Sucuri Security / Monitoring

  • first release
    2011-11-18
  • last updated
    2020-02-17
  • current version
    1.8.24
  • requires WP version
    3.6
  • tested up to
    5.3.4
  • download count
    6 465 616
  • rating total
    339
  • rating
    88% (339 users)

Sucuri Security

Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.

The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

Changelog

1.8.24

  • Fix warning caused by humanTime function
  • Fix fatal error caused by cron jobs with nested arguments

1.8.23

  • Add Automatic Secret Keys Updater
  • Improve button’s and link’s messaging on Last Logins sections
  • Improve messaging on Hardening page
  • Improve messaging on IP Access page

1.8.22

  • Add “SSL existence check” to WordPress Security Recommendations
  • Add “Salt & Security Keys existence check” to WordPress Security Recommendations
  • Add “Salt & Security Keys age check” to WordPress Security Recommendations
  • Add “Admin account check” to WordPress Security Recommendations
  • Add “Single super-admin check” to WordPress Security Recommendations
  • Add “Too many plugins check” to WordPress Security Recommendations
  • Add “File editing check” to WordPress Security Recommendations
  • Add “WordPress debug check” to WordPress Security Recommendations
  • Add “Basic hardening check” to WordPress Security Recommendations
  • Add a delete button on Last Logins sections
  • Add register of logs removal on Audit Logs
  • Fix display of Access File Integrity on NGINX/IIS servers
  • Remove PHP version check from hardening page

1.8.21

  • Add WordPress Security Recommendations section in the dashboard
  • Add PHP version check
  • Fix goo.gl links
  • Fix post_type pattern match to allow numbers and max of 20 chars
  • Fix Audit Logs queue timezone issue
  • Fix regex in template string replacement
  • Update translation file to include WordPress Security Recommendations section fields
  • Make the menu icon use the menu color styling
  • Remove block button from failed logins page

1.8.20

  • Add dynamic core directories in the hardening whitelist options
  • Modify scheduled tasks panel to load the table via Ajax
  • Allow hosting details display to be filterable
  • Preparation for translations

1.8.19

  • Add option to refresh the SiteCheck malware scan results
  • Add support for a CLI command to ignore files in the core integrity check
  • Fix text

1.8.18

  • Keep settings when the plugin is deactivated, unless the plugin is uninstalled

1.8.17

1.8.15

  • Make default plugin options filterable
  • Fix missing button to manually activate the advanced features
  • Remove unnecessary tags from README per WordPress guidelines
  • Modify resolution of the images to respect retina display

1.8.14

  • Add filter to allow automatic configuration of the settings

1.8.13

  • Add new version of the GPL v2 license file
  • Remove unused option to reduce number of failed logins
  • Fix multiple typos in the code found after a diff parse
  • Modify name of the base library file for consistency
  • Modify wording of the API key panel in the settings page
  • Add option to include the hostname in the alert subject
  • Fix open_basedir restriction not being considered on scans
  • Remove firewall API key deletion on re-authentication

1.8.12

  • Fix invalid array when deselecting all security alerts
  • Add language files to the list of ignored changes
  • Modify internal response to the log file not found error
  • Add option to force the firewall cache flush
  • Fix unexpected exception when open_basedir is in place
  • Add support to export and import trusted IP addresses
  • Add link to the audit logs API endpoint for developers
  • Add reverse ip address in all email alerts from visitor
  • Remove API key from the settings that can be exported
  • Modify code to make default plugin options filterable
  • Add ability to store the settings in the object cache
  • Add support for wp-cli and command to generate an API key
  • Fix missing documentation tags in the command line library
  • Fix format and coding standard in CSS and JavaScript files
  • Add button to toggle the visibility of the post-types table
  • Modify order of the added, modified, removed core files
  • Fix relative file path when ABSPATH points to root
  • Add additional notifications for changes on users

1.8.11

  • Modify Sucuri firewall detection with regular expressions
  • Modify option to force scanner to ignore directories
  • Modify form to monitor and ignore post-types
  • Modify miscellaneous changes in some alert messages
  • Modify error message displaying for invalid CSRF validations
  • Fix minor issues with the version detection code
  • Remove internationalization support for consistency
  • Add support for the RTL reading direction
  • Add API key in admin notice when it is being deleted
  • Fix modification date for corrupt core files
  • Fix audit log parser for incompatible JSON data
  • Fix password visibility when the option is changed

