I decided to go on a search journey for the best web access firewall (WAF) (and overall cyber security protection) for my WordPress site and I came across the following review: "5 Best WordPress Firewall Plugins Compared". After reading, it did indeed appear that Sucuri had the best overall feature set and came with the boast of mitigating four hundred and fifty thousand WordPress targeted attacks.

The following stood out to me (and from the rest of the products I had reviewed so far):

Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and Anycast CDN (all included). It protects your website against SQL Injections, XSS, RCE, RFU and all known-attacks.

I had actually come across Sucuri in my web travels whilst looking for a domain vulnerability scan site; they provide a free website malware and security scanner located: sucuri site scanner

Their WordPress Plugin appeared to have features that were free and part of some of the competitors' paid versions (or not available from them at all).

In order to properly validate the reviewer's rave recommendations, I needed to try it for myself. I wasn’t keen to outlay $199.00 (annually) (which BTW is quite cheap for the feature-rich product suite that Sucuri appeared to provide) before first giving it a spin and putting it through the paces.

The installation was simple and went seamlessly. I was in and configuring once the plug-in had been activated.

The SOC user interface is surprisingly nice and easy to navigate. All of the WAF features are disabled in the free version (which you need to subscribe to on the main Sucuri site – they provide three OOTB and one custom solution): Sucuri subscription options. Prices start at $199 and all options include: Malware Removal & Hack Response, Continuous Malware & Hack Scanning, Brand Reputation & Blacklist Monitoring, Stop Hacks (Virtual Patching / Hardening) and Advanced DDoS Mitigation.

Their firewall is SSL and PCI compliant and customer support becomes more premium (from an 8 hour response SLA with the basic subscription to 30 minutes with the business, which will set you back $499 per year). For the large complex enterprises looking for a SOC-as-a-Service they offer custom solutions that include:

  • Multiple site pricing; 
  • Seamless integration; 
  • Emergency response SLAs; 
  • Flexible account management; 
  • Custom server configurations; and
  • A dedicated support team.

There is a log exporter; however, I am yet to configure it with a SIEM, Splunk or otherwise (they recommend OSSEC which I was unable to locate). You can enable reverse proxy with one click, which I think is neat.

The free hardening options are encompassing and include: Verify WordPress Version, Verify PHP Version, Remove WordPress Version, Block PHP Files in Uploads Directory, Block PHP Files in WP-CONTENT Directory, Block PHP Files in WP-INCLUDES Directory, Information Leakage and Default Admin Account.

The Plugin and Theme Editor does not work and it provides the error message: “WordPress configuration file is not writable”. The only hardening option not available is Website Firewall Protection as this is part of the paid subscription offering.

The scheduled tasks that come by default (and free) can scan your entire website looking for changes, which are later reported via an API in the audit logs page. This scanner runs daily but you can change the frequency to meet your own requirements. They provide advice stating that scanning your project files too frequently will affect the performance of your website. Be sure to have enough server resources before changing this option. The memory limit and maximum execution time are two of the PHP options that your server will set to stop your website from consuming too many resources.

It has a fantastic alerts function that provides around 30 different triggers (all in the free version). There is a configurable password guessing feature for failed login attempts to stop brute force attacks and an entire feature-set on post-hack secret keys in the event of an exposure.

Overall the free version of Sucuri seems quite comprehensive considering it's free and not on a time-bound trial. I am going to continue to review this product and will more than likely subscribe to the paid premium version that will avail the WAF functionality.

I will update this article in a few weeks, once I have had the opportunity to comprehensively assess Sucuri and its capability. However, so far so good!…
