सुकुरी बनाम वर्डफेंस:आपकी वर्डप्रेस वेबसाइट के लिए कौन सा सुरक्षा प्लगइन सबसे अच्छा है

Wordfence और Sucuri दोनों ही WordPress सुरक्षा प्लगइन्स के हैवीवेट चैंपियन हैं। किसी भी बातचीत में, वे अनिवार्य रूप से सामने आते हैं, और लोग विभाजित होते हैं कि कौन सा सबसे अच्छा सुरक्षा प्लगइन है।

सुकुरी में एक लोकप्रिय ऑनलाइन स्कैनर है, जिसका व्यापक रूप से वेबसाइट व्यवस्थापक द्वारा मैलवेयर का पता लगाने के लिए उपयोग किया जाता है। उनके प्लगइन में एक सर्वर-साइड स्कैनर, एक फ़ायरवॉल और कई अन्य सुरक्षा सुविधाएँ हैं। सुकुरी अपनी किसी भी योजना के साथ असीमित मैलवेयर हटाने की पेशकश करता है।

Wordfence, WordPress सुरक्षा प्लगइन्स के लिए निर्विवाद नेता है। टीम अपने सुरक्षा प्लगइन को बहुत सारी शैक्षिक सामग्री के साथ पूरक करती है, जिससे व्यवस्थापक को यह समझने में मदद मिलती है कि उनकी वेबसाइट को हैकर्स से कैसे बचाया जाए। प्लगइन में एक स्कैनर और फ़ायरवॉल है, और कुछ मैलवेयर को भी हटा सकता है। उनके पास मैलवेयर हटाने की सेवा भी है, लेकिन यह एक ऑन-डिमांड प्रीमियम सुविधा है।

सुकुरी बनाम वर्डफ़ेंस लड़ाई में कौन सा बेहतर है, इसका उत्तर देने के लिए, हमने दोनों प्लगइन्स का बड़े पैमाने पर परीक्षण किया। जैसा कि आप बाकी लेख में देखेंगे, परीक्षण प्लगइन्स को ट्रिप करने के लिए डिज़ाइन किए गए थे ताकि आप अपनी वेबसाइट की सुरक्षा के लिए सबसे अच्छा निर्णय ले सकें।

5 सुरक्षा प्लगइन्स, 3 वेबसाइटें, 45 दिन, और ढेर सारे मैलवेयर। परिणाम निर्णायक थे।

<ब्लॉकक्वॉट क्लास ="डब्ल्यूपी-ब्लॉक-कोट">

VERDICT सुकुरी बनाम वर्डफ़ेंस सरल प्रश्न नहीं है। दोनों में मैलवेयर स्कैनर और फायरवॉल हैं। वर्डफ़ेंस में एक स्वचालित क्लीनर और एक महंगी मैलवेयर हटाने की सेवा है, जबकि सुकुरी के पास अपनी योजनाओं के साथ असीमित सफाई है। सभी कारकों को तौलने के बाद, Wordfence निश्चित रूप से विजेता है। और अधिक जानने के लिए आगे पढ़ें।

हमारी पसंद

इस श्रृंखला के लिए, हमने 3 परीक्षण वेबसाइटें विकसित की हैं:पहला, एक साधारण ब्लॉग जिसमें बहुत सारी छवियां और टिप्पणियां नियंत्रण के रूप में हैं; दूसरा, एक साइट जिसमें बहुत सारे संवेदनशील प्लगइन्स और अस्पष्टता के विभिन्न स्तरों के विषय हैं; और अंत में, विभिन्न प्रकार के मैलवेयर से भरी हुई साइट।

एक प्रभावी प्लगइन के मानदंड कई गुना हैं, लेकिन हम एक साधारण प्रश्न पर शून्य करना चाहते थे:क्या प्लगइन आपकी वेबसाइट को हैकर्स और मैलवेयर से बचाने का अच्छा काम करता है?

45 दिन बाद, हमारे पास हमारा जवाब था। 5 में से 4 प्लगइन्स के लिए, उत्तर नहीं था। 1 प्लगइन सभी मामलों में जीता। वह प्लगइन मालकेयर है।

MalCare में सबसे अच्छा मैलवेयर स्कैनर है जिसे हमने देखा है, फ़ाइलों, डेटाबेस और फ़ोल्डरों से मैलवेयर को उठाकर, चाहे वह कितनी भी अच्छी तरह से छिपा हो। इसमें एक स्वचालित क्लीनर है जो वास्तव में काम करता है, सर्जिकल परिशुद्धता के साथ केवल मैलवेयर की सफाई करता है। और अंत में, एक उन्नत फ़ायरवॉल जो उन खतरों को रोकता है जो आपकी वेबसाइट का फायदा उठा सकते हैं।

