How Can We Help?
< All Topics

Web Security Unveiled: Exploring Sucuri Firewall Options

Sucuri Firewall offers a variety of security options to suit your site’s requirements, accessible through the Security section on the Sucuri Firewall settings page.


1. The admin panel is restricted to only whitelisted IP addresses

Popular content management systems have an admin panel, like /wp-admin on WordPress or /administrator on Joomla, which restricts access to directories to whitelisted IP addresses. Enable this option for membership sites.

2. XMLRPC, comments, and trackbacks are blocked

If your site doesn’t allow comments or uses external commenting systems like Disqus or Facebook comments, you can block any attempt to comment as it’s likely spam.

3. Stop unfiltered HTML from being sent to your site

This setting prevents users from sending unsanitized HTML content to your site, iframes, and script calls. It’s not recommended for forums or membership sites that allow open content posting. Whitelisted IP addresses aren’t affected by this setting.

4. Stop uploading PHP or executable content

This option restricts uploading PHP, Perl, or executable content to your site, but it’s recommended to enable it unless users upload, and uploads are still allowed from whitelisted IP addresses.

5. Enable emergency DDOS protection

HTTP Flood Protection prevents non-JavaScript-enabled browsers from accessing a site, except major search engines, during a DDOS attack. It’s useful for websites unavailable due to DDoS attacks but can be turned off once everything is fine.

6. Block anonymous proxies and the top three attack countries

Enabling this option restricts user interaction with your site, allowing them to view content but not register for an account, submit comments, or log in. The same restrictions apply to anonymous proxy users who hide their IP addresses.

7. Aggressive bot filter

This setting prevents invalid user-agents that don’t match real browsers, including empty, PHP/starting user-agents, and incorrect user-agents from common browsers.

8. Force passing the hostname via TLS/SSL

Enabling this option may cause the SSL/TLS handshake to break the site, so it’s best not to enable it unless it’s already broken.

9. Advanced evasion detection

The option activates advanced evasion detection signatures but may be disabled if your site supports URLs with non-ASCII characters like Japanese, Hindi, or Russian.

10. Additional security headers have been added to your site

This option adds security headers to your site to protect against XSS and clickjacking attacks. It’s not recommended if you allow other websites to ‘iframe’ your content. Professional or business plans can enable HSTS and HSTS Full.

Table of Contents