Sucuri Security / Monitoring

  • download count: 6 465 616
  • rating total: 339 users

Sucuri Security

Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.

The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)


  • Fix warning caused by humanTime function
  • Fix fatal error caused by cron jobs with nested arguments


  • Add Automatic Secret Keys Updater
  • Improve button’s and link’s messaging on Last Logins sections
  • Improve messaging on Hardening page
  • Improve messaging on IP Access page


  • Add “SSL existence check” to WordPress Security Recommendations
  • Add “Salt & Security Keys existence check” to WordPress Security Recommendations
  • Add “Salt & Security Keys age check” to WordPress Security Recommendations
  • Add “Admin account check” to WordPress Security Recommendations
  • Add “Single super-admin check” to WordPress Security Recommendations
  • Add “Too many plugins check” to WordPress Security Recommendations
  • Add “File editing check” to WordPress Security Recommendations
  • Add “WordPress debug check” to WordPress Security Recommendations
  • Add “Basic hardening check” to WordPress Security Recommendations
  • Add a delete button on Last Logins sections
  • Add register of logs removal on Audit Logs
  • Fix display of Access File Integrity on NGINX/IIS servers
  • Remove PHP version check from hardening page


  • Add WordPress Security Recommendations section in the dashboard
  • Add PHP version check
  • Fix links
  • Fix post_type pattern match to allow numbers and max of 20 chars
  • Fix Audit Logs queue timezone issue
  • Fix regex in template string replacement
  • Update translation file to include WordPress Security Recommendations section fields
  • Make the menu icon use the menu color styling
  • Remove block button from failed logins page


  • Add dynamic core directories in the hardening whitelist options
  • Modify scheduled tasks panel to load the table via Ajax
  • Allow hosting details display to be filterable
  • Preparation for translations


  • Add option to refresh the SiteCheck malware scan results
  • Add support for a CLI command to ignore files in the core integrity check
  • Fix text


  • Keep settings when the plugin is deactivated, unless the plugin is uninstalled



  • Make default plugin options filterable
  • Fix missing button to manually activate the advanced features
  • Remove unnecessary tags from README per WordPress guidelines
  • Modify resolution of the images to respect retina display


  • Add filter to allow automatic configuration of the settings


  • Add new version of the GPL v2 license file
  • Remove unused option to reduce number of failed logins
  • Fix multiple typos in the code found after a diff parse
  • Modify name of the base library file for consistency
  • Modify wording of the API key panel in the settings page
  • Add option to include the hostname in the alert subject
  • Fix open_basedir restriction was not considered on scans
  • Remove firewall API key deletion on re-authentication


  • Fix invalid array when deselecting all security alerts
  • Add language files to the list of ignored changes
  • Modify internal response to the log file not found error
  • Add option to force the firewall cache flush
  • Fix unexpected exception when open_basedir is in place
  • Add support to export and import trusted IP addresses
  • Add link to the audit logs API endpoint for developers
  • Add reverse IP address in all email alerts from visitor
  • Remove API key from the settings that can be exported
  • Modify code to make default plugin options filterable
  • Add ability to store the settings in the object cache
  • Add support for wp-cli and command to generate an API key
  • Fix missing documentation tags in the command line library
  • Fix format and coding standard in CSS and JavaScript files
  • Add button to toggle the visibility of the post-types table
  • Modify order of the added, modified, removed core files
  • Fix relative file path when ABSPATH points to root
  • Add additional notifications for changes on users


  • Modify Sucuri firewall detection with regular expressions
  • Modify option to force scanner to ignore directories
  • Modify form to monitor and ignore post-types
  • Modify miscellaneous changes in some alert messages
  • Modify error message displaying for invalid CSRF validations
  • Fix minor issues with the version detection code
  • Remove internationalization support for consistency
  • Add support for the RTL reading direction
  • Add API key in admin notice when it is being deleted
  • Fix modification date for corrupt core files
  • Fix audit log parser for incompatible JSON data
  • Fix password visibility when the option is changed