आपकी WordPress साइट के लिए सबसे अच्छा सुरक्षा प्लगइन स्पष्ट रूप से MalCare है।

सुकुरी बनाम वर्डफ़ेंस तुलना का सारांश

इस कठिन लड़ाई में, Wordfence विजेता है। हमें यह स्वीकार करना होगा कि यह एक करीबी कॉल थी, क्योंकि सुकुरी के भी अपने बिंदु हैं।

सुकुरी बनाम वर्डफेंस:आपकी वर्डप्रेस वेबसाइट के लिए कौन सा सुरक्षा प्लगइन सबसे अच्छा है

हम देख सकते हैं कि लोग इतने काम में क्यों आते हैं कि कौन सा बेहतर है, क्योंकि वर्डफेंस की खामियां सुकुरी की ताकत हैं, और इसके विपरीत। इसलिए किसी व्यक्ति के व्यक्तिगत अनुभव के आधार पर, वे उस प्लगइन की वकालत करेंगे जिसने उनकी विशेष समस्या का समाधान किया।

लेकिन इस वजह से, कोई वस्तुनिष्ठ उत्तर नहीं है जिसके बारे में सभी वर्डप्रेस साइटों के लिए समग्र रूप से बेहतर है। और इसका जवाब भी नहीं है। आपको सुरक्षा के एक या दूसरे पहलू से समझौता नहीं करना चाहिए। इसके बजाय MalCare प्राप्त करके यह सब प्राप्त करें।

संक्षेप में शब्द

<ब्लॉकक्वॉट क्लास ="डब्ल्यूपी-ब्लॉक-कोट">

मालकेयर के बाद वर्डप्रेस साइट के लिए वर्डफेंस सबसे अच्छा सुरक्षा प्लगइन है। महान सुरक्षा सुविधाओं के साथ मुफ्त संस्करण मजबूत है। स्कैनर अधिकांश फ़ाइल-आधारित मैलवेयर का पता लगाता है, और जो कुछ भी पता लगाता है उसे साफ़ करने में सक्षम होता है। फ़ायरवॉल सबसे अद्यतन में से एक है, और कई खतरों को रोकता है। नकारात्मक पक्ष यह है कि वेबसाइट का प्रदर्शन Wordfence के साथ बहुत प्रभावित होता है, और उनकी मैलवेयर सफाई सेवा महंगी होती है।

Wordfence का स्कैनर उन सभी फ़ाइल-आधारित मैलवेयर का पता लगाने में सक्षम था, जिन्हें हमने अपने मुफ़्त प्लगइन्स और थीम में डाला था। अगर यह अजीब तरह से विशिष्ट लगता है, ऐसा इसलिए है क्योंकि यह है। यह मैलवेयर का पता नहीं लगा सका जो डेटाबेस में था, न ही मैलवेयर प्रीमियम प्लगइन्स और थीम में डाला गया था। ऐसा इसलिए है क्योंकि Wordfence द्वारा उपयोग की जाने वाली फ़ाइल-मिलान पहचान प्रणाली सार्वजनिक रूप से उपलब्ध कोड पर बहुत अधिक निर्भर करती है।

स्कैन परिणामों ने मैलवेयर और इंस्टॉल किए गए थीम और प्लगइन्स में कमजोरियों को चिह्नित किया। मजेदार बात यह है कि Wordfence ने हमारे कुछ प्रीमियम प्लगइन्स को मैलवेयर या त्रुटियों के रूप में भी फ़्लैग किया है। ये झूठे सकारात्मक हैं, जिन्हें हम देख सकते हैं क्योंकि हम वर्डप्रेस कोड में चारों ओर खुदाई करने के आदी हैं। लेकिन कुछ वेबसाइट व्यवस्थापक इस वजह से पूरी तरह से व्यवहार्य प्लगइन्स को हटा सकते हैं।

साथ ही, स्कैन परिणाम प्रदर्शित होने के बाद मैलवेयर से ग्रस्त फाइलों को स्वचालित रूप से सुधारने का विकल्प था। हमने इसे आजमाया, और यह काम कर गया। सभी खोजे गए मैलवेयर को वेबसाइट से हटा दिया गया था। बेशक, यह मैलवेयर की मरम्मत नहीं कर सकता है कि यह पहली जगह में पता लगाने में सक्षम नहीं था।