1.8.10

  • Version bump skipped

1.8.9

  • Remove duplicated failed user authentication log
  • Remove trailing forward slash from asset URL
  • Fix post-type ignore tool to allow hyphens in the ID
  • Fix queries to the database in the last logins page
  • Remove unnecessary option queries to the database
  • Fix PHP notice for a string offset cast occurred
  • Remove unnecessary data from the website info page
  • Modify timing for the execution of the Ajax requests

1.8.8

  • Add smart limit to send logs from the queue to the API
  • Add option to ignore events for post transitions
  • Fix infinite loop with email alerts and SMTP plugin
  • Add option to configure the malware scanner target URL
  • Add option to enable the auto clear cache firewall function
  • Modify status of the directory hardening using the Firewall
  • Modify error message in audit logs when the API key is missing
  • Modify timing for the dashboard alerts after an update
  • Modify firewall clear cache button to execute via Ajax
  • Modify firewall settings page to load data via Ajax
  • Add option to blacklist IP addresses with the Firewall API
  • Fix order of the audit logs when the queue is merged
  • Add more directories to ignore during the scans
  • Add option to customize the URL for the malware scans
  • Fix error interception for Firewall API errors
  • Add support for other English and Spanish based languages
  • Modify mechanism to ignore files from integrity checks
  • Add option to stop sending the failed login passwords
  • Modify default value for some of the alert settings
  • Remove unnecessary statistics panel for the audit logs
  • Modify output for the malware results to simplify links
  • Add option to override the timezone for the datetime
  • Add option to configure the WordPress checksums API
  • Add maximum execution time avoidance in the integrity tool
  • Add support to run diff on deleted WordPress files

1.8.7

  • Fix multiple issues with the API calls
  • Add queue system to fix website performance
  • Fix non-dismissable newsletter invitation message
  • Fix performance of the audit log parser without regexp
  • Add conditional to check for the availability of SPL
  • Add cache for the audit logs to make dashboard responsive
  • Modify frequency of the file system scans to run daily
  • Remove option to configure the maximum API timeout
  • Modify location of the scanner options and scheduled tasks
  • Add button to send the logs from the queue to the API

1.8.6

  • Add default language for internationalization fallback

1.8.5

  • Fix minor bugs after post-testing of the new release
  • Add full support for internationalization with en_US locale
  • Add full support for internationalization with es_ES locale

1.8.4

  • Modify the entire interface to offer a fresh design
  • Add support for internationalization via gettext
  • Modify the structure of the project for maintainability
  • Remove minified files to facilitate future contributions
  • Add warning message in the reset plugin tool page
  • Fix loading sequence for additional PHP files
  • Add restriction to prevent direct access to PHP files
  • Fix file search by name when the directory is passed
  • Add HTTP request parameters to track some settings
  • Fix reset plugin tool with the new WordPress API
  • Fix length of the pagination helper with many pages
  • Add performance boost for the failed logins page
  • Modify structure of the failed logins data analyzer
  • Fix deactivation of all the scheduled tasks from settings
  • Modify entire code base to enforce HTTPS over HTTP
  • Remove heartbeat settings after performance improvement
  • Remove unnecessary XHR event monitor and report
  • Remove deprecated functions from previous releases
  • Remove deprecated tool to scan for error_log files
  • Modify failed logins logger with wrong passwords
  • Remove plugin checksum dependency to avoid asset cache
  • Modify minimum PHP version in hardening page
  • Fix email alerts with non-existing site_url option
  • Add tool to import and export the plugin settings
  • Add uninstall instructions during deactivation of the plugin
  • Fix plugin reinstall procedure with backup and prechecks
  • Modify mechanism to ignore irrelevant WordPress core files
  • Modify list of available scheduled task frequencies
  • Fix lazy load of the CSS and Scripts on the correct pages
  • Add audit log message fixer for the wpephpcompat_jobs event
  • Fix website URL in the template for the email alerts
  • Add message in the core integrity tool for false positives
  • Add option to reset the content of some storage files
  • Add mechanism to display self-hosting logs as fallback
  • Fix incoherent failed login processor on pagination
  • Add option to display differences in core integrity checks
  • Modify the default and maximum timeout for the API
  • Fix static data storage path to allow server migrations
  • Add option to ignore non-registered custom post-types
  • Add more details into the event that monitors post deletions
  • Fix event monitor for plugin activation and deactivation
  • Fix dynamic directory tree deletion with improved performance
  • Fix automatic deletion of conflicting plugins
  • Add event monitor for all supported post status transitions
  • Add one-time newsletter invitation after plugin updates
  • Add code to delete legacy plugin options from database
  • Modify error on non-processed files in the integrity checks
  • Fix overflow of HTTP requests to SiteCheck API on failures
  • Fix handling of the actions in the core integrity checks
  • Add message and button to reset the audit logs cache
  • Add ajax request to load malware scans for performance

