Sucuri vs. Sitelock: Which is a Better Security Plugin

If you’ve been doing research on the best plugins for WordPress security, you’ve probably come across Sucuri and Sitelock. These two popular plugins offer a range of features that can help keep your website safe from online threats. However, choosing between them can be overwhelming, especially when comparing factors such as cost, ease of use, and features. There is also so much tech jargon that can be difficult to get through. We’ve got you covered! 

We have compared Sucuri vs Sitelock and put together all the key security information. We’ve also simplified the information so you can choose the best option for your website.

Sucuri is a decent security plugin when compared to Sitelock. Although their scanner isn’t perfect, their malware removal service is top-notch. The firewall is effective in blocking most threats and, overall, Sucuri is of much better value. Honestly, Sitelock is just plain awful. For the best security for your WordPress site, install MalCare.

Sucuri in a nutshell

Sucuri is definitely one of the most popular plugins, but it’s got issues. For starters, the malware scanner is unreliable. Basically, it’s not going to catch all the bad stuff that’s on your site. However, the good news is that Sucuri’s malware removal service is effective. However, they do take time to respond, and that can be very stressful when your site is hacked

The firewall is another story. It works great, but setting it up was really difficult. Basically, we had to mess around with the DNS settings to get them to point to Sucuri’s firewall server instead of our test website. Now, to be fair, you probably won’t run into this problem on your live site. Unless, you don’t have access to your domain registrar, in which case it is going to be a bumpy ride. 

One thing we found really annoying was how complicated everything was. The language Sucuri uses is confusing and borderline condescending. Plus, each security scan slowed down our test sites and caused a surge in server disk usage. Turns out Sucuri uses site resources to scan for malware, which is counterproductive. Wordfence is also guilty of this, by the way. 

All in all, Sucuri is a decent option, but there are definitely some downsides. Just keep in mind that the scanner isn’t perfect and the firewall setup can be a nightmare.

Sitelock in a nutshell

Sitelock seems to fall short on many fronts. The configuration can be challenging and often doesn’t work as intended. The critical security features like the scanner and removal are terrible and don’t work at all. 

Even the secondary security features like two-factor authentication don’t seem to function properly. It’s difficult to understand why this plugin is even on the market given the numerous issues it seems to have. Overall, it appears that Sitelock leaves much to be desired in terms of functionality and effectiveness.

Sucuri vs Sitelock: Head-to-head comparison of security features

While both Sitelock and Sucuri are designed to provide comprehensive security for websites, they have distinct differences in their features and capabilities. We will examine their key features such as malware scanning and removal, web application firewall, among others. By the end of this section, you will have a clear understanding of the strengths and weaknesses of both Sitelock and Sucuri.

Malware scanner

Sucuri caught some of the malware, but is a resource hog. Sitelock didn’t catch anything. 

Let’s talk about Sucuri’s malware scanner. It was able to catch some of the malware on our many test sites. 

There’s both daily and on-demand scanning available, but here’s the catch: they can hog server resources and slow down your website. Plus, even if you choose to only scan certain files and folders to reduce memory consumption, it’s not foolproof. Malware could still be hiding somewhere else.

To enable the server-side scanner, you have to manually upload a file to the web server or allow Sucuri to use your FTP credentials. But then, we came across a setting called “allowlist URL paths,” which we think means we can add folders that we don’t want scanned. However, the help icon wasn’t very helpful, only saying that any links added would suppress warnings for those paths.

On the bright side, when we requested a malware cleanup, Sucuri was able to remove all instances of malware from the site. But then, a few hours later during the daily scan, it flagged malware again and suggested another cleanup. Talk about a rollercoaster ride!

During our testing, Sitelock’s malware scanner proved to be ineffective. Despite running daily scans, the scanner failed to detect any of the malware on our test site. We even ran an on-demand scan, but it still didn’t catch any malicious code. We found it surprising that Sitelock gave the site a clean bill of health despite it being heavily infected. Users can customize the frequency of automatic scans, but only one on-demand scan per day is allowed.

