Sucuri CloudProxy Firewall Review

by Sunny Hoi

What is Sucuri CloudProxy (Firewall)?

Sucuri CloudProxy incorporates a state-of-the-art Web Application Firewall (WAF), Intrusion Detection System (IDS), and a Content Delivery Network (CDN) to shield against contemporary perils and incursions. The enterprise-level protection provided by this cloud-based firewall plays a fundamental role in securing some of the largest sites in the world today. I personally have and continue to use CloudProxy to secure my site. As a matter of fact, the firewall has blocked and continues to block thousands of malicious requests while simultaneously accelerating my site drastically.

Disclosure: I did not get paid by Sucuri to write this review. I only recommend products that not only have I used but also believe will add value to my readers and have met my exceedingly high standards. Yes, I can be hard to be satisfied at times. If you click on the affiliate links in this review and purchase CloudProxy or any other products offered by Sucuri, I will gain a small commission.

CloudProxy employs a Blacklist based protection which impedes innumerable application layer attacks. Sucuri’s Website Firewall offers protection against Cross Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI), Zero-Day Exploits, SQL Injections, Out-Of-Date Software, and all known attacks. The Website Firewall operates as a reverse proxy, signifying that all traffic transmitted to an application hiding behind the Firewall would initially be directed to Sucuri’s network which would inspect if a specific request is legitimate or fabricated. If the request is illegitimate, it is blocked. CloudProxy’s vast protections against these common attack vectors ultimately protect the infrastructure of Content Management Systems (CMS) such as WordPress and Drupal. Oh yeah and CloudProxy includes Brute force protection against bots and script kiddies!

The CloudProxy servers operate over Sucuri’s high-performance Anycast network. Hence, the CDN will automatically route the site visitors to the nearest geographical location. If one location goes down, the incoming traffic will seamlessly be routed to another available location. Sucuri’s Anycast network data centers are located in some of the most significant networking locations around the planet. They have at least ten data centers which are located in the United States, Canada, Australia, Asia, and Europe. And they are always adding more data centers. This makes your site faster and gives it high performance. Furthermore, the CDN provides you and your site visitors fast connect time and thus fast loading times for your site.



Several Reasons Why I Love Sucuri CloudProxy

Value & Overall Protection

Do you require protection from layer 3, 4, and 7 DDoS attacks? Sucuri specializes in dealing with Layer 7 (HTTP floods), but their service also protects against all Layer 3 and 4 variations as well. Layer 7 application attacks are increasingly growing into a bigger problem for sites. This attack occurs when a malicious actor utilizes standard GET / POST requests which are meant to strain your site’s server reaction capability. The attack is the preferred attack technique since it is unchallenging to execute and it is also cost-efficient too, making it ideal for booter services. Sucuri’s Pro plan for their CloudProxy (Sucuri Firewall) costs $19.98 and also includes advanced DDoS mitigation for layers 3, 4, and 7. In comparison, other services like Cloudflare and Incapsula merely offer these DDoS mitigation capabilities on their significantly more expensive plans. Cloudflare, for example, offers a WAF at $20 on their Pro plan but excludes any advanced DDoS mitigation (does not cover layers, 3, 4 and 7) and no custom certificate. Cloudflare does offer the same DDoS advanced protection on their Business plan which costs $200 a month. Incapsula starts offering DDoS mitigation for layers 3, 4, and 7 on their Business plan for $299 per month. Incapsula’s Pro plan includes a WAF but excludes the DDoS mitigation found on their Business plan. In contrast, Sucuri CloudProxy’s cheapest Basic plan starts at $9.99 which includes a WAF, CDN, Layer 7 DDoS Protection, a LetsEncrypt SSL Certificate, and a 30 Day Money Back Guarantee. Moreover, Sucuri’s Basic Website Security Stack plan starts at $199.99 for one year, which includes everything from the CloudProxy Basic Plan with the addition of full website monitoring and malware removal. These two plans are cheaper than the other companies and clearly offer immense value for what you would be paying. Notably, if you were to go with Cloudflare and desired the same features offered by Sucuri’s CloudProxy Pro Plan which is only $19.98, you would be forced to pay $2400 for one year with Cloudflare’s Pro plan or $3588 for one year with Incapsula’s Pro plan. Evidently, the plans offered by other companies are incredibly more expensive. Why not just go with Sucuri’s plans such as CloudProxy Pro Plan which would only cost you $240 a year or even Sucuri’s most expensive Website Security Stack Business plan for $499.99 per year. Nevertheless, the CloudProxy Basic Plan is suitable for most sites that are merely seeking WAF protection, and it is packed with numerous features, only costing $9.99 per month. You would be saving a lot with any of Sucuri’s plans! And rest assured, there is no quality sacrifice. This is a win-win!



All the traffic that passes through the WAF also goes through CloudProxy’s Intrusion Prevention and detection systems. Therefore, the IPS and IDS will correlate and scrutinize all incoming traffic requests. This serves as another defense mechanism since these systems will attempt to find patterns of attacks that may be missed by the WAF.


Recently, the WordFence team was able to bypass Cloudflare’s WAF using conventional hacker scripts despite putting everything to ‘High’ in the settings area and enabling all rules. (And the WAF that is included in the Cloudflare’s Pro plan is $240 for a year.) I can’t say the same for Sucuri.

