Sucuri is a popular online malware scanning and removal service that published the WP plugin with the same name in the WordPress repository a few years back. Wordfence is one of the oldest and most popular WordPress security extensions. Like Sucuri, it offers a malware detection/removal service. These two security plugins are designed to protect a website from various attacks, according to their WordPress listing pages. Do these two extensions really protect your website? Is Wordfence better than Sucuri or vice versa? Below, we’ve compared the features and options of the two WordPress security plugins.
File scanning
WordFence can scan the WP core files on demand. It can scan files for malware infections, changes, etc. It can scan hundreds of thousands of files in the WordPress directory within minutes or even seconds. WF will display the file names/links in a list when it finds issues with a file or malicious code in them. Its free version can repair WordPress core files by replacing them. You must manually fix the files that the plugin can’t repair. Sucuri automatically scans WordPress core files and alerts users when it detects some changes in them.
API key
According to Sucuri, users must enter the API key to prevent malicious users from deleting the audit logs. Wordfence doesn’t ask you to enter an API key. It only shows an option to purchase its premium/pro edition when you install and activate the plugin for the first time. Besides the option to buy the premium edition, the extension shows the “skip” button.
Alerts
The two WP security plugins can send email alerts whenever they detect security issues on your website. Wordfence prompts you to enter your email ID as soon as you open its settings page or activate it. Sucuri asks you to enter the email address when you click on the Generate API key button.
Firewall
Sucuri free edition comes with a WAF module which is disabled by default. You can enable this feature only after entering the API key, and to get the key, you must purchase the license. Wordfence features a firewall utility that isn’t locked. Its firewall works in two modes – learning and enabled. The learning mode makes it learn about the site’s traffic, users, etc. Wordfence asks the users of the extension to keep the learning mode on for a week. The other mode i.e. Enabled and Protecting, will make it block known threats automatically.
Users can configure the Wordfence firewall to block XSS, SQLi attacks, and over 50 other attacks that can be triggered because of security issues in the third-party plugin or theme.
Brute force protection
Wordfence can ban IP addresses from accessing your website when they make several failed login attempts. The Brute force protection settings page has the option to enforce strong passwords, disable application passwords, block users from registering an account with the user name admin, make your site participate in Wordfence real-time security network, and more.
Secret keys updater
Sucuri ships with the Secret Keys Updater function that will make the plugin generate and update the secret keys in the wp-config.php file. To activate this function, open the Hardening Tab that you will find on the plugin’s settings page.
Last login details
Sucuri stores the IP addresses of all users that have logged in to your WordPress site. It also shows the IP address and browser of the user that had tried logging into your site but failed to do so. It also shows the time at which the failed login attempt was made.
Removal of the WordPress version
Sucuri can prevent WordPress from displaying its version in the HTML code of the page. You can find the option to enable this feature in the Hardening tab of its Settings page.
PHP execution
Sucuri can block the execution of code in specific PHP files stored in the critical directories of WP.
Scheduled tasks
Many WP extensions schedule or create a WP cron task without your knowledge. Sucuri lets users see these tasks and prevent/delay their execution. The tasks include the tasks that it has created to keep your site secure. The plugin shows the Scheduled tasks in the Scanner tab of the settings interface. The Scanner tab also shows an option to execute the task right now. If the scheduler finds suspicious files or changes, it will update the audit logs with the same.
Disable code editors
Sucuri lets users disable the plugin and theme editor with one click of a button. This option can prevent unauthorized users from making changes to the WP extension and theme files.
2FA
Wordfence’s latest feature is Two-factor authentication. When you click its Login Security option, the plugin will open a page that shows a QR code and backup codes. You must scan the QR code with an authenticator app. WF lets you manage 2FA roles for various users.
Tools
Wordfence lets you see the real-time traffic to your website. The live traffic module of the plugin shows the browser name/version of the user, the URL the user has visited, and the option to block the user or see their WHOIS details. WF features a WHOIS lookup tool and comes with an option to export/import settings. Sucuri doesn’t have live traffic/WHOIS info lookup tools, but it can export/import settings like Wordfence.
Closing words: Sucuri is a good security plugin, but it lacks a brute force protection function, a 2FA module, a real-time traffic function, and a free firewall tool like Wordfence. WF is a better WP security extension than it, as it provides more valuable features than Sucuri.
