Hands-On with MalCare: Testing Its WordPress Malware Defense

MalCare

$

149

• Get MalCare
• How we test →

MalCare is a popular WordPress security plugin. Targeted at website owners, agencies, and eStore owners, it automatically scans for malware, provides one-click removal, and offers a real-time firewall to protect your website.

With WordPress (the predominant CMS among users) accounting for 95.5% of all detected infections, MalCare can play a critical role in protecting WordPress websites.

But does MalCare deliver reliable malware defense? How does it stack up against other WordPress security solutions, such as Sucuri, Wordfence, and Solid Security Pro? This is what I’ll explore in this MalCare review.

Unlike other MalCare reviews based on just web research, I’ve actually bought a MalCare paid plan and tested it on my WordPress website for several days. So, everything you’re about to read in this MalCare review is based on my hands-on experience and thorough research. This will help you decide if MalCare is a decent option for your WordPress security needs.

Features

• Malware scanner that scans the entire website, coupled with a one-click malware cleaner.
• Vulnerability scanner to find security issues in WordPress Core, plugins, and themes.
• Firewall to prevent malicious traffic and many OWASP Top 10 attacks.
• WordPress website backup facilities.
• WP activity logs to identify suspicious activities.
• Website uptime monitoring.

Pros

• Guaranteed malware removal.
• Easy to use, even for beginners.
• Lightweight operation that doesn’t impact your website’s performance.
• Annual security audit to assess your website’s security.
• Helpful customer support that responds well within advertised timelines.

Cons

• Comment spam protection could have been better.
• Content monitoring is limited to the homepage only.

How Does MalCare Work?

MalCare works by providing a quick and automated way to detect and remove malware from WordPress websites.

First, you install the MalCare plugin on your site with a simple setup process. Once installed, MalCare scans your website to detect malicious files or other elements, vulnerabilities, and suspicious activities without affecting performance.

If malware is found, you can clean your site instantly with just one click by selecting the “Clean All Malware” button.

MalCare’s real-time firewall blocks malicious traffic, bot attacks, and brute-force login attempts. It also includes automated backups and activity logging.

The process of installing MalCare is straightforward. Once you purchase a subscription, add your website to the MalCare dashboard.

After you add your website to the MalCare dashboard, the next step is to install the MalCare plugin.

You can do this in two ways: auto-install by submitting your WP admin credentials or manual installation via the WP admin panel.

After installing the MalCare plugin on your website, you need to activate it. Post the first sync, the MalCare WordPress plugin dashboard will show data about your website security.

Congratulations, the MalCare setup is completed. Next, I will explain MalCare’s key features in detail.

Top 9 MalCare Features

I purchased a MalCare Pro subscription and tested it on my WordPress website for days to explore how it works, and its and use cases.

MalCare offers layered defense for your WordPress website. Its dashboard shows three defense layers: Ozone, Cortex, and Carbon.

I’ve tested all the features in these layers and will break them down one by one below.

1. Malware Scanner

MalCare comes with a powerful WordPress malware scanner that automatically scans your website multiple times daily, depending on your subscription plan. You can initiate a malware scan in your MalCare dashboard by clicking ” Scan now.”

The malware scanner includes WordPress Core Integrity Scan, Change Detection, Hidden Folder Scan, SEO Spam Scan, Pharma Spam Scan, and Japanese Spam Scan.

After each scan, a backup of your website is created. As shown in the above dashboard screenshot of MalCare malware scanner, you can see the summary of your scan results, other information (like the number of plugins/theme/users scanned, WP version. PHP version, etc.), and recently modified files.

MalCare runs scans on its server, meaning it shouldn’t affect your website speed. During my testing, I noted this claim to be true, as my website speeds weren’t slowed down.

The plugin’s algorithm continuously learns from over 200,000 websites, analyzing 100+ parameters per site. This real-time learning improves malware detection accuracy, minimizes false alarms, and quickly identifies real threats.

Here are two things I especially liked about the MalCare malware scanner:

1. You can run unlimited on-demand scans.
2. It uses its proprietary, intelligent algorithm that constantly learns and improves its accuracy.

As soon as it finds malware, it will alert you so that you can take proactive action.

