Getting Started

The Sucuri Firewall (WAF) is very easy to activate and takes less than 5 minutes! It runs in the cloud and doesn’t require any hardware or software installation on your end. All you need to do is a quick DNS change to re-route your traffic through our Anycast CDN Network.

How to set up the Sucuri Firewall (WAF)

1) Click here and add your site by clicking on Add Site in the top right hand corner.

2) Enter your site URL such as and then click on Add this Site.

Add Site to Website Firewall

If your site is under a DDoS attack, you can select the first box. To restrict access to the admin pages to only whitelisted IP addresses, you can check the second box.

3) We offer a few different options to change your DNS in order to activate the firewall:

a) Automatic Integration with cPanel/Plesk

To activate the WAF using cPanel or Plesk:

  1. Click “I use cPanel” or “I use Plesk” button under Automatic Integration.
    WAF Setup - Automatic Integration
  2. Enter your domain, username, and password.
  3. Click the “Login to Plesk” or “Login to cPanel” buttons.

b) Use Sucuri DNS Manager

To use Sucuri DNS servers:

  1. Navigate to Settings -> DNS.
  2. Click Activate to go to our DNS Manager.
  3. Review your DNS records that were pulled from your current DNS provider. Our system will try to collect all of your existing records, but if you see anything missing, you can manually add a new record.
  4. Log in to your host or registrar and change your name servers to match the Expected Name Servers in the Sucuri DNS Manager.
    Sucuri DNS Manager

c) Manually Change DNS Records

To manually change your DNS records:

  1. Navigate to the main page of the WAF dashboard.
  2. Copy the the Firewall IP address, the one starting with “192.124.249.X”.
    Locate WAF IP Address
  3. Log into your host or registrar to access the DNS records for your domain.

    We have instructions for several popular hosts in our Docs articles.

  4. Change the A Record as instructed in the grey box.

That’s it. It can up to 48 hours for DNS propagation. Until all DNS servers worldwide recognize that your website is pointing to the WAF IP address, you will not be fully protected.

SSL Certificates

If your site uses an SSL certificate (https), Sucuri Firewall will automatically issue a Let’s Encrypt SSL certificate within a few minutes of the site being live on our end. If you are on our Professional or Business plans, you can use your own custom SSL certificates and upload them on our dashboard.

And that’s it. Once the DNS change is done, your site will be protected by our Sucuri Firewall. If you do not feel comfortable changing your DNS settings, just open a ticket in our system and we will gladly do it for you!


  • It is recommend that you upload the certificate and private key into the WAF before changing the DNS to avoid any SSL error messages while the Let’s Encrypt SSL issue process is running if you’re on the Professional or Business plan and already have a valid SSL certificate installed on your server.
  • If your domain is blacklisted by Google Safe Browsing, the Let’s Encrypt SSL issue process may not work, thus you will need to upload your current SSL certificate into the WAF or wait until the domain is removed from Google Safe Browsing blacklist to activate the WAF.
Was this article helpful?