Malware cleaning

Sucuri’s support team was able to clean our site but it took 12 hours. We couldn’t test Sitelock’s malware removal feature because it didn’t flag any malware.

Although Sucuri gave our hacked site a clean bill of health, we reached out to the support team to check for a cleaning service. They responded with a 12-hour turnaround time. They performed an exceptional job in eliminating the malware. The only thing they required was our FTP credentials.

Once they finished the cleanup, they pointed out two of the three vulnerable plugins that we were using for our experiments, and requested us to update them. They also presented us with a set of security measures to follow after the cleanup was completed.

Unfortunately, malware isn’t known for being waiting around patiently, so this is an extremely lengthy—and stressful—wait. To get a quicker response time, you would need to upgrade your plan.

Sitelock’s automatic malware removal feature, SMART, was unavailable for testing due to issues with FTP connectivity. The failure of Sitelock’s scanner to detect malware raises doubts about the effectiveness of its automatic cleaner. Additionally, it is unclear how the expert malware removal feature would function if the scanner cannot identify malware in the first place.


Sucuri’s firewall was hard to install but mostly effective. Sitelock doesn’t have a firewall in the basic plan we installed.

We put it to the test and it successfully blocked attacks like SQL injections, remote injections, and cross-site scripting attacks. Our test website was full of vulnerabilities, but the firewall stood strong and kept it safe from harm. 

However, we did have one issue with the firewall: its installation. Sucuri has what is known as a DNS firewall, as opposed to plugin-based or network firewalls. To activate the firewall, you need to direct your traffic to their servers, which will filter out any malicious traffic and send only good traffic to your website. 

This may sound like a great idea, but boy, was it difficult to configure. Our test websites were not attached to any domain registrars, so we had to call in our engineering team to figure it out. Let’s just say it wasn’t the smoothest ride, but we eventually got there. We’ve talked about this more in the section about installation. 

Anyone who doesn’t have access to their domain registrars or DNS settings, will struggle to install Sucuri’s firewall.

The basic plan offered by Sitelock does not include a firewall or bot protection, which means we were unable to test these features during our evaluation. Disappointing. 

Vulnerability detection

Sucuri was able to detect 2 out of 3 vulnerable plugins. Sitelock detected 0.

Sucuri’s vulnerability detection is average at best, but at least it exists. With the server-side scanner enabled, it was able to detect two out of the three vulnerable plugins on our website. While it’s not a 100% success rate, it’s still a solid effort—something we have grown to appreciate after testing other so-called security plugins.

Despite Sitelock’s claim to have vulnerability detection, our testing revealed that it failed to identify any vulnerabilities on our site. The scanner feature, which includes vulnerability detection for SQL injection and XSS, produced clean results even though both types of vulnerabilities existed on our site. This is a significant failure on the part of Sitelock.

Brute force login protection

Both failed. 

To test Sucuri’s brute force login protection, we changed the setting to 30 failed logins per hour. Initially, we were a bit apprehensive about the lockout settings and being locked out of the site.

However, when we attempted to test the system by trying 40+ incorrect logins in a span of 3 minutes, we were disappointed to find that Sucuri did not raise an alert. We checked the audit logs and found that the failed authentication attempts were recorded, but we could not figure out why Sucuri did not alert us of the attack. This was concerning, as the lack of alert could leave the website vulnerable to further attacks.

Are you sensing a trend yet? Sitelock does not provide brute force login protection, which is an essential feature for preventing unauthorized access to a website.

Activity log

Sucuri has great logs and Sitelock doesn’t have any.

Logs are important. They help you keep track of what’s happening on your website, like who’s doing what and when.

To make sure these logs are safe from attackers, Sucuri needs an API key to store the data about your website offsite. This way, even if someone tries to delete the logs, they won’t be able to.

The good news is that the logs work great! They record the time, user, and action, which is super helpful. The only downside is that sometimes the updates can be a bit unclear. For example, when you install a new plugin, it might show up as “plugin activated,” and there might be seven more entries in the log that show how the installation has affected things. But, unfortunately, there’s not a lot of explanation about what those entries actually mean.

