When it comes to WordPress sites, security and performance are two essential aspects that need to be taken into consideration. With the increasing number of cyber threats and the need for faster-loading websites, it’s necessary to have reliable web security and performance services.
In this article, we’ll compare Sucuri vs Cloudflare delving into their features, ease of use, pricing and so much more. We will compare them side by side, so you’ll have a better idea of which service to choose to ensure your WordPress site is secure and performing at its best.
Both Cloudflare and Sucuri offer a firewall, DDoS protection, and CDN but that’s where the similarities end. A WordPress security plugin needs a malware scanner, cleaner, and a firewall to be complete. Sucuri has the scanner and firewall, but malware removal is done via their support team. Cloudflare is focused on web traffic services, so cannot be considered a security plugin, but a hybrid between performance and security. In this pitched battle, Sucuri is the winner, but only because it has all the necessary features. For complete security features that actually protect your site from malware, you need MalCare.
Sucuri in a nutshell
Sucuri is undeniably a popular plugin, but it’s not without its flaws. Firstly, its malware scanner is unreliable, because it doesn’t detect all malware that is on a site. We would peg the scanner at about 40 to 50% efficiency, which is below average. On top of that, the security scans slow down sites while causing a surge in server disk usage.
However, the malware removal service is effective. The trouble we see here is that if the scanner doesn’t alert you to malware, you will be hard-pressed to know if your site is infected. In fact, unless you are seeing very clear symptoms of a hacked WordPress site, you wouldn’t know to use their malware removal service at all.
The firewall is excellent, but setting it up is difficult and requires playing around with DNS settings. Also, in our opinion, Sucuri’s language can be confusing and condescending.
Cloudflare in a nutshell
Cloudflare provides security and performance services for websites. One of their main features is a firewall that protects against cyber attacks, such as DDoS attacks.
The free plan only includes DDoS protection, so to access the firewall and other advanced features, you need to purchase a higher plan. The better plan you purchase, the more protection you get against different types of attacks, including bot protection.
Cloudflare’s bot protection can help keep out spam bots, so you might see a reduction in spam comments and form submissions without needing to use a separate anti-spam plugin. However spam bots are not the only types of malicious bots. Brute force bots, scraper bots, and those that masquerade as search engine bots are equally bad, if not worse. Sophisticated bot protection keeps out bad bots, without impeding the good ones.
Cloudflare also offers performance and optimization options for websites, such as a content delivery network (CDN) and load balancing. Cloudflare’s CDN is better than Sucuri’s to a significant degree.
Sucuri vs Cloudflare: Head-to-head comparison of security features
Sucuri and Cloudflare have a few security features in common, and some performance features in common, which is why people want to compare the two services. However, during our testing, we see that they have different goals. Sucuri is more of a security service, whereas Cloudflare leans towards performance.
Even so, we have compared the like features, while indicating which security features Cloudflare doesn’t have. As security experts, our perspective and emphasis will always be on WordPress site security. So, let’s dive in and find out which plugin will keep the bad guys out.
Sucuri is a little good at scanning for malware. Cloudflare doesn’t scan at all.
Sucuri’s malware scanner offers both daily and on-demand scanning for your website.
Enabling the server-side scanner requires uploading a file to the web server or allowing Sucuri to use your FTP credentials. If you’re concerned about security, you can opt for SFTP instead. Sucuri also offers a feature called “allowlist URL paths” which allows you to add folders that you don’t want scanned.
The scans did not pick up on the malware loaded on our site. We knew that Sucuri would have trouble identifying malware in the database, but it failed to find the malware in the files as well. This is of some concern, because we had a mix of old malware and new. If the signature database was up to date, it should have at least caught the old malware.
Additionally, these scans slow down your website due to server resource consumption. Even if you choose to scan only certain files and folders to reduce memory usage, malware could still be hiding in other areas of your website. You should never have to choose between security and performance.
Post-malware cleanup, the daily scan flagged malware again and suggested another cleanup.