  • Version bump skipped


  • Remove duplicated failed user authentication log
  • Remove trailing forward slash from asset URL
  • Fix post-type ignore tool to allow hyphens in the ID
  • Fix queries to the database in the last logins page
  • Remove unnecessary option queries to the database
  • Fix PHP notice for a string offset cast occurred
  • Remove unnecessary data from the website info page
  • Modify timing for the execution of the Ajax requests


  • Add smart limit to send logs from the queue to the API
  • Add option to ignore events for post transitions
  • Fix infinite loop with email alerts and SMTP plugin
  • Add option to configure the malware scanner target URL
  • Add option to enable the auto clear cache firewall function
  • Modify status of the directory hardening using the Firewall
  • Modify error message in audit logs when the API key is missing
  • Modify timing for the dashboard alerts after an update
  • Modify firewall clear cache button to execute via Ajax
  • Modify firewall settings page to load data via Ajax
  • Add option to blacklist IP addresses with the Firewall API
  • Fix order of the audit logs when the queue is merged
  • Add more directories to ignore during the scans
  • Add option to customize the URL for the malware scans
  • Fix error interception for Firewall API errors
  • Add support for other English and Spanish based languages
  • Modify mechanism to ignore files from integrity checks
  • Add option to stop sending the failed login passwords
  • Modify default value for some of the alert settings
  • Remove unnecessary statistics panel for the audit logs
  • Modify output for the malware results to simplify links
  • Add option to override the timezone for the datetime
  • Add option to configure the WordPress checksums API
  • Add maximum execution time avoidance in the integrity tool
  • Add support to run diff on deleted WordPress files


  • Fix multiple issues with the API calls
  • Add queue system to fix website performance
  • Fix non-dismissable newsletter invitation message
  • Fix performance of the audit log parser without regexp
  • Add conditional to check for the availability of SPL
  • Add cache for the audit logs to make dashboard responsive
  • Modify frequency of the file system scans to run daily
  • Remove option to configure the maximum API timeout
  • Modify location of the scanner options and scheduled tasks
  • Add button to send the logs from the queue to the API


  • Add default language for internationalization fallback


  • Fix minor bugs after post-testing of the new release
  • Add full support for internationalization with en_US locale
  • Add full support for internationalization with es_ES locale


  • Modify the entire interface to offer a fresh design
  • Add support for internationalization via gettext
  • Modify the structure of the project for maintainability
  • Remove minified files to facilitate future contributions
  • Add warning message in the reset plugin tool page
  • Fix loading sequence for additional PHP files
  • Add restriction to prevent direct access to PHP files
  • Fix file search by name when the directory is passed
  • Add HTTP request parameters to track some settings
  • Fix reset plugin tool with the new WordPress API
  • Fix length of the pagination helper with many pages
  • Add performance boost for the failed logins page
  • Modify structure of the failed logins data analyzer
  • Fix deactivation of all the scheduled tasks from settings
  • Modify entire code base to enforce HTTPS over HTTP
  • Remove heartbeat settings after performance improvement
  • Remove unnecessary XHR event monitor and report
  • Remove deprecated functions from previous releases
  • Remove deprecated tool to scan for error_log files
  • Modify failed logins logger with wrong passwords
  • Remove plugin checksum dependency to avoid asset cache
  • Modify minimum PHP version in hardening page
  • Fix email alerts with non-existing site_url option
  • Add tool to import and export the plugin settings
  • Add uninstall instructions during deactivation of the plugin
  • Fix plugin reinstall procedure with backup and prechecks
  • Modify mechanism to ignore irrelevant WordPress core files
  • Modify list of available scheduled task frequencies
  • Fix lazy load of the CSS and Scripts on the correct pages
  • Add audit log message fixer for the wpephpcompat_jobs event
  • Fix website URL in the template for the email alerts
  • Add message in the core integrity tool for false positives
  • Add option to reset the content of some storage files
  • Add mechanism to display self-hosting logs as fallback
  • Fix incoherent failed login processor on pagination
  • Add option to display differences in core integrity checks
  • Modify the default and maximum timeout for the API
  • Fix static data storage path to allow server migrations
  • Add option to ignore non-registered custom post-types
  • Add more details into the event that monitors post deletions
  • Fix event monitor for plugin activation and deactivation
  • Fix dynamic directory tree deletion with improved performance
  • Fix automatic deletion of conflicting plugins
  • Add event monitor for all supported post status transitions
  • Add one-time newsletter invitation after plugin updates
  • Add code to delete legacy plugin options from database
  • Modify error on non-processed files in the integrity checks
  • Fix overflow of HTTP requests to SiteCheck API on failures
  • Fix handling of the actions in the core integrity checks
  • Add message and button to reset the audit logs cache
  • Add ajax request to load malware scans for performance


