How to install and set up the Sucuri Security plugin in WordPress

With millions of active installations around the world, the WordPress platform is an attractive target for hackers. Sucuri Security is a free plugin designed to protect your WordPress installation from malware, known exploits and intrusion attempts.

Follow these steps to install and set up Sucuri Security for added protection of your WordPress installation.

Sign into your WordPress administration menu and, from the sidebar, select Plugins > Add New. Search for Sucuri Security and install it, then activate the plugin. To learn more about installing WordPress plugins, read this HostPapa knowledge base article: How to install plugins in WordPress.

Install plugin

Once activated, you’ll notice a new Sucuri Security entry in your admin sidebar.

Plugin menu

Head to Sucuri Security > Dashboard and click the button that says Generate API Key to activate Sucuri’s event monitoring feature. This provides a unique key with which to authenticate your website against the remote Sucuri WordPress API service.

Generate API key

Be sure to read the notes regarding API support before clicking the Submit button.

API generation

Once Sucuri Security is active, you should start to receive email notifications of major events. These include a user authenticating, or failing to authenticate, when a file is uploaded, a post or page published and so on.

The Sucuri Security dashboard

The Sucuri Security dashboard provides a comprehensive report of your WordPress integrity. You’ll be notified if your core WordPress files have been modified (potentially, but not always signalling a security issue). You can review modified files, check blacklisting reports and review audit logs. To refresh the information on screen, click the Review button.



A premium edition of the plugin supports a powerful web application firewall (WAF) that protects your site from attacks and preventing malware infections and reinfections. It will block SQL injection attempts, brute force attacks, XSS, RFI, backdoors and many other threats.

Select Sucuri Security > Firewall (WAF) and enter your Firewall API key to unlock the feature for configuration.


Review security logs and blocked users

Sucuri Security supports automated blocking of users based on their activity. For example, if a user (or a bot) repeatedly attempted to log in to your WordPress administration dashboard using randomly generated usernames (or your site name), the plugin could detect this suspicious activity and block the IP address.

Blocked users

You can review login attempts and blocked users via Sucuri Security > Last Logins. If you find that the plugin has incorrectly blocked a user, head to the Blocked Users tab to review and unblock user access. You can also review Failed logins, currently Logged-in users and more.

Feel free to visit the plugin Settings page to configure Sucuri Security, including alerts, security hardening options, file system scanner paths and other features.

Alternate installation via file manager & FTP clients

While installing the plugin via the WordPress administration dashboard is the simplest method of activating Sucuri Security, you may prefer to do so through the cPanel File Manager.

First, download the Sucuri Security installation file from the WordPress Plugin repository.

Download plugin

Then, log in to your HostPapa Dashboard and choose My cPanel.

My cPanel Menu

Now select File Manager.


Navigate to your WordPress plugins folder using the folder tree in the left sidebar. Head to: /path/to/wordpress/wp-content/plugins

cPanel File Manager

Click Upload in the top menu and then click Select File to find your downloaded Sucuri Security zip file.

Upload button

Upload the file to your server. Once completed, return to the plugins folder and then right-click the uploaded file. Click Extract in the context menu that appears, to unpack the file.


Once extracted, you can safely delete the Sucuri Security zip file.

Return to your WordPress administration panel and navigate to the Plugins section via the sidebar. Select Installed Plugins.

installed plugins

You’ll see Sucuri Security – Auditing, Malware Scanner and Hardening in the list of installed plugins, click Activate to proceed.

You can also install the plugin using the downloaded zip file and an FTP client, rather than using the cPanel File Manager. Be sure to upload the file to your WordPress plugins folder and extract the archive before attempting to activate in the WordPress administration panel.

For further questions, or if you need help, please open a support ticket from your HostPapa Dashboard. Follow this link to learn how.

Related Articles