Surprise, surprise! Sitelock does not have an activity log feature, which could be useful for monitoring and tracking user activity on a website.

Two-factor authentication

Sucuri doesn’t have it for WordPress sites. Sitelock claims it does but we couldn’t set it up successfully.

Enabling 2FA on your Sucuri account is possible but it is currently not available for your WordPress site.

Although Sitelock offers two-factor authentication, our experience with it was disappointing. We attempted to use the text message option but encountered a failed message when we clicked to test the configuration. Furthermore, our attempts to set up mobile verification were also unsuccessful.

Server resource usage

Sucuri is a resource hog, but Sitelock has minimal impact on the server. 

Sucuri’s scanners have a huge impact on server resources. So much so that they even discourage frequent scans because of this, which is not great. Why should you have to choose between security and good performance and reasonable server bills?


So, in the General Settings of Sucuri, there’s a Data Storage option that seems to indicate a lot of data (mostly logs) gets stored on the website itself. This is why the API key is needed, as the data is stored in the uploads folder, which is publicly accessible by default. There’s an option to change the storage location to a non-public folder, but it’s weird that this isn’t the default.

Sitelock’s scanner did not have a significant impact on our disk usage, which is a positive aspect of the plugin. This means that using Sitelock for website security does not cause unnecessary strain on server resources. Of course, that also means you don’t get any security either. 


Sucuri has granular settings that are confusing. Sitelock has toggle settings that are confusing. 

The settings for which security alerts to receive are really specific and granular, but the concern here is that there can be too much noise and you might miss the important stuff in all the clutter.

You can set up alerts to be sent to specific people and even customize the format of the alerts. You can also add IP address ranges so those addresses don’t get flagged for alerts, which is pretty cool. But let’s be real, the language they use can be pretty confusing. What is “classless inter domain routing”? No one has time for all that. We just want our website to be safe and sound.

Sucuri seems to know that they can send too many alerts, so they have a setting where you can configure the maximum number of alerts you receive in an hour, like up to 5 emails. But here’s the thing: what if the first 5 were all false alarms and the 6th one is actually legitimate? They do have a disclaimer for this, but it’s still better to have the actual information than a useless feature, right?

Sitelock has a feature for users to toggle notifications for security issues on and off from the dashboard. However, the nature of these alerts is not clear, leaving users unsure of what to expect.

Installation, configuration and usability

Both were hard for us to install. 

There is a lot to say about Sucuri’s installation, configuration and use. So, let’s break it down:


The installation process for Sucuri is generally straightforward, with the exception of the firewall setup, which requires a little more attention. When it comes to the firewall installation, Sucuri’s documentation states that changing your DNS A record to point to their firewall IP addresses is all that is necessary. This step will redirect all traffic to their servers, where it can be filtered for malicious content. This process ensures that only legitimate traffic is forwarded to your site, providing an added layer of security. If you have experience with DNS records, the process should be relatively simple.

Unfortunately, our test sites lack domain names and we do not have access to their nameservers, which prevents us from pointing them to the Sucuri firewall. Although we were able to purchase a firewall plan for one of the test sites without any issues, we were unable to automatically integrate it as Cloudways does not offer cPanel or Plesk.

To proceed with testing, we needed to ensure that the internal domain link was functioning correctly and loading our website properly, which it did. We then attempted to use Sucuri’s DNS servers, but were hesitant to do so for fear of being unable to revert the changes.

Our first attempt was unsuccessful as the domain was not managed by our account. However, we were able to successfully install the firewall on another test site, which included the Audit logs page previously mentioned.

You may not face these issues on a live site, unless you don’t have access to its DNS settings. In which case, you will require engineering assistance to set it up. 


Sucuri’s settings can be challenging to navigate due to the technical terminology used, which can take a significant amount of time to understand. Although the plugin does provide some recommended settings, users may have to trust the suggestions blindly. Additionally, the effectiveness of Sucuri’s malware scanner has been questioned, which can cause doubts about the plugin’s overall capabilities.