  • Removed links
  • Fixed fatal error when PHPMailer failed
  • Fixed incorrect selected value in settings
  • Added SiteCheck for arbitrary domain
  • Various code cleanup


  • Modified logic of the settings in database checker
  • Modified default value for the available updates alerts
  • Fixed undefined array and object keys in audit logs
  • Fixed incompatibilities with foreign API service responses
  • Added development option to keep using the database
  • Added panel with information about the plugin settings
  • Added conditional to prevent redeclaration of class
  • Fixed cache flush method used to delete datastore


  • Modified default setting for the core integrity alerts
  • Added more files to the core integrity ignore list
  • Fixed support for custom data storage directory
  • Fixed admin notices after changing alert settings
  • Fixed settings and audit logs for the firewall page
  • Fixed regression with clear cache in firewall page


  • Added error message when storage is not writable
  • Fixed option getter to migrate plugin settings if possible
  • Fixed base directory name without PHP DIR constant
  • Fixed user authentication denial when no blocked users
  • Fixed htaccess standard rules checker with no WP_Rewrite


  • Added method to rescue HTTP requests using sockets
  • Fixed mishandled JSON data in audit logs Ajax request
  • Modified list of firewall features and promo video


  • Added options library using external file instead of the database
  • Modified API calls using custom HTTP request using Curl
  • Fixed core files marked as broken in a Windows server
  • Fixed pagination links in last and failed logins page
  • Fixed password with ampersands in email alert
  • Fixed whitelist hardening using the authz_core module
  • Removed unnecessary emails to reduce spam
  • Added constant to stop execution of admin init hooks
  • Added explanation for invalid emails and no MX records
  • Added link to open the form to insert the API key manually
  • Added more options in the IP discoverer setting
  • Added option to configure malware scanner timeout
  • Added option to configure the API communication protocol
  • Added option to reset the malware scanner cache
  • Added scheduled task and email alert for available updates
  • Added tool to block user accounts from attempting a login
  • Added tool to debug HTTP requests to the API services
  • Various minor adjustments and fixes


  • Added API service failback mechanism
  • Added core integrity email on force scan
  • Slight interface redesign
  • Various bugfixes and improvements


  • Fixing a low severity XSS (needs admin access to create it)


  • Added alternative method to send email alerts
  • Added button to reset options with explanation
  • Added suggestion for new users to check plugin settings
  • Allow mark as fixed non-writable core files
  • Fixed display menus items single or network panels
  • Fixed handle boolean values in PHP config retrieval
  • Fixed non-standard content location in core integrity
  • Fixed user identifier as integer on password reset
  • Modified css and js files to reduce size
  • Modified do not load resources on hidden sidebar
  • Modified fully redesign of general settings page
  • Modified hide update warning if versions are the same
  • Modified wording of post-types alert settings
  • Removed ellipsis of long IPv6 addresses in last logins
  • Removed unnecessary dns lookups in infosys page
  • Removed unnecessary monospace fonts in settings status
  • Removed unnecessary ssl verification option processor


  • Fixed issue affecting site performance
  • Fixed clear hardening of previous versions
  • Modified report and block non-processable ajax actions
  • Added configure DNS lookups for reverse proxy detection
  • Added option to configure comment monitor and logs
  • Added option to configure the XHR monitor and logs


  • Improved hardening options
  • Added more logging events
  • Various bugfixes and improvements


  • Reverted change for firewall detection to protect legacy users


  • Added better checks for SSL issues
  • Fix for audit log timezones
  • Various bugfixes and improvements


  • Improved reinstallation process
  • Updated sidebar banners
  • Various bugfixes and improvements


  • Fixed bug on the secret keys hardening.


