How to prevent hack using Sucuri plugin firewall WAF

If you are on the web, you are the target of hackers. Even though the web is relatively safe, if you do not secure your website, you will find yourself hacked sooner or later. Also, it is always better to take precautions than try to clean your site later once hacked.

WordPress offers multiple ways to secure your site. It includes using the best security practices such as using a strong password, different dashboard login paths, or harden your site in the best possible way.

One of the best ways to protect your site is to use a Website Application Firewall(WAF). It is a web filter that protects your site from HTTP application attacks. In case you didn’t know, many known WordPress security plugins with a Website Application Firewall option.

Sucuri is one of the popular security plugins that comes with the WAF option. This means that you can use the plugin to protect your website in the best possible way.

In this article, we will go through a complete tutorial on preventing hack using the Sucuri plugin Website Application Firewall(WAF).

Before we get started, let’s learn more about WAF and what it has to offer.

Table of content

What is a Website Application Firewall(WAF)?

Website Application Firewall is the shield or barrier between your site and the internet. It is commonly used for protecting your site against common threats. As it is a firewall, it can monitor and filter HTTP traffic between the application that it is protecting against the open internet.

The common attacks that WAF protect your site include cross-site-scripting(XSS), cross-site forgery, SQL injection, and so on.

WAF is always beneficial for a site as it provides additional protection to your site. WAF acts as a reverse-proxy as it protects the client from external threats. It checks out the packets and looks for abnormalities that are threatful to your site. To ensure that a WAF works as intended, it utilizes policies — a set of rules. The system administrator and network administrator can define these policies. The end goal remains the same — filter out traffic that is malicious.

Website Application Firewall is also capable of denying DDoS attacks as it rates the limit at which the site accepts the packets. 

WAF also lets you edit old policies and add new ones easily.

WAFs can be of different types:

  • Host-based: These WAF types are application software integration. They offer a practical and cheap way to implement WAF. However, one of the downsides is that they eat up the server on which they are hosted.
  • Network-based: Network-based WAF is a hardware-based implementation that minimizes latency. They are costly and require a dedicated approach to firewall implementation.
  • Cloud-based: Cloud-based WAF offers the best approach as it doesn’t cost much and also does not slow down the host server. They are also easy to configure and maintain.

About Sucuri WAF

Sucuri is a well-known player in the WordPress security market. It is an all-in-one solution, which means that it protects from most types of ongoing online attacks. However, the one product that we will discuss here is the Sucuri Web Application Firewall (WAF).

Sucuri WAF is a cloud-based approach that protects your site from malicious traffic and hence protects your site from external threats.

As a user, you need to point your DNS to them to re-route the traffic through their WAF. So, if it finds any threats, it will simply reject those packets and not send them to your site — protecting your site from any potential threats.

How Web Application Firewall Works: Source: Sucuri

Should you use Sucuri WAF to prevent hack?

It is common for webmasters to neglect the importance of WAF on their site. However, the need arise once they are hacked. As a website owner, you should always act pro-actively and protect your site from future attacks. For instance, your site can attract DDOS attacks in the future if it garners a lot of visitors. 

Apart from that, WAF also protects your site against outrages due to bad traffic. So technically, by protecting outrages, you are saving money as the bad traffic doesn’t count against the traffic bandwidth limitation set by your hosting provider.

What are the alternatives?

If you are not comfortable using WAF, then you also have some alternative approaches that you can try. These approaches include:

  • Blocking individual IP address that you find suspicious
  • Do Geo-blocking for protecting your site from most threat countries of origin

How to prevent hack using Sucuri plugin firewall WAF

Now that we have made a clear understanding of Web Application Firewall(WAF), it is now time for us to learn how to setup Sucuri WAF. Let’s go through the points below to set it up and run it on your site successfully.

1. Sign up and get a plan

The first step that you need to take is to sign up for the Sucuri Pro plan. The WAF service is only accessible through their paid plan, and hence you need to decide which paid plan you need to go for. You can get any one of the three plans that they have to offer:

  • Basic: starts from $9.99 per month
  • Pro: starts from $19.98 per month
  • Business: starts from $499.99 per year

Out of all the three plans, we recommend getting the PRO plan as it offers the best value for price and features. With the plan, you get access to their Advanced HTTPS DDoS protection, custom SSL certificates, and much more!

The plan also lets your site detect traffic increase and take proper action to ensure that your server stays up all the time. Lastly, the PRO plan also offers HTTP/2 support, which improves performance. 

If you are still not sure, then you can try out their 30-day free trial before deciding which plan is the right one for you.

2. Protect your site

The next step is to login into your account. From there, you can see the option to “Protect My Site Now!”

Click on it and then proceed to the next step.

3. Enter the necessary details

You will now be asked to enter more details about your site, including the domain name, whitelisted directories, and few other options.

You can also opt to enable the “Under a DDoS attack,” making Sucuri aggressively wander off DDoS attack. The option is very useful for sites that are already going through a DDoS attack or suspect that you can be attacked sooner or later.

The whitelisted directories let you create a group of IP addresses and directories that can access your site without any limitation.

Lastly, you can opt to set up your site to use the Sucuri DNS. You should enable the option as it provides you better optimized global performance and better availability.

4. Install SSL

If you do not have an SSL certificate on your site and got their PRO plan, you should ensure the best possible data security between you and your users.

5. Point domains

This step is crucial as it enables you to take proper advantage of their WAF service. Here, you will be given the Sucuri DNS. All you need to do is copy the DNS and paste it on your site DNS record. If you are not sure how to do it, you can as the hosting support to do it for you. However, the process is easy, and all you need to do is login into your hosting provider backend and change the DNS settings for the domain name.

6. Whitelist Sucuri IP addresses

Lastly, you need to whitelist the Sucuri IP addresses so that you can the connections between the Sucuri servers, and your hosting remains clear and accessible. To do so, you need to take the IP address generated by the site and then whitelist them through the firewall. You can find the list of IP addresses from your dashboard.


This leads us to the end of our tutorial on how to prevent hack using Sucuri plugin firewall WAF. As you can see, it is easy to setup Sucuri WAF on your site. However, you need to get their paid plans to use it — which we think is worth it if you want to protect your site against the malicious actors on the internet.

So, what do you think about Sucuri WAF? Are you going to use it on your site? Comment below and let us know.

Leave a Comment

Your email address will not be published. Required fields are marked *