In the world of cybersecurity, it is easy to be confused by the multitude of options. Sucuri is worth paying attention to, though. The name comes from the mighty anaconda, or the Brazilian tank destroyer of the same name. Sucuri was founded in 2010 by the extremely well-respected Daniel Cid and Tony Perez. In 2017, it was purchased by GoDaddy to form the basis of their own security offering.
Their product is designed to provide a platform-agnostic solution to website security. What has made it so successful and attractive to small businesses around the world? Read on to find out.
Pricing and features
Sucuri has two distinct offerings: a Web Security Platform and a Website Firewall. The difference is that the security platform provides ongoing monitoring and malware/hack repair as well as the firewall. If you are interested in what the monitoring does, you can try their site check tool for free. Given the cost associated with a typical malware remediation, this can be a valuable offering for the small premium.
The options are quite well featured, and even their Professional tier is reasonably priced. Unfortunately, Sucuri is priced per website, which means that if you have a subdomain, you’ll pay for an additional service.
One attractive element of the Sucuri package is that an additional firewall is only $10 per month if you already have monitoring. The firewall is also equivalent to whatever package you already have. Consequently, if you have paid a premium for the full security platform, you will receive an extra site’s firewall of equivalent functionality at the entry cost.
Firstly, let us explore the Website firewall and the standard features for all packages. Secondly, we look at why you should upgrade to the full security platform.
The firewall includes some basic features similar to other platforms. These include a CDN, application firewall for virtual patching of security vulnerabilities and denial of service protection.
Price (three tiers): $9.99 per month; $19.98 per month; $69.93 per month
DDoS protection (three tiers): Layer 7 only; Layer 3, 4 and 7; Layer 3, 4 and 7
SSL certificate & HTTP/2
High availability / Redundancy
Layer 3, 4 and 7 DDoS protection costs over $200 per month from Cloudflare, so getting it for $20 per month is a bargain. Similarly, the Professional option allows you to use your own certificates, another feature that costs an order of magnitude more.
Web security platform
Sucuri provides some rare features in their web security platform: monitoring, malware removal and hack repair. The malware removal and repair is a nice feature to fall back on. Although you hope you never need it, if you do, this feature alone will be worth the cost. The cost, while billed yearly only, is also not a hefty premium over the firewall prices. The pricing is as follows:
Basic – $199 per year (equivalent to $16.58 per month)
Professional – $299 per year (equivalent to $24.92 per month)
Business – $499 per year (equivalent to $41.58 per month)
The different levels, other than offering different firewalls, primarily offer different monitoring frequencies and SLAs. Monitoring is the second major feature, which provides proactive alerting for malware, blacklisting or certain website changes. This feature is most noteworthy for e-commerce sites, but all sites can benefit from alerting.
Given the small price difference, you are better off investing in the monitoring if you’ll need a second site with a firewall.
Unfortunately, no solution is perfect. While Sucuri provides an excellent platform, it is essential to understand what it doesn’t offer so you can decide whether it is right for your needs.
First of all, with only 10 data centre locations, Sucuri has one of the smallest CDN footprints. By contrast, Cloudflare is expanding to 100 data centre locations. If you are in a major area of the US or Europe, you probably won’t see the impact of this. If you operate in Asia, Hawaii, the Middle East or several other locations, you will notice the effect. As an example, this site has better performance to a location 10,000 km away than 20 km from its server location.
While Sucuri reports 98% satisfaction, when I found a bug with their DNS during setup, the service was disappointing. In particular, they made a suggestion that was technically not feasible as a solution. They also made a test configuration that they didn’t remove, which created risks. When I raised the issue, the response from a second person was excellent. While I believe the service is excellent value, they can make mistakes, although they will work hard to resolve them.
Setup and ease of use
Online security is a complex field, so making it easy to understand is no simple task. Making it easy is especially hard for small businesses that don’t necessarily have the training of larger organisations. Thankfully, Sucuri does an admirable job.
As you’ll see from the screenshots above, the setup screens are very easy. Each option has descriptive tooltips, and if that is insufficient there is excellent documentation. Please note, this is not every page, merely a selection for reference.
Their geoblocking page also provides options to block entire regions and proxy traffic, giving you the choice of either making the site read-only or preventing access entirely. Read-only functionality can be particularly useful where the primary focus is reading information rather than interaction.
You may notice a brief period of downtime in one of the screenshots; this is actually from an e-commerce site where I had to put up a maintenance page during a database update. Still, it detects it admirably.
Almost anybody with basic knowledge could pick up the Sucuri solution and use the firewall straight away. All it requires is directing your domain to their name servers and setting up the DNS. If you don’t want to use their DNS, they will walk you through amending your DNS records. Unfortunately, there are no apparent means of importing these settings from another provider. However, if you had a large number of entries, you could potentially raise a ticket for assistance. Overall, the solution is incredibly easy to both understand and set up. Although there is some level of jargon, it is relatively minimal.
As with the StackPath review, I’m going to refrain from giving exact values on the performance, as I believe the indicators can provide a misleading representation of the offering.
Firewall performance – This is ultimately a security platform, so this is an important consideration. While I didn’t quantify this, analysis of logs showed the performance was very good.
Caching – Performance here is excellent. With no enhancement, it serves 52.4% of traffic from its cache (see image to the right). This is a significant reduction in the amount of traffic going to the web server.
Load speed – While there are a number of tools on the website that report excellent numbers with Sucuri, I found several didn’t seem to match user experience. In fact, so bad was the discrepancy that it was the primary reason we adopted New Relic to monitor actual user performance. What New Relic uncovered was a greater amount of variation than some other platforms. It also showed particularly poor performance into Australia and New Zealand relative to some alternatives.
There is no question Sucuri is a leader in security research, and I have no hesitation in trusting my environments to their platform.
Sucuri review – Why they are perfect for small business
We used Sucuri for many years and never regretted it. Although we shifted away, it was only because of the cost benefit when running three or more sites. For a single small or medium business though, the platform is easy to use and fully featured. Sucuri offers benefits that some platforms would make you pay significantly more to receive.