इसके बाद, हमने फ़ायरवॉल की कोशिश की। यह प्रभावी था, हमने इस पर चकित होने वाले बहुत सारे खतरों को रोक दिया। लेकिन हर बार फ़ायरवॉल ने किसी खतरे को रोक दिया, हमें अलर्ट मिला। हमारे परीक्षण के दौरान इतने सारे अलर्ट थे, हम केवल कल्पना कर सकते हैं कि लाइव साइट पर क्या होगा। व्यवस्थापक निश्चित रूप से अभिभूत हो जाता है और महत्वपूर्ण अलर्ट चूक जाता है।

इन तीन मुख्य मानदंडों के अलावा, Wordfence पर कई अन्य विकल्प उपलब्ध हैं। ब्रूट फोर्स प्रोटेक्शन शानदार है, और टू-फैक्टर ऑथेंटिकेशन एक आकर्षण की तरह काम करता है।

क्या वास्तव में प्लगइन को कई पायदान ऊपर ले गया, इसकी भयानक उपयोगिता थी। Wordfence एक जटिल सुरक्षा प्लगइन है, लेकिन यह नौसिखिए के लिए भी पहुंच योग्य है। डैशबोर्ड को जिस तरह से तैयार किया गया है, सुझावों और साथ में दस्तावेज़ों के साथ, कोई भी गलती से अपनी साइट को अनुपयोगी बनाए बिना सुरक्षा प्लगइन को कॉन्फ़िगर कर सकता है। यह हमारी राय में एक बड़ा प्लस है, खासकर जब सुकुरी के साथ तुलना की जाती है, जैसा कि आप बाद में देखेंगे।

Wordfence में आश्चर्यजनक रूप से एक गतिविधि लॉग नहीं है, जो हमें लगा कि यह बहुत ही अजीब है। लेकिन वास्तविक गिरावट यह है कि यह एक संसाधन सिंक है। हमारी वेबसाइट पर चलाए गए प्रत्येक स्कैन ने डिस्क उपयोग स्पाइक और वेबसाइट के प्रदर्शन को कम कर दिया। यही कारण है कि कई वेब होस्ट ने Wordfence पर प्रतिबंध लगा दिया है।

संक्षेप में, Wordfence एक उत्कृष्ट सुरक्षा प्लगइन है, लेकिन गंभीर कमी के साथ। इसके सभी लाभों के लिए, और किसी भी दोष के लिए, MalCare जाने का रास्ता है।

संक्षेप में सुकुरी

<ब्लॉकक्वॉट क्लास ="डब्ल्यूपी-ब्लॉक-कोट">

सुकुरी में एक अच्छा फ़ायरवॉल है और उनकी मैलवेयर हटाने की सेवा बहुत अच्छी थी। लेकिन मैलवेयर स्कैनर किसी भी मैलवेयर का पता लगाने में विफल रहा, भले ही उनकी टीम ने बाद में इसे हटा दिया हो। एक कार्यशील मैलवेयर स्कैनर के बिना एक सुरक्षा प्लगइन अप्रभावी है।

सुकुरी एकमात्र अन्य प्लगइन है जिसमें मालकेयर और वर्डफेंस के साथ विचार करने का कोई मौका है, क्योंकि यह कम से कम कभी-कभी सुरक्षा प्लगइन के रूप में कार्य करता है। Jetpack और iThemes राइट-ऑफ़ थे।

यह यकीनन सबसे लोकप्रिय सुरक्षा प्लगइन्स में से एक है, लेकिन यह अभी भी एक मूलभूत क्षेत्र में विफल रहता है:मैलवेयर स्कैनिंग। जैसा कि हम बाद में देखेंगे, उनकी मैलवेयर हटाने की सेवा शीर्ष पर है। वे कुशल और तत्पर थे, हमारी अपेक्षा से पहले हमारे पास वापस आ रहे थे और वेबसाइट की सफाई के साथ अच्छा काम कर रहे थे। हालाँकि, अगर यह एक परीक्षण वेबसाइट नहीं थी जिसे हमने बनाया और मैलवेयर से भरा हुआ था, तो हमें कभी नहीं पता होगा कि यह पहली जगह में संक्रमित था क्योंकि स्कैनर ने हमें हैक के लिए क्लीन चिट दी थी। तो, वास्तव में, सुकुरी गाड़ी को घोड़े के आगे रखने का एक उत्कृष्ट मामला है। आपको यह जानना होगा कि साइट को साफ करने के लिए हैक किया गया है, लेकिन यह जानने का कोई तरीका नहीं है कि इसे सुकुरी के स्कैनर से हैक किया गया है।

