How to Use the WordPress Security Plugin

Introduction

At Sucuri, we believe in making the internet safe for everyone. One way we show this dedication is by maintaining a free security plugin for WordPress.

In this guide, we will explain how our WordPress security plugin works – from installation and features, to what you can expect from our free monitoring and security plugin.

Using the Sucuri WordPress plugin does not require a paid Sucuri subscription.

Step 1

Installation & Activation

The WordPress security plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture, offering its users a set of security features for their website:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blocklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notification
  • Website Firewall (premium)

For full-spectrum malware and DDoS protection, we recommend installing a website firewall. A complete security plan should also include backups, server-side detection, and emergency response.

Get Protected

Looking for enhanced website security? We’ve got you covered with our monitoring and web application firewall.

1.1 Install the WordPress Security Plugin

The Sucuri Scanner is in the official WordPress.org plugin repository. It can be installed and activated by a WordPress user with administrative privileges. Keep in mind that you will require WordPress version 3.6 and up.

To install the WordPress security plugin:

  1. From the WordPress Dashboard go to the repository Plugins > Add New on the left side of the dashboard.
  2. Type Sucuri in the repository search query box.
  3. At the upper side of all available plugins you will see the Sucuri logo and the title Sucuri Security – Auditing, Malware Scanner and Security Hardening
  4. Click Install.
  5. Click Activate. This will take you to the installed plugins page.

Once completed, you can access all features by clicking on the Sucuri Plugin option on the right-side menu of your WordPress dashboard.

Sucuri Plugin Add new search

1.2 Generate API

Activating the API allows your WordPress account to connect to our server. If an attacker somehow compromises your site and removes the plugin’s audit logs from your server, they can be recovered from our server for investigation.

To generate the API key for the Sucuri plugin:

  1. Log into your WordPress website as an administrator and open the Sucuri plugin.
  2. Click Generate API Key to the upper right side of your screen.
  3. Check the Terms of Service and Privacy Policy boxes once you have read them.
  4. Click Submit. An email confirmation will be sent to the primary email address with confirmation.

Sucuri Plugin Generate API Key Popup

Note

The keys are free. The key is used to authenticate the HTTP requests sent by the plugin to an API service managed by Sucuri Inc.

1.3 API Service Communication

Once the API key is generated, the plugin will communicate with a remote API service that will act as a safe data storage for the audit logs generated when the website triggers certain events that the plugin monitors. If the website is hacked, the attacker will not have access to these logs. Now you can investigate any modifications (for malware infection) and/or how the malicious person gained access to the website.

1.4 Multisite & Subdomains

This section is relevant if you use a WordPress Multisite installation. However, if you have a single site in your WordPress install, skip to the next section.

The plugin uses the administrator email and the domain name of the site in order to generate an API key (this also applies for subdomains). The information communicated through the API interface will be transferred using this key.

A high percentage of the data processed by the API interface is dependent on the WordPress core files, along with the information stored in the uploads folder. That is why a unique installation of the plugin (in the main site) will not work 100% for subdomains installed in different locations.

For the multisite installations, this is different. A WordPress MU installation will force each site to share the core files. Generally the content is inside the “wp-content” directory (where the plugin’s data is stored). All information processed by the plugin, except the settings, will be shared among every site inside the network.

Subdomains with Unique Installation

This is when multiple subdomains are created and there is a unique installation of WordPress per site. In cases like this, each subdomain has its own database so you will need to install the plugin separately for each subdomain. Each subdomain will not be affected by the API key, audit logs, hardening, or any settings applied to the other subdomains.

Subdomains with MultiSite

This is when you have a network-based installation associated with a unique installation of WordPress. This means there is only one database with multiple “options” tables. In this case, when you install the plugin, the audit logs, hardening, and login information will be shared among all the sites inside the network. The settings, however, will affect only the site where they were applied.

In short, you install the plugin one time for a network-based installation (aka. WordPress MultiSite), otherwise, install the plugin for each

STEP 2

WordPress Hardening

Security hardening options are preventative measures to increase security in areas of your website that could become avenues for attack. This is done by adding a set of rules in your .htaccess file and verifying secure configurations.

