Sucuri WordPress Plugin

The Sucuri WordPress plugin is available for free installation in the WordPress repository. Our security plugin comes with hardening features, malware scanning, core integrity check, post-hack features and email alerts, to help keep your website protected.


Before Installing

Sucuri WordPress Plugin Compatibility

Keep in mind that the Sucuri Security plugin requires WordPress version 3.6 or higher, and administrative privileges for installation.

Security Settings Customization

You have control over the Sucuri plugin settings to fit your website needs. Customize email alerts, schedule scans, allowlist or blocklist files, and more.

Additional Support & Resources

Our security plugin is user-friendly, but if you need additional help, you can always read our How to Use the WordPress Security Plugin Guide.

SiteCheck & Integrity Scanner

The Sucuri SiteCheck scan finds malicious code that is visible in the external source code of your site and identifies any core file integrity issues.

Features of the Sucuri WordPress Plugin

WordPress Hardening

Security hardening options are preventative measures to increase security in areas of your website that could become avenues for attack. This is done by adding a set of rules to the website .htaccess file and verifying secure configurations.

Email Alerts

Email alerts are enabled by default. You can customize the email and recipients for any alerts generated by the plugin. These alerts will keep you informed of any suspicious activity observed on your website.

Malware Scanning

Our scanning engine is fast and lightweight for any environment. SiteCheck remote scanners are constantly updated to address the spread of malicious content, blocklisted status, website errors and out-of-date software.

Core Integrity Check

The Sucuri WordPress plugin comes with tools that check the integrity of the core WordPress files – PHP, JavaScript, CSS – and other files that come with your original WordPress version.


The post-hack section of the plugin offers measures for when your site has been compromised. More information on the steps to take after a compromise is available in our free How to Clean a Hacked WordPress Guide.

Sucuri Firewall Integration

You can connect the Sucuri Firewall to the WordPress plugin using the Firewall (WAF) option of the Sucuri plugin for advanced protection. This is only available for customers who have any of our platform plans and not as a feature included in the Sucuri plugin.

90k+ Sites Hacked Every Day

10k+ Sites Blocklisted Every Day

4-12 hrs Website Scan

100%


Getting Started with the Plugin


Install the WordPress Security Plugin

In a few simple steps, you can install the WordPress Security Plugin. Download the Sucuri Security plugin directly from the WordPress official repository to install it manually.

Alternatively, from your WordPress Plugin dashboard, search for Sucuri and select Sucuri Security – Auditing, Malware Scanner and Security Hardening. Once the plugin is installed and activated, you can access all features by clicking the Sucuri Plugin option on the WordPress menu.


Generate the API Key

Activating the API allows your WordPress account to connect to our server. If an attacker somehow compromises your site and removes the plugin’s audit logs from your server, they can be recovered from our server for investigation.

To generate the API key, open the Sucuri plugin from the WordPress Dashboard and click Generate API Key at the upper right-hand side of your screen. Be sure to check the Terms of Service and Privacy Policy box once you have read them. After you click Submit, a confirmation email will be sent to the primary email address.


API Service Communication

Once the API key is generated, the plugin will communicate with a remote API service that acts as safe data storage for the audit logs. If the website is hacked, the attacker will not have access to these logs. You can review any modifications made and see how the attacker gained access to the website.


Multisite and Subdomains

Multisite installations behave differently. A WordPress MU installation forces each site to share the core files. Generally, the content is inside the “wp-content” directory (where the plugin’s data is stored). All information processed by the plugin, except the settings, is shared among every site in the network. More details can be found in our WordPress Plugin Guide.

Your own security team to depend on!

99% Support Ticket Satisfaction
20,000+ Sites Cleaned Monthly

Additional Resources


Learn how to identify issues if you suspect your WordPress site has been hacked.


Email Course

Join our email series as we offer actionable steps and basic security techniques for WordPress site owners.



Based on our data, the three most commonly infected CMS platforms were WordPress, Joomla! and Magento.



Learn security best practices for WordPress websites to improve website posture and reduce the risk of a compromise.