1.8.3

  • Removed goo.gl links
  • Fixed fatal error when PHPMailer failed
  • Fixed incorrect selected value in settings
  • Added SiteCheck for arbitrary domain
  • Various code cleanup

1.8.2

  • Modified logic of the settings in database checker
  • Modified default value for the available updates alerts
  • Fixed undefined array and object keys in audit logs
  • Fixed incompatibilities with foreign API service responses
  • Added development option to keep using the database
  • Added panel with information about the plugin settings
  • Added conditional to prevent redeclaration of class
  • Fixed cache flush method used to delete datastore

1.8.1

  • Modified default setting for the core integrity alerts
  • Added more files to the core integrity ignore list
  • Fixed support for custom data storage directory
  • Fixed admin notices after changing alert settings
  • Fixed settings and audit logs for the firewall page
  • Fixed regression with clear cache in firewall page

1.8.0

  • Added error message when storage is not writable
  • Fixed option getter to migrate plugin settings if possible
  • Fixed base directory name without PHP DIR constant
  • Fixed user authentication denial when no blocked users
  • Fixed htaccess standard rules checker with no WP_Rewrite

1.7.19

  • Added method to rescue HTTP requests using sockets
  • Fixed mishandled JSON data in audit logs Ajax request
  • Modified list of firewall features and promo video

1.7.18

  • Added options library using external file instead of the database
  • Modified API calls using custom HTTP request using Curl
  • Fixed core files marked as broken in a Windows server
  • Fixed pagination links in last and failed logins page
  • Fixed password with ampersands in email alert
  • Fixed whitelist hardening using the authz_core module
  • Removed unnecessary emails to reduce spam
  • Added constant to stop execution of admin init hooks
  • Added explanation for invalid emails and no MX records
  • Added link to open the form to insert the API key manually
  • Added more options in the IP discoverer setting
  • Added option to configure malware scanner timeout
  • Added option to configure the API communication protocol
  • Added option to reset the malware scanner cache
  • Added scheduled task and email alert for available updates
  • Added tool to block user accounts from attempting a login
  • Added tool to debug HTTP requests to the API services
  • Various minor adjustments and fixes

1.7.17

  • Added API service failback mechanism
  • Added core integrity email on force scan
  • Slight interface redesign
  • Various bugfixes and improvements

1.7.16

  • Fixing a low severity XSS (needs admin access to create it)

1.7.14

  • Added alternative method to send email alerts
  • Added button to reset options with explanation
  • Added suggestion for new users to check plugin settings
  • Allow mark as fixed non-writable core files
  • Fixed display menus items single or network panels
  • Fixed handle boolean values in PHP config retrieval
  • Fixed non-standard content location in core integrity
  • Fixed user identifier as integer on password reset
  • Modified css and js files to reduce size
  • Modified do not load resources on hidden sidebar
  • Modified fully redesign of general settings page
  • Modified hide update warning if versions are the same
  • Modified wording of post-types alert settings
  • Removed ellipsis of long IPv6 addresses in last logins
  • Removed unnecessary dns lookups in infosys page
  • Removed unnecessary monospace fonts in settings status
  • Removed unnecessary ssl verification option processor

1.7.13

  • Fixed issue affecting site performance
  • Fixed clear hardening of previous versions
  • Modified report and block non-processable ajax actions
  • Added configure DNS lookups for reverse proxy detection
  • Added option to configure comment monitor and logs
  • Added option to configure the XHR monitor and logs

1.7.12

  • Improved hardening options
  • Added more logging events
  • Various bugfixes and improvements

1.7.11

  • Reverted change for firewall detection to protect legacy users

1.7.10

  • Added better checks for SSL issues
  • Fix for audit log timezones
  • Various bugfixes and improvements

1.7.9

  • Improved reinstallation process
  • Updated sidebar banners
  • Various bugfixes and improvements

1.7.8

  • Fixed bug on the secret keys hardening.