  • Added better support for directory separators
  • Added option to remove API key from plugin
  • Various bugfixes and improvements


  • Added audit log reporting.
  • Added more settings for better control.
  • Added support for more actions.
  • Improved multisite support.
  • Added support for reverse proxies.
  • Various bugfixes and improvements.


  • Added better handling of API responses of remote scanner.


  • Added option for keeping failed logins until the user removes them.
  • Bugfixes for user reported issues.


  • Error log panel.
  • Various bug fixes.


  • Messaging and FAQ updates.


  • Fixed remote scanning that was not loading automatically on some installs.


  • Added Hardening option to remove error log files
  • Bug fixes on some new registrations.
  • Changed format of the internal logs to json.


  • Multiple bug fixes (as reported on the support forums).
  • Added heartbeat for the file scans.
  • Code cleanup.


  • Fixing interface.


  • Added Support for integrity checks on i18n installations.
  • Fixed the setting change bug.


  • Internal code cleanup and re-organization.
  • More white lists for the integrity checks.
  • Additional settings to customize some of the warnings.


  • Fixed integrity checking display.


  • Fixed API generation bug.


  • Added proper brute force alerts.
  • Added option to restrict number of emails.
  • Added more description to the emails.
  • Added a list of failed login attempts inside the last login tab.


  • Setting a maximum number of emails per hour.
  • Fixing typos.


  • Initial release with new auditing options.


  • A new dashboard to welcome users to the new features of the plugin.
  • Overall design of the interface of all the pages was modified.
  • SiteCheck scanner results were filled with more information.
  • SiteCheck scanner results markers when the site is infected/clean.
  • System Info page was simplified with tabulation containers.
  • Integrity check for administrator accounts was optimized.
  • Integrity check for outdated plugins/themes was optimized and merged.
  • IPv6 support in last logins statistics.


  • WordPress 3.9 compatibility


  • Added IPv6 support.
  • Fixed links and messaging.


  • Added list of logged in users.
  • Added system page.
  • Change the integrity checking to use WP API.


  • Bug fixes.


  • Adding additional information about .htaccess hacks and the server environment.


  • Fixing last login and giving better warnings on permission errors.
  • Making the integrity check messages more clear.


  • New and clean design for the scan results.
  • Adding a web firewall check on our hardening page.


  • Cleaning up the code a bit.
  • Only displaying last login messages to admin users.
  • Storing the logs into a log file instead of the db.


  • Increasing last login table to the last 100 entries.


  • Fixing some issues on the last login and allowing the option to disable it.


  • Small bug fixes + forcing a re-scan on every scan attempt (not using the cache anymore).


  • Fixing a few PHP warnings.


  • Fixing a few PHP warnings.


  • Small bug fixes.
  • Adding last IP to the last login page.


  • Added post-hack options (reset all passwords).
  • Added last-login.
  • Added more hardening and the option to revert any hardening done.


  • Removed some PHP warnings and code clean up.
  • Added WordPress integrity checks.
  • Added plugin/theme/user checks.


  • Tested on WP 3.5.1


  • Tested on WP 3.5-RC4
  • Style changes


  • Cleared PHP warnings
  • Added /inc directory
  • Added /lib directory
  • Logo added
  • Default stylesheet added
  • Header area added
  • Sidebar area added
  • Restyled 1-click hardening page
  • Removed old malware page


  • Tested on WP 3.5-RC3.


  • Upgrading for WP 3.3.


  • Removed PHP warnings / code cleaning.


  • Cleaning up the results.
  • Added 1-click hardening.


  • First release that is good to be used (debugging code removed).


  • First public release.