
Sucuri vs Wordfence: The best security plugin for your WordPress website

Wordfence and Sucuri are both heavyweight champions among WordPress security plugins. They inevitably come up in any conversation on the subject, and people are divided over which one is the best security plugin.

Sucuri has a popular online scanner that website admins use widely to detect malware. Their plugin also has a server-side scanner, a firewall and several other security features. Sucuri offers unlimited malware removal on all of its plans.

Wordfence is the clear leader among WordPress security plugins. The team supplements the plugin with a lot of educational content to help admins understand how to protect their websites from hackers. The plugin has a scanner and a firewall, and can remove some malware too. They also have a malware removal service, but it is an on-demand premium feature.

To answer which one is better in the Sucuri vs Wordfence battle, we tested both plugins extensively. As you will see in the rest of the article, the tests were designed to break the plugins, so that you can make the best decision for your website's security.

5 security plugins, 3 websites, 45 days, lots of malware. The results were conclusive.

Rating Sucuri vs Wordfence is not a simple question. Both have malware scanners and firewalls. Wordfence has an auto-cleaner and an expensive malware removal service, whereas Sucuri offers unlimited cleanups with its plans. After weighing all the factors, Wordfence is the clear winner. Read on to find out more.

Our pick

For this series, we built 3 test websites. The second is a site with vulnerable plugins and themes of varying obscurity. The last is a site loaded with many different kinds of malware.

There are many criteria for an effective plugin, but we wanted to focus on one simple question: does the plugin protect a website well against hackers and malware?

After 45 days, we had our answer. For 4 of the 5 plugins, the answer was no. One plugin won on every count. That plugin is MalCare.

MalCare has the best malware scanner, finding malware in files, the database and folders no matter how well it is hidden. It has an auto-cleaner that actually works, removing only the malware with surgical precision. Finally, it has an advanced firewall that blocks the threats that could exploit your website.

The best security plugin for a WordPress site is, hands down, MalCare.

Sucuri vs Wordfence: comparison summary

In this head-to-head, Wordfence is the winner. We have to admit it was a close call, because Sucuri has its strong points too.


Wordfence's weaknesses are Sucuri's strengths and vice versa, so it is easy to see why people get so passionate about which one is better. Depending on their personal experience, people will champion whichever plugin solved their particular problem.

Because of this, there is no objective answer as to which one is better for all WordPress sites overall. And our answer to that is: you can have both. There is no need to compromise on one aspect of security or another. Sign up for MalCare and get everything.

Wordfence in brief

Wordfence is the best security plugin for WordPress sites after MalCare. The free version is robust, with strong security features. The scanner detects most file-based malware and can repair most of what it detects. The firewall is one of the most up-to-date around and blocks many threats. The downsides are that Wordfence degrades website performance significantly, and that its malware removal service is expensive.


Wordfence's scanner was able to detect all the file-based malware that we had injected into free plugins and themes. If that sounds oddly specific, it's because it is. It did not detect malware in the database, or malware injected into premium plugins and themes. This is because the file-matching detection mechanism Wordfence uses relies heavily on publicly available code.

The scan results showed malware and vulnerabilities in the installed themes and plugins. Amusingly, Wordfence flagged some premium plugins as malware or errors. We can see that these are false positives because we are used to digging through WordPress code. However, some website admins might end up removing perfectly viable plugins because of this.

There was also an option to automatically repair malware-infected files once the scan results were shown. We tried it and it worked: all the detected malware was removed from the website. Of course, malware it failed to detect in the first place cannot be repaired.


Next we tried the firewall. It was effective at blocking many of the threats we threw at it. However, every time the firewall blocked a threat, we received an alert. We got so many alerts during testing that we can imagine what would happen on a live site: admins would be overwhelmed and miss the important alerts.

Beyond these three main criteria, there are many other options available in Wordfence. Brute force protection is excellent, and two-factor authentication works like a charm.

What really lifted the plugin a few notches was its outstanding usability. Wordfence is a complex security plugin, but it is easy for beginners to approach. With the way the dashboard is laid out, with tips and relevant documentation, anyone can configure the security plugin without accidentally rendering their site unusable. In our opinion this is a big plus, especially in contrast to Sucuri, as you will see later.

Surprisingly, Wordfence has no activity log. We found this very odd. But the real dealbreaker is the resource drain. Every time it ran on a website, disk usage spiked and website performance plummeted. Many web hosts have banned Wordfence for this reason.

In short, Wordfence is an excellent security plugin with serious flaws. MalCare, with all of the advantages and none of the shortcomings, is the way to go.

Sucuri in brief

Sucuri has an excellent firewall, and its malware removal service was great. However, the malware scanner failed to detect malware that their team later removed. A security plugin whose malware scanner does not work is not effective.

Sucuri is the only other plugin that could possibly be considered alongside MalCare and Wordfence, because it at least functions as a security plugin some of the time. Jetpack and iThemes were write-offs.


It is arguably one of the most popular security plugins, yet it still fails at a fundamental area: malware scanning. As you will see later, their malware removal service is top-notch. They were efficient and prompt, got back to us faster than expected, and did a good job of cleaning the website. But had it not been a test website that we built and filled with malware ourselves, we would never have known about the infection in the first place, because the scanner gave the hacked site a clean bill of health. So in practice, Sucuri is a classic case of putting the cart before the horse: to clean a site you need to know it has been hacked, but there is no way to know that with Sucuri's scanner.

Moving on, the firewall worked well. It blocked attacks like SQL injection and remote code execution easily and consistently. However, setting it up was a nightmare. Because we were using test sites, we had a great deal of trouble changing the nameservers to point to Sucuri's firewall IP rather than to the test site. If any of that last sentence makes no sense to you, that's fine. It also took a long time to configure. To be fair, these difficulties would not arise on a live site, but configuring it on a staging or local site? Expect problems.

We were already frustrated with the firewall by the time we looked at the other configuration options. Why is everything so complicated? The language is confusing, and in some cases downright obscure. And that was before we realised that each security scan was slowing down the test website. When we checked server disk usage, there was a startling spike.

Sucuri uses the site's resources to scan for malware with a scanner that doesn't work. So it fails to do what it is supposed to do, and still degrades site performance. Not a good look for Sucuri.

Which security plugin is worth it?

WordPress security advice is usually well-meaning, but it is often bad advice. We hear that a website has never been hacked, that the plugins are updated regularly, that the passwords are good and that no nulled software is used. That is enormous luck. If GoDaddy can have a data breach, so can your website.

The crux of the matter is how to choose a good security plugin. We drew up a list of essentials, leaving out anything that is not related to security.

  • Essential security features
    • Malware scanning
    • Malware removal
    • Firewall
  • Good-to-have security features
    • Vulnerability detection
    • Brute force login protection
    • Activity log
    • Two-factor authentication
  • Potential problems
    • Impact on server resources

As you can see, there are only 3 essential features to worry about. A security plugin should be great at these 3 things: malware scanning, malware cleaning, and firewall. Everything else is gravy. We aren’t putting down brute force protection or two-factor authentication, because those are important too. But you can get other plugins for that functionality.

MalCare is the only security plugin that has great malware scanning and cleaning capabilities, and an advanced firewall that keeps out threats. Every other plugin fails in one place or the other.

Sucuri vs Wordfence: Head-to-head comparison of features

Choosing the right security plugin can be a bewildering experience, especially when you have to test drive each one for efficacy, hoping all the while that it works.

In this section, we have presented our testing results organised by feature. Comparing and contrasting the same features across plugins gives a clearer picture of the effectiveness of the security plugin.

We have spelt out our results as fairly and transparently as possible, with the view to helping people make a better choice for their websites. However, if you want to secure your websites quickly, install MalCare instead and skip to the end.

Malware scanning

Sucuri has 2 scanners: an online one called SiteCheck, and a server-level one that is part of the plugin. Neither detected malware. Wordfence has a decent malware scanner, which can detect malicious scripts in core files and folders, and those in free plugins and themes. However, it missed malware in the database and in premium plugins and themes.

We often recommend Sucuri SiteCheck as a first-level diagnostic for malware, in case someone suspects their WordPress has been hacked. It cannot scan the full website, but it can identify common malware infections quickly, and without the need of installing a plugin for the express purpose.


We had greater expectations of the server-level scanner, considering it would have full access to the website. The installation is a little different compared to other plugins, because the scanner needs to be installed onto your web server. This can be done manually, or by entering FTP details on your dashboard. We finished the installation and waited for the scan to complete.

A considerable time later, the scan completed and our malware-ridden website was apparently free of hacks. We ran the scan a second time to see if there had been a mistake the first time around. Nope, still no malware according to Sucuri. A major failure.


On installation, Sucuri is set up to run once daily, but you can request on-demand scans. The requests are queued and then executed based on availability. The plugin itself will warn you that scanning your website will use up server resources, and therefore impact the performance of your website. Honestly, that is terrible because security shouldn’t come at the expense of performance and user experience. We will go into that in greater detail in another section.

Wordfence also runs a scan automatically on installation. There was a little confusion here though, because we assumed the percentage circle on the dashboard was the scanner’s progress. After we saw that it hadn’t moved past 60% for a few hours, we looked more closely and realised it was a measurement of scanner efficiency. To get to 100%, you need to upgrade the plugin.


We restarted the scanner to benchmark how much time it took, and because our test sites are small, the scanner was done in less than a minute. That is definitely a plus. The scan results were only above average though, not perfect, because it detected most of the malware, not all of it.

The reason for this is that Wordfence uses signature matching to detect malware. This means the Wordfence scanner compares your website’s code to a database of malware signatures. If there is a match, the scanner flags it as malware. While Wordfence has a formidable malware database, which they update regularly based on their security research, it can never be 100% complete, because the team would need to have seen the malware to add it to the database, and regardless of how comprehensive the research is, new malware shows up all the time.

Therefore, Wordfence is adept at picking up malware found in WordPress core files and folders, as well as malicious scripts in free plugins and themes. But it cannot detect malware in premium software, like Elementor for instance, because Wordfence does not have access to the source code for analysis. For the same reason, Wordfence also fails at detecting malware in the database, because that requires a mechanism beyond signature matching to discover.


That being said, Wordfence detected all our file-based malware. By our estimation, it is able to detect 70 to 80% of malware. It is prone to false positives as well, and tends to generate a ton of alerts. We will get to that in a separate section as well.

Malware cleaning

Wordfence has an auto-repair feature to clean malware, but the efficacy is debatable for more complex malware. They have a premium malware removal service but it can gouge a hole in the pocket at $490 per site. Sucuri on the other hand has an unlimited manual malware cleaning service included with all their plans.

Even though Sucuri’s scanner said our site didn’t have malware—which it definitely did—we requested a cleanup, not expecting a lot. However, the site came back to us spotless. We ran it through MalCare to check. Oddly enough, after the Sucuri team had cleaned our site, the scanner flagged malware on it. Clearly, a bug somewhere.

The malware removal service was very prompt. Although our plan guaranteed a response in 30 hours, we got a cleaned site back in less than 10. That’s terrific. The only caution we would want to point out is that, when you have a hacked site, time is of the essence. You cannot afford to have malware languishing on your website for long. Just to underscore how important it is to act fast, Google blacklist also measures your response time to notifications of malware.


For malware removal, you need to request a cleanup from Sucuri. Fill out a form with all the information you can provide, and the team takes over from there. We got a message back from Sucuri with a post-hack checklist with great recommendations. So overall, the malware cleaning feature with Sucuri is a thumbs up.

Wordfence has 2 options for dealing with hacked files on the dashboard: delete all deletable files and repair all repairable files. This is apart from a CTA suggesting we opt for their expert cleaning service.

We tried both options, and they were both fairly successful at removing the malware off of our website. The problem is that the automatic removal is preceded by dire warnings of the site breaking due to changes.


Our test sites are backed up on BlogVault, and frankly we weren’t all that fussed about them breaking. While we were able to power through without too much thought, it is because we were interested in testing the repair feature. However, the case would be very different for, say, someone’s ecommerce store or a high-traffic website.

In our testing series, we usually stopped at this point because most of the other security plugins failed. Wordfence cleaned all the file-based malware from our website, so we tried the feature with database malware and some in our premium plugins. The scanner wasn’t able to detect this lot of malware, and therefore automatic repair wasn’t even an option.

The other alternative was to request malware removal. The service purports to remove malware, backdoors, and do a security audit of the website, assessing for vulnerabilities. In case your site has landed on a blacklist, Wordfence will help get rid of that as well. The service is guaranteed for a year, contingent on whether the site admin has followed the post-hack recommendations to the letter. Please note: We cannot speak to the efficacy of Wordfence’s malware removal service, as we didn’t try it out.

On the other hand, we used MalCare to remove all the malware automatically, and we were able to do so without an issue. No dire warnings, no missed malware, and our site was squeaky clean in minutes. That’s the sort of malware cleaning that we want for our website.

Firewall

Both Sucuri and Wordfence have great firewalls which block out most common and major threats. But Sucuri’s firewall was a nightmare to install, and Wordfence’s free firewall worryingly gets updates later than their premium version.

Sucuri’s firewall kept out attacks like SQL injections, remote injections and cross-site scripting attacks. Our test website had a ton of vulnerabilities, like unsecured file uploads for instance, and remained safe behind the firewall.


Our issue with Sucuri’s firewall was its installation. To use the firewall, you need to point your traffic to their nameservers, so that the bad traffic is filtered out and only good traffic is sent forward to your website. Excellent idea, but what a nightmare to configure. Our test websites weren’t attached to any domain registrars, so we had to enlist the engineering team to figure this out.


Wordfence’s firewall also works out of the box, and keeps out attacks successfully.

Straight after installation, the firewall went into learning mode. Wordfence recommended that we leave learning mode on for a week. This is fair, because firewalls need live traffic to learn how to be effective. However, because we don’t have live traffic to our test websites, we saw little point in waiting for a week and turned it off right away.


With Wordfence, the free firewall is supposedly only 35% effective. This is not an assumption on our part, but is actually stated on the dashboard. We dug a little deeper to figure out why that might be the case. There are 2 reasons:

One: the free firewall loads like a plugin, after WordPress has finished loading. Load order affects security significantly, because if the firewall loads after WordPress core, it can keep out only some malicious traffic, not all of it.

Two: while Wordfence has the most updated firewall, the premium version receives those updates in real time. The free version however receives updates after an unspecified length of time. We have no way of knowing what the delay is, but it is potentially problematic. Hackers can strike in that window, after all.

The biggest giveaway is that Wordfence themselves rank their free firewall at 35% effective compared to their premium version. Not great.

Vulnerability detection

Wordfence did a superb job of detecting all the vulnerabilities on our website. Sucuri missed the obscure ones altogether.

We were impressed to see that Wordfence alerted us to all the out-of-date plugins as medium threats. The vulnerabilities were flagged correctly as critical threats. Other security plugins tripped up on the more obscure plugins and themes, not alerting us at all to their serious vulnerabilities like cross-site scripting in one case. So Wordfence came up trumps here.

It isn’t possible to fix vulnerabilities directly from the Wordfence dashboard, but that makes sense. Fixing vulnerabilities essentially means updating the plugin or theme, and that functionality is already easily available on wp-admin. Unless Wordfence had a visual regression like MalCare to make sure the update didn’t break the site, there is no point in replicating an existing feature.

Wordfence also threw up errors for iThemes and Backupbuddy. This is indicative of their tendency to flag false positives on the website.


Sucuri detected all but the most obscure vulnerabilities on our test websites. You can update your outdated software from the Sucuri dashboard though, unlike Wordfence. We don’t really see the utility, since updates are easily possible through wp-admin.

The post-hack tab lists out versions of the installed plugins and themes, alongside their latest versions. Sucuri cautions against continuing with out-of-date software because they can lead to malware infections.

Interestingly, even Sucuri’s malware removal service was only able to detect some of the vulnerabilities on our website. Given our experience with the scanner, we thought that the removal service would do a better job of detecting vulnerabilities. That doesn’t appear to be the case.

Brute force login protection

Wordfence does an excellent job of blocking all brute force attacks. Sucuri’s login protection feature doesn’t seem to work.

Brute force protection is enabled by default on Wordfence. It works perfectly each time, locking out users with too many incorrect attempts, based on the configuration we set on the dashboard.

You’ll find the settings in the firewall section. There are plenty of things to customise in the options menu: setting lockouts for incorrect login attempts; how long a user is locked out for; and so on. The options aren’t overwhelming, and Wordfence explains each one cogently and with great documentation.


You can set password management options here too, making sure to enforce strong passwords, and preventing the use of passwords discovered in a data breach.


It is possible to whitelist IPs in this section, but we are ambivalent about their effectiveness. Device IPs are dynamic, so having an allowlist doesn’t guarantee that a legitimate user isn’t locked out.

Sucuri’s brute force protection didn’t work as expected. We didn’t experience a lockout, nor was there a captcha to make sure that we were humans not bots. We didn’t get alerts, even though the attacks showed up in the audit logs. Overall, the feature was a washout.


You wouldn’t think that to see the configuration options on the dashboard though. There were so many options, we were reeling after a point. All in all, we’d prefer fewer options with a feature that works, rather than the opposite.

Activity log

Sucuri has an audit log, but it can be hard to comprehend. Wordfence doesn’t have an activity log.

Sucuri has an audit log which tracks all user actions, and plugin and theme changes. The logs will show all changes made to files and tables, which is good.

The logs have necessary information like user, action, timestamp, etc. But in some cases, the entries are very difficult to understand. For instance, to test the logs, we installed a gallery plugin. The resulting entries on the audit log show 7 different changes. It wasn’t clear from the entries what the change was, why it was happening, or who was responsible. Therefore, the audit log is next to useless to anyone who doesn’t speak Sucuri.


We were surprised to see that Wordfence doesn’t have an activity log, considering it is one of the pillars of website security. There is an option to enable debugging in the Diagnostics section of the Tools menu, which causes the firewall logs to become more verbose, but that’s not the same thing as an activity log.

After much digging, we discovered an activity log specifically for Wordfence events in the Scan section. It is a raw log though, clearly intended for Wordfence developers only.


Two-factor authentication

Wordfence has a great two-factor authentication feature. Sucuri doesn’t support it on your website.

Wordfence two-factor authentication works out of the box, with an easy set of options to customise the experience. It used to be a premium feature, but has since been added to the free plugin as well.


Sucuri doesn’t support two-factor authentication for your website, but you can secure your Sucuri account with it.


Server resource usage

Both Sucuri and Wordfence are resource hogs. We saw unmistakeable blips in disk usage with scans and because of the firewall.

This is one factor where there is nothing to choose between Wordfence and Sucuri: they both did equally badly.

Every single action these plugins perform on your website consumes server resources. Our websites are relatively small, and we saw the disk usage double and sometimes triple when we set up scans. This impacted load time, response time and the overall experience on the website.


If you have a WooCommerce website, or one with high-traffic, this effect will be noticeable to your users. If you are on shared hosting, your web host will raise flags and your hosting expenses can potentially increase. In fact, many web hosts have banned Wordfence for this very reason.

While people rarely talk about server resources when discussing security, it is an important factor. No one should have to compromise on either performance or security. It is entirely possible to optimise both.

Not with Sucuri or Wordfence, though. For that, you’ll need MalCare.

Alerts

Both Sucuri and Wordfence are notorious for innumerable alerts and false positives.

We are firm believers in taking the burden off our customers when it comes to WordPress administration. Firewalls should block traffic quietly. Bot protection should work out of the box. Admin should only be alerted if there is something that needs their attention and action. WordPress security should be stress-free and easy, otherwise what is the point of a security plugin?


Apparently neither Sucuri nor Wordfence subscribe to this school of thought, because their alerts are overwhelming. Our inboxes were flooded in no time at all. Too many alerts is as bad as no alerts, because ultimately both lead to inaction when necessary.

Installation, configuration, and usability

Wordfence is designed to be very straightforward for a novice user. Sucuri is not.

Wordfence’s installation, configuration and overall use is one of the best we have ever seen. There are walkthroughs on each major section, explaining the most important settings and features in simple, non-threatening language.

Wordfence has great recommendations for configuration. Their documentation is accessible from the tooltips on the dashboard, making it highly contextual. Each feature is clearly explained, and instructions on how to make it work on your website are instantly accessible.


These may seem like odd things to point out. However, if you have ever tried Sucuri, you realise that ease of understanding is a non-trivial part of any user experience. In fact, if we had to describe Sucuri in one word, that word would be bewildering.

Installing Sucuri was easy, and it went downhill from there. To use the server-side scanner and firewall, you have to configure them manually. There are so many options that we spent hours trying to make sense of them, in addition to figuring out if they had any real impact on security.


Overall, these two plugins are at opposite ends of the spectrum.

Wordfence: Extras

Wordfence is strictly security. There isn’t a single feature, option or line that is even security-adjacent, like updates or user management options. In spite of that, there are several extras.

There was a notifications section for site updates, which showed us which plugins and themes needed to be updated on priority because they were either critical or medium threats.

Wordfence has an external dashboard to manage multiple sites on the same account called Wordfence Central. It has an accompanying section on the wp-admin of each connected site as well, presumably so you have a bird’s eye view of every site regardless of which site you are currently working on. In our opinion, this is of limited utility and will not work for agencies with hundreds of managed sites.


Next we looked at the Tools section. There is a section for live traffic, which seemed to replicate Google Analytics, but was more than that. These logs classify traffic with a key to see what type of traffic the website is getting: human, bot, warning, blocked.


There is a Whois lookup option, in case you want to see who the attacker is without leaving wp-admin. Again, this is an incidental feature at best.

We thought Diagnostics was really interesting, as it had a lot of information about the website. Everything is very granular there, right from process owners to database tables. Developers will find this info vastly useful, because it is like a spec of the website all in one place.


Sucuri: Extras

Sucuri has a lot of extra frills and furbelows in their plugin. Whether any have an impact on security is another matter altogether.

The first thing you will see on installation is the WordPress integrity infobox. It really is a fancy version of a WordPress core file change monitor. Obviously, it is somewhat useful to have a file change monitor for WordPress core files, but the efficacy is not as much as is made out to be. Hackers can and will change file metadata, like update timestamps, to work around these measures. So yes useful, but not so much.


There is an integrity diff utility to compare core files on the website with the original WordPress installation. It is certainly easier than using an online one, if you are cleaning out malware manually—which we don’t at all recommend.
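As an added example (not Sucuri's or Wordfence's own code), the following Python script contrasts a timestamp-based file change monitor with a hash-based integrity diff of the kind described above. It builds a baseline manifest of a constructed sample tree, then modifies one file while restoring its mtime and adds another file; the file names and contents are constructed for the demo and are not real WordPress files.

```python
"""Hash-based file integrity diff versus an mtime-only monitor (added example).

The sample tree, file names and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to (sha256, mtime_ns)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = (sha256_file(path), path.stat().st_mtime_ns)
    return manifest


def diff_manifests(baseline: dict, current: dict, use_hash: bool = True) -> dict:
    """Compare two manifests and report added, removed and modified paths.

    With use_hash=False the comparison relies on mtime alone, which is what a
    naive timestamp-based monitor does; with use_hash=True the content digest
    decides, so a restored timestamp does not hide a change.
    """
    field = 0 if use_hash else 1
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths if baseline[p][field] != current[p][field]
        ),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, tamper with one file while
    restoring its original mtime, add an extra file, and return both diffs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed sample\n")
        baseline = build_manifest(root)

        # Change the content of index.php, then put the original mtime back so a
        # timestamp-only monitor sees nothing (the evasion the article describes).
        target = root / "index.php"
        original_stat = target.stat()
        target.write_text("<?php require 'wp-blog-header.php';\n// constructed tampering marker\n")
        os.utime(target, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))

        # A new file that does not belong to the baseline at all.
        (root / "wp-includes" / "extra.php").write_text("<?php // constructed extra file\n")

        current = build_manifest(root)
        return {
            "mtime_only": diff_manifests(baseline, current, use_hash=False),
            "hash": diff_manifests(baseline, current, use_hash=True),
        }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

The mtime-only diff reports the added file but not the tampered one, while the hash diff reports both; a real check would compare against a manifest of known-good hashes for the installed core version.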

Sucuri has lots of WordPress hardening features. Blocking PHP in the uploads folder protects against one category of hacks, and we like the ability to change WordPress salts quickly from the dashboard. It could have been done better though. If the feature were on Sucuri’s external dashboard rather than on wp-admin, it would have been safer. Imagine a hacker gains access to wp-admin: the salts would be easily compromised, as they are shown in plaintext there.

Some of the other options are of limited utility, like verifying WordPress version, removing WordPress version, avoiding information leakage, and verifying default admin account. They are meaningless from a security perspective.


Other hardening features were confounding. For instance, if we were to disable plugin and theme editor, how could we update plugins and themes with vulnerabilities? Counterproductive to say the least.

The password management feature held some promise, but the warning would terrify all but the most brave:“Select users from the list in order to change their passwords, terminate their sessions and email them a password reset link. Please be aware that the plugin will change the passwords before sending the emails, meaning that if your web server is unable to send emails, your users will be locked out of the site.”

What’s missing from Wordfence and Sucuri

Sucuri doesn’t have a good malware scanner. The brute force login protection doesn’t work, and it takes up too many server resources. There is no bot protection either, and you would need a separate plugin for two-factor authentication.

Wordfence misses out on bot protection and an activity log. The scanner is above average; definitely a cut above the other security plugins available apart from MalCare. Apart from these things, it is an exceptional security plugin.

Wordfence vs Sucuri: Pricing

Sucuri’s plans start at $199.99 a year per site, which is a great deal for unlimited malware removal. The firewall works well, but the scanner is a let down. Wordfence premium plans are at $99 for the year per site, with attractive bulk pricing options. However, our opinion is that the free version is almost as good as the premium version.

Sucuri is a winner when it comes to the unlimited malware removal feature. The support team was great, with a quick turnaround time, helpful response and a proactive post-hack checklist. But the malware scanner was a complete failure, and that’s not a small flaw to overlook.


The free version of Wordfence is strong enough to stand on its own. The premium version is not all that different, the efficiency percentages on the dashboard notwithstanding. The real expense to consider with Wordfence is the cleaning service at $490 a pop, over and above the site license. If you are considering Wordfence seriously, read the fine print. Although they say unlimited pages, there are additional charges for sites above 10 GB. They guarantee the service for a year, but there are terms and conditions. None of this is unreasonable, but it is important to be aware before taking the plunge.


Better alternative to Wordfence and Sucuri: MalCare

The best security plugin for your website isn’t Wordfence or Sucuri, it is MalCare. It has an excellent scanner that detects malware in all parts of your website: core WordPress, files and the database. Additionally, the auto-clean feature removes all malware surgically, without breaking your website.

MalCare has an advanced firewall that proactively blocks bad traffic from reaching your website. The brute force protection makes sure that your login page is safe from malicious attacks, and the bot protection goes even further to make sure that bad bots are kept away from your website.

There is a formidable support team of WordPress security experts to help with any issues that come up. Any malware removal cleanups necessary beyond the auto-clean are covered with the site license.

Thus, in a feature-to-feature comparison, MalCare undoubtedly comes out on top. MalCare’s $99 plan is vastly better than Sucuri’s $199.99 Basic Platform plan, and includes unlimited malware removal, which is over and above Wordfence’s $99 plan.

Recommended Read: MalCare vs Wordfence

Conclusion

When choosing a WordPress security plugin for your website, make sure to evaluate the scanner, cleaner and firewall. All the other features can be implemented with other plugins, but these 3 features form the essence of a good plugin.

At MalCare, our goal is to make security stress-free and painless, so that you can focus on the more important aspects of your website. Leave the security to us, as you grow your business.

We hope this comparison was helpful, as we have presented all our findings transparently. Have further questions? Drop us a line. We would love to hear from you.