
Troubleshooting Common Sucuri Security Plugin Connection and API Errors

52 threads Sep 9, 2025


Many WordPress administrators rely on the Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin for its robust security features. However, a frequent category of issues users encounter involves connectivity problems and API communication errors. These often manifest as cryptic messages in the WordPress dashboard, such as "Failed to connect," "SSL certificate problem," or "Something went wrong with an API call." This guide will help you understand why these errors occur and walk you through the most common solutions.

Why Do These Connection Errors Happen?

These errors typically stem from a failure in the communication channel between your WordPress website and Sucuri's external API servers (wordpress.sucuri.net). The plugin uses this connection to send security event logs, perform remote malware scans, and check for updates. Several factors can disrupt this link:

  • Server Configuration: Your web host's PHP configuration or firewall might be blocking outgoing connections to Sucuri's servers.
  • SSL Certificate Verification: The plugin, by default, verifies the SSL certificates of the servers it talks to. Occasionally, an expired certificate on Sucuri's end (as seen in Threads 8 and 14) or a misconfiguration on your server's end can cause a handshake failure.
  • DNS Issues: Temporary DNS problems, either on your server or during updates on Sucuri's infrastructure (Thread 18), can prevent your site from resolving the hostname wordpress.sucuri.net.
  • Timeouts: If your server is slow to respond, the Sucuri scanner might time out before it can complete a scan and report a failure (Thread 1).

Common Solutions to Try

1. Change the API Request Handler and SSL Settings

This is often the most effective fix. Within your WordPress dashboard, navigate to Sucuri Security → Settings → API Service. Here, you can modify two key options:

  • API Request Handler: Switch from the default value to "socket". This changes how the plugin makes its external connections and can bypass certain configuration issues.
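  • API Request with SSL: If you are seeing SSL-related errors (e.g., "SSL certificate problem" or "SSL3_READ_BYTES"), try changing this option to "Stop peer's cert verification". This instructs the plugin to connect even if it encounters an SSL certificate verification error. Note: This is generally safe for the purposes of this plugin's communication, but with verification off the plugin no longer authenticates the server it connects to, so treat it as a temporary workaround and restore verification once the certificate problem is fixed.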

These changes have resolved connection issues for many users, as indicated in Threads 9 and 17.

2. Check for a Missing API Constant

After an update, some users received a critical error: Uncaught Error: Undefined constant "SUCURISCAN_API_URL". This error suggests a necessary configuration value is missing. The solution is to manually define this constant in your wp-config.php file.

Add the following line to your wp-config.php file, above the line that says /* That's all, stop editing! Happy publishing. */:

define('SUCURISCAN_API_URL','https://waf.sucuri.net/api?k=[APIkey]&s=[domain_secret]');

You can find your unique API key and domain secret key on the Sucuri Security plugin's dashboard page in WordPress. This solution was confirmed by users in Thread 3.

3. Temporarily Disable for Troubleshooting

If you are performing a specific task like importing a large XML file (Thread 19) and suspect the plugin might be interfering, the simplest solution is to temporarily deactivate it. This will help you rule out the plugin as the source of the problem. Remember to reactivate it once your task is complete to maintain your site's security.

4. Understand What the Plugin Does Not Control

It's important to distinguish between errors from the free Sucuri WordPress plugin and actions taken by the separate, paid Sucuri Firewall service. For example:

  • Cache Clearing: The "Clear Cache" button in the free plugin only works if you have a paid Sucuri Firewall plan and have connected your API key. The free plugin itself does not cache your site (Thread 7).
  • Firewall Blocks: If you see a block message referencing a specific Block ID (e.g., BAK024 from Thread 11), this is an action performed by the Sucuri Firewall (a WAF). You would need to adjust your block/allow lists within your Sucuri Firewall account settings; uninstalling the WordPress plugin will not resolve this.

When All Else Fails

If none of the above solutions work, the issue might be related to your hosting environment. Contact your hosting provider and ask them to check for:

  • Firewall rules blocking outgoing connections to wordpress.sucuri.net on ports 80 and 443.
  • Any restrictions on the PHP functions fsockopen() or curl_init().
  • General server connectivity issues or DNS problems.
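
The checks in this list can also be run from the server itself. The PHP script below is an added example, not code from the Sucuri plugin or from the support threads; it reports whether fsockopen() and curl_init() are usable, then tests DNS, outbound TCP on port 443, and a TLS handshake with certificate verification left on. The function name diagnose() and the report keys are assumptions made for this example.

```php
<?php
// Added diagnostic, not Sucuri code. Run it under the same PHP setup as the site.
const API_HOST = 'wordpress.sucuri.net'; // hostname named in this guide

function diagnose(string $host, int $timeout = 10): array
{
    $report = [];
    // 1. Host restrictions on the two functions the guide asks about.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['fsockopen', 'curl_init'] as $fn) {
        $usable = function_exists($fn) && !in_array($fn, $disabled, true);
        $report[$fn] = $usable ? 'available' : 'missing or disabled';
    }
    // 2. DNS: gethostbyname() returns its argument unchanged on failure.
    $ip = gethostbyname($host);
    if ($ip === $host) {
        return $report + ['dns' => 'FAILED to resolve'];
    }
    $report['dns'] = $ip;
    // 3. Plain TCP to 443 separates a firewall block or timeout from a TLS fault.
    $errno = 0; $errstr = '';
    $tcp = @stream_socket_client("tcp://$ip:443", $errno, $errstr, $timeout);
    if ($tcp === false) {
        return $report + ['tcp_443' => "FAILED: $errstr ($errno)"];
    }
    fclose($tcp);
    $report['tcp_443'] = 'ok';
    // 4. TLS handshake with peer verification ON (the plugin's default).
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true, 'verify_peer_name' => true,
        'peer_name' => $host, 'capture_peer_cert' => true,
    ]]);
    error_clear_last();
    $tls = @stream_socket_client("ssl://$host:443", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($tls === false) {
        $why = error_get_last()['message'] ?? $errstr;
        return $report + ['tls' => "FAILED: $why"];
    }
    $opts = stream_context_get_params($tls)['options'];
    $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
    fclose($tls);
    $report['tls'] = 'verified, valid until ' . gmdate('Y-m-d', $cert['validTo_time_t']);
    return $report;
}

foreach (diagnose(API_HOST) as $check => $result) {
    printf("%-10s %s\n", $check, $result);
}
```

A failure at the dns or tcp_443 step points to the hosting environment, while a tls failure after both of those pass points to certificate verification.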

By methodically working through these potential causes and solutions, you can likely resolve the connection errors and restore full functionality to your Sucuri Security plugin.
