Some good features, but frustrating limitations are bad for GDPR/CCPA compliance

This plugin has a variety of useful features, including the core files integrity checker, warnings about being included on major search engine malware blacklists, and the ability to receive administrator notifications of various suspicious actions. While it’s not quite the one-stop security solution it wants to be, these features have definite value, which makes the plugin’s limitations that much more frustrating.

A particular bugbear for people concerned about compliance with the GDPR or other data privacy laws is that the plugin provides you little control over data retention — and makes it cumbersome to find and remove personal information in response to a deletion request. For example, the plugin automatically logs every login by a registered user, including their IP address. While this makes some sense for preventing brute force attacks and investigating possible hacks, the log data is retained indefinitely for all users, and the only way to remove or redact it is to either delete the entire log file from the settings tab or else access the log file via FTP and edit it by hand. The plugin offers no controls at all for managing data retention intervals, which means that if you don’t want or need to retain log information indefinitely, you have to remember to periodically delete it yourself. That’s a hassle even if you’re not on the clock to respond to a legally enforceable deletion request.

A particular area of concern is the audit log API service. If you enable this function, certain log data are stored remotely by Sucuri, which is intended to prevent a hacker from covering their tracks by deleting local log data. However, that also means YOU can’t delete the data either. In theory, it’s supposed to roll over after 90 days, but I haven’t been able to determine any way to delete data sooner than that, nor is it clear what happens to existing remote data if you deactivate the API service or request a new key. Also, since there’s no second authentication factor, anyone who gets your key can access the log data online from any web browser.

I REALLY wish that Sucuri would provide more control over the data retention and deletion parameters, which are a major debit for an otherwise useful plugin.