My site was infected by malware 6 months ago. The Sucuri plugin didn't even detect it; its only contribution was to tell me I was blacklisted (which I knew already because of an email from Google Webmaster Tools). But Wordfence told me exactly what was going on, and where.
Removed the spyware and was able to get off the Google blacklist within 48 hours.
Yet 6 months later, this plugin still shows me on the Google blacklist. (And I promise you: it just ain't on there.)
The same has since held true for several of my sites. Sucuri doesn't detect the attack shell at ALL, and then keeps telling me I'm on a blacklist, long after the fact.
I will say I like the "one-click hardening" (assuming it's doing something), but thanks to plugins like Better WP Security and Wordfence, I haven't gotten hacked since.
Bottom line: This may be a great plugin, and some people seem to love it, but as far as I can tell this is 90% an ad for Sucuri's malware removal service, and otherwise a lackluster plugin at best.
If it can't detect the presence of an attack shell on a WP platform, then uh ... what exactly is it?
(To clarify, it HAS successfully detected them AFTER a Google blacklist, but Wordfence has found the SAME shell BEFORE a blacklist, leading me to believe Sucuri may rely on a blacklist report from Google to generate its "results," which isn't the same as what Wordfence is doing: keeping me off the blacklist in the first place.)
Apologies if I'm wrong.