MalCare Security Plugin review – Defending Against the Online Dark arts on WordPress

Spread the love
  • 1

There are so many misconceptions in the security field. Every hack is quite technical. Hackers can easily create a nervous atmosphere for everyone with an online presence. We have to simplify website security so that even a WordPress beginner can secure their website. At the very least we have to become aware of website security basics.

Security is of utmost importance to every single website owner out there. Corrupted websites are being blacklisted by Google left, right and center. Web Hosts shut down websites with even a hint of malware presence.

From the other end, hackers are constantly combing through the internet for vulnerabilities. Which is why, small, or new businesses should be fully protected, even more so. To hackers, whose motives is essentially money and exposure, your site is only a means to an end.

It might be virtually impossible to prepare for every contingency, but we have to be on the safer side.

While core WordPress itself is quite secure, there is a strong need for securing the entire site. We like to take a layered approach to security with a good security plugin playing a critical role. Imagine that your website is a King. Then the security provided by WordPress acts as the Castle. Your security plugin is the highly trained and specialized Bodyguard for the King.

You may be wondering about our enthusiasm for a secure website, but we are not alone.

In these times of “War against malware” strategy, it is best to keep on your toes and keep yourself secure. As with all things WordPress, there’s a plugin for even this. A brand new one that is already making waves, in fact.

MalCare is a WordPress Security plugin built with an industry first One-Click Malware removal service. It can scan remotely to ensure ZERO load on your server, and it’s backed by an awesome support. You can wipe out malware with MalCare, and fix your website in a jiffy.

MalCare might just be the Patronus we are all looking for.

We believe our WordPress website needs a reliable security strategy to overcome vulnerabilities. WordPress doesn’t have such a personalized level of security. So we got MalCare to directly tackle all our WordPress security concerns.


Table of Contents

  • MalCare Features
  • Setup and Configuration
  • My Sites
  • Manage your Dashboard
  • Security
    • Scan
    • Clean
    • Protect
      • Website Firewall
      • Hack Prevention
      • Security Fixes Walkthrough
    • Site Management
  • Reporting
  • Pricing
  • Conclusion


MalCare Features

What can MalCare do?

The list of features is breathtaking. Literally. We are delighted that one single security plugin has managed to incorporate so many features!

  1. Malware Scan: Malcare’s proprietary advanced Deep Scan technology makes a thorough sweep through your website to detect and identify malware presence.
  2. Early Malware detection: The faster you find those pesky malware infections, the safer your site is going to be. MalCare sifts through each and every file, tracking all changes within them to find even the most complex, and Hard-to-Find malware possible.
  3. Does Not Overload Your Server: MalCare security services run on its own MalCare server thereby minimizing load on your own site server.
  4. No False Positives: MalCare promises that it won’t send you into a panic-fuelled frenzy with false malware presence alerts.
  5. One-Click Malware Clean: With MalCare, you don’t have to rely on anyone else to clean your site for you. You don’t need to share your credentials either.
  6. Site Hardening: MalCare limits the number of failed login attempts by bots and untrusted IPs.
  7. Integrated Firewall: MalCare’s robust Firewall keeps away the bad guys from entering your site, and you can even track the web traffic requests live.
  8. Site Management: MalCare helps you keep track of plugin, theme, and core updates, or installations.
  9. Integrated Backup: For some additional fee, you get a subscription plan which gives you some of the benefits of BlogVault Backup plugin as well.
READ  Facebook Marketing Strategy and Facebook Ads Cost

Setup and Configuration

  • Install pluginYou can install and activate the Free MalCare plugin like any regular plugin on your WordPress admin dashboard. This is the manual process. Navigate on your WP Admin, to Plugins > Add New and search for MalCare.  


  • Login/Sign upFor the MalCare Pro version, access MalCare website and sign in. This is the automatic process.

My Sites

This is where you can view all your sites under MalCare’s care. You can group them according to tags, themes, plugins and users, while also performing bulk actions on them.
Add more of your websites with MalCare installed on them, using the “+” icon. The status of your website will be measured by:

  1. Active: Your website has the MalCare plugin installed on it.
  2. No Plugin: You have a MalCare account, and you can access the dashboard. But you still have to install the MalCare plugin on your website
  3. Unreachable: You have the MalCare plugin installed on your website, but MalCare servers cannot access that information right now. This could be due to a variety of issues ranging from connectivity, firewall issue or a network setting.
  4. Hacked: Oh no! This means MalCare has detected a site hack.
    The bell icon on the right keeps track of notifications like completed activity on MalCare dashboard.

Manage your Dashboard

You can enable or disable Backups, and Security whenever you want.


Once you enable Security on your MalCare dashboard you will get the option to Secure your site from malware.


Click on Scan Now for an On-Demand Security Scan of your website.


When Malcare detects a hack or malware on your site, it will send you an alert. You can then decide to clean your site with the automatic one-click Clean option. Our testing site didn’t have any malware, so we’re good.


Website Firewall

Access Firewall on MalCare dashboard. Depending on the IP requests sent to your site, the Firewall maps out the Traffic Requests stats for your site.

The number of requests allowed through to your site is indicated in green, the blocked requests appear in blue lines and the bypassed requests are in red. These are the requests which have been whitelisted or locked in by the admin.

The Firewall log shows details of requests, including the IP number, Status of Request, Time elapsed since the attempt, the Method, Path, Response and even the User Agent.