2. Vulnerability Scanner

Hackers often exploit vulnerabilities in plugins and themes to hack into WordPress websites. MalCare provides a powerful vulnerability scanner that scans your themes and plugins daily to find vulnerabilities.

If it identifies any security issues in your installed themes or plugins, it will alert you so you can proactively fix them.

MalCare can also auto-update your old plugins. I like its Visual Regression Test, which makes sure that your site doesn’t break during the process. It’s a useful feature as plugin updates often break WordPress websites.

3. Malware Cleaner

MalCare offers one-click malware removal, which can extract malware from WordPress Core, themes, plugins, databases, and more.

During testing, I observed that it can eliminate all types of malware and malicious code, such as redirect hacks, pharma hacks, backdoors, and more.

Another great aspect of the MalCare malware removal service is that you can remove malware unlimited times. If the auto clean feature can’t remove malware, you can contact MalCare for free manual removal.

I believe manual website malware removal is a valuable feature since security companies charge hundreds of dollars for it. Your paid subscription includes this service, as confirmed by their support team (shown below).

4. Firewall

A malware prevention tool must have a powerful WordPress web application firewall (WAF) to block malicious traffic. I explored MalCare’s WordPress firewall feature, and it worked without issues.

You don’t have to set up anything to use the MalCare firewall. After understanding your website, it will auto-configure itself and start protecting your website from OWASP Top 10 and other attacks.

l like the fact that MalCare leverages threat intelligence from 20000+ sites. If there is any attack on one website, it will update the rule based on that threat to prevent possible future attacks.

MalCare also claims to offer no false positives. In my testing, I didn’t encounter any false positives either.

To review your traffic, you can filter the traffic according to various parameters, such as IP, Path, User Agent, Country, Date, and more.

Some countries generate high levels of cyber threats, like hacking and malware attacks. Blocking traffic from these regions enhances your website’s security and reduces server load. It also helps filter out unrelated visitors, improving your website’s performance.

MalCare’s firewall lets you easily implement geo-blocking to protect your site and optimize traffic management.

5. Bot Protection

Malicious bots pose severe cybersecurity threats to WordPress websites. They can run brute-force attacks, overloading your site with XMLRPC and WP-Login attempts. Bots can also scrape your WordPress website and share findings with your competitors.

MalCare’s Bot Protection feature automatically blocks suspicious bots to protect your website. Plus, it ensures that other “good” bots, like Google, Feedly, and Facebook, work as usual.

However, despite its claim to block all spam bots, my testing showed otherwise. I still received spam comments despite the bot protection being enabled.

6. Login Protection

Your WordPress website tends to have multiple users. MalCare’s Login Protection feature lets you keep tabs on all login attempts, giving you an overview of Total Logins, Successful Logins, Failed Logins, and Blocked Logins.

I like this feature as it gives you valuable insights about all user login activities. You can also access the detailed login report by clicking on “View All“.

The detailed report shows you Time of the login attempt, IP address, Country, User, Message, and Status.

Its “Apply Hardening” feature lets you choose from three options to make your WordPress website harder to hack:

• Essential – Block PHP Execution in Untrusted Folders, Disable File Editor
• Advanced – Block Plugin/Theme Installation
• Paranoid – Change Security Keys, Reset All Passwords

I’d recommend using these website hardening options cautiously, as enabling them can cause unintended issues. For example, these fixes may prevent you from installing or upgrading your site’s plugins/themes or even updating WordPress.

7. Backups

MalCare provides incremental backup of your website, helping you restore your website in one click if anything goes wrong. It can back up WordPress sites of any size. In my research, I noted that it stores encrypted copies of your entire backups across multiple data centers.

The backup service is unavailable in MalCare’s starting plan, and the backup frequency depends on your subscription tier. The highest plan offers automatic backups every hour.

It also allows you to download your website backup to save it locally. If you have a DropBox account, MalCare can upload your backup there as well.

In my hands-on testing, as shown in the screenshot below, I noticed that MalCare also offers Migrate features that allow you to migrate your entire site to another server or hosting provider.

8. Activity Log

During my testing, I was impressed with MalCare’s activity log tracking. It lets you know about all the changes happening to your WordPress website so that you can easily detect suspicious activities.

