
MalCare Review: The Best Security Plugin for Your WordPress Site

Updated on May 31, 2023

16 Min Read

Are you worried about the security of your WordPress website? Do you lose sleep over the thought of hackers gaining unauthorized access to your valuable data? If so, then I have a solution for you.

Introducing the MalCare Security plugin – a powerful tool in the battle against cyber threats. With its advanced features and powerful scanning capabilities, MalCare is here to safeguard your website from malicious attacks and ensure your peace of mind.

In this blog post, we will explore the key benefits of the MalCare Security plugin and why it is a must-have tool for every WordPress site owner. Let’s dive in!

Overview of MalCare Security


MalCare is your only real choice for a WordPress security plugin, whether you have a portfolio site, an ecommerce store, a travel blog, or a site for your local business.

MalCare protects your site with a formidable 7-layer defense system. It has 3 critical security components in one plugin: a malware scanner, one-click malware removal, and an advanced firewall custom-built to block WordPress-specific threats.

One of the key differences between MalCare and other security plugins is that MalCare security will never impact your site’s performance. When installing MalCare, you will see an immediate boost as the firewall kicks into gear.

It also has additional features: vulnerability detection, activity log, backups, staging, managed updates, and uptime monitoring. These help keep WordPress sites in fine fettle and free you up to focus on growing your online presence.

In this review of MalCare, you’ll see that the opposite is true. WordPress security can—and should be—hands-free and easy.

MalCare Security vs Other Plugins

MalCare distinguishes itself from heavyweight plugins like Sucuri and Wordfence because it provides comprehensive security without impacting speed and performance.

Sucuri and Wordfence use heavy malware scanners that utilize the site’s resources, visibly impacting its speed. Additionally, their malware scanners use signature matching to identify malware, so they often miss malware in the database, premium plugins, and premium themes.

Apart from the scanner, MalCare is the only plugin that has automated malware removal that works. Wordfence has the option to delete or repair hacked files automatically, but there is an ever-present threat of breaking the site. Sucuri has a superb manual removal service, although you cannot rely on their scanner to tell you if your site is hacked.

Jetpack has a suite of maintenance features and a fantastic external dashboard but cannot secure any site adequately. The scanner will not detect most malware; even if it does, there is no assistance in removing it.

iThemes is a mediocre security plugin, at best, with superficial security features. It doesn’t have a scanner, cleaner, or a firewall. The only concession to security is their two-factor authentication feature.


Why Choose MalCare Security?

MalCare is the relatively new kid on the block but has been built to take on the formidable might of more established security plugins.

Although MalCare’s security features stand independently, some key differentiators make it the best choice for any WordPress site:

  • No load on the site server: Everything occurs exclusively on MalCare servers. This contrasts starkly with Wordfence or Sucuri, where the malware scans use site resources. With those plugins, there is always a noticeable dip in site performance, so much so that some hosts ban Wordfence for this reason.
  • No false alarms: Alerts and alarms are meant to be startling, but only when there is a legitimate cause for concern. Too many false alarms, and you will start disregarding the real ones.
  • Set-it-and-forget-it: MalCare will send an email alert when something requires attention, but for the most part, you will not be bombarded with emails. Many key actions, like backups and malware scans, happen automatically and daily.
  • Integrated with other high-performance features: Many people realize they need security when their sites get hacked. Once the malware is removed, backups and updates become integral to maintaining a clean site. These features are easily available by upgrading the chosen plan.


Key Features of MalCare

MalCare has a full suite of features that lend themselves to maintaining high-performance sites with minimum effort. Many features are automatic and set to a daily cadence for optimized performance.

1. Malware Scanner


Malware on your site gets exponentially worse the longer it is left on your site. That’s why, out of all the features in a security plugin, the scanner gets top billing.

A good scanner is critical to your WordPress site’s security puzzle. MalCare scans your site daily for malware and raises an immediate alarm if any is found.


As soon as your site is added to the MalCare dashboard, it sets up a site sync. Your entire site—all files and the database—is scanned for malware, backdoors, and vulnerabilities. Once the site has finished syncing, you’ll be able to see the scan results, which take a matter of minutes at the most.


The scans take place automatically once a day, but you can scan on demand unlimited times.

As you can imagine, all malware scanners are not built the same. There are 3 key reasons why MalCare is better than other scanners:

Firstly, MalCare deep scans your website for malware, meaning every inch of your site is scanned. Plenty of other scanners will leave out core files, for instance. A complete scan is necessary because malware can be anywhere on your site.

Secondly, MalCare’s scanner uses a proprietary signal-based algorithm that detects 99% of all malware. Signals are behavioral markers that indicate if the code is malicious or not. For instance, malware may redirect users to a spammy site. The code is analyzed for these intentions and then flagged as malware.

MalCare relies on 100+ signals to determine if the code is malware, and signatures are only 1 of those signals. This means even if the malware is brand new, MalCare will flag it.

Signal-based detection is far superior to signature-matching databases, which is standard with other security plugins. With signature matching, the code on your site is compared to those in a database, and if a match is found, the code is flagged as malware. As you can imagine, signature matching relies heavily on an up-to-date database to be successful.

The problem with this mechanism is that hackers are sneaky and design malware to be hidden from detection for as long as possible. So they hide malware in various ways: obfuscated code, split into multiple places across the site, fake plugins, innocent-looking additions to core files, and so on.

Malware is also hidden in various places: theme files, plugins, core WordPress files, and the site database for good measure. So even if the malware itself is old hat, when hackers devise a new way to hide it, a signal-based scanner will flag it, but a signature-based one will not.

Thirdly, scanning occurs on MalCare servers, so your site server is unaffected. With most other scanners, you will see performance noticeably degrade during a scan—which is why scans are usually on-demand. Not so with MalCare. You have 24/7/365 assurance that you will know immediately if malware is detected on your site.
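The difference between signature matching and signal-based scoring described above can be seen on a small scale in the following added example, which is not MalCare's code or algorithm. The PHP snippets are constructed, and the signal names, weights, and threshold are assumptions chosen for illustration.

```python
"""Signature matching vs. multi-signal scoring on constructed PHP snippets."""
import base64
import hashlib
import re

# Constructed samples, not real malware; spam.example is a placeholder host.
KNOWN_REDIRECT = (
    "<?php if (!isset($_COOKIE['seen'])) "
    "{ header('Location: http://spam.example/offer'); exit; }"
)
_ENCODED_URL = base64.b64encode(b"http://spam.example/offer").decode()
# Same behaviour, hidden: encoded URL, split function name, indirect call.
OBFUSCATED_REDIRECT = (
    "<?php $u = base64_decode('" + _ENCODED_URL + "'); $h = 'hea'.'der'; "
    "if (!isset($_COOKIE['seen'])) { $h('Location: '.$u); exit; }"
)
BENIGN_THEME = (
    "<?php function theme_setup() { add_theme_support('title-tag'); } "
    "add_action('after_setup_theme', 'theme_setup');"
)
BENIGN_DECODER = "<?php $data = json_decode(base64_decode($payload), true);"


def sha256_hex(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


# Simplest form of a signature database: hashes of previously seen samples.
SIGNATURE_DB = {sha256_hex(KNOWN_REDIRECT)}

# Assumed signals and weights, chosen for this example only.
SIGNALS = [
    ("decodes_hidden_string", 2,
     re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(")),
    ("split_function_name", 2,
     re.compile(r"'[a-z_]{2,}'\s*\.\s*'[a-z_]{2,}'")),
    ("variable_function_call", 2, re.compile(r"\$\w+\s*\(")),
    ("external_redirect", 2, re.compile(r"Location:\s*https?://")),
    ("cookie_gated_behaviour", 1, re.compile(r"isset\s*\(\s*\$_COOKIE")),
]
SIGNATURE_WEIGHT = 5  # a signature hit is one signal among the others
THRESHOLD = 4  # assumed: no single behavioural signal is enough on its own


def signature_scan(code: str) -> bool:
    """Flag only code whose hash is already in the database."""
    return sha256_hex(code) in SIGNATURE_DB


def signal_scan(code: str):
    """Return (flagged, score, names of the signals that fired)."""
    hits = {name: weight for name, weight, pat in SIGNALS if pat.search(code)}
    if signature_scan(code):
        hits["signature_match"] = SIGNATURE_WEIGHT
    score = sum(hits.values())
    return score >= THRESHOLD, score, sorted(hits)


def main() -> None:
    samples = {
        "known redirect": KNOWN_REDIRECT,
        "obfuscated redirect": OBFUSCATED_REDIRECT,
        "benign theme code": BENIGN_THEME,
        "benign decoder": BENIGN_DECODER,
    }
    for name, code in samples.items():
        flagged, score, hits = signal_scan(code)
        print(f"{name:20} signature={signature_scan(code)!s:5} "
              f"signals={flagged!s:5} score={score} {hits}")


if __name__ == "__main__":
    main()
```

The obfuscated variant changes every byte the hash depends on, so the signature lookup misses it, while the combination of decoding, split function name, and indirect call pushes it over the threshold. The benign decoder fires one signal and stays below it.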

2. Malware Removal


Malware removal is a beast in the best of cases, so MalCare’s one-click auto-clean feature is a substantial benefit. Once the scan results are in, you must upgrade your plan to clean the site. Then, in literal minutes, the malware is surgically removed from your site, leaving your site pristine and intact.


Malware removal requires considerable technical expertise and is therefore well outside the scope of most WordPress site admins. The other alternative is to hire a malware removal service, which is usually exorbitantly priced and often unavailable at short notice.

Manual malware removal takes days, if not weeks, to accomplish. So either the malware remains on the site longer than it should, getting increasingly worse, or you need to shell out a tidy sum to get rid of it. In some scenarios: both.

MalCare’s auto-clean feature is included in the base plans. If the hack cleanup doesn’t execute 100%, you can contact their excellent support team. The support team comprises security experts who will clean up your site as a part of your subscription.

This is a huge deal, considering similar services run into hundreds of dollars, and do not indemnify the cleanup.

3. Advanced Firewall


A good firewall is like a forcefield around your site, blocking threats proactively. It is the best way to protect your site from the most insidious attacks.

Once you install MalCare’s firewall, you’ll see an immediate performance boost. This is because MalCare blocks attacks from ever reaching your site, reducing its load. Even if attacks are unsuccessful, they can drain site resources very quickly if they reach the site.

MalCare’s firewall is custom-built for WordPress and is installed as a part of the security plugin, providing end-point security for your site.


A plugin-based firewall is also a cinch to install. With cloud-based ones like Cloudflare or Sucuri, you must be comfortable configuring nameservers and other DNS settings. They also keep out generic threats for the most part and are specially configured to mitigate DDoS attacks.

However, WordPress sites rarely experience DDoS attacks and require other, more specialized protection against attacks, like SQL injection and XSS attacks.

A firewall is only as effective as its rules; this is where MalCare comes into its own. It is installed on a global network of over 100,000 sites and learns from each. The rules are updated in real time so that if 1 site experiences an attack, the firewall intelligently creates a rule to block it, which is applied to all other sites.

You can view detailed logs and reports about blocked and allowed requests to your site and see the global IP protection feature in action. This is especially useful if you want to understand incoming traffic and cross-check it with an analytics tool.

MalCare’s firewall is hands-free protection for your site, but you can exert fine-grained control if needed. From the dashboard, you can whitelist or blacklist IPs as required. MalCare also has a geoblocking feature in case you want to prevent entire countries from being able to access your site.

4. Bot Protection


Most Internet traffic isn’t even human. You’ve created your site and its content for humans, but only 1 in 4 visitors is a living, breathing individual. The rest? Bots.

Now, to be fair, there are good and bad bots. Googlebot and other search engine crawlers are examples of the former, as are uptime monitoring bots. So you want those to have full access to your site. Bad bots, on the other hand, are malicious and parasitic. Those are the ones to worry about.

Brute force bots, for example, are used by hackers to force entry into your site. Content scrapers steal copies from your posts and pages, product information from ecommerce sites, and even the usernames of members on a forum.

Spam bots inundate comment forms, contact forms, and registration forms with malicious links to unsavory adult sites, illegal sites, or phishing ones that will steal user information.

MalCare blocks only bad bots from your site while letting the good ones in. This is a key differentiating factor from other bot protection plugins because you will see that aggressive plugins will deplete your traffic.

But the laxer ones will let in all kinds of bots as well. MalCare strikes the right balance by protecting your site and making it discoverable for the human beings you built it for.

5. Activity Logs


Knowing what is happening on your site is important as a site admin: which user published which post or changed which setting, and when.

In the case of privilege escalation attacks or user registration spam, keeping a close eye on these actions can alert you to unusual user activity. Once you have identified unusual activity, you can take proactive steps to limit access and contain the damage from hackers.

MalCare’s activity log maintains a detailed record of all user actions on your site. From publishing a post to uninstalling a theme, you can pinpoint exactly who has done what and when. This is an invaluable tool when resolving issues with your site, like site crashes or malfunctioning plugins.

6. Vulnerability Detection


WordPress security largely focuses on login security: protecting your site from brute force attacks, limiting logins, two-factor authentication, strong passwords, etc. And all of these measures are important, but 95% of hacks occur because of vulnerabilities on your site.

Vulnerabilities are mistakes in code that can be exploited to gain unauthorized access to your site. They exist in plugins, themes, and in WordPress itself. Developers are human, after all, and there is a chance of mistakes slipping through the cracks. However, once these vulnerabilities are discovered, responsible developers quickly release an update to fix the problem.

MalCare’s daily scan keeps track of WordPress and all your installed plugins and themes and indicates which ones have vulnerabilities. You get an email alert and can update right from your dashboard. This is especially useful if you have the same plugin or theme installed on multiple sites, so you can fix all vulnerabilities with a single click.

7. Login Security


Although vulnerabilities account for 95% of hacks, that is no reason to neglect login security. With MalCare’s firewall, you can rest assured that no brute-force bots breach your site. However, someone trying out passwords still can.


That’s where login limiting comes in. MalCare automatically limits any IP or username that makes too many attempts. If this mechanism locks out a legitimate user, they can solve a simple captcha to reinstate their access or reach out to an admin with MalCare access.
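Limiting by both IP and username matters because each counter catches a guessing pattern the other misses. The following is an added example, not MalCare's implementation; the class name, the thresholds, and the sliding-window design are assumptions, and the addresses are documentation ranges.

```python
"""Per-IP and per-username login limiting with a captcha reset."""
from collections import deque


class LoginLimiter:
    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        # Assumed defaults; the page does not state MalCare's thresholds.
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # ("ip" | "user", value) -> deque of failure times

    @staticmethod
    def _keys(ip: str, username: str):
        return ("ip", ip), ("user", username.lower())

    def _recent_failures(self, key, now: float) -> int:
        times = self._failures.get(key)
        if not times:
            return 0
        # Drop failures that have aged out of the sliding window.
        while times and now - times[0] > self.window:
            times.popleft()
        if not times:
            del self._failures[key]
        return len(times)

    def is_locked(self, ip: str, username: str, now: float) -> bool:
        return any(self._recent_failures(key, now) >= self.max_failures
                   for key in self._keys(ip, username))

    def attempt(self, ip: str, username: str, password_ok: bool,
                now: float) -> str:
        # The lock is checked first, so a correct guess while locked
        # is refused as well.
        if self.is_locked(ip, username, now):
            return "locked"
        if password_ok:
            return "ok"
        for key in self._keys(ip, username):
            self._failures.setdefault(key, deque()).append(now)
        return "failed"

    def reinstate_after_captcha(self, ip: str, username: str) -> None:
        # Called only after the captcha has been verified elsewhere.
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def demo():
    lim = LoginLimiter(max_failures=3, window_seconds=60)
    results = []
    # One username guessed from rotating addresses: the IP counters
    # stay at 1 each, the username counter reaches the limit.
    for i in range(3):
        results.append(lim.attempt(f"203.0.113.{i}", "admin", False, now=i))
    # Fresh IP, correct password: still refused, the username is locked.
    results.append(lim.attempt("203.0.113.50", "admin", True, now=3))
    # The legitimate user solves the captcha and gets back in.
    lim.reinstate_after_captcha("203.0.113.50", "admin")
    results.append(lim.attempt("203.0.113.50", "admin", True, now=4))
    # One address trying many usernames: the IP counter reaches the limit.
    for i, user in enumerate(["alice", "bob", "carol"]):
        results.append(lim.attempt("198.51.100.7", user, False, now=10 + i))
    results.append(lim.attempt("198.51.100.7", "dave", False, now=13))
    # Once the window has passed, the address is no longer locked.
    results.append(lim.attempt("198.51.100.7", "dave", False, now=100))
    return results


if __name__ == "__main__":
    print(demo())
```

Locking by username lets anyone who knows a username lock its owner out, which is why a reinstatement path such as the captcha described above is needed alongside the limit.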

8. Expert Support

Even if your site is completely secure with MalCare, occasionally speaking to an actual human is always reassuring. MalCare’s support team comprises WordPress security experts who are just an email away.

9. Full-Site Backups


For around 60% more, you can add great backups to your MalCare security subscription. MalCare is built by the same team as BlogVault, an established name in WordPress backups.

MalCare backups are full site backups, meaning that everything on your site is saved in every backup. This includes WordPress files and the database, plugin files, theme files, and all the content in the database.


Backups are taken daily and automatically saved to BlogVault servers. This is an important feature because most backups (those by plugins, hosts, or even manual ones) are often saved on the same server as the site. If anything happens to the server, the backup is gone along with the site, at the moment it is most needed.

Also, considering these are full site backups, you don’t want 90 backups clogging up your site server, especially on a shared hosting plan. The storage costs can rack up significantly, and pretty soon, you will be looking at an exorbitant bill from your web host.

MalCare provides unlimited and secure storage for your backups. For additional security, each backup is encrypted.

Although you will often see advice to use a backup to recover from a hack, this is poor advice. A backup is an insurance policy for your site and is a godsend when things go wrong. However, it should only be a last resort for a hacked site. Restoring a site in response to a hack could mean reinstalling the malware or the vulnerability that caused it.

10. Managed Updates


The best way to stop hackers from exploiting vulnerabilities on your site is to keep it updated. This means keeping the plugins and themes, not just WordPress, always updated.

However, updates are not always straightforward and can cause the site to crash or function strangely. The average WordPress site has 30+ plugins and at least 3 themes installed at any time.

This considerably increases the complexity of site updates, and site administrators are understandably wary of applying updates to a functioning site.


The best and safest way to apply updates to a site is to do it first on a staging site. With MalCare backups, you can create a staging site from the dashboard in minutes. It is a perfect copy of your site but inaccessible without login credentials. You can test each update thoroughly to ensure nothing on your site breaks and then replicate it on your live site.


11. Visual Regression Testing


After any update on your site, you need to check the important pages to ensure everything works as expected. With large sites or WooCommerce stores, this becomes a time-consuming activity.


From within MalCare’s dashboard, you can designate certain pages as important for visual regression testing. MalCare will check elements on the page before and after updates for discrepancies. You then only need to check pages that fail the regression tests. This is a huge timesaver, especially if you have several important pages and want to check them quickly.

12. Uptime Monitoring


All MalCare subscriptions include a free uptime monitoring system. The system will ping your site and alert you immediately if the site is down. You will know if your site is experiencing downtime in less than 5 minutes.

13. Site Migration


Fed up with your web host, or want to move to a self-hosted server? MalCare has your back. MalCare is compatible with over 5000 web hosts right out of the box. In fact, it powers many of their migration plugins. You can easily use it with WordPress hosting from Cloudways also.

All this is to say that migrating to a different host is a cinch. Plug in your details, and your entire site will be transferred to another server in a few minutes. This is true for sites that are 10 MB to 500 GB and more in size.

14. Ease-of-Use


Maintaining a high-performance site is no cakewalk. Apart from the constant threat of hackers, there are always updates to be done, things to monitor, and performance to keep up. All of this is on top of the actual work of running the site: content, SEO, customer management, support, etc.

This is where MalCare shines. The security is automatic. The backups are automatic. The updates can be set to automatic. Visual regression is automatic. If something does need your attention, you get an email. Only then do you need to look at the MalCare dashboard.

And then the dashboard itself is so intuitive and easy to use. Everything about your site is laid out in neat widgets, so you get a bird’s eye view of your site.

Don’t want to manage your site yourself? Add a collaborator, and adjust their access with account permissions. MalCare is the easiest WordPress security plugin ever.

Pricing and Plans of MalCare

MalCare is reasonably priced at $99 a year per site for the security plan. Backups, migration, staging, and activity logs are an additional $50 a year. All plans come with premium and personalized support.


Pros and Cons of MalCare Plugin

While it offers several advantages, it also has some limitations. Here are the pros and cons of the MalCare plugin.


Pros

  • Easy to use
  • Effective malware detection
  • Real-time website monitoring
  • Daily automatic backups
  • One-click malware removal
  • Malware scanning scheduling
  • Firewall protection
  • Blacklisting removal
  • Website hardening features
  • Detailed security reports

Cons

  • Limited free version features

System Requirements of MalCare

MalCare installation works just like any other plugin. Your site should meet the following basic requirements:

  • WordPress 4.0+
  • PHP version 5.4.0+

Install and Activate MalCare Plugin

Setting up MalCare is very straightforward, and it will be up and ready to go in a few steps.

1. Auto-Installation

  • Visit the MalCare website to get started in a few steps.
  • Click on Sign Up to create an account.


  • Once on the MalCare dashboard, click on Add Site.


  • Next, add your site URL and click Continue.


  • Add in your wp-admin credentials to auto-install the plugin.


  • Click the Initiate Sync button to start the process.


  • The site will sync to MalCare servers in a few minutes.


2. Manual Installation

You can also download the plugin for manual installation.

  • On the Install Plugin screen, click Download in the Manual Installation section.


  • Log into wp-admin, and go to the Plugins menu.


  • Click on Add New and then on Upload Plugin.


  • Drag and drop the downloaded zip file, or use the file selector to upload the file.


  • Click on Install Now.
  • The site will sync to MalCare servers after the installation is complete.

Troubleshooting Common Issues

There’s many a slip ‘twixt the cup and the lip, so occasionally, you might be confronted with an issue when using MalCare.

  1. Your MalCare dashboard shows that your sites have been added but aren’t connected.

Log into your website’s wp-admin, and navigate to MalCare from the left pane. There, add your email address and click on Connect. This will take you to the MalCare dashboard, and your site should be connected to your account.

  2. Can’t use auto-install because the website is password-protected.

You can use the manual installation method described above to install MalCare on a password-protected site.

Alternatively, click on Advanced Options in the AutoInstall Plugin box. You can put in wp-admin credentials here, and the installation will proceed as normal. MalCare doesn’t save these details.

  3. The site shows up as hacked, but you cannot see the files.

Viewing hacked files is a premium feature. Upgrade your MalCare plan to view the hacked files and clean the malware in minutes.

  4. The auto-cleanup couldn’t clean all the malware.

In certain cases, malware is inextricably linked to legitimate code on your site. Removing the malware will then cause your site to crash or behave unexpectedly. In this case, having MalCare’s security experts look at the site code is better. As part of every MalCare subscription, you can access unlimited manual cleanups.

You can contact MalCare’s support team at [email protected] if you encounter any other issues. You can expect a swift response in less than 24 hours.


Finding a plugin to maintain your WordPress site can be a challenging task. But if you’re looking for an all-in-one plugin that checks all the boxes, MalCare is an excellent option.

MalCare is reasonably priced, so you don’t have to break the bank to keep your site secure and running smoothly. Overall, if you want to keep your WordPress site in tip-top shape, MalCare offers a great balance of features and value.

Frequently Asked Questions

Q. How much does the MalCare plugin cost?

A. MalCare premium plans start at $99 per year. The basic plan includes a malware scanner, one-click malware removal, advanced firewall, bot protection, login protection, vulnerability detection, uptime monitoring, and unlimited premium support from WordPress security experts.

Q. What is the difference between MalCare free and pro?

A. MalCare’s free plugin will scan your site for malware daily. If your site has malware, you need a subscription to remove the malware. The free plugin also includes an advanced firewall, vulnerability detection, uptime monitoring, and login protection, but it doesn’t have bot protection and other site maintenance features.

Q. Is the MalCare plugin free?

A. MalCare has a free plugin version with a malware scanner and a real-time firewall. However, you need a premium subscription to view the hacked files and remove the malware.

Q. Is the MalCare plugin safe?

A. MalCare is not only a safe plugin, which receives regular updates, but it also protects WordPress sites from malware and attacks.

Q. Is MalCare better than Wordfence?

A. MalCare is a much better security plugin than Wordfence because of the advanced malware scanner, real-time firewall, and one-click malware removal features. MalCare is performance-sensitive also and doesn’t use the site resources for scanning. Wordfence also blocks admins from accessing their sites and generates many false alerts.


Liza Rajput

Liza Rajput is a Technical Content Producer at Cloudways. Being a software engineer, she loves to play with data and its processes and wishes to grow and excel in Data Science and Big Data Engineering. She has also been an avid reader and exceptional writer, with sufficient experience in technical, research-based, and creative writing.