Post-hack features

Upon exploring this feature, we discovered some drawbacks.

For instance, updating secret keys by changing WordPress salts from the dashboard is risky since it’s in plaintext and visible to all admins logged into wp-admin. Hackers with admin access pose a significant threat, and this feature should only be utilized after confirming that none of the admin accounts are compromised, a point that isn’t emphasized.

The reset user password feature appears promising but has a caveat. Users are chosen from a list to change their passwords, terminate their sessions, and receive a password reset link via email. However, the plugin changes passwords before sending emails, so users could be locked out of the site if the web server fails to send emails.

Resetting installed plugins is only marginally useful for free plugins. Premium plugins still require reinstallation, while themes are not mentioned, presumably because it could cause the loss of customizations. Instead of reinstalling everything, it’s advisable to clean the code.

The available plugin and theme updates feature only provides basic version management and doesn’t enhance the existing admin dashboard functionality. Nevertheless, it may educate users on the connection between outdated plugins and themes and security risks.


Initially, we were impressed with the layout of the wp-admin dashboard. However, we noticed that the largest infobox focused on WordPress integrity, which is a file change monitor in disguise. Although this feature may prove useful in some situations, it could mislead inexperienced users into thinking it is the only tool necessary for detecting malware.

As we explored the settings further, we discovered an integrity diff utility that could be used to compare core files and detect differences. This feature may be more user-friendly than an online diffchecker utility. However, we also found some of the settings, such as log analysis software and reverse proxy, could be challenging for non-technical users to understand. It was frustrating to receive condescending instructions to avoid certain options unless we knew what a reverse proxy was. The complexity of the settings may be overwhelming for some users.

Installing Sitelock was not a straightforward process. The plugin is installed and activated like any other plugin, which gives a first impression that it will be easy to use. However, finding the plugin dashboard was a bit tricky as it’s located under the Tools menu in wp-admin, and there’s no settings link on the plugins menu. 

After a bit of hunting, the plugin dashboard was located, but it required a connection to Sitelock’s site. Clicking the button led to the ‘how it works’ page, which wasn’t what we wanted. Clicking the button again led to the pricing page, and after purchasing a plan, we were taken to the Sitelock homepage with instructions to expect an email. The email contained a payment acknowledgement with a link to the Sitelock dashboard on our site. From there, we had to configure the plugin to access its options.  

However, the SMART setup required FTP access to our site, which was unsuccessful despite having credentials that work with dedicated clients. After abandoning the SMART setup, we tested out the plugin on the dashboard.



Hardening features

It is worth noting that implementing these security measures can impact the user experience. For example, disabling the plugin and theme editor can make it more difficult to make certain changes to the website. The company also claims that they will block all PHP files, but it is likely that this only applies to remote execution of PHP files in the includes folder, as blocking all PHP files on the website would render it dysfunctional.

However, the caveat about some plugins and themes needing access to PHP files in these folders is not sufficient. For instance, Sucuri themselves save PHP files in the uploads folder. It is unclear if they need access to their own files from their external dashboard, or if this is an exception to the rule. This indicates that the rules for implementing security measures may be flexible in ways that are not readily apparent to the user.

API service communication

The documentation around API service communication can be confusing, and it can take a considerable amount of time to understand the settings and evaluate their impact on security.


The Sitelock dashboard seems to have anti-spam features, but it’s unclear how to handle spam once identified.

The inclusion of full site backups, instead of just database backups, is impressive. Unfortunately, the backups are stored on the site server, rendering them useless in the event of a server failure.

What’s missing?

Sucuri has room for improvement. Sitelock needs to reconsider if they’re a security plugin in the first place.

The malware scanner is not great. The brute force login protection is a bit of a letdown and can really eat up your server’s resources. Plus, there’s no built-in bot protection, which is a bit of a bummer. It also doesn’t have two-factor authentication—you’ll need to install a separate plugin for that. All in all, Sucuri could definitely use some improvements in these areas.