READ  How to Solve 403 forbidden NGINX

Hack Prevention

MalCare helps you to follow all the WordPress recommended best security practices. This means building a Military grade fortress around your site against all bots and hackers. Even backdoors and complex malware should be rooted out.

Based on the level of severity of security implementation, MalCare divides Site hardening practices into 3 parts:

  • Essentials
    -> Block PHP Execution in Untrusted Folder
    -> Disable Files Editor
  • Advanced
    ->Block Plugin/Theme Installation
  • Paranoid
    ->Reset all Passwords
    ->Change Security Keys

MalCare helps you perform these actions very easily:

1. Limiting the Number of Failed Login Attempts

Multiple hackers use multiple bots to hammer against your site login page to infiltrate into your WordPress admin page.

This is the initial login stats MalCare gave us.

We mapped out a bot or hacker’s journey into trying to weaken our login protection system, and how MalCare thwarts them.

Below is the regular login page for WordPress.


When they try to log in one too many times, the following message appears.

That leads them down the Captcha based protection rabbit hole.

And we get our stats for our site back on the Login Protection stats page.


Now you can see that the successful login attempts are indicated in green, while blocked requests are in blue. The total failed login attempts are shown in red.

The Login Protection log shows details of all these login attempts, including the IP number, Protection Status, Time elapsed since the attempt, the Message cited, and even the user.

2. Changing Security Keys

Security keys make it harder for hackers to crack your password. MalCare helps you easily create a new set of powerful security keys to store them in wpconfig.php file.

3. Protects Upload Folders
Remember the MailPoet vulnerability hack? It was caused by execution of PHP files in the uploads folder. MalCare can help you block such executions.

4. Disallows Plugin Installation
Hackers can easily get into your site through backdoors in rogue plugins and themes. Disallow installations to reduce such risks.

5. Disable File Editor
Protect your site backend by disabling access to your backend files.

These Site Hardening walkthrough is explained in the next section.

Step by Step Security Fixes Walkthrough



Site Management

Update your site to be a responsible part of the WordPress community. Unused plugins are the biggest reason for potential threats becoming real threats through backdoors or infected scripts.
MalCare helps you avoid this pitfall in the following manner:

  1. Auto-updates plugins and themes:
    -> You can enable auto-update of plugins and themes
    -> Keep track of new plugins and themes added
    -> Remove unused or deactivated plugins and themes
  2. WordPress Core
    -> Updates Core modifications
    -> Upgrades core WordPress updates
    -> Gives details on PHP version being used


Reports are a great way to instill confidence in a client, especially on the security end of their website. You can provide valuable proof that their sites are secure for everyone’s peace of mind.

READ  How to Create Full Width Page for Elementor Page Builder

Select a specific timeline within which you want to receive the complete Security Scan reports, with a general overview, details on updates to be made, backups created and security scans. You can even create a custom Report Title, Introduction, and Description.

Generate a Report by entering the specific time duration you are concerned with. Check off all the required elements – Overview, Updates, Backups and Security related details. Add custom messages and notes for your clients.

You can set a schedule to receive Security Scan reports, with a general overview, details on updates to be made, backups created and security scans via email as well.

You can find a repository of all your reports generated up till that point under Reports History.

Report Generation


  • You will get to take a look at the report and the same link will be sent to you on your email address as well. It will cover details on the following.
  • Backups created
  • Security scans made
  • Themes
  • Posts
  • Pages
  • Total files and databases
  • Plugins status
  • Themes status
  • Updates

You can Enable WordPress Backups on your MalCare dashboard and start using the full features package of the Security+Backup plan. On your dashboard, there are quick links for Backup operations like Download Backup, Migrate, and Auto Restore operations. They offer access to whatever it is you want to be doing at the moment, at the bat of any eyelid! A brisk overview of your resources is also available below Quick Links.

The MalCare Security Badge:

With a Protected by MalCare badge, you can assure your customers of your website trustworthiness and credibility.


Depending on your requirements, you can pick the right plan for your website(s). For example, if you have just 1 site, the Personal plan is all right. The Business plan is for those of us with around 5 sites. Developers would probably go for the plan securing their 20 or so sites and agencies can safeguard up to a 100 sites.

The Premium plans start at $99/Year.

They all include the Daily Automatic Scan, On-Demand Scan, One Click Malware Cleanup, Login Protection, Security Hardening, Website Firewall and Customized Support.

The plan we are using and have reviewed for you is Security+Backup.

MalCare also provides a free but limited security service. The Free MalCare plugin lets you use MalCare Deep Scan Technology, Strong Login Protection, and a Robust Web Application Firewall to protect yourself from the malware menace.

There is a great Affiliate program available for those of us who are looking for some extra goodies (apart from a secure website, that is) on the side. Check out the MalCare Affiliate program.


We believe security is something that should not be compromised. It is vital for running a successful website. We are grateful that MalCare is one of those rare plugins that fulfills all the requirements in one package and that too, at a reasonable rate. Give it a try, especially if you want to experience complete website security.

Do you use any security plugins you would love to talk about? Let us know what you think in the comments section.

(Visited 126 times, 1 visits today)
  • 1

Mahamad Sayed

WordPress enthusiast. Love to learn and share everything about WordPress.

Praesent amet, Donec risus justo dapibus tempus Praesent

Pin It on Pinterest

Do you find this interesting?

Share it with your friends!