MalCare can track changes to posts, comments, users, pages, files, plugins, themes, and WoCommerce.

With MalCare’s Activity Log, you can track all activities a user completes. You can also easily search for events to discover suspicious activities.

High-performance sites handle millions of events daily, so I appreciate that MalCare offers cloud event storage. It keeps all activity logs in your MalCare account instead of your website.

9. Advanced Monitoring

MalCare’s Advanced Monitoring feature allows you to constantly monitor your website so that you can promptly take action if something goes wrong.

Here is what you get in MalCare Advanced Monitoring:

• Uptime Monitoring: Checks the up-time rate of your website.
• SSL Monitoring: Monitors SSL health, including the expiry date
• Domain Monitoring: Tells domain expiring date
• Page Content Monitoring: Checks homepage for keyphrases/keywords on the homepage
• PHP Error Monitoring: Shows PHP errors
• Visual Monitoring: Tracks visual changes on your pages

Its Visual Monitoring feature is currently in the beta phase and is offered free. After the beta phase is completed, it will be chargeable separately.

However, the availability of these monitoring features depends on your subscription plan. The starting plan doesn’t offer any advanced features for monitoring your website.

4 Main Reasons to Use MalCare on WordPress Sites

If you’re still unsure why you should use MalCare, even after exploring all its key features, I have listed 4 reasons to help you make a confident decision.

1. Website Protection

Hackers constantly target WordPress websites. Reports of data breaches, ransomware, and cyberattacks frequently make headlines.

MalCare’s security features, such as malware scanning and removal, firewall, vulnerability scanner, bot protection, and login protection, fortify your defense against threat actors. As a result, hackers have little to no chance of successfully attacking your website.

2. Site Monitoring

Your website is a key revenue stream for your business. If it goes down or its performance deteriorates, you risk losing revenue and your visitors’ trust.

MalCare offers advanced monitoring, including uptime monitoring, SSL monitoring, domain monitoring, page content monitoring, visual monitoring, and more. 

These monitoring solutions help you keep tabs on your website’s performance and take proactive action if anything hampers it.

3. WordPress Site Management

Running a WordPress website involves regularly updating WordPress Core, plugins, and themes to prevent hackers from exploiting any vulnerability.

With MalCare’s centralized dashboard, you can update these elements quickly as soon as new updates are available.

4. Website Backup

As a cybersecurity writer, I cannot stress enough that you need to back up your website regularly.

With backups, you can restore your website in any adverse event, such as:

• Hacking or malware attacks
• Server crashes
• Accidental deletions
• Failed updates
• Website corruption

MalCare offers encrypted backups for your WordPress website in the cloud and locally. It also provides a staging feature to test any new feature, plugin, or theme without affecting your live website.

Additionally, the migration feature allows you to easily migrate your website to another server or hosting provider.

That said, MalCare is a good option for those who want a reliable backup solution for their WordPress website.

Can MalCare Clean My Hacked Website?

Yes, MalCare can clean your hacked website. In fact, it offers guaranteed malware removal from WordPress websites.

The best thing is you don’t have to pay extra for it. Its premium plans cover a comprehensive cleanup service, including manual cleanup, at no extra cost.

MalCare Pricing

MalCare offers four pricing plans—Plus, Prime, Pro, and Max. The availability of MalCare features depends on your subscription tier, though all plans provide a vulnerability scanner, malware removal, firewall, and bot protection.

Here is a quick comparison table for various MalCare pricing plans and available features.

Feature	Plus	Prime	Pro	Max
Pricing (1 site)	$149/year	$199/year	$299	$499
AI Malware Scan	1/day	2/day	4/day	1/hr
WP Activity Logs	❌	✅	✅	✅
Backup	❌	2/day	4/day	1/hr
Staging	❌	✅	✅	✅
Visual Monitoring	❌	❌	✅	✅
Uptime Monitoring	❌	✅	✅	✅
Annual Security Audit	❌	❌	❌	✅

If you buy any plan for more than one website, MalCare offers a discount. For example, the Plus plan starts at $149 for one website. The same plan costs $499 for 5 sites and $799 for 10 sites.

The MalCare Plus plan provides basic website security, making it ideal for bloggers. Small business owners and growing websites need both security and backup solutions, so the MalCare Prime plan is a better fit for them.

