• Resolved bkjproductions

    (@bkjproductions)


    Really annoying! I cannot get Sucuri to stop bothering me with every Tom, Dick and Harry who is failing to log into the site:

    This setting:
    Receive email alerts for failed login attempts (you may receive tons of emails)
    will not save when I submit the form.

    I believe it is because Sucuri is not storing its settings in the database, but rather seems to be writing a file to the uploads folder? Here is a message that appeared after I deactivated the plugin and reactivated the plugin, trying to diagnose the problem.

    SUCURI: Storage is not writable: /myname/public_html/wp-content/uploads/sucuri/sucuri-settings.php

    I didn’t think it was considered proper to put a PHP file into your uploads folder, isn’t that a security risk? At least, from what I have read, a quick search shows that most people recommend locking down the /uploads folder so you’re not executing PHP code there.

    This must be a new thing, because there was no such message when I arrived on the settings page on a site where the plugin has been running for years.

    Another bone to pick:
    Sucuri is sort of vague about who gets notified. I would prefer to have an email address that is NOT an admin of the website, but some other address for a person whose job is just to monitor the notices. That person doesn’t need to be a registered user. It seems like maybe I could do this, in that there is a setting:

    Alerts Recipient
    By default, the plugin will send the email alerts to the primary admin account, the same account created during the installation of WordPress in your web server. You can add more people to the list, they will receive a copy of the same security alerts.

    Below this there is a list of users, one of whom is the main Admin. But, probably due to the problem with saving settings to a PHP file rather than the database, removing the Admin from the list will not “stick.” Nor will adding a new user. Still, I think if I dare allow PHP to execute in my /uploads folder, then I think that I can remove the default Admin and put in another address. If this is the case, the text in the Alerts Recipient instructions should say “You can add or remove people…”


Viewing 1 replies (of 1 total)
  • I believe it is because Sucuri is not storing its settings in the database, but rather seems to be writing a file to the uploads folder?

    That is correct, more specifically in this file [1].

    SUCURI: Storage is not writable: /myname/public_html/wp-content/uploads/sucuri/sucuri-settings.php

    This is the entire reason why you are unable to enable/disable the security alerts. If the plugin has no access to write into this file then — technically speaking — it’s impossible to save the changes that you are trying to apply from the settings page.

    I didn’t think it was considered proper to put a PHP file into your uploads folder, isn’t that a security risk?

    Write permission is different from execution permission.

    In Unix-like systems, there are three basic permissions that you can set on a file: read, write, execute. Allowing the execution of a random file (no matter the programming language) is a bad idea in itself, but again, the plugin is asking for write permission rather than execution: none of the files in the “uploads/sucuri” directory need to be publicly accessible, they just need to be writable inside the server so the plugin can insert/delete data into/from them.

    At least from what I have read; a quick search shows that most people recommend locking down the /uploads folder so you’re not executing php code there.

    Locking down any directory with content that you don’t want to be publicly accessible from the Internet is a good idea. However, you are seeing this procedure incorrectly; in the context of WordPress websites, “locking down” a directory basically means that you are blocking access to it and/or any of its files from the web, but the server and any internal software still have access to it (unless you change the permissions, which is what is happening on your website).

    You can keep your uploads directory locked down and grant write permissions to these files so the plugin can use them, without affecting the security of the website. In fact, one of the features offered by the plugin — the Hardening — has an option that adds restrictions to the uploads directory to prevent the unwanted execution of publicly accessible PHP files.

    This must be a new thing, because there was no such message when I arrived on the settings page on a site where the plugin has been running for years.

    The message is new, but the permission check is old.

    The plugin used to fall back to the database to store the settings; that’s why people didn’t experience this problem with the file permissions before. However, this changed when it was decided that relying on WordPress’ database would cause more problems than not, so we went full “flat files” and added the error message just in case something unexpected happens.

    Sucuri is sort of vague about who gets notified. I would prefer to have an email address that is NOT an admin of the website, but some other address for a person whose job is just to monitor the notices. That person doesn’t need to be a registered user. It seems like maybe I could do this, in that there is a setting

    Indeed! This is something that I need to change. I will include this as a feature request in our internal issue tracker. Once a priority is assigned to this task by the project manager, I will work on it and include it among the changes for a future update of the code.

    SOLUTION: The issue mentioned in this thread is fixed by granting write permissions to the file linked below. Feel free to lock down the uploads directory to prevent the execution of PHP files; this lock-down will not affect the reads/writes from the plugin. In fact, even if you grant them execution permission, nothing bad will happen because these PHP files have no relevant PHP code, they just contain a call to the built-in exit() function and then JSON-formatted data.

    [1] /wp-content/uploads/sucuri/sucuri-settings.php
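The reply above makes three points that are easy to verify on a scratch copy of the uploads tree: the settings file only needs to be writable (not executable) by the PHP/webserver user, a web-level lock-down of the uploads directory does not interfere with that, and the file itself is inert PHP followed by JSON. The POSIX shell script below is an added example, not code from the Sucuri plugin or from either participant in the thread. The exact header line of the settings file, the option names inside the JSON, and the Apache rule used for the lock-down are assumptions chosen for illustration and may differ from what the plugin writes.

```shell
#!/bin/sh
# Added example (not the Sucuri plugin's own code). Reproduces the thread's
# points on a throwaway stand-in for /wp-content/uploads:
#   1. the plugin's settings file must be WRITABLE by the PHP/webserver user;
#   2. the uploads directory can be LOCKED DOWN against web execution of PHP
#      without affecting (1), because that lock-down is a webserver rule,
#      not a filesystem permission.
# Assumed: the settings-file layout (one PHP exit() line, then JSON) and the
# option names below are illustrative, not the plugin's real format.

WP_UPLOADS=$(mktemp -d)               # stands in for /wp-content/uploads
SUCURI_DIR="$WP_UPLOADS/sucuri"
SETTINGS="$SUCURI_DIR/sucuri-settings.php"
trap 'rm -rf "$WP_UPLOADS"' EXIT      # clean up the scratch tree on exit

# Write a settings file in the assumed layout. The PHP header makes the file
# harmless if it is ever served through the PHP engine; the JSON that
# follows is the actual data. Mode 0640: owner read/write, never executable.
write_settings() {
    mkdir -p "$SUCURI_DIR"
    printf '%s\n%s\n' '<?php exit(0); ?>' \
        '{"sucuriscan_notify_failed_login":"disabled","sucuriscan_notify_to":"alerts@example.invalid"}' \
        > "$SETTINGS"
    chmod 0640 "$SETTINGS"
}

# Read one string setting back, skipping the PHP header line (constructed
# parser for the illustrative flat JSON above, not a general JSON reader).
read_setting() {
    key=$1
    tail -n +2 "$SETTINGS" | sed -n "s/.*\"$key\":\"\([^\"]*\)\".*/\1/p"
}

# The check behind the thread's "Storage is not writable" message: can the
# current user (on a real host, the PHP/webserver user) write the file?
# Note: root passes -w regardless of mode; run as an unprivileged user.
storage_check() {
    if [ -w "$SETTINGS" ]; then echo writable; else echo "not writable"; fi
}

# The thread's SOLUTION step: restore write permission for the owner. On a
# real host first confirm the owner is the webserver user (e.g. www-data);
# chmod alone does not help when the file belongs to someone else.
grant_write() {
    chmod u+w "$SUCURI_DIR" "$SETTINGS"
}

# Web-level lock-down of uploads (Apache 2.4 syntax; use "Deny from all" on
# 2.2): deny HTTP access to any PHP file under uploads. This is enforced by
# the webserver on requests only; local reads/writes through the filesystem,
# which is what the plugin does, are unaffected.
lock_down_uploads() {
    cat > "$WP_UPLOADS/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

write_settings
lock_down_uploads
echo "storage after install:        $(storage_check)"
chmod u-w "$SETTINGS"   # reproduce the thread's failure condition
echo "storage with write bit removed: $(storage_check)"
grant_write             # apply the fix from the SOLUTION paragraph
echo "storage after fix:            $(storage_check)"
echo "failed-login alerts setting:  $(read_setting sucuriscan_notify_failed_login)"
echo "alert recipient setting:      $(read_setting sucuriscan_notify_to)"
```

Run it as the same user the PHP worker runs as; on a live site the equivalent check is `sudo -u www-data test -w wp-content/uploads/sucuri/sucuri-settings.php` (substituting your webserver user), which tells you whether the problem is the mode bits or the file's owner.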


The topic ‘Cannot shut off notifications’ is closed to new replies.