1.7.7

  • Added better support for directory separators
  • Added option to remove API key from plugin
  • Various bugfixes and improvements

1.7.6

  • Added audit log reporting.
  • Added more settings for better control.
  • Added support for more actions.
  • Improved multisite support.
  • Added support for reverse proxies.
  • Various bugfixes and improvements.

1.7.5

  • Added better handling of API responses of remote scanner.

1.7.4

  • Added option for keeping failed logins until the user removes them.
  • Bugfixes for user reported issues.

1.7.3

  • Error log panel.
  • Various bug fixes.

1.7.2

  • Messaging and FAQ updates.

1.7.1

  • Fixed remote scanning that was not loading automatically on some installs.

1.7.0

  • Added Hardening option to remove error log files
  • Bug fixes on some new registrations.
  • Changed format of the internal logs to json.

1.6.9

  • Multiple bug fixes (as reported on the support forums).
  • Added heartbeat for the file scans.
  • Code cleanup.

1.6.8

  • Fixing interface.

1.6.7

  • Added Support for integrity checks on i18n installations.
  • Fixed the setting change bug.

1.6.6

  • Internal code cleanup and re-organization.
  • More white lists for the integrity checks.
  • Additional settings to customize some of the warnings.

1.6.5

  • Fixed integrity checking display.

1.6.4

  • Fixed API generation bug.

1.6.3

  • Added proper brute force alerts.
  • Added option to restrict number of emails.
  • Added more description to the emails.
  • Added a list of failed login attempts inside the last login tab.

1.6.2

  • Setting a maximum number of emails per hour.
  • Fixing typos.

1.6.1

  • Initial release with new auditing options.

1.6.0

  • A new dashboard to welcome users to the new features of the plugin.
  • Overall design of the interface of all the pages was modified.
  • SiteCheck scanner results were filled with more information.
  • SiteCheck scanner results markers when the site is infected/clean.
  • System Info page was simplified with tabulation containers.
  • Integrity check for administrator accounts was optimized.
  • Integrity check for outdated plugins/themes was optimized and merged.
  • IPv6 support in last logins statistics.

1.5.7

  • WordPress 3.9 compatibility

1.5.6

  • Added IPv6 support.
  • Fixed links and messaging.

1.5.5

  • Added list of logged in users.
  • Added system page.
  • Change the integrity checking to use WP API.

1.5.4

  • Bug fixes.

1.5.2

  • Adding additional information about .htaccess hacks and the server environment.

1.5.0

  • Fixing last login and giving better warnings on permission errors.
  • Making the integrity check messages more clear.

1.4.8

  • New and clean design for the scan results.
  • Adding a web firewall check on our hardening page.

1.4.7

  • Cleaning up the code a bit.
  • Only displaying last login messages to admin users.
  • Storing the logs into a log file instead of the db.

1.4.6

  • Increasing last login table to the last 100 entries.

1.4.5

  • Fixing some issues on the last login and allowing the option to disable it.

1.4.4

  • Small bug fixes + forcing a re-scan on every scan attempt (not using the cache anymore).

1.4.3

  • Fixing a few PHP warnings.

1.4.2

  • Fixing a few PHP warnings.

1.4.1

  • Small bug fixes.
  • Adding last IP to the last login page.

1.4

  • Added post-hack options (reset all passwords).
  • Added last-login.
  • Added more hardening and the option to revert any hardening done.

1.3

  • Removed some PHP warnings and code clean up.
  • Added WordPress integrity checks.
  • Added plugin/theme/user checks.

1.2.2

  • Tested on WP 3.5.1

1.2.1

  • Tested on WP 3.5-RC4
  • Style changes

1.2

  • Cleared PHP warnings
  • Added /inc directory
  • Added /lib directory
  • Logo added
  • Default stylesheet added
  • Header area added
  • Sidebar area added
  • Restyled 1-click hardening page
  • Removed old malware page

1.1.7

  • Tested on WP 3.5-RC3.

1.1.6

  • Upgrading for WP 3.3.

1.1.5

  • Removed PHP warnings / code cleaning.

1.1.3

  • Cleaning up the results.
  • Added 1-click hardening.

1.1.2

  • First release that is good to be used (debugging code removed).

1.1.1

  • First public release.