Overall, Sucuri’s malware scanner isn’t effective, and is a resource hog to boot.
Cloudflare does not have a built-in malware scanner that can scan your website for malicious code or files.
Sucuri has a good but delayed response to malware removal. Cloudflare has none.
For starters, the scanner found no traces of malware on our hacked site, as we detailed in the previous section. This should have been the end of the road, but we tested the malware cleaner anyway.
When we requested the malware removal service, they responded with a cleanup in 12 hours. Unfortunately, malware gets worse the longer it is left. You can opt for a higher plan to speed up wait times, but even a few hours can be excruciating when your site is hanging in the balance.
Sucuri did, however, do a fantastic job of cleaning the malware on the WordPress site. Our MalCare scan came out squeaky clean. Kudos to Sucuri for that. The only thing they needed was the FTP details.
Once they had cleaned up our site, they pointed out some vulnerable plugins that needed to be updated. They caught 2 out of 3 of the vulnerable plugins we had installed for our tests. This is helpful because let’s be real, we love cleaning up malware as much as we love going to the dentist.
Cloudflare does not offer any specific features for removing malware from websites.
Firewall was difficult to install with Sucuri and Cloudflare has an incomplete firewall that mostly protects against bots.
We put the firewall through the wringer, and it did an excellent job of blocking all sorts of attacks like SQL injections, remote injections, and cross-site scripting attacks. Our test website was full of vulnerabilities, but the firewall held its own and kept it secure.
However, we did encounter one hiccup with the firewall: its setup process. You have to redirect your traffic to Sucuri’s servers. Sucuri then sifts through all incoming traffic and filters out anything malicious, sending only the good traffic to your site.
Sounds good, right? But it was a tough install. Our test sites weren’t connected to any domain registrars, so we had to call in our engineering squad to sort it out. We’ll delve deeper into this later on when we talk about installation.
On Cloudflare’s free plan, users can create up to 5 custom firewall rules, but it requires specialist knowledge, so most users may need developer assistance. The free firewall provides basic bot protection, and there is also a separate Scrape Shield feature that protects against scraper bots. Geoblocking is available, but it is a premium feature.
Sucuri has an average vulnerability scanner. Cloudflare has none.
While Sucuri’s server-side scanner can detect some vulnerabilities, it’s important to note that it isn’t foolproof. A scan of our site detected 2 out of 3 vulnerabilities. The more obscure plugins or themes, with fewer than 200 installs are likely to be glossed over.
Cloudflare does not offer any vulnerability detection features.
Brute force login protection
Sucuri failed at our tests. Cloudflare may be able to stop bots but there are no login protection features.
We conducted a test on Sucuri’s brute force login protection by configuring the settings to allow for 30 failed logins per hour. Initially, we were hesitant about the lockout feature, fearing being locked out of the site.
To assess the system, we attempted to test it by trying over 40 incorrect logins within a 3-minute time frame. However, we were disappointed to discover that Sucuri did not trigger an alert.
While the failed login attempts were logged in the audit logs, we could not determine why Sucuri failed to send an alert. This situation is concerning since the absence of an alert could leave the website vulnerable to subsequent attacks.
Cloudflare does offer bot protection and that can help. However, Cloudflare does not have specific login security features that are required for preventing brute force login attacks.
Sucuri has a complex activity log, but at least has one. Cloudflare only has firewall logs, which don’t track user activity on the site.
On Sucuri’s dashboard, this feature is called an audit log. You’ll notice that they record the timestamp of specific actions, as well as the user who performed them.
Although the logs are comprehensive, we found them too confusing to use. For instance, installing a new plugin will typically show up as a “plugin activated” entry in the log. But there might be several more entries that show what the installation affected, without clear explanations for what those changes were.
On a separate note, to prevent potential attackers from deleting the logs, you can obtain an API key. This key allows Sucuri to store the website data they collect and keep it safe on their servers.
