7 days of WordPress plugins, themes & templates - for free!* Unlimited asset downloads! Start 7-Day Free Trial
FREELessons: 10Length: 37 minutes

Next lesson playing in 5 seconds

  • Overview
  • Transcript

2.7 Install the Sucuri Plugin

In this lesson I’ll show you some of the settings and features of Sucuri, another powerful WordPress security plugin. You’ll see how to use Sucuri to protect your core WordPress files and to guard against brute-force login attempts.

Related Links

2.7 Install the Sucuri Plugin

Hello everyone. I am Reggie Dawson. Welcome to WordPress Security Tips Course with Tuts+. Now, the next security plugin Sucuri doesn't have as many options as Wordfence, but that's not necessarily a bad thing. It still offers a lot of protection but of course some of it's more advanced features are premium. Now, if we install Sucuri, we would get a new menu item. If we click on this menu item, the security dashboard will open. Don't mind the error you see, it's only because I'm using a local install of WordPress without a valid domain. The dashboard confirms the core integrity of WordPress. This is just a fancy way of saying that none of the files that make up the WordPress application itself have been altered in any way. I won't bother to generate an API keys since I cannot generate one without a valid domain anyway. Now the security firewall is similar to Wordfence and blocks different methods of intrusion to our WordPress site. Unfortunately, this is a premium feature and works with the use of the API key. Then the last login menu shows all the users, all the admin users, any logged-in users, any failed logins, and any blocked users. Now we can see the number of failed attempts here and blocked the user if we think it's a brute force attack. It seems that our only option is to send an alert when a threshold is met for failed logins but it will not automatically block the account like Wordfence will. Blocked users just lets us know what users we have blocked. Now in the Settings there is a lot that we can configure. General has the general settings of security. Most notably there is a scheduled tasks where we can schedule our different security checks to run. Scanner just configures how our different security scans will run. Now even though the good features, such as the firewall, are only available to the premium version, Hardening gives you some decent options to protect your site. Here we can verify our version of WordPress and PHP are up to date. It also make sure that the WordPress version is properly hidden. We can also protect our Upload Directory, restrict WP content access, and WP includes access. Another layer of protection I didn't mention was that you could actually manipulate the permissions of your directories where WordPress is installed. I didn't mention this because you really have to be careful doing this. This plugin has made it easy to protect some areas and files of WordPress that could be used to gain access to your site. Then we have Information Leakage, which determines if the readme.html file is present. This file leaks our WordPress version, which could be used to determine the best exploit to use against our site. Remember in an earlier video, we talked about using the Admin account? This plugin will actually make sure that this username is not in use. The plugin and theme editor can be disabled as another security measure to keep users from being able to edit these files. This plugin also automates this task for us. Then in the Whitelist Blocked PHP Files, any files that we have blocked by harming, we can whitelist them here if a theme or plugin needs them. Then the Post Hack tab allows us to take steps before a site gets hacked. First, to update security keys will allow us to generate security keys which are used to ensure better encryption of your information. And the Reset User Password tab, we can reset the passwords of any or all of our users. This will generate a new random password that is emailed to the user. The reset installed plugins will allow you to reinstall the plugins of your choice but premium plugins aren't reinstalled. Now as I mentioned previously, you should keep your plugins and themes updated. And available plugin and theme updates we can manage that from a central location. Even though this tab is labeled post-hack, is has a lot of uses even if our site wasn't compromised. Then in the Alerts we can configure how our alerts will be sent. Here is also where we set the threshold to be considered a brute force attack and when to send an alert. Again, this will not block it for us, we have to block the account manually. API service is used to configure how the API request work but since I am not using this we won't worry about it. The in the Website Info tab, we have general information about our WordPress installation. First, we have our Website Environment Variables. This gives you some information about how your WordPress is configured and how the server hosting it is set up. After that, we have our WordPress Configuration Variables. And the Access File Integrity. Now Sucuri seems to have less features, at least in the free version, than Wordfence. This doesn't mean that you should choose one over the other, as Sucuri has some good features in the hardening tab that are easy to use, and provide good protection. Again, it's all a matter of preference which one you choose, and I am just trying to make you aware of all of your options. In the next video, we will look at the I Team Security Plugin.

Back to the top