delivery Network, employs a number of techniques to make sure that traffic flows between your site and your clients, and boasts an average speed increase of 70%.

The Intrusion Detection System (IDS) scans incoming and outgoing traffic to make sure that only authorized parties are given access. 

As mentioned in the table above, Sucuri Firewall makes websites extremely resilient to DDoS attacks, which means your site can stay up and running even when the bad guys are trying to shut you down.

Sucuri Security Platform

As an all-in-one offering, Sucuri Security Platform offers more features than I can reasonably cover in a single blog post that’s not dedicated exclusively to this one thing.  Its offerings are broken down into the following categories:

• Support
• Monitoring and Detection
• Protection
• Response
• Performance

Each tier comes with the Sucuri WAF, a variety of regular remote scans, site performance optimization, blocklist monitoring and removal, and here’s the kicker – unlimited malware & hack removals for one annual charge. 

If you have an existing SSL certificate that you’d like to use, you’ll have to purchase the Pro Platform or Business Platform, as origin SSLs are unsupported by the Basic Platform. Remote scans and monitoring become more frequent the higher you go up the price tiers as well, but that’s really the only way that the three Platforms differ. 

Enterprise-level clients also get access to exclusive perks such as 24/7/365 support, custom scans, SIEM integration, dedicated network resources, and more. 

Sucuri vs WordFence: WordFence

WordFence provides a lot of the same security hardening features as Sucuri and comes with two tiers:

1. WordFence Free – a free plugin that offers much of the same hardening features as Sucuri Security and comes with additional features such as a firewall and 2FA;
2. WordFence Premium – functionally an improved version of WordFence Free with a few extra perks;

WordFence Free

WordFence Free offers a respectable toolkit for site owners looking to beef up their site’s security without actually investing money into it, but there are a few important caveats to consider as well.

WordFence Free comes with a WAF that is installed at the endpoint, or on your server. I dedicated a bit of space above to discuss the pros and cons of cloud-based firewalls, so I’ll touch on the benefits and drawbacks of local ones as well.

WordFence spells things out rather clearly on their site:

“Unlike cloud alternatives our firewall does not break encryption, cannot be bypassed and cannot leak data.”

Cloud-based firewalls act as a midpoint between your clients and your server, a place where traffic is temporarily de-encrypted so the firewall can analyze what should and shouldn’t be running across your network. After the firewall filters out any bad traffic, everything else is re-encrypted and re-enters the flow.

WordFence’s firewall filters your traffic between endpoints (which usually means “between your server and the client’s web browser”), which means that your traffic remains 100% encrypted as it’s traveling across the internet. Even if a hacker were to intercept any traffic going between your server and a client, the information would be indecipherable unless the hacker had access to highly sophisticated de-encryption technology.

This type of attack is so rare that it isn’t even included in the list of attack vectors published by WordFence, whereas plugin vulnerabilities and brute force attacks account for over 70% of WordPress attacks. 

There are two “buts” to consider with WordFence Free, though:

1. Even if local firewalls have endpoint-to-endpoint encryption and are leak-proof, they are inherently vulnerable to DDoS attacks. Well-configured local firewalls stop hackers from getting in through your figurative front and back doors, but that doesn’t change the fact that hackers are already sitting on your doorstep (i.e. your server). This gives them the opportunity to overwhelm your server with malicious traffic.
2. WordFence Free users only receive updates to their firewalls rules 30 days after they are released to WordFence Premium users. In other words, if WordFence discovers a new firewall rule that guards against an exploit and includes it in their updated firewall for Premium Users, anyone without a Premium plan will be vulnerable to said exploit for 30 calendar days.

That’s a heck of a catch-22. 

Like Sucuri Security, WordFence Free also has a range of scanners (for malware, backdoors, bad URLs, code injections, etc.) and checkers (for core WordPress, plugins, themes, etc.) designed to keep your site in pristine condition. 

When compared to Sucuri’s remote scanners, WordFence’s scanners can also perform more comprehensive, deeper scans of your website and its contents, and being extra thorough is never a bad thing. 

That said, the resources needed to perform these scans (and encrypt your traffic) will be coming from your server, so site owners should take this additional load into account when optimizing their site’s performance.

The same catch-22 applies here as well:

“Wordfence free users receive signatures to detect new malware 30 days after they are released to our premium customers.”

Unlike Sucuri Security, WordFence Free allows you to set up two-factor authentication (2FA) for your site, which is one of the most effective ways to defend against brute force attacks. CAPTCHA login pages are also included to add an extra layer of security against bots trying to log into your site, and you can also block logins for users whose passwords have been compromised to further reduce your site’s attack surface.

Finally, the free version of WordFence comes with WordFence Central, a dashboard that gives you total control over your configuration and allows you to manage security events.

WordFence Premium

Whereas Sucuri’s offerings address different elements of website security, WordFence Premium is more or less a direct upgrade of WordFence Free. The 30-day timers for firewall rules and malware signatures are replaced with real-time updates, new IP blocking features become available, and Premium clients can enjoy Premium support.

WordFence Premium allows site owners to restrict or block IP addresses from entire countries with its Country Blocking feature. A Premium license also provides site owners with real-time access to WordFence’s Security Network – a WordFence-wide collection of known malicious IPs and URLs that will be blocked automatically if they try to access your site.

WordFence’s Premium Support team also claims to resolve most tickets in 24 hours (during business hours). Their support page states that all support tickets are conducted over email.

The base cost of WordFence Premium is $99.00/year, but there are several ways to get a discount on this annual rate:

1) Purchase a license for multiple sites:

2) Purchase a multi-year license:

Other Services

In addition to its free and premium plugins, WordFence also offers Site Auditing and Site Cleaning services. 

Site Audit: WordFence’s security analysts carry out a 59-point inspection and generate an extensive report detailing your site’s current level of security and WordFence’s recommended improvements.

Site Cleaning: WordFence follows a 6-point plan to detect and destroy any malware or malicious code on your site:

Site Audit and Site Cleaning cost $490 apiece and come with a free year of WordFence Premium, as well as a guarantee to keep your site clean for 1 year after purchase (assuming you follow their recommended steps). 

If your site has been compromised and you need immediate help, you can purchase a VIP Priority Audit or VIP Priority Cleaning for $950, which automatically bumps your ticket to the front of the queue and ensures that WordFence will begin work on your site within 4 hours regardless of the time of day or your physical location.

Sucuri vs WordFence for WordPress Security

When comparing Sucuri vs WordFence’s free plugins, site owners will find a lot of the same functionalities coming from both companies. WordFence Free technically has more to offer with its built-in firewall and 2FA, but the 30-day delay on firewall rule and malware signature updates certainly has the potential to be a wrench in the engine of your security setup.

As far as paid offerings go, Sucuri and WordFence offer similar toolkits but differ in what they’re inherently trying to deliver. 

Whereas Sucuri offers a large suite of remote tools to detect and respond to attacks and includes a cloud-based firewall, WordFence focuses on keeping attackers out with its local firewall and offers malware removal as a separate service. 

If you have the ability to dedicate around $300 a year to your website’s security, there’s really no reason not to do so, as these two services can be complementary to one another. Pairing a cloud-based firewall with a local firewall would really be the best of both worlds, as the two types cover one another’s weak spots and generate additional layers of defense that deter hackers accustomed to exploiting easier vulnerabilities.

At the very least, we recommend utilizing one of the free plugins to keep your website safe. 

If you are looking for additional help implementing security measures to yourWordPress, don’t hesitate to reach out to our team of WordPress experts.

Thanks for reading and stay secure!