Agencies and high-traffic websites require frequent malware scans and backups, making the Pro plan their best choice. The Max plan, which offers the highest level of security, is well-suited for eCommerce websites that need premium features like real-time protection and advanced monitoring.

There is no free trial, but MalCare offers a 14-day money-back guarantee.

A forever-free plan is also available, which provides a malware scanner, vulnerability detection, login protection, and a WordPress firewall. However, this version only detects the malware and doesn’t have the capability to remove them.

MalCare Support

MalCare offers email-based support. Expert response time depends on your subscription tier, as mentioned below:

• Plus: 24 hours
• Prime: 18 hours
• Pro: 12 hours
• Max: 6 hours

I purchased the MalCare Pro plan for testing and writing this review. Staying true to their service claims, the MalCare support team responded within 12 hours both times I contacted them.

In the mail shown in the above screenshot, I contacted them via my main account. MalCare also creates your Support account, which lets you access valuable resources and raise/track your tickets. For reference, BlogVault is MalCare’s parent company.

MalCare Alternatives

MalCare provides reliable malware defense for your WordPress website. But how does it compare to leading security solutions like Sucuri, Wordfence, or Solid Security Pro?

I’ve created a quick comparison table of MalCare alternatives, focusing on key website security features such as malware detection and removal, integrated firewall availability, brute force protection, uptime monitoring, and more.

Check the comparison of MalCare alternatives below. 👇🏼

Who Should Use MalCare?

Anyone with a WordPress site can use MalCare, but I believe it is best suited for the following audiences.

• Businesses & agencies: Businesses and agencies managing several clients’ websites need a centralized security solution. With MalCare’s single dashboard, they can manage the security of multiple websites without juggling multiple dashboards.
• E-commerce store owners: E-commerce store owners process tons of confidential customer data, such as card details and personal information. So, they require strong malware protection even when using reliable services like managed WooCommerce hosting. MalCare helps e-commerce owners protect their websites from malware and other potential threats. It also provides reliable backups to restore their stores if anything goes wrong.
• High-traffic websites: The more traffic your website has, the more attractive it is for hackers to carry out cyberattacks. MalCare’s firewall can block suspicious activities, and automated malware scanning and removal ensures fast recovery. With backup, you can also quickly restore your website. So, in my opinion, MalCare is an indispensable WordPress security solution for high-traffic websites.
• Developers & IT professionals: MalCare automates malware detection, removal, and backups, freeing professionals to focus on development instead of security fixes. It also offers staging support, allowing safe testing of changes before going live.

With the availability of multiple subscription tiers, you can easily pick the right plan based on your requirements.

Who Shouldn’t Use MalCare?

While MalCare offers powerful malware defense for WordPress websites, it may not be the best fit for everyone.

Here are some scenarios where users might consider other options:

• Users with basic security needs: A free security plugin might be enough if you run a small blog or personal website with minimal security risks. MalCare offers advanced malware protection. So, those with a basic need for a WordPress vulnerability scanner may prefer simpler, cost-effective alternatives like WPScan.
• Non-WordPress users: MalCare is designed specifically for WordPress websites. If you use other platforms like Joomla, you’ll need a security solution tailored to those systems.
• Highly budget-conscious projects: While MalCare offers strong malware protection, it may not be the best fit for those on a tight budget. A more affordable WordPress security plugin, like Solid Security Pro, could be a better option for such users.

MalCare Verdict

MalCare is a powerful WordPress security solution that offers automated malware detection, real-time firewall protection, backup, and one-click malware removal.

Its AI-driven scanner detects threats with high accuracy, while the firewall blocks brute force attempts, malicious bots, and other OWASP Top 10 attacks. Plus, the plugin runs scans on its own servers, which has zero impact on your website speed.

However, its free plan only detects malware, not removes it, and comment spam protection is limited. Along with this, content monitoring is restricted to your website’s homepage, which means that you’ll have to use other tools for monitoring the rest of the pages.

Based on my evaluation and hands-on testing, MalCare receives the Geekflare Editorial’s Choice Award. It’s an excellent choice for businesses, agencies, and e-commerce stores, owing to its robust and scalable real-time protection features that work without compromising your website’s performance.