आगे बढ़ते हुए, फ़ायरवॉल ने अच्छा प्रदर्शन किया। यह आसानी से और लगातार एसक्यूएल इंजेक्शन और रिमोट कोड निष्पादन हमलों जैसे हमलों को रोकता है। लेकिन इसे स्थापित करना एक बुरा सपना था। क्योंकि हम परीक्षण साइटों का उपयोग कर रहे हैं, इसलिए हमारी परीक्षण वेबसाइट के बजाय सुकुरी के फ़ायरवॉल आईपी को इंगित करने के लिए नेमसर्वर को बदलने में बहुत परेशानी हुई। अगर उस आखिरी वाक्य में से कोई भी समझ में नहीं आया, तो ठीक है। हमें इसे कॉन्फ़िगर करने में भी उम्र लग गई। निष्पक्ष होने के लिए, आपको अपनी लाइव साइटों पर ऐसी कठिनाई का सामना नहीं करना पड़ेगा, लेकिन यदि आप इसे किसी स्टेजिंग या स्थानीय साइट पर कॉन्फ़िगर करना चाहते हैं? समस्याओं की अपेक्षा करें।

हम पहले से ही फ़ायरवॉल से निराश थे, जब हमने अन्य कॉन्फिग विकल्पों को देखा। सब कुछ इतना जटिल क्यों है? भाषा भ्रामक है, और कुछ मामलों में, सर्वथा कृपालु। और इससे पहले कि हम महसूस करते कि प्रत्येक सुरक्षा स्कैन ने हमारी परीक्षण वेबसाइटों को धीमा कर दिया है। जब हमने सर्वर डिस्क उपयोग की जाँच की, तो एक खतरनाक उछाल आया।

सुकुरी मैलवेयर के लिए स्कैन करने के लिए साइट संसाधनों का उपयोग करता है-एक स्कैनर जो काम नहीं करता है, याद रखें। तो यह वह नहीं करता है जो इसे माना जाता है, और अभी भी साइट के प्रदर्शन को बर्बाद कर देता है। सुकुरी के लिए अच्छा लुक नहीं है।

कौन सा सुरक्षा प्लगइन आपके पैसे के लायक है?

वर्डप्रेस सुरक्षा सलाह विरासत और सुविचारित है, लेकिन यह अक्सर बुरी सलाह होती है। हमने लोगों को iThemes के लिए वकालत करते देखा है—जो हमने अब तक देखे गए सबसे खराब सुरक्षा प्लगइन्स में से एक है—क्योंकि उनकी वेबसाइटें कभी हैक नहीं हुई हैं, इस तथ्य को पूरी तरह से छूट देते हुए कि वे नियमित रूप से प्लगइन्स अपडेट करते हैं, अच्छे पासवर्ड का उपयोग करते हैं, अशक्त सॉफ़्टवेयर का उपयोग नहीं करते हैं, और भाग्य की ढेर सारी खुराक। यदि GoDaddy में डेटा भंग हो सकता है, तो आपकी वेबसाइट भी ऐसा कर सकती है।

इस मामले की जड़ यह है कि एक अच्छा सुरक्षा प्लगइन कैसे चुना जाए। हमने उन चीजों से छुटकारा पाने के लिए एक आवश्यक सूची तैयार की है जो सुरक्षा से संबंधित नहीं हैं।

आवश्यक सुरक्षा सुविधाएं
- मैलवेयर स्कैनिंग
- मैलवेयर क्लीनिंग
- फ़ायरवॉल
अच्छे सुरक्षा सुविधाएं
- भेद्यता का पता लगाना
- क्रूर बल लॉगिन सुरक्षा
- गतिविधि लॉग
- दो चरणों वाला प्रमाणीकरण
संभावित समस्याएं
- Impact on server resources

As you can see, there are only 3 essential features you need to worry about. A security plugin should be great at these 3 things:malware scanning, malware cleaning, and firewall. Everything else is gravy. We aren’t putting down brute force protection or two-factor authentication, because those are important too. But you can get other plugins for that functionality.

MalCare is the only security plugin that has great malware scanning and cleaning capabilities, and an advanced firewall that keeps out threats. Every other plugin fails in one place or the other.

Sucuri vs Wordfence:Head-to-head comparison of features

Choosing the right security plugin can be a bewildering experience, especially when you have to test drive each one for efficacy, hoping all the while that it works.

In this section, we have presented our testing results organised by feature. Comparing and contrasting the same features across plugins gives a clearer picture of the effectiveness of the security plugin.

We have spelt out our results as fairly and transparently as possible, with the view to helping people make a better choice for their websites. However, if you want to secure your websites quickly, install MalCare instead and skip to the end.

Malware scanning

Sucuri has 2 scanners:an online one called SiteCheck, and a server-level one that is part of the plugin. Both didn’t detect malware. Wordfence has a decent malware scanner, which can detect malicious scripts in core files and folders, and those in free plugins and themes. Otherwise, it missed malware in the database and premium plugins and themes.