Sucuri helps you take steps to fortify your website from outside threats. You can enable each feature with the click of a button.

Note

The instructions will vary depending on your server software and system. Some systems do not support Certbot, but you can find a list of other reputable clients that should work with your server environment.

2.1 Enable Hardening Options

To enable and disable security hardening in the WordPress security plugin:

  1. Log into the WordPress dashboard.
  2. From the right-side menu under the Sucuri Plugin, go to Settings.
  3. Go to the top menu and select Hardening.
  4. Click the Apply Hardening button to any of the security options described below.
Sucuri WordPress Plugin guide Hardening Options

Sucuri Plugin Settings & Hardening Options

Hardening options:

  • Website Firewall Protection — If you are a Sucuri customer, you can link to your firewall account to view statistics in WordPress.
  • Verify WordPress Version — Checks when your website, or any of its components are not up to date, this section will warn you with a prompt to the newest version.
  • Verify PHP version — Checks whether your server is running the latest version of PHP.
  • Remove WordPress Version — Allows you to remove the version of your CMS from being publicly displayed.
  • Block PHP Files in Upload Directory — Disables the execution of PHP files inside your uploads directory. This can break certain plugins so test beforehand.
  • Block PHP Files in WP-CONTENT Directory — Places a .htaccess file inside the wp-content to prevent external access.
  • Block PHP Files in WP-INCLUDES Directory — The same as above but for wp-includes.
  • Information Leakage — Checks for the presence of a readme.html file on your site, which contains your WordPress version and deletes it.
  • Default Admin Account — Checks for the admin user. This used to be standard in former times and is a favorite target for hackers.
  • Plugin & Theme Editor — Disables the plugin and theme editor to prevent access to sensitive files by other users (and possible hackers who have broken into your site).

Note

You will also find the option to Allowlist PHP Files that have been blocked by scrolling down the page. After you apply the hardening in either the includes, content, and/or upload directories, the plugin will add a rule in the access control file to deny access to any PHP file located in these folders.

 

This is a good precaution in case an attacker is able to upload a PHP script. With a few exceptions, the “index.php” is the only one that should be publicly accessible. However, many theme/plugin developers decide to use these folders to process some operations. In this case, applying the hardening may break functionality, so allowlisting can be used to allow only these files.

2.2 Revert Hardening

At some point, you may need to revert hardening settings to make changes to your site. Hardening should be disabled at this time, then re-enabled once you are done.

To revert the WordPress security plugin hardening features:

  1. Log into your WordPress admin dashboard.
  2. Under the Sucuri Plugin on the right side menu, click on Settings.
  3. From the upper side menu, select Hardening.
  4. Identify the option to revert and click the Revert Hardening button.

Revert hardening options:

  1. Block PHP Files in uploads
  2. Block PHP Files in wp-content
  3. Block PHP Files in wp-includes
  4. Plugin and Theme Editor

Sucuri Plugin Settings – Hardening Allowlisting php files

STEP 3

Email Alerts

By default, the plugin will send the email alerts to the primary admin account, the same account created during the installation of WordPress in your web server.

You can add more people to the list and they will receive a copy of the same security alerts. You will receive daily scan reports automatically to the default email used to set up your Sucuri WordPress Plugin. Or you can choose to manually push a scan at any time.

3.1 Custom Email Alerts

You can customize the email and recipients for any alerts generated by the plugin.

To modify the Sucuri WordPress security plugin email alerts:

  1. Log into your WordPress admin account.
  2. Once on the WordPress dashboard, click on to the Sucuri Plugin.
  3. Then, click on Settings.
  4. On the upper side of the screen, click on Alerts from the menu bar.
  5. Change the options described in the next section.

Sucuri plugin settings alerts and receipient

Note

Even if you disable the email alerts, the plugin will keep monitoring the events triggered by WordPress and the information will be sent to our API service which powers the “Audit Logs” panel located in the plugin’s dashboard page.