As an alternative to foreclosing features from their cheaper plans, Sucuri utilizes priority as a driving force for their more expensive plans. For example, the approximate team for malware removal in basic plans is 12 hours, while it is 6 hours for the professional plan, and 4 hours for the business plan. Nonetheless, the reality is that the removal timings are much faster than advertised for every customer.


The Control Panel

One of the best things is the Sucuri web user interface. Simply put, it’s easy to use and pleasant to look at. You are presented with many configuration options offered by CloudProxy. These include IP WhiteListing, Blacklisting IPs, Hardening, Geographical Blocking, Turning on JavaScript DDoS Protection, and many other settings. Also, you may examine the audit logs which will provide you information on any attack attempts blocked by CloudProxy. Logs are maintained within the confines of the Sucuri infrastructure and tracked by their security operations system. There is even a pie chart accompanied by statistical data on the different types of attacks blocked by the firewall. If you are interested in a real-time view of what is happening, there is an option for that accompanied by a cool world map that highlights visitors in green and red. Green means normal visitors and red means malicious visitors that were blocked by the firewall. The real-time view is by far one of my favorite features in the web user interface.



High-Security Monitoring

Sucuri’s Security Operations Center team will examine the logs and activity. They will try to determine whether any security issues or patterns warrant blacklisting or whitelisting. Hence, your site will strengthen from the intelligence Sucuri is cumulating from every activity they perceive across all of their clients.

Virtual Website Patching

One of the things that other Sucuri customers and I absolutely love is virtual website patching. CloudProxy will virtual patch and update your site including plugins, extensions, or themes. Therefore, those software vulnerabilities cannot be exploited against you. You no longer have to worry about not being aware of a software vulnerability lurking around. You can sleep better at night knowing that you’re protected by CloudProxy.

Website Acceleration

After implementing Sucuri CloudProxy to your site, your site shall experience acceleration by at least 50% than before. Depending on what CMS is on your site, there can be an increase in your site’s speed by 2x or 3x than previously. This is no surprise since high performance caching is present and functioning on top of SSD servers. The smart caching permits you to cache dynamic pages. Furthermore, there is also one-click GZIP and SPDY support. HTTP/2 is enabled by default. All of this positively affects your site’s SEO while simultaneously enhancing your visitors’ site experiences. One more thing, CloudProxy also works with the majority of CDNs such as Cloudflare and MaxCDN!

Outstanding Support

We know that any business that lacks sterling support for their customers are hindered in maintaining loyal customers for the long run. But rest assured, Sucuri provides exceptional support. Their technical support team will do their best in answering any questions you have regarding their products and fix what you need. Unlike some companies, Sucuri’s technical support comprises highly-qualified individuals with immense technical and communication skills. You have the option when submitting a ticket on their site whether you are a beginner and wanting to learn or an intermediate or advanced user. If you select the beginner and curious to learn option, their support can provide you with more information to facilitate your learning and understanding. Thus, from this perspective, you can also learn a bit while they answer your concerns or fix any issues you may have encountered. Their technical support has always taken the time to provide easy to understand instructions and insight to me. They’re friendly. It’s evident that they know what they are doing and won’t hesitant in responding with a long response if that is what takes to answer your questions like they’ve had in the past with me. That is dedication and commitment right there. What’s nice is that in many cases, they will simply fix your problems or help set up your configurations without you having to do much but provide them some details in order to do the job. They will even explain what they have done in many cases to you in regards to additions or alterations they’ve made on their part like they’ve done with me in the past. Phenomenal. Oh yeah, and did I mention that they answer most of their support requests in under 1 hour!


Since Sucuri CloudProxy is a cloud-based solution, setting it up is easy and takes five minutes or less. All you need to do is sign up for an account, go to the Sucuri dashboard, add in your site’s origin IP address and URL, and finally alter your A record to point to Sucuri’s Firewall IP Address they have assigned to you. If you don’t know, you can just submit a ticket and their technical support will quickly set it up for you. No setting up hardware or messing with wires. It’s easy, really.

My Final Thoughts (Insight and Advice)

Sucuri’s CloudProxy serves as an important layer of protection for protecting your site. However, we must remember that blacklist-based protection, like any protection, is capable of being bypassed by the malicious actor. This is particular evident with Cross-site scripting (XSS) since there are multitudinous methods JavaScript can be utilized to bypass a cloud-based protection. It is strenuous to establish a filter that is adept of impeding all conceivable combinations while producing minimum false positives. Thus, utilizing a software-based application such as WordFence (free version will suffice) along the cloud-based protection that CloudProxy provides will undoubtedly render your site’s security to go up substantially. If someone does try to bypass the firewall, you can restrict HTTP access to only CloudProxy. (I explained it here.) Keep in mind that Sucuri and all the other security companies merely tackle HTTP, HTTPS, and DNS traffic. Consequently, choosing a host that implements additional server-level security measures such as a server-level firewall, a server intrusion detection system, and regularly maintaining the server and web applications will provide additional layers of protection. On top of that, paying close attention to the server and CloudProxy logs daily don’t hurt either. In reality, no WAF or any security measure will offer a guaranteed 100% site protection and therefore should not be the only layer of protection. Nevertheless, the realization that a product like CloudProxy provides extreme merit and protection is invaluable.

I hope that you found my review of Sucuri CloudProxy useful. If you are thinking about enhancing your site’s security, then certainly take a look at Sucuri.


Related Posts