We often recommend Sucuri SiteCheck as a first-level diagnostic for malware, in case someone suspects their WordPress has been hacked. It cannot scan the full website, but it can identify common malware infections quickly, and without the need of installing a plugin for the express purpose.

We had greater expectations of the server-level scanner, considering it would have full access to the website. The installation is a little different compared to other plugins, because the scanner needs to be installed onto your web server. This can be done so manually, or by putting in FTP details on your dashboard. We finished the installation and waited for the scan to complete.

A considerable time later, the scan was completed and our malware-ridden website was apparently free of hacks. Ran the scan a second time to see if there was a mistake the first time around. Nope, still no malware according to Sucuri. Major failure.

On installation, Sucuri is set up to run once daily, but you can request on-demand scans. The requests are queued and then executed based on availability. The plugin itself will warn you that scanning your website will use up server resources, and therefore impact the performance of your website. Honestly, that is terrible because security shouldn’t come at the expense of performance and user experience. We will go into that in greater detail in another section.

Wordfence also runs a scan automatically on installation. There was a little confusion here though, because we assumed the percentage circle on the dashboard was the scanner’s progress. After we saw that it hadn’t moved past 60% for a few hours, we looked more closely and realised it was a measurement of scanner efficiency. To get to 100%, you need to upgrade the plugin.

Restarted the scanner to benchmark how much time it took, and because our test sites are small, the scanner was done in less than a minute. That is definitely a plus. The scan results were only above-average though, not perfect, because it detected most of the malware, not all of it.

The reason for this is that Wordfence uses signature matching to detect malware. This means the Wordfence scanner compares your website’s code to a database of malware signatures. If there is a match, the scanner flags it as malware. While Wordfence has a formidable malware database, which they update regularly based off of their security research, it can never be 100% complete because the team would need to have seen the malware to update it in the database, and irrespective of comprehensive research, new malware shows up all the time

Therefore, Wordfence is adept at picking up malware found in WordPress core files and folders, as well as malicious scripts in free plugins and themes. But it cannot detect malware in premium software, like Elementor for instance, because they do not have access to the source code for analysis. For the same reason, Wordfence also fails at detecting malware in the database, because that requires a mechanism beyond signature matching to discover.

That being said, Wordfence detected all our file-based malware. By our estimation, it is able to detect 70 to 80% of malware. It is prone to false positives as well, and tends to generate a ton of alerts. We will get to that in a separate section as well.

Malware cleaning

Wordfence has an auto-repair feature to clean malware, but the efficacy is debatable for more complex malware. They have a premium malware removal service but it can gouge a hole in the pocket at $490 per site. Sucuri on the other hand has an unlimited manual malware cleaning service included with all their plans.

Even though Sucuri’s scanner said our site didn’t have malware—which it definitely did—we requested a cleanup, not expecting a lot. However, the site came back to us spotless. We ran it through MalCare to check. Oddly enough, after the Sucuri team cleaning our site, the scanner flagged malware on it. Clearly, a bug somewhere.

The malware removal service was very prompt. Although our plan guaranteed a response in 30 hours, we got a cleaned site back in less than 10. That’s terrific. The only caution we would want to point out is that, when you have a hacked site, time is of the essence. You cannot afford to have malware languishing on your website for long. Just to underscore how important it is to act fast, Google blacklist also measures your response time to notifications of malware.

For malware removal, you need to request a cleanup from Sucuri. Fill out a form with all the information you can provide, and the team takes over from there. We got a message back from Sucuri with a post-hack checklist with great recommendations. So overall, the malware cleaning feature with Sucuri is a thumbs up.

Wordfence has 2 options for dealing with hacked files on the dashboard:delete all deletable files and repair all repairable files. This is apart from a CTA suggesting we opt for their expert cleaning service.

We tried both options, and they were both fairly successful at removing the malware off of our website. The problem is that the automatic removal is preceded by dire warnings of the site breaking due to changes.

Our test sites are backed up on BlogVault, and frankly we weren’t all that fussed about them breaking. While we were able to power through without too much thought, it is because we were interested in testing the repair feature. However, the case would be very different for, say, someone’s ecommerce store or a high-traffic website.

In our testing series, we usually stopped at this point because most of the other security plugins failed. Wordfence cleaned all the file-based malware from our website, so we tried the feature with database malware and some in our premium plugins. The scanner wasn’t able to detect this lot of malware, and therefore automatic repair wasn’t even an option.

The other alternative was to request malware removal. The service purports to remove malware, backdoors, and do a security audit of the website, assessing for vulnerabilities. In case your site has landed on a blacklist, Wordfence will help get rid of that as well. The service is guaranteed for a year, contingent on whether the site admin has followed the post-hack recommendations to the letter. Please note:We cannot speak to the efficacy of Wordfence’s malware removal service, as we didn’t try it out.