3.2 Security Alert Options

You can manage the types of alerts you receive from the plugin and allow trusted IP addresses so they do not generate alerts.

  • Alerts Recipients – Set to the associated email used on account setup, but you can add as many as you want.
  • Trusted IP Addresses – If you are working in a LAN (Local Area Network) you may want to include the IP addresses of all the nodes in the subnet. This will force the plugin to stop sending email alerts about actions executed from trusted IP addresses.
  • Alert Subject – Format of the subject for the email alerts. By default the plugin will use the website name and the event identifier that is being reported.
  • Alerts Per Hour – Configure the maximum number of email alerts per hour. If the number is exceeded and the plugin detects more events during the same hour, it will still log the events into the audit logs but will not send the email alerts. Be careful with this, as you will miss important information.
  • Password Guessing Brute Force Attack – This is one of the most common vectors used to compromise websites. Here you can determine how many failed login attempts can happen per hour before an email alert is sent.
  • Security Alerts – Here you can select from the list provided which events will trigger a security alert.
  • Post-type Alerts – If you enable alerts for new site content, in this section you can specifically choose post types that will not trigger alerts.

Note

The Sucuri plugin does not monitor every event triggered by WordPress, only the ones that we consider relevant for security – like possible indicators of compromise. If you notice any events that were not initiated by you or your team, it may prompt further investigation. Additionally, we monitor global setting changes and core WordPress updates.

3.3 Failed Login Alerts

If you are receiving many emails about “Failed Logins”, your website is likely being targeted in a Brute Force Attack.

  1. Follow the same steps in section 3.1, then navigate to the Email Alerts dashboard.
  2. Disable the alerts for failed logins from the Security Alerts list.
  3. Install a website application firewall to block unauthorized IP addresses from accessing your WordPress login page.

The plugin alerts you to a Brute Force Attack after it detects more than 30 failed login attempts within an hour. This can also be modified following the above steps, under the Password Guessing Brute Force Attack section.

Sucuri WordPress Plugin guide sailed login attempts

Note

It is recommended to disable the email alerts for failed logins and enable the alerts for brute force attacks. This will force the Sucuri WordPress plugin to collect all of the failures per hour and send a single email notification.

STEP 4

Malware Scanning

The malware scanner is one of the most popular tools integrated into the Sucuri WordPress security plugin.

This free tool, powered by Sucuri SiteCheck, scans your website for:

  • Malware
  • Blocklist Status
  • Website Errors
  • Out-of-Date Software
  • Security Anomalies

4.1 Malware Detection

SiteCheck is a free website security scanner. Remote scanners have limited access and results are not guaranteed. It finds malicious code that is visible in the external source code of your site. Your site could be hosting malware on the server that doesn’t show up on the frontend of the site. For a full server-side scan, contact our team.

To change malware detection settings in the Sucuri plugin:

  1. Log into your WordPress admin account.
  2. Once on the WordPress dashboard, click on to the Sucuri Plugin.
  3. Then, click on Settings.
  4. Click on Scanner located on the menu options on the upper side of the screen.
  5. If this is your first time using this tool, it is recommended you go through all the available settings:
    • Scheduled Tasks – These are rules registered in your database by a plugin, theme, or the base system itself; they are used to automatically execute actions at a scheduled time. This is the lace to configure the frequency of “sucuriscan_scheduled_scan” task.
    • WordPress Integrity Diff Utility – If your server allows the execution of system commands, you can configure the plugin to use the Unix Diff Utility to compare the actual content of the files installed in the website and the original files provided by WordPress. This will show the differences between both files and then you can act upon the information provided.
    • Ignore Files and Folders During the Scans – Select the files and/or folders that are too heavy for the scanner to process.

Sucuri plugin settings scanner menu and scheduled tasks

STEP 5

Core Integrity Check

The Sucuri WordPress plugin comes with tools that check the integrity of the core WordPress files – PHP, JavaScript, CSS – and other files that come with your original WordPress version.

