BugWP logo BugWP
Back to Community
Home / Community / General

How to Manage and Reduce Sucuri Security Plugin Email Alerts

23 threads Sep 16, 2025

Content

Many WordPress administrators use the Sucuri Security plugin for its robust auditing and malware scanning capabilities. However, a common point of frustration is the volume of email notifications it can generate. This guide explains why this happens and provides the most effective solutions to regain control of your inbox.

Why Am I Getting So Many Emails?

The Sucuri Security plugin is designed to be highly vigilant by default. It monitors a wide range of activities on your site, from login attempts and new posts to file changes and plugin updates. Each of these events can trigger an individual email alert. The two most common culprits for notification overload are:

  • Failed Login Attempts: The plugin can send an email for every single failed login attempt. On a popular site, this can quickly lead to hundreds of emails per day from brute-force attacks.
  • Broad Alert Settings: By default, any email address added to the alert recipient list will receive notifications for every enabled event type, with no built-in way to send different alerts to different people.

How to Reduce Sucuri Email Notifications

1. Switch to Brute-Force Summary Alerts

Instead of receiving an email for every failed login, you can configure the plugin to send a single, hourly summary. This is the most effective way to reduce email clutter from brute-force attacks.

  1. Navigate to Sucuri Security → Settings → Alerts.
  2. In the "Security Alerts" section, locate these two options:
    • ✓ Enable "Receive email alerts for password guessing attacks"
    • ✗ Disable "Receive email alerts for failed login attempts"
  3. Just below these options, you will find the "Password Guessing Brute Force Attacks" panel. Here, you can set the number of failed logins per hour that must occur before the summary email is sent. Setting a higher number will further reduce the frequency of these alerts.
  4. Click "Save Changes".

2. Review and Customize Your Alert Preferences

You can fine-tune exactly which events trigger an email. If you don't care about new post publications or Akismet spam updates, you can disable those specific alerts.

  1. Go to Sucuri Security → Settings → Alerts.
  2. Scroll down to the "Security Alerts" section, which contains a long list of checkboxes for different events.
  3. Uncheck any alert you do not wish to receive. Common alerts to disable include:
    • New post has been published
    • Post has been deleted
    • Akismet cleared a comment as spam
    • Theme editor was used
  4. Click "Save Changes".

3. Remove Your Email Address Completely

If you are no longer the site administrator but are still receiving alerts, or if you simply want to stop all emails, you need to remove your address from the plugin's settings. This must be done by someone with access to the WordPress dashboard.

  1. A current administrator must go to Sucuri Security → Settings → Alerts.
  2. In the "Alerts Recipient" field at the top of the page, delete any email addresses that should no longer receive alerts.
  3. Click "Save Changes".

Note: Unlike some other security plugins, the Sucuri Security plugin does not currently include an "unsubscribe" link in its alert emails. Removal must be handled within the WordPress admin area.

Troubleshooting: Alerts That Won't Stay Off

Some users have reported that their alert settings revert back to default after being changed. This is a known bug that has been addressed in previous updates but may still occur in some specific environments.

  • Solution: Ensure your plugin is updated to the latest version. If the problem persists, check for conflicts with other plugins or your server configuration. The settings are stored in wp-content/uploads/sucuri/sucuri-settings.php; file permission issues here could cause the problem.

What the Plugin Cannot Do

It's important to understand the limits of the Sucuri Security plugin regarding emails:

  • It cannot stop spam emails from reaching your mailbox (e.g., comment spam, contact form spam). For that, you need an anti-spam solution like reCAPTCHA or a honeypot plugin.
  • It does not currently support sending granular alerts to different email addresses (e.g., failed logins to one address and new posts to another). All recipients receive all enabled alerts.
  • It does not currently offer a way to ignore specific files from integrity scans, which can cause repeated alerts for temporary files.

By carefully configuring your alert settings, you can maintain critical security visibility without overwhelming your inbox. The key is to use the brute-force attack summary feature and disable notifications for events that are not a priority for your website's operation.

Related Support Threads Support