On the other hand, we used MalCare to remove all the malware automatically, and we were able to do so without an issue. No dire warnings, no missed malware, and our site was squeaky clean in minutes. That’s the sort of malware cleaning that we want for our website.

Firewall

Both Sucuri and Wordfence have great firewalls which block out most common and major threats. But Sucuri’s firewall was a nightmare to install, and Wordfence’s free firewall worryingly gets updates later than their premium version.

Sucuri’s firewall kept out attacks like SQL injections, remote injections and cross-site scripting attacks. Our test website had a ton of vulnerabilities, like unsecured file uploads for instance, and remained safe behind the firewall.

Our issue with Sucuri’s firewall was its installation. To use the firewall, you need to point your traffic to their nameservers, so that the bad traffic is filtered out and only good traffic is sent forward to your website. Excellent idea, but what a nightmare to configure. Our test websites weren’t attached to any domain registrars, so we had to enlist the engineering team to figure this out.

Wordfence’s firewall also works out of the box, and keeps out attacks successfully.

Straight after installation, the firewall went into learning mode. Wordfence recommended that we leave learning mode on for a week. This is fair, because firewalls need live traffic to learn how to be effective. However, because we don’t have live traffic to our test websites, we saw little point in waiting for a week and turned it out right away.

With Wordfence, the free firewall is supposedly only 35% effective. This is not an assumption on our part, but is actually on the dashboard. We dug a little deeper to figure why that might be the case. There are 2 reasons:

One:the free firewall loads like a plugin, after WordPress has finished. Load order affects security significantly, because if the firewall loads after WordPress core that means it can keep out only some malicious traffic, not all of it.

Two:While Wordfence has the most updated firewall, the premium version receives those updates in real-time. The free version however receives updates after an unspecified length of time. We have no way of knowing what the delay is, but it is potentially problematic. Hackers can strike in the window after all.

The biggest giveaway is that Wordfence themselves rank their free firewall at 35% effective compared to their premium version. Not great.

Vulnerability detection

Wordfence did a superb job of detecting all the vulnerabilities on our website. Sucuri missed the obscure ones altogether.

We were impressed to see that Wordfence alerted us to all the out-of-date plugins as medium threats. The vulnerabilities were flagged correctly as critical threats. Other security plugins tripped up on the more obscure plugins and themes, not alerting us at all to their serious vulnerabilities like cross-site scripting in one case. So Wordfence came up trumps here.

It isn’t possible to fix vulnerabilities directly from the Wordfence dashboard, but that makes sense. Fixing vulnerabilities essentially means updating the plugin or theme, and that functionality is already easily available on wp-admin. Unless Wordfence had a visual regression like MalCare to make sure the update didn’t break the site, there is no point in replicating an existing feature.

Wordfence also threw up errors for iThemes and Backupbuddy. This is indicative of their tendency to flag false positives on the website.

Sucuri detected all but the most obscure vulnerabilities on our test websites. You can update your outdated software from the Sucuri dashboard though, unlike Wordfence. We don’t really see the utility, since updates are easily possible through wp-admin.

The post-hack tab lists out versions of the installed plugins and themes, alongside their latest versions. Sucuri cautions against continuing with out-of-date software because they can lead to malware infections.

Interestingly, even Sucuri’s malware removal service was only able to detect some of the vulnerabilities on our website. Given our experience with the scanner, we thought that the removal service would do a better job of detecting vulnerabilities. That doesn’t appear to be the case.

Brute force login protection

Wordfence does an excellent job of blocking all brute force attacks. Sucuri’s login protection feature doesn’t seem to work.

Brute force protection is enabled by default on Wordfence. It works perfectly each time, locking out users with too many incorrect attempts, based on the configuration we set on the dashboard.

You’ll find the settings in the firewall section. There are plenty of things to customise in the options menu:setting lockouts for incorrect login attempts; how much time a user will experience lockout; और इसी तरह। The options aren’t overwhelming, and Wordfence explains each one cogently and with great documentation.

You can set password management options here too, making sure to enforce strong passwords, and preventing the use of passwords discovered in a data breach.

It is possible to whitelist IPs in this section, but we are ambivalent about their effectiveness. Device IPs are dynamic, so having an allowlist doesn’t guarantee that a legitimate user isn’t locked out.

Sucuri’s brute force protection didn’t work as expected. We didn’t experience a lockout, nor was there a captcha to make sure that we were humans not bots. We didn’t get alerts, even though the attacks showed up in the audit logs. Overall, the feature was a washout.