Attackers modify core files to add backdoors, which are fragments of code that allow them to bypass the security measures. Removing all backdoors from an infected site is crucial to avoid reinfection.

Identifying modified WordPress core files can alert you to backdoors and other indicators of compromise.

5.1 Automatic Integrity Checks

The Sucuri plugin automatically checks your WordPress files and alerts you if any files have been added, modified, or removed.

The integrity tool uses an API maintained by the WordPress organization to determine which files in the installation were added, removed or modified. The API returns a list of files with their respective checksums. This checksums can be used to guarantee that the installation is not corrupt.

If you are receiving a notification from the integrity check, follow the steps below to deal with added, removed, or modified files.

5.2 Added Files

When a file is marked as added, it means that it was not found in the official WordPress archives – at least not for the version number detected in your current website.

For example, if your site has a file named wp-protect.php in the document root and the official WordPress repository does not include this file, a hacker may have added it.

However, you may wish to upload files for legitimate reasons. If this is so, the file may not be malicious but the plugin does not know this. If you trust the file then you can force the plugin to ignore them in future scans by marking them as fixed.

For suspicious files that were added, you can choose to delete them. Delete any file if you do not trust they are safe.

5.3 Deleted Files

When a file is marked as deleted, it means that you are missing a core WordPress file.

You will not see this frequently because when a file is deleted from the core directories, the site generally goes down. There are some exceptions, like the xmlrpc.php file, which is used by WordPress to allow users and services to interact with the site through RPC.

From the plugin, you can choose restore and the file will be replaced from the official WordPress repository.

The plugin provides an option to do this automatically. If you need additional assistance or would like to learn more about why backups can save your website, visit our Website Backups page.

5.4 Modified Files

When a file is marked as modified, it means that the core file on your WordPress site does not match the official repository.

You should never modify core files because this causes difficulties with the upgrades and maintainability of the code.

If you find modified files, you should choose the restore option. The corrupt version will automatically be replaced using a copy from the official WordPress repository.

5.5 Dev Sites

If you are using a custom version of WordPress (like the development version of the code), you can point the integrity tool to a GitHub repository to check your files against it.

To run an integrity check against a custom repository:

  1. Log into your WordPress admin account.
  2. Once on the WordPress dashboard, click on to the Sucuri Plugin.
  3. Then, click on Settings.
  4. Click on the API Service Communication tab on the menu in the upper side of the screen.
  5. Scroll down to the WordPress Checksums API.
  6. Type in the URL of the repository to run the checksum and click Submit.

STEP 6

Post-Hack

If your website is hacked, you need to take immediate action to protect your visitors and prevent further damage.

This section of the plugin offers measures for when your site has been compromised. More information is available on the steps to take when your site has been compromised on our free How to Clean a Hacked WordPress Guide.

Here is an overview of the post-hack features of the WordPress security plugin:

  1. Reset Security Keys — This option generates new SALTs inside wp-config.php.
  2. Reset User Password — Selects users for which new random passwords will be created.
  3. Reset Installed Plugins — In case plugins are infected, this allows you to reinstall them at the touch of a button.
  4. Available Plugins and Themes Updates — Shows all components on your site that can (and typically should) be updated.


Below, you can observe the step-by-step for each one of Post-Hack settings.

6.1 Reset Security Keys

WordPress uses browser cookies to keep user sessions active for two weeks. If an attacker has a session cookie, they will retain access to the website even after a password is reset.

To fix this, we recommend forcing active users off by resetting WordPress secret keys.

To generate new secret keys using the Sucuri plugin:

  • Log into WordPress as an admin and go to Sucuri Plugin > Settings.
  • Click on Post Hack.
  • Click Generate New Security Keys.
    This will force all users out of the WordPress dashboard.

Sucuri plugin settings post hack menu and update secret keys

6.2 Reset User Passwords

It is critical that you change passwords for all access points. This includes WordPress user accounts, FTP/SFTP, SSH, cPanel, and your database.