Cloudflare provides a firewall log to track traffic and security events, but it does not offer an activity log that monitors user-made changes on the website.
Neither have it for your WordPress site.
While enabling two-factor authentication on your Sucuri account is possible, it’s important to note that this feature is not currently available for WordPress sites through Sucuri.
Cloudflare does not offer two-factor authentication as a security feature for user accounts.
Cloudflare’s CDN is better because they have more data centers and optimization features.
Sucuri’s global network of data centers is utilized by its CDN to serve cached content, which ultimately leads to reduced website latency and load time. This feature ensures that users can access the site quickly and efficiently, regardless of their location. Besides caching, Sucuri’s CDN also employs website optimization techniques such as compression and minification to further improve website performance.
Users have reported a noticeable decrease in website load times and performance after implementing Sucuri’s CDN. Once the CDN is set up, it requires minimal ongoing maintenance, and advanced users can customize cache settings for better control.
Cloudflare’s CDN is a globally distributed network of data centers spanning across more than 250 cities in over 100 countries. It is designed to improve website performance by caching and serving content. Coupled with advanced technologies like Argo Smart Routing and HTTP/2 prioritization, Cloudflare’s CDN results in significant improvements in website load times and performance.
Additionally, Cloudflare’s CDN offers image resizing, a feature not provided by Sucuri. Image resizing is important as it helps to reduce the size of the content served from CDN, saving up to 50-60% of data, especially in cases where a user opens a website on a device with lower dimensions than the image.
While Cloudflare’s CDN network is much larger than Sucuri’s, users in regions without Cloudflare’s CDN presence may experience slower load times.
Server resource usage
Cloudflare optimizes your site’s performance and Sucuri is a resource hog.
Sucuri’s server-side scanning can have a significant impact on server resources, which can lead to slower website performance and higher server bills. This is concerning because website owners shouldn’t have to choose between security and good website performance.
In the General Settings of Sucuri, there is an option for Data Storage that indicates a lot of data, mostly logs, is stored on the website itself. This is why an API key is needed, as the data is stored in the uploads folder, which is publicly accessible by default. While there is an option to change the storage location to a non-public folder, it’s strange that this isn’t the default setting.
It’s important for website owners to be aware of the potential impact on server resources when using Sucuri’s scanning services and to consider adjusting their settings accordingly.
Cloudflare can enhance server usage metrics by preventing bad requests with its firewall protection. It does not provide a scanner or cleaner for malware which usually takes up server resources. Therefore, it’s better for performance than security.
Sucuri has granular settings for alerts and Cloudflare has none.
Sucuri’s security alert settings are highly specific and detailed, which can be both a blessing and a curse. On one hand, users can customize which alerts they receive and even choose the format and recipient of those alerts. It’s also possible to exclude certain IP address ranges from being flagged, which is a handy feature.
However, the language used in the settings can be confusing for non-experts. Terms like “classless inter domain routing” can be intimidating and hard to understand. Ultimately, most users just want their website to be secure without having to navigate complicated technical jargon.
Sucuri acknowledges that too many alerts can be overwhelming, and offers a setting to limit the number of alerts received per hour to a maximum of five emails. While this feature may seem useful at first, it’s important to note that the most critical alerts could still be lost in a flood of false alarms. Sucuri does provide a disclaimer for this limitation, but it’s important to weigh the pros and cons of this feature carefully.
There were no alerts generated by Cloudflare during our testing, and we did not find any settings for configuring notifications within the platform.
Installation, configuration and usability
They are both fairly difficult to configure without some external help.
We have a lot to say about Sucuri’s usability and configuration. So, let’s get started:
Installing Sucuri is typically a straightforward process, but configuring the firewall requires a bit more attention. The documentation instructs users to change their DNS A record to point to Sucuri’s firewall IP addresses, which redirects all traffic to their servers for filtering. This process adds an extra layer of security by ensuring that only legitimate traffic reaches your site. However, if you lack experience with or access to DNS records, the process may be a little complicated.