You wouldn’t think that to see the configuration options on the dashboard though. There were so many options, we were reeling after a point. All in all, we’d prefer fewer options with a feature that works, rather than the opposite.

Activity log

Sucuri has an audit log, but it can be hard to comprehend. Wordfence doesn’t have an activity log.

Sucuri has an audit log which tracks all user actions, and plugin and theme changes. The logs will show all changes made to files and tables, which is good.

The logs have necessary information like user, action, timestamp, etc. But in some cases, the entries are very difficult to understand. For instance, to test the logs, we installed a gallery plugin. The resulting entries on the audit log show 7 different changes. It wasn’t clear from the entries what the change was, why it was happening, or who was responsible. Therefore, the audit log is next to useless to anyone who doesn’t speak Sucuri.

We were surprised to see that Wordfence doesn’t have an activity log, considering it is one of the pillars of website security. There is an option to enable debugging in the Diagnostics section of the Tools menu, which causes the firewall logs to become more verbose, but that’s not the same thing as an activity log.

After much digging, we discovered an activity log specifically for Wordfence events in the Scan section. It is a raw log though, clearly intended for Wordfence developers only.

Two-factor authentication

Wordfence has a great two-factor authentication feature. Sucuri doesn’t support it on your website.

Wordfence two-factor authentication works out of the box, with an easy set of options to customise the experience. It used to be a premium feature, but has since been added to the free plugin as well.

Sucuri doesn’t support two-factor authentication for your website, but you can secure your Sucuri account with it.

Server resource usage

Both Sucuri and Wordfence are resource hogs. We saw unmistakeable blips in disk usage with scans and because of the firewall.

This is one factor where there is nothing to choose between Wordfence and Sucuri:they both did equally badly.

Every single action these plugins perform on your website consumes server resources. Our websites are relatively small, and we saw the disk usage double and sometimes triple when we set up scans. This impacted load time, response time and the overall experience on the website.

Sucuri

Wordfence

If you have a WooCommerce website, or one with high-traffic, this effect will be noticeable to your users. If you are on shared hosting, your web host will raise flags and your hosting expenses can potentially increase. In fact, many web hosts have banned Wordfence for this very reason.

While people rarely talk about server resources when discussing security, it is an important factor. No one should have to compromise on either performance or security. It is entirely possible to optimise both.

Not with Sucuri or Wordfence, though. For that, you’ll need MalCare.

Alerts

Both Sucuri and Wordfence are notorious for innumerable alerts and false positives.

We are firm believers in taking the burden off our customers when it comes to WordPress administration. Firewalls should block traffic quietly. Bot protection should work out of the box. Admin should only be alerted if there is something that needs their attention and action. WordPress security should be stress-free and easy, otherwise what is the point of a security plugin?

RIP inbox

Apparently neither Sucuri nor Wordfence subscribe to this school of thought, because their alerts are overwhelming. Our inboxes were flooded in no time at all. Too many alerts is as bad as no alerts, because ultimately both lead to inaction when necessary.

Installation, configuration, and usability

Wordfence is designed to be very straightforward for a novice user. Sucuri is not.

Wordfence’s installation, configuration and overall use is one of the best we have ever seen. There are walkthroughs on each major section, explaining the most important settings and features in simple, non-threatening language.

Wordfence has great recommendations for configuration. Their documentation is accessible from the tooltips on the dashboard, making it highly contextual. Each feature is clearly explained, and instructions on how to make it work on your website are instantly accessible.

These may seem like odd things to point out. However, if you have ever tried Sucuri, you realise that ease of understanding is a non-trivial part of any user experience. In fact, if we had to describe Sucuri in one word, that word would be bewildering.

Installing Sucuri was easy, and it went downhill from there. To use the server-side scanner and firewall, you have to configure them manually. There are so many options that we spent hours trying to make sense of them, in addition to figuring out if they had any real impact on security.

Overall, these two plugins are at opposite ends of the spectrum.

Wordfence:Extras

Wordfence is strictly security. There isn’t a single feature, option or line that is even security-adjacent, like updates or user management options. In spite of that, there are several extras.

There was a notifications section for site updates, which showed us which plugins and themes needed to be updated on priority because they were either critical or medium threats.

Wordfence has an external dashboard to manage multiple sites on the same account called Wordfence Central. It has an accompanying section on the wp-admin of each connected site as well, presumably so you have a bird’s eye view of every site regardless of which site you are currently working on. In our opinion, this is of limited utility and will not work for agencies with hundreds of managed sites.

Next we looked at the Tools section. There is a section for live traffic, which seemed to replicate Google Analytics, but was more than that. These logs classify traffic with a key to see what type of traffic the website is getting:human, bot, warning, blocked.

