To help fit your site’s needs, the Sucuri Firewall offers you many security options. All of them can be


found under Security in the Sucuri Firewall settings page.





Here is what they mean:

  • Admin panel restricted to only Whitelisted IP addresses

Most popular content management systems have an administrative panel. Example: /wp-admin

on WordPress or /administrator on Joomla. If you set it to On, only whitelisted IP addresses will

be able to access those directories. If you have a membership site and you allow anyone to create

an account and login there, do not enable this option.


  • XMLRPC, Comments and Trackbacks blocked

If your site does not allow comments (or trackbacks/pingbacks), or if you use an external commenting

system (like Disqus or Facebook comments), you can block any comment attempt, since it is likely to

be spam.


  • Stop unfiltered HTML from being sent to your site

This option prevents users from inserting or sending unfiltered HTML content to your site. It will block

things like iframes and script calls from being used. If you have a forum or membership site and you

allow your users to send messages and post open content, do not enable this option. Note that

whitelisted IP addresses are not affected by this setting.


  • Stop upload of PHP or executable content

This option will prevent anyone from uploading PHP, Perl or executable content to your site. We

recommend enabling this option unless you do allow users to do uploads. Note that whitelisted IP

addresses are still allowed to do uploads.


  • Enable Emergency DDOS protection

The HTTP flood protection will prevent anyone using a browser without JavaScript enabled from

visiting the site (except major search engines). This is very useful when the site is under DDOS.

You can turn off this option once things normalize. Note that this option may prevent legitimate

visitors from accessing your website and should only be applied only when your website is

unavailable due to Distributed Denial of Service (DDoS) attacks.


  • Block anonymous proxies and the top three attack countries

Enabling this option will prevent anyone from China, Russia or Turkey from interacting with your site.

They are still able to view all content but cannot register an account, submit comments or attempt to

login. The same restriction applies to users using anonymous proxy services to hide their IP addresses.


  • Aggressive bot filter

This setting will block invalid user agents that do not match real browsers such as empty user agents,

user agents that start with PHP/, and improper user agents from common browsers.


  • Force passing the hostname via TLS/SSL

This option will force passing the hostname during the SSL/TLS handshake. NOTE: enabling it may

break the site, do not enable it unless it’s already broken.


  • Advanced evasion detection

This option will enable our advanced evasion detection signatures. We recommend keeping it on,

but if your site supports URL’s with non-ascii characters (like Japenese, Hindi, Russian, etc.) you

may need to disable it.





  • Additional Security Headers added to your site.

This option will add some recommended security headers to your site in order to protect you against

some forms of XSS and clickjacking attacks. If you allow other sites to ‘iframe’ your content, do not

enable this option. The following headers will be added: X-XSS-Protection, X-Frame-Options,

X-Content-Type-Options. You can also enable HSTS and HSTS Full if you are under Professional

or Business plans.