MalCare
Pros
- Offsite scanning of website reduces server load
- Machine learning helps MalCare get better results
- Effective in removing malware
- Backup service
- Affordable pricing compared to other plugins on the market
Cons
- Does not have database scanning, yet
- Only in a premium version, there is malware scanning and backup
Because WordPress is so popular, many hackers are keen on hacking WordPress websites. That is why a good WordPress malware scan plugin is a “must have.” In this MalCare review, you will find out more about this malware cleanup and website protection plugin.
Security is of utmost importance to every website owner. Corrupted websites are blacklisted by Google, and Web Hosts shut down websites infected with malware.
Hackers are continually finding new ways to “infiltrate” and find vulnerabilities. Protecting your website and its data from hackers is crucial.
Hackers inject various malware into the website to make it slow or to collect private data. MalCare behaves like an antivirus program. It scans through the files on your server to find the malicious ones.
But unlike many other WordPress security plugins, MalCare does not overload your server. MalCare makes a copy of your site and then scans through the copy to find and quarantine the suspected malicious files.
After determining that the files are indeed hacked, MalCare then removes these files. In comparison, many WordPress security plugins and tools run on your server. This increases server load and might even result in false negatives as the server might time out.
An increase in server load would also cause your site to load slower, affecting your SEO results. MalCare is developed by the team behind BlogVault, which is one of the most trusted WP backup plugins.
This plugin effectively identifies suspicious files and scans them with an advanced algorithm. The MalCare plugin uses 100+ signals to identify malware and helps you detect it before it attacks your website.
An email notification is sent to you as soon as infected files are detected. MalCare also limits the number of login attempts and untrusted IPs so that unauthorized users cannot enter your website.
It is integrated with firewall protection, which does not give access to third parties and keeps track of any high traffic. MalCare protects your website from various attacks such as MySQL attacks, brute-force attacks, malware injection, trojans, etc.
MalCare Review – How To Set Up?
You don’t have to go through a complicated setup or configuration process. Just enter your MalCare username and password on the MalCare website and sign in.
When logged in, the first page you will see is the MalCare site listing page. You can add websites under your MalCare account by clicking the green plus icon.
After you add a site, you need to install the MalCare plugin on that website. You can do it manually or provide admin login details, and it will be done for you.
MalCare never stores your WP Admin credentials; they are discarded immediately after plugin installation.
You will then see the MalCare plugin in your WordPress website admin dashboard. The plugin doesn’t provide any settings or options, as everything is managed from the MalCare account dashboard.
Under My Sites, you can see all your sites, group them in different ways and perform bulk actions on them. You can even filter sites based on their status: Active, No Plugin (MalCare plugin not yet installed on your site), Unreachable (if your site shuts down), and Hacked.
All these sites can also be filtered according to the tags, users, plugins, themes, or even different versions of the same. Then you can perform bulk actions on these selected sites using the Advanced Search option.
MalCare starts automatically scanning your specified website immediately after installation. The MalCare dashboard is well arranged, with different sections such as Security, Backup, Management, and Staging.
You can immediately see the overall score indicating the health of your website, along with the number of scanned and infected files.
MalCare also ranks the overall security grading of your website from D to A, where D is the worst score, and A is for the best defense against security attacks.
It also suggests steps that you can follow to improve the security grading of your website.
You can also add clients or team members to your MalCare account. To do that, go to Account and a drop-down menu will appear. The menu contains Clients and Team options.
MalCare Review – How Does It Work?
From allowing you to manage your WordPress site users to helping you update the plugins and themes on your site, MalCare takes care of the smallest details.
All this is so that your WordPress site is secure against all kinds of threats. From the MalCare dashboard you can manage WordPress core, themes, and plugins on your added sites.
You can see the version you have of each, update or uninstall specific add-ons, or all of them.
You can remotely delete and manage users, or change the role or password of those who have access to the site, without even logging in to your WordPress site dashboard.
MalCare gives you the complete security maintenance package, including Malware Detection, Firewall, and Site Hardening, within this dashboard. Backup and Staging by the BlogVault backup plugin are also part of the pro version package.
MalCare Scanner
MalCare does not rely on just signature matching but uses advanced deep scan technology. More than a hundred signals, drawing on data collected across hundreds of sites, are used to find out about new malware.
At the same time, it syncs with its servers and tracks any changes on your website that are not supposed to be there. MalCare backs up your website by syncing data to its servers.
The content, pages, text, user information, and configuration form the Database, while the images, plugins, themes, and WordPress Core form the Files section of your site.
This data begins to sync when MalCare is installed and connected to your WordPress site. MalCare Scanner features are as follows:
- Deep scan by 100+ intelligent signals
- Daily scan and manual one-click scan
- Instantaneous detection of malware
- Operated on MalCare server
- The scanner does not rely on signatures only
- All changes are tracked
- Minimal false positives
MalCare auto-scans your websites once every 24 hours. But you can also scan your website whenever you want. Your website is being incrementally synced to the MalCare server. Any changes that were made after the latest sync will be recorded.
If any malware is detected, you will get a notification, an email, and a Hacked Site Alert. Then you can clean it using MalCare One-click Cleaner.
MalCare also gives you the flexibility to schedule your own scan time. By default, MalCare scans WordPress folders. But you can also add non-WP folders.
After scanning MalCare will show you the number of hacked files under Infected Files. Click on the number that appears beside the term Hacked Files; it’ll show you details of the hacked files.
MalCare Cleaner
MalCare can complete the cleaning process thanks to its one-click cleaning option. After MalCare finishes scanning, and if it has found infected files, you will have an option for Auto Clean. When you click on Auto Clean, you will need to input FTP Credentials.
Once you fill that in and hit Continue, you’ll have to Select Folder with WP Installation and then click on Continue.
MalCare only cleans the affected files in the hacked part of the website, without impacting other data or the speed or performance of the rest of the site.
MalCare Protection
A Web Application Firewall is necessary for a website even if you have a network layer firewall provided by your web host.
MalCare makes that easier by having an integrated firewall. You can disable the firewall easily by clicking the Disable button. The firewall scans and filters incoming web traffic using the following methods:
- Rule-based request blocking
- Bypass firewall only for authorized WP-admin users
- Blacklist or whitelist IPs
- Enable or disable specific rules
- IP blocking on a global level
- Real-time firewall stats
MalCare Firewall has different modes of operation: Protecting, Auditing and Disabled. The firewall protection is entirely under your control. You get to choose specific IPs that are allowed to enter WP-admin of your site anytime.
Each request is thoroughly checked against information from across 1000+ sites. In case any bot or bad IP is detected, it will immediately be blocked from entering your site.
You can even monitor all the requests (allowed, blocked or bypassed) coming your way. When you add a WordPress site to your MalCare account, the Login Protection is automatically enabled.
If you want to disable Login Protection, you need to disable the Firewall. Simply click on the Disable button and Login Protection will be disabled.
After enabling Firewall, two options will appear: Traffic Requests and Login Requests. Under traffic requests you can see the number of IP Addresses allowed to your site.
And under login requests you can see the number of successful as well as unsuccessful login requests made to your website. To see more details, you can simply click on the Blocked IPs or View Details page.
Most hackers and malware try to gain illegal access to your login landing page by entering the login credentials of your WP admin user.
Along with the malware scanning and cleaning abilities, security plugins need to comply with the best security practices as recommended by WordPress.
Site Hardening
Site Hardening includes all the best industry-standard security practices. These include preventing the execution of PHP files in folders, changing the database prefix to help prevent SQL injections, and disabling the file editor so that attackers cannot make changes to any of your site’s files.
There are three types of Site Hardening tools available: Essentials, Advanced and Paranoid.
Under the option Essentials, you can block PHP execution in untrusted folders and disable file editors. Under the option Advanced, you can block plugin/theme installation.
Under the option Paranoid, you can change security keys and reset all passwords. After you select any of these, the next step is to Enter FTP Credentials of your web host.
Following that, you will need to Select Folder with WP Installation. And then select Apply Fix. Then the feature that you have selected will be applied to harden your site.
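As an added example (not MalCare's code and not part of the original review), the Python script below audits a WordPress directory for the hardening steps listed above. It assumes an Apache host that uses .htaccess rules and the standard WordPress constants DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS; the function names and the sample site it builds are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PHP_EXTS = {".php", ".phtml", ".php5", ".phar"}

def active_php(text):
    """Drop /* */ blocks and whole-line // or # comments so disabled settings don't count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)

def constant_true(php, name):
    """True if the config defines the named constant as true or 1."""
    pattern = r"define\(\s*['\"]" + name + r"['\"]\s*,\s*(true|1)\s*\)"
    return re.search(pattern, php, re.I) is not None

def audit(wp_root):
    """Check one WordPress directory against the hardening steps listed above."""
    root = Path(wp_root)
    php = active_php((root / "wp-config.php").read_text(errors="replace"))
    mods_blocked = constant_true(php, "DISALLOW_FILE_MODS")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    keys_defined = re.search(r"define\(\s*['\"]AUTH_KEY['\"]", php) is not None
    uploads = root / "wp-content" / "uploads"
    htaccess = uploads / ".htaccess"
    rules = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    # Apache-only heuristic: a <Files>/<FilesMatch> block naming php that denies access.
    block = re.search(r"<Files(?:Match)?\s[^>]*php[^>]*>(.*?)</Files", rules, re.S | re.I)
    denied = block is not None and re.search(
        r"deny\s+from\s+all|require\s+all\s+denied", block.group(1), re.I) is not None
    stray = []
    if uploads.is_dir():
        stray = sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                       if p.is_file() and p.suffix.lower() in PHP_EXTS)
    return {
        # DISALLOW_FILE_MODS also switches off the built-in editors, so either constant counts.
        "file_editor_disabled": mods_blocked or constant_true(php, "DISALLOW_FILE_EDIT"),
        "plugin_theme_install_blocked": mods_blocked,
        "db_prefix_changed": prefix is not None and prefix.group(1) != "wp_",
        "security_keys_set": keys_defined and "put your unique phrase here" not in php,
        "uploads_php_blocked": denied,
        "php_files_in_uploads": stray,
    }

def build_sample(root, hardened):
    """Write a constructed (not real) wp-config.php and uploads folder for the demo."""
    year_dir = Path(root) / "wp-content" / "uploads" / "2024"
    year_dir.mkdir(parents=True)
    if hardened:
        config = ("<?php\n$table_prefix = 'x7k_';\n"
                  "define('DISALLOW_FILE_MODS', true);\n"
                  "define('AUTH_KEY', 'constructed-sample-value');\n")
        (year_dir.parent / ".htaccess").write_text(
            '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n')
    else:
        config = ("<?php\n$table_prefix = 'wp_';\n"
                  "// define('DISALLOW_FILE_EDIT', true);\n"
                  "define('AUTH_KEY', 'put your unique phrase here');\n")
        (year_dir / "cache.php").write_text("<?php // constructed placeholder\n")
    (Path(root) / "wp-config.php").write_text(config)
    return root

if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            print(hardened, audit(build_sample(tmp, hardened)))
```

On Nginx hosts the uploads check does not apply, because PHP execution is blocked in the server configuration rather than in .htaccess.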
Site Management
The Site Management section gives complete information about your website. It shows which versions of plugins and themes are used on a particular website, which theme is active, how many active plugins there are, etc.
It also shows disabled plugins and themes, the total number of users, and whether a newer version of any plugin or theme is available. You can access and navigate the MalCare dashboard to restore your site even if your site is hacked or down.
Site management options:
- Auto updates plugins and themes
- Tracks newly added plugins and themes
- Helps remove idle plugins and themes
- Helps update WordPress core
- Keeps track of website users
Website management is an integral part of website security. A secure site is an updated site, and that is what MalCare aims to help you with. Plugins that are lying on your site without being used can get infected if not updated.
MalCare helps identify these plugins and themes and takes care of them. The same goes for WordPress core. Keeping an eye on the users of a site helps to detect malicious presence as well.
Backup
Malcare completely backs up your entire WordPress website. You can restore it whenever you need it.
- Real-time backup: This backup is done in real time. Whenever a new post is published or changes are made on your website, it automatically creates a backup.
- Auto restore: You can directly restore your website backup by clicking Auto Restore.
- Upload to DropBox: With this option, you can upload a backup of your website files to Dropbox.
- Migrate: Lets you migrate your backup files from one location to another.
Staging
This option is mainly used to create a copy of your website so that changes, such as a new theme, can be tested before they are applied to the live website. It is often used by developers, who take a copy of the website and test it once they make an update.
If there are any bugs, the developer resolves the issues, makes the updated website live, and deletes the old website version.
MalCare vs Sucuri vs iThemes vs Hide My WP vs Swift Security
MalCare and Sucuri are the only security software providers that include Malware removal as part of their pricing. iThemes Security (see iThemes Security review) recommends Sucuri if your site is hacked while SecuPress and Wordfence charge you to remove the compromised files.
MalCare, Sucuri, and Wordfence include machine learning and improve their algorithm as they encounter other compromised sites.
This cuts down on false positives and fixes false negatives. However, MalCare goes a step further with constant evaluation of 100+ signals to stand out from the crowd.
For a more detailed comparison of MalCare with iThemes, Sucuri, Wordfence, SiteLock, and SecuPress, you can check the comparison table made by the MalCare team.
As I have written about Hide My WP and Swift Security in the past and reviewed those WordPress security plugins, you can check how MalCare compares with those two in the table below. Be sure to also check the Wordfence vs iThemes Security comparison.
- Name
- Price
- Free Version
- Export/Import Options
- Trusted User Roles: Choose trusted user roles.
- Hide Login Page: Hide wp-login.php.
- Hide Admin: Hide wp-admin folder and its files for untrusted users.
- Spy Notify
- Remove Meta: Remove auto-generated feeds from header.
- Remove Version: Remove version number (?ver=) from styles and scripts URLs.
- Hide Other Files: Hide license.txt, wp-includes, wp-content/debug.log, etc.
- Compress Page
- Hide PHP Files
- Replace in HTML: Replace words in HTML output.
- Replace URLs: Replace or rename URLs in HTML output.
- Anti-Spam: Comment spam block
- Change Theme Paths
- Change Plugin Paths
- Scanner
- Change WordPress queries
- Change upload URL, wp-includes folder, AJAX URL
- Disable WordPress archives, categories, tags, pages, posts, etc
- Firewall
- Anti-Brute Force
- Multisite Compatibility
- Compatibility With Cache Plugins
- Login IP Filter
- Scheduled Code Scans
- Automatically Quarantines Files
- WooCommerce Compatibility
- Child Themes Support
- Nginx Support
- MalCare
- $99
- Intrusion Detection System
- Swift Security
- $36
- Pushover notification
- Scanner Module
- Hide My WP
- $29
- Intrusion Detection System
In the comparison table below you can see how the MalCare backup service compares to some other popular WordPress backup plugins.
- Name
- Free version
- Paid version: With additional upgrades and addons
- Full site backup: Is it possible to back up the entire site with all files
- Database backups: Is it possible to back up only the database
- Backups to Dropbox: Is it possible to save backup files to Dropbox
- Backups to Amazon S3: Is it possible to save backup files to Amazon S3
- Backups to Google Drive: Is it possible to save backup files to Google Drive
- Backups to FTP: Is it possible to save backup files to FTP
- Backups to Rackspace: Is it possible to save backup files to Rackspace
- Email notification: Email notification when a backup is created
- Changes only backups: In order to reduce server resources and save space, only new changes are added to the backup
- Scheduled Backups
- Realtime backups: Backup files are created whenever you make changes on your site
- Migrate site: Copy the site or move it to a new host
- Individual file restore: Restore individual files from a backup instead of the whole thing
- Restore backup from interface
- Security and Malware scan: Options to search for viruses and other infections
- Database repair and optimization: Options to optimize the WordPress database
- Multisite support
- Price for paid version: With all addons and features (cheapest plan for 1-2 sites)
- MalCare
- 149$/ year for one site (backup + security). In free version there is only firewall + site hardening security (no backup option)
- BackWPup: It also has a premium/paid version with additional addons and upgrades
- Only in paid version
- 75$ for standard plan
- BackUpWordPress: It also has a premium/paid version with additional addons and upgrades
- Only available with paid addon which price is around 24$
- Only available with paid addon which price is around 24$
- Only available with paid addon which price is around 24$
- Only available with paid addon which price is around 24$
- Only available with paid addon which price is around 24$
- 60$ for personal plan
- UpdraftPlus: It also has a premium/paid version with additional addons and upgrades
- Only available with paid addon which price is around 15$
- Paid addon: Only available with paid addon which price is around 30$
- Paid addon: Only available with paid addon which price is around 25$
- 99$ (unlimited number of sites): For developer plan with all addons and for unlimited number of sites
NOTE: Information stated in the comparison tables may become outdated as plugins get updates and changes. Be sure to contact official support to get the most accurate data if you have any questions.
MalCare Pricing – Free vs Paid Version
MalCare is a very reasonably priced product when compared to similar plugins. It includes unlimited site clean-ups with every plan at no extra charge. Every pro plan includes not only Automatic Deep Scans and Login Protection, but also an integrated Firewall, Site Hardening, and Backup.
The basic plan starts at $99 per year for one site. If you want security + backup, then it will cost you $149. MalCare Plans vary according to the number of sites you need MalCare to secure. There’s a different plan for those who want backup service as well.
MalCare has a free plugin which does not help you with cleaning malware but is good enough for scanning, login and firewall protection. You’ll have to contact MalCare for a cleanup service in case you do get infected with any malware.
MalCare has four plans: Personal (one site), Business (up to 5 sites), Developer (up to 20 sites), and Agency (up to 100 sites). There is also a 30-day money-back guarantee. If you are not satisfied, you can get your money back.
MalCare further offers you a full-featured, free seven-day trial in case you want to make sure their services are worth your time and money.
Why Consider MalCare?
Security plugins which don’t inspect every corner for malware presence are bound to miss out on a vulnerability or backdoor. Moreover, new and sophisticated malware shows up every day. They cannot be detected using old signature patterns that regular security plugins rely on.
MalCare tracks every file to monitor the changes in your website and identify malware on your site. Security plugins that run on your site server risk slowing down your website.
Since security operations are occurring in tandem with the rest of your website operations, the load on your server is enormous.
MalCare syncs up your site incrementally to its servers. Your site is backed up in small packages after which security scans are run on MalCare servers.
There is no load on your site server. This is an issue with other plugins, which tend to clutter servers and slow the site down.
Security plugins rely on signature-based matching. Any changes found on your website, even when authorized, end up being flagged, and these lead to false-positive alarms. This causes unnecessary panic and, at worst, creates distrust for your security plugin.
MalCare alerts you only when there is actual malware on your website. This allows you to take corrective action immediately and does not create any unnecessary panic.
MalCare FAQ
Here are some of the most frequently asked questions regarding MalCare:
1. Will MalCare work if my site is down?
If a site goes down after you have added the website and installed the plugin from the dashboard, MalCare will clean up your site. But if you add a website that was down beforehand, i.e., before adding the plugin, then MalCare won’t work.
2. What is the difference between MalCare free and paid version?
In the free version, you can use firewall and login protection and scan the site. In the paid version you can clean your site if it gets hacked.
3. Does MalCare work with all hosting providers?
MalCare works with all web hosts, whether it’s a host like GoDaddy, BlueHost, HostGator, 1 & 1, DreamHost, WPEngine, etc.
4. If I install MalCare, will I get free access to BlogVault too?
To use the backup service that BlogVault offers, you will need to upgrade to a Security + Backup plan.
5. Do I need to install MalCare plugin on my site?
Yes, MalCare plugin needs to be installed and activated on your website. The plugin is a necessity because it works in tandem with MalCare server.
6. Can I exclude particular tables or files or directories from the scanning?
Unfortunately, you can’t exclude WordPress files from being scanned. It is better to scan every file in your WordPress directories to find malware on your site.
MalCare Review Final Words
A good WordPress security plugin and a WooCommerce fraud prevention plugin can come in very useful. But there’s no such thing as a perfect security plugin. Every day there are new malware threats discovered. Simply scanning a site for vulnerabilities can help us keep hackers at bay.
Most security solutions use manual inspection and removal of bad code to solve complex hacks. This isn’t a useless approach, but it can take anywhere from a few hours to a few days to complete.
In comparison, MalCare removes every simple or even complex hack with a single click. The MalCare security plugin is worth using. It gives you numerous features at an affordable price.
It completely scans and backs up your entire website. You can automatically scan and remove malware from your website.
MalCare is a comprehensive deep scanning, cleanup, and protection WordPress security service. It promises to keep your website safe from hackers. If you care about keeping your WordPress website safe, then you need a security solution like MalCare.
Be sure to also check the best WordPress two-factor authentication plugins if you want to add more security to your site accounts.
After reading a number of reviews to try to determine the best security plugin to use for my new site this review helped me to make a final decision. I will be using Malcare WITH Hide My WP! My host has manual and daily automatic backups so I don’t need a backup service, which is fortunate because the comparison chart of the different services is a lot less straightforward than the other chart (Updraft Plus lurks forward but Malcare is much cheaper…).
Anyways, thanks a lot!
Glad to see this post helped you decide which WordPress security plugin to choose.
Thank you for sharing this amazing information keep posting more.