In short, Sitelock lacks everything needed for effective website security. Its malware scanner is non-functional, vulnerability detection is non-existent, and the cleaner is potentially hazardous to use. Two-factor authentication doesn’t work, and there is no login protection, making it an unreliable security tool.


Sucuri is more worth it. It atleast does something. Sitelock isn’t worth it.

The price of $199 a year would have been fine if the malware scanner, removal and firewall was any good. But the basic plan of MalCare is far more effective and less expensive. 

The plugin offers plans ranging from $149 to $349 per year, per site. Based on the basic plan’s performance, it seems like a wasteful investment.

We attempted to cancel our subscription but were instructed to call support, then billing or use chat. The complicated cancellation process raises concerns about the company’s customer service.

Best alternatives to Sucuri and Sitelock

We obviously don’t think either Sucuri or Sitelock are the best security plugins. They both have serious issues that are frustrating and security features that are ineffective. So, what’s the best security plugin? Well, MalCare is amazing. The scanner, malware removal, firewall and usability is so much better than the other plugins. 

How to choose the best security plugin?

The crux of the matter is how to choose the best security plugin for your website or application. With so many options out there, it can be overwhelming to know where to start. To simplify the process, we’ve compiled an essential list of security features that should be a top priority when selecting a plugin, as well as some good-to-have features that can further enhance your security measures.

Essential security features

Malware scanner: This means that the plugin will regularly scan your website or application for any malicious code or files that may have been injected by hackers. 

Malware cleaner: If malware is detected, the plugin should be able to clean it up as well. Otherwise, it’s pointless. 

Firewall: A firewall is another essential feature that should be included in any security plugin you choose. A firewall acts as a barrier between your website or application and the rest of the internet, blocking any unauthorized access attempts and preventing malicious traffic from reaching your site. 

Good-to-have features

Vulnerability Scanner: This can help identify any weaknesses in your website or application that may be exploited by attackers. 

Brute force login protection: Brute force login protection is another useful feature that can prevent automated login attempts by guessing usernames and passwords.

Activity log: It can help you monitor any suspicious activity on your site, such as failed login attempts or unauthorized changes to your content.

Two-factor authentication: This is also becoming increasingly popular as an additional layer of security, requiring users to enter a code sent to their phone or email in addition to their password.

Potential problems

Impact on server: Some plugins can be resource-intensive, causing your website or application to slow down or crash. Be sure to choose a plugin that is lightweight and optimized for performance to avoid any negative impact on your site’s speed and stability.

Final thoughts

The core features to evaluate when picking a security plugin are the scanner, cleaner and firewall. All the other features can be implemented with other plugins. Sucuri and Sitelock are subpar on these fronts. MalCare is the way to go, if you’re looking for a stress-free security plugin that protects your site. 


Is Sucuri’s firewall worth it?

It is a reasonably effective security tool. But, it can be a bit difficult to install if you don’t have access to DNS information. Plus a firewall, by itself, is not enough to protect a WordPress site. 

What is Sitelock used for?

Sitelock is a security plugin for WordPress sites. Or at least, that’s what they claim. They fail at basic security functions like scanning, cleaning and firewalls. 

What are the benefits of Sucuri?

Sucuri offers website owners malware detection and removal, a website firewall, website speed optimization, SSL certificate management, reputation monitoring, and professional support. It provides a comprehensive set of website security services to protect your website from various threats and improve its performance.

The post Sucuri vs. Sitelock: Which is a Better Security Plugin appeared first on MalCare.

Posted in

About Us

I believe that everyone should have a mechanic that they can trust and after spending several years helping out various customers for large companies I've seen my fair share of issues.

Honesty, Integrity, and Compassion are what we share with everyone that we work with. Stop scouring the internet for help and see how we can help you today.

Our Services

Website Migrations

Plugin & Theme Updates

IDX Broker Customizations

Facebook Chatbots

DNS & Email Integrations