There is a Whois lookup option, in case you want to see who the attacker is without leaving wp-admin. Again, this is an incidental feature at best.

We thought Diagnostics was really interesting, as it had a lot of information about the website. Everything is very granular there, right from process owners to database tables. Developers will find this info vastly useful, because it is like a spec of the website all in one place.

Sucuri:Extras

Sucuri has a lot of extra frills and furbelows in their plugin. Whether any have an impact on security is another matter altogether.

The first thing you will see on installation is the WordPress integrity infobox. It really is a fancy version of a WordPress core file change monitor. Obviously, it is somewhat useful to have a file change monitor for WordPress core files, but the efficacy is not as much as is made out to be. Hackers can and will change file metadata, like update timestamps, to work around these measures. So yes useful, but not so much.

There is an integrity diff utility to compare core files on the website with the original WordPress installation. It is certainly easier than using an online one, if you are cleaning out malware manually—which we don’t at all recommend.

Sucuri has lots of WordPress hardening features. Blocking PHP in the uploads folder protects against one category of hacks, and we like the ability to change WordPress salts quickly from the dashboard. It could have been done better though. If the feature was on the Sucuri’s external dashboard rather than on wp-admin, it would have been safer. Imagine a hacker gains access to wp-admin, the salts would be easily compromised as they are in plaintext.

Some of the other options are of limited utility, like verifying WordPress version, removing WordPress version, avoiding information leakage, and verifying default admin account. They are meaningless from a security perspective.

Other hardening features were confounding. For instance, if we were to disable plugin and theme editor, how could we update plugins and themes with vulnerabilities? Counterproductive to say the least.

The password management feature held some promise, but the warning would terrify all but the most brave:“Select users from the list in order to change their passwords, terminate their sessions and email them a password reset link. Please be aware that the plugin will change the passwords before sending the emails, meaning that if your web server is unable to send emails, your users will be locked out of the site.”

What’s missing from Wordfence and Sucuri

Sucuri doesn’t have a good malware scanner. The brute force login protection doesn’t work, and it takes up too much of server resources. There is no bot protection either, and you would need a separate plugin for two-factor authentication.

Wordfence misses out on bot protection and an activity log. The scanner is above average; definitely a cut above the other security plugins available apart from MalCare. Apart from these things, it is an exceptional security plugin.

Wordfence vs Sucuri:Pricing

Sucuri’s plans start at $199.99 a year per site, which is a great deal for unlimited malware removal. The firewall works well, but the scanner is a let down. Wordfence premium plans are at $99 for the year per site, with attractive bulk pricing options. However, our opinion is that the free version is almost as good as the premium version.

Sucuri is a winner when it comes to the unlimited malware removal feature. The support team was great, with a quick turnaround time, helpful response and a proactive post-hack checklist. But the malware scanner was a complete failure, and that’s not a small flaw to overlook.

The free version of Wordfence is strong enough to stand on its own. The premium version is not all that different, the efficiency percentages on the dashboard notwithstanding. The real expense to consider with Wordfence is the cleaning service at $490 a pop, over and above the site license. If you are considering Wordfence seriously, read the fine print. Although they say unlimited pages, there are additional charges for sites above 10 GB. They guarantee the service for a year, but there are terms and conditions. None of this is unreasonable, but it is important to be aware before taking the plunge.

Better alternative to Wordfence and Sucuri:MalCare

The best security plugin for your website isn’t Wordfence or Sucuri, it is MalCare. It has an excellent scanner that detects malware in all parts of your website:core WordPress, files and the database. Additionally, the auto-clean feature removes all malware surgically, without breaking your website.

MalCare has an advanced firewall that proactively blocks bad traffic from reaching your website. The brute force protection makes sure that your login page is safe from malicious attacks, and the bot protection goes even further to make sure only bad bots are kept away from your website.

There is a formidable support team of WordPress security experts to help with any issues that come up. Any malware removal cleanups necessary beyond the auto-clean are covered with the site license.

Thus, in a feature-to-feature comparison, MalCare undoubtedly comes out on top. MalCare’s $99 plan is vastly better than Sucuri’s $199.99 Basic Platform plan, and includes unlimited malware removal, which is over and above Wordfence’s $99 plan.

Conclusion

When choosing a WordPress security plugin for your website, make sure to evaluate the scanner, cleaner and firewall. All the other features can be implemented with other plugins, but these 3 features form the essence of a good plugin.

At MalCare, our goal is to make security stress-free and painless, so that you can focus on the more important aspects of your website. Leave the security to us, as you grow your business.

We hope this comparison was helpful, as we have presented all our findings transparently. Have further questions? Drop us a line. We would love to hear from you.