Sucuri Review – The good and the bad

I have been using Sucuri for almost 2 years and thought of writing a review of the service. In this post, I will cover both the good and the bad about Sucuri. It might be a lengthy post.

The most necessary part – Sucuri WAF.

If you are someone who receives even 5000 views per day on your site, then you should consider the Sucuri firewall or a web application firewall. Why? Because robots will attack your site consistently once you reach a certain level of traffic. I know several bloggers who have more than 100 attacks in a day. These might be DDoS, malware or other types. Even behind the Sucuri WAF, I was infected with malware twice in the last 2 years. But I had the malware protection plan, so Sucuri saved my site. If you can't afford a malware scanner at the start, you should definitely have a WAF at least.

The second most necessary part – Speed and performance

Yes – most of us use CDNs. And many of us look for cheaper alternatives. But did you know that for just $10, you could afford a WAF and a CDN? Sucuri acts like a proxy and caches your pages on its server. I have found its image delivery and overall page caching to be fantastic.

A firewall has to cache your pages. This is done so that your website is not affected when a DDoS attack happens. The DDoS happens on Sucuri's server instead, thus saving your own server a lot of bandwidth.

Here, there is one point I will add – change your login URL. Change it to something other than wp-admin. Whether you use a firewall or not, this is a very important step for your WordPress install.

The problematic part – Caching duration

This is something I discovered recently and I was surprised by it. Sucuri will cache your pages for 4 hours and your images for 3 days. Additional caching is not provided by Sucuri at all. I tried changing the site cache headers and changing Sucuri's caching to respect site headers. But Sucuri will not respect those headers for static content. And for dynamic content, Sucuri will cache wp-admin pages too.

So the best caching is the SITE ENABLED caching, which is 4 hours of page cache and 3 days of static image caching. This is far less than a CDN delivers. NOTE – I don't have a problem with this caching. But sometimes it slows down Sucuri, and this they should understand themselves. Caching static content for long periods of time is a fantastic way to control server resources… their own server resources.

Problematic part number 2 – The service

The service of Sucuri is average. Maybe it is good in other parts. But one of my friends and I saw that they had issues, but they do not agree that there are issues in their system. As Sucuri is owned by GoDaddy, it seems logical to assume that their growth has stopped and now they are only focused on revenue. So possibly this is the reason that initially the service is great for setup and the initial reaction will be great, but like Cloudways, expect the service to be average – not the best out there.

If ever you need a firewall, then Sucuri is one of the best in the business. I have checked Cloudflare. And Cloudflare has a lot of bells and tinkers. If you want something simple and straight, then Sucuri is one of the best out there.

6 Likes

WordPress by default set …

which hints the cache provider to

  1. not serve cached HTML of the WordPress dashboard area in the browser
  2. not cache the HTML document itself anywhere

As far as I have seen, Sucuri respects the wordpress_logged_in cookie and automatically bypasses the cache for logged-in users, which is a good thing. Ironically, Cloudflare charges $200/mo per domain for respecting cookies in their Business plan! On pricing and this important feature, Sucuri is better in my opinion.

I have not seen this case yet. I have one question.

  • Were you using any Cloudflare page rule along with Sucuri when you noticed the cached wp-admin page?

No. I was using custom cache control headers, which were also showing on admin pages, due to which Sucuri was caching them.

But that's where I realized that tweaking the Sucuri cache is impossible, which was disappointing. They will cache regardless of whatever headers we keep. So I removed the cache control headers altogether.

Ideally, they should themselves allow us to choose whether cache should be 4 hours or 12 hours or something like that.

1 Like
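
The situation discussed in this thread, a site-wide Cache-Control header ending up on wp-admin responses behind a caching proxy, can be checked for with a short audit. This is an added example, not code from any poster or from Sucuri; the path list, function names and sample headers are assumptions constructed for illustration, and the reuse rule is a simplified reading of HTTP caching semantics.

```python
# Assumed sensitive paths (WordPress default admin and login locations).
SENSITIVE_PREFIXES = ("/wp-admin/", "/wp-login.php")

def parse_cache_control(value):
    """Parse a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def shared_cache_may_reuse(headers):
    """Simplified rule: may a proxy cache serve this without revalidating?"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control"))
    if cc.keys() & {"no-store", "private", "no-cache"}:
        return False
    for key in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if key in cc:
            try:
                return int(cc[key]) > 0
            except (TypeError, ValueError):
                return False  # malformed lifetime: treat as already stale
    return "public" in cc

def audit(responses):
    """Return [(path, reason)] for sensitive paths without a safe policy."""
    findings = []
    for path, headers in responses:
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        if not any(k.lower() == "cache-control" for k in headers):
            findings.append((path, "no Cache-Control: proxy default applies"))
        elif shared_cache_may_reuse(headers):
            findings.append((path, "reusable by shared cache"))
    return findings

# Constructed (path, response headers) pairs, not captured traffic.
SAMPLE = [
    ("/", {"Cache-Control": "public, max-age=14400"}),
    ("/wp-admin/index.php", {"Cache-Control": "public, max-age=14400"}),
    ("/wp-admin/options.php", {"Cache-Control": "no-store, private"}),
    ("/wp-admin/profile.php", {"cache-control": "private, max-age=600"}),
    ("/wp-login.php", {}),
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(f"{path}: {reason}")
```

Feeding it the real response headers of a site's admin and login URLs shows whether a custom header rule needs to be scoped to public pages only.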