I will have to talk with our designers about this because…
The “Sucuri API Key” and the “Sucuri Firewall API Key” are two different things.
Sucuri API Key
This key is the one that you can generate for free using the big “Generate API Key” button at the top of the plugin’s page. It takes your domain name and email address and creates a unique identifier for your installation. This key is used to store the event logs in a secure remote storage system managed by Sucuri Inc. When you click the “Recover” button, this is the key that you get back via email.
Sucuri Firewall API Key
This key is the one that you can generate from the Sucuri Firewall dashboard [1] which you can have access to if you are a paying customer. This key is used to authenticate your website against the firewall API to block malicious attacks, visualize the current settings and monitor the traffic in real time. You can only generate and/or recover this key if you are a Sucuri customer.
I go to Sucuri > Settings where I can copy the API Key (in green) and go back to Sucuri Security > Firewall (WAF) and paste that code
Please don’t do this. It will not work.
You can only use the “Sucuri API Key” to authenticate here [2].
You can only use the “Sucuri Firewall API Key” to authenticate here [3].
Since then I updated to WordPress 4.9.4 and the same thing was still happening. I uninstalled, deleted files when prompted, reinstalled Sucuri and then retrieved the API key via email and the same thing is occurring still.
Yes, this is because you are trying to use the free API key to activate a feature that is only available to paying customers. If you don’t have access to the Sucuri Firewall you will not be able to activate that feature with the key that you are getting via email. The key that you currently have can only be used to activate the audit logs.
I’ve got this message at Sucuri Security > Dashboard: “Core WordPress Files Were Modified”. But the info underneath of that is out-of-date still showing an Outdated WordPress under 4.8
I think there are two things here that are adding more to the confusion.
The message “Core WordPress Files Were Modified” is shown because your installation contains six files in the document root that are not part of a normal WordPress installation. Below is a description of each file; you will have to decide to either delete them or mark them as false positives using the option “mark as fixed”.
.user.ini: I have no idea what this is.
fantversion.php: Fantastico website installer.
sitemap.backup.xml.gz: Regular sitemap.xml file (backup).
wordfernce-waf.php: Rudimentary firewall script by Wordfence.
wp-admin/error_log: Generic PHP error log file.
wp-includes/error_log: Generic PHP error log file.
I’m pretty sure I just need to get this API Key issue fixed so that Sucuri can scan again.
The malware scanner is automatically activated without an API key. You just need the key to activate the audit logs, and if you are a paying customer, you will need another API key to activate the firewall. If what you want is to get rid of that “Outdated WordPress” warning, then just delete this file [4] using the tool available in the settings page under the “Data Storage” panel; this will force the plugin to scan the website once again, skipping the cache (the cache is alive for 20 minutes on your server, and 48 hours on the Sucuri servers).
[1] https://waf.sucuri.net/
[2] https://wordpress.sucuri.net/api/
[3] https://waf.sucuri.net/api?v2
[4] /wp-content/uploads/sucuri/sucuri-sitecheck.php