Our test sites did not have domain names, so we were unable to point them to the Sucuri firewall. Even though we were able to purchase a firewall plan for one of the test sites without any issues, integrating it automatically was not possible as Sucuri did not offer cPanel or Plesk. To continue with testing, we had to make sure that the internal domain link was functioning correctly and loading the website correctly, which it did.
We attempted to use Sucuri’s DNS servers, but we were hesitant to make the change as we were concerned about being unable to revert it. Although our first attempt was unsuccessful, we were able to successfully install the firewall on another test site, which included the previously mentioned audit logs page.
The usability of Sucuri is challenging due to the complexity of its settings. Understanding the technical terms used in the plugin takes some effort. In certain instances, the plugin suggests recommended settings, but the user may have to operate on blind faith. Unfortunately, the issue is that Sucuri’s malware scanner is ineffective, which diminishes trust in the plugin’s capabilities.
It would be helpful if Sucuri’s plugin was more user-friendly. While it appears to offer decent functionality, it is difficult to be certain as key features like brute force protection don’t seem to be effective.
After examining these features, we identified some drawbacks. For example, changing WordPress salts from the dashboard can be risky since it’s visible in plaintext and accessible to all admins logged into wp-admin. This feature should only be used after verifying that none of the admin accounts have been compromised, which is not emphasized.
The reset user password feature is promising, but there is a catch. Users are selected from a list to change their passwords, terminate their sessions, and receive a password reset link via email. However, the plugin changes passwords before sending emails, so users may be locked out of the site if the web server fails to send emails.
Resetting installed plugins is only moderately useful for free plugins. Premium plugins still require reinstallation, while themes are not mentioned, presumably because it could result in the loss of customizations. If you require this feature because of a hack, it is better to use a malware cleaner instead of reinstalling everything.
The available plugin and theme update feature provides basic version management and does not enhance the existing wp-admin dashboard functionality. Nonetheless, it can help educate users on the connection between outdated plugins and themes and security risks.
Upon accessing the wp-admin dashboard, we were initially impressed with its layout. However, we noticed that the largest infobox pertained to WordPress integrity, which seemed to be a dressed-up version of a file change monitor. While this feature may prove useful in certain situations, it could also be misleading for inexperienced users who may believe that it is the only tool needed for malware detection.
As we delved further into the settings, we came across an integrity diff utility that could be used to compare core files and detect differences. This feature may be more user-friendly than an online diffchecker utility. However, we also found that some of the settings, such as log analysis software and reverse proxy, may be difficult for non-technical users to comprehend. It was frustrating to receive condescending instructions to avoid certain options unless we knew what a reverse proxy was. Overall, the complexity of the settings may be overwhelming for some users.
Installing and activating the Cloudflare plugin is a straightforward process that requires signing up for a Cloudflare account and verifying your email address. However, configuring the plugin can be a complex process, especially for users who are not familiar with DNS configuration. The firewall operates through DNS settings, which must be properly verified to ensure that it works as intended. Additionally, changing nameservers is necessary for the firewall to function properly.
One important note is that connecting the wp-admin to your Cloudflare account requires an API key, which can be found under the API tokens section of the Cloudflare dashboard. It is essential to use the API key rather than the zone ID or account ID, as these will not work. However, even with the API key, the configuration process can be challenging and may require external assistance.
The hardening features of Sucuri are essential for improving website security, but they can also affect the user experience. For instance, disabling the plugin and theme editor can make it challenging to make certain changes to the website. Additionally, while the company claims to block all PHP files, this may only apply to remote execution of PHP files in the includes folder, as blocking all PHP files on the website would render it inoperable.
However, the caveat about some plugins and themes needing access to PHP files in these folders is not sufficient. Sucuri themselves save PHP files in the uploads folder, but it is unclear if they need access to their own files from their external dashboard, or if this is an exception to the rule. This indicates that the rules for implementing security measures may be flexible in ways that are not immediately clear to the user.