To reset user passwords using the Sucuri plugin:

  1. Log into WordPress as an admin and go to Sucuri Plugin > Settings.
  2. Click on Post-Hack.
    Scroll down to the Reset User Password section.
  3. Check the box next to the user accounts.
    Click Submit.
  4. The user will receive an email with a strong temporary password.

Sucuri plugin settings post hack and reset user password

You should reduce the number of admin accounts for all of your systems. Practice the principle of least privileged. Only give people the access they require to do the job they need.

6.3 Reset Installed Plugins

After you clean all malicious code from your site, we recommend reinstalling your plugins in case one of them was infected as well. We also highly recommend that you delete any plugins you are not using.

To reset WordPress plugins in the Sucuri security plugin:

  1. Log into WordPress as an admin and go to Sucuri Plugin > Settings.
  2. Click on Post Hack.
  3. Scroll down to the Reset Installed Plugins section.
  4. Check the box next to the plugins you would like to reinstall.
  5. Click Submit.

Sucuri plugin settings post hack reset installed plugins

Note

Premium plugins will not be reinstalled to prevent backward compatibility issues and problems with licenses.

6.4 Plugin & Themes Updates

WordPress powers over 30% of all websites on the internet. This makes it an attractive target for attackers who scan the code for vulnerabilities. They also target popular plugins and themes.

You should keep every plugin and theme up to date to prevent attacks as soon as vulnerabilities are patched and made available via updates.

To update your plugins and themes:

  1. Log into WordPress as an admin and go to Sucuri Plugin > Settings.
  2. Click on Post Hack.
  3. Scroll down to the Available Plugin and Themes Updates section.
  4. Identify which plugin/theme you want to update.
  5. Click Download, this will prompt a file download to your computer.
  6. Once the download is complete, you can manually upload them in:
    • Appearance > Themes > Add New > Upload Theme.
    • Plugins > Add New > Upload Plugin.

Sucuri plugin settings post hack available plugin and theme updates

STEP 7

Sucuri Firewall Integration

This section applies if you are a Sucuri customer who has activated the web application firewall.

7.1 Enable WAF Dashboard

You can connect the Sucuri Firewall to the WordPress plugin using the Firewall (WAF) option of the Sucuri plugin.

To connect your Sucuri account to the plugin:

  • Log into your WordPress admin.
  • Under the Sucuri Plugin, go to Dashboard.
  • Click the Firewall (WAF) button on the upper right side of the screen.
  • Find the Sucuri Security plugin on the sidebar and go to Firewall (WAF).
  • Paste your API Key and then click Save.

7.2 Website Firewall Benefits

The number of vulnerabilities exploited by attackers grows everyday. Trying to keep up is challenging for administrators. Website Firewalls were invented to provide a perimeter defense system surrounding your website.

Benefits to using a website firewall:

  • Prevent a Future Hack – By detecting and stopping known hacking methods and behaviors, a website firewall keeps your site protected against infection in the first place.
  • Virtual Security Update – Hackers quickly exploit vulnerabilities in plugins and themes, and unknown ones are always emerging (called zero-days). A good website firewall will patch your holes in your website software even if you haven’t applied security updates.
  • Block Brute Force Attack – A website firewall should stop anyone from accessing your wp-admin or wp-login page if they aren’t supposed to be there, making sure they can’t use brute force automation to guess your password.
  • Mitigate DDoS Attack – Distributed Denial of Service attacks attempt to overload your server or application resources. A website firewall detects and blocks all types of DDoS attacks, ensuring your site is available if you are attacked by a high volume of fake visits.
  • Performance Optimization – Most WAFs will offer caching for faster global page speed. This keeps your visitors happy and is proven to lower bounce rates while improving website engagement, conversions, and search engine rankings.

We offer all of these features with the Sucuri Firewall.

If you need further help with the plugin, please submit a ticket in the Support Forum.

Defend against hackers with our web application firewall.

Sucuri Resource Library

Say on top emerging website security threats with our helpful guides, email, courses, and blog content.

Webinar

Learn how to identify issues if you suspect your WordPress site has been hacked.

Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.

Report

Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.