The documentation around API service communication can also be confusing, and it may require a significant amount of time to understand the settings and assess their impact on security.
Cloudflare offers SSL setup as an option, but since our domain registrar provided a free SSL certificate, we did not utilize Cloudflare for this purpose.
Cloudflare also provides several features that replicate functions typically found in the .htaccess file, including URL rewrites for prettier URLs, page rules for redirecting traffic, and redirect rules for 301 and 302 redirects. Additionally, transform rules can be used to add security headers to the site.
The performance of Sucuri’s malware scanner leaves much room for improvement. The brute force login protection feature may not meet expectations and can strain server resources. Furthermore, there is a lack of native bot protection, which is disappointing. Two-factor authentication is also not built-in and requires a separate plugin to be installed. These areas represent opportunities for Sucuri to enhance its features.
When it comes to security, there are a few missing components with Cloudflare. One of the biggest ones is the absence of a scanner and a cleaner. These are essential for complete WordPress security, as they can detect and remove any malware on your site. Additionally, while Cloudflare does offer some security features like DDoS protection and a firewall, it does not have login-specific security features such as brute force protection. One can argue that DDoS is a bigger threat, but the fact is that WordPress sites rarely experience DDoS attacks.
Sucuri is better priced and has more features.
If Sucuri’s malware scanner and firewall were effective, the price of $199 a year would have been reasonable. However, compared to the basic plan of MalCare, which is less expensive and more efficient at protecting sites, Sucuri’s pricing is unjustified.
Cloudflare’s pricing can be relatively high, with plans starting at $20 per month per site. However, the free version of Cloudflare does offer some useful features, such as basic bot protection, a reliable CDN, and a basic firewall.
Best alternatives to Sucuri and Cloudflare
Clearly, our assessment is that neither Sucuri nor Cloudflare qualify as the top security plugins. These options present significant problems, including ineffective security features and frustration.
So, which plugin should you choose for maximum security? In our opinion, MalCare stands out as the superior choice. Its scanner, malware removal, firewall, and overall usability are far superior to those of other plugins.
Recommended read: Sucuri alternative
Which security plugin is worth your money?
Choosing the best security plugin for your website or application can be a daunting task, given the multitude of options available. To make this process less overwhelming, it’s essential to focus on key security features that should be your top priority when selecting a plugin. We’ve compiled a list of these essential features and also highlighted some additional features that can further enhance your security measures.
Essential security features
- Malware scanner: Does the plugin conduct regular scans for malicious code or files?
- Malware cleaner: Is the plugin capable of removing detected malware?
- Firewall: Does it act as a barrier between the website and the internet, blocking unauthorized access attempts and preventing malicious traffic?
- Vulnerability scanner: Can it identify weaknesses in plugins and themes that may be exploited?
- Brute force login protection: Does it prevent brute force attacks by preventing multiple login attempts?
- Activity log: Monitors suspicious activity on the site.
- Two-factor authentication: Requires users to enter a code sent to their phone or email in addition to their password.
- Impact on server: Some plugins can be resource-intensive, causing website/application to slow down or crash.
The fundamental elements to consider in a security plugin are the scanner, cleaner, and firewall. Supplementary features can be obtained through alternative plugins. Unfortunately, both Sucuri and Cloudflare fall short in these key areas. For a hassle-free security plugin that will effectively safeguard your website, we recommend MalCare as the optimal choice.
Do I need Sucuri and Cloudflare?
No. You don’t need both. Both Sucuri and Cloudflare have similarities like a firewall, DDoS protection, and a CDN. Sucuri has actual security features like malware scanner and removal in addition. For security, consider using MalCare which is a better security plugin when compared to Sucuri.
Which is better? Wordfence or Sucuri?
Wordfence is better. The scanner is more effective. Firewall was easier to install. Malware removal is vastly more expensive. Better than both? MalCare.