MalCare Review: A Hassle-free WordPress Site Security Plugin

By Nimesh Patel

    WordPress powers around 30% of all the websites in the world. Its distinct features, compatibility, and scalability make it a top choice for obvious reasons. Unfortunately, its popularity and widespread use also make it a top choice for hackers. Every year thousands of WordPress sites get trespassed and compromised, and it happened to me too.

    Having your website hacked is a very harrowing situation. My entire suite of sites got compromised recently, and it was quite a rude awakening. For someone who didn’t take security very seriously, I decided to spend more time researching the best possible options to prevent such nightmare scenarios in the future.

    My needs were simple: I required a security plugin that’s not too complicated to use and that cleans as well as protects my site. MalCare seemed like a good option, and the user experience feedback from different forums convinced me to opt for this one.

    About MalCare Security Plugin

    Credit for MalCare would go to the people who built BlogVault, a brand I am familiar with because of their incredibly efficient backup plugin for WordPress.

    It was also one of the reasons I chose MalCare since the company is known for creating easy-to-use dashboards. BlogVault provides backup service to 200,000 sites across the world; a security product like MalCare from the same house seemed almost inevitable.

    The MalCare plugin not only cleans hacked websites but also prevents WordPress websites from being hacked. They spent around three years developing the product – a sign that they wanted to ensure all bases and scenarios were covered.

    Malware detection and removal, prevention measures, white labeling, and client reporting features are a good way to summarise the product. With zero false alerts, MalCare is also a very efficient product. We’ll dig into more details of each of these features, but first, let’s take a look at MalCare’s easy onboarding process.

    How to Start Using MalCare

    You don’t have to spend more than a few minutes setting up the plugin.

    Step 1: Log in to your MalCare account, click Add Site, and paste your website URL in the given space.


    Step 2: Install the MalCare plugin into your site automatically or manually. Furnish some basic credentials for the website.


    Simple, Straightforward Dashboard

    The dashboard is one of those that need just one glance for everything to fall into place. Well-laid-out sections and their functions are complemented with shortcuts on the left side of the screen. 

    Security, Management, Reporting, Backup, and White-Labeling are the five main sections of the MalCare plugin dashboard.

    Initial Scan

    After you have installed the plugin, use it for an initial website scan. A score will be populated on your dashboard. This score indicates your website’s security health – A shows the best health, and D suggests very low security. Ideally, I would not attend to anything other than an A. One cannot take chances.

    The score is based on many parameters, including an internal algorithm developed by BlogVault. Recommendations on how to get the score up will show on the dashboard.


    MalCare Scanner

    BlogVault built the MalCare Scanner using data accrued from close to 250,000 websites over 30 months. The AI component of MalCare created a system that can detect complex malware from hidden or hard-to-get places. Here are some observations from my scanning session:

    The MalCare Scanner does automatic daily scans. You can schedule it at a convenient time (I scheduled mine at 7 AM, so I can attend to issues before my sites see peak traffic). You can also execute ad-hoc scans, which I do all the time.

    How to use MalCare Scanner?

    • I select the site I am concerned about, and then I click the Scan Now button.

    Scans usually don’t last longer than a minute. MalCare found the hack on my website quite easily and sent me notifications in an email too along with the dashboard message.


    How Does the MalCare Scanner Work?

    The MalCare scanning mechanism identifies anomalous changes in the website files to see if there was a trespass. Site tracking is incremental, and sites are synced to the MalCare servers. In tandem with the core scanning, the plugin’s AI throws in multiple signals to search the website for hidden malware. The two-pronged strategy weeds out even the most stubborn and camouflaged malware.

    MalCare is entirely different from regular malware scanning products as it investigates and looks for malware strings in every line of code. The plugin monitors for abnormal and uncharacteristic signs on the website, like a radar.
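
    The change-tracking idea described above can be sketched as a baseline comparison. This is an added example, not MalCare's code or algorithm: the snapshot format, the function names and the list of PHP extensions flagged under wp-content/uploads are assumptions made here, and the site tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root, previous=None):
    """Map relative path -> (size, mtime_ns, sha256). Files whose size and mtime
    match the previous snapshot keep their stored hash (incremental tracking)."""
    previous, current = previous or {}, {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            st = os.stat(path)
            old = previous.get(rel)
            if old and old[:2] == (st.st_size, st.st_mtime_ns):
                digest = old[2]
            else:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            current[rel] = (st.st_size, st.st_mtime_ns, digest)
    return current

def diff(baseline, current):
    """Compare snapshots and flag new or changed PHP files under uploads."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p][2] != current[p][2])
    php_in_uploads = [p for p in added + changed
                      if p.startswith("wp-content/uploads/")
                      and p.lower().endswith((".php", ".phtml", ".phar"))]
    return {"added": added, "removed": removed, "changed": changed,
            "php_in_uploads": php_in_uploads}

def demo():
    """Build a constructed site tree, alter it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        write("index.php", "<?php // constructed file\n")
        write("wp-content/uploads/2024/logo.png", "constructed image bytes")
        baseline = snapshot(root)
        write("index.php", "<?php // constructed file, later modified\n")
        write("wp-content/uploads/2024/cache.php", "<?php // constructed\n")
        return diff(baseline, snapshot(root, baseline))
```

    Because a file with unchanged size and mtime is not re-hashed, a periodic full pass (calling snapshot without a previous snapshot) is the check that covers files altered with their metadata preserved.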

    Strategic & Light Plugin

    Sometimes the security check itself can add to the nightmare of getting hacked. An entire website can become slow, and this has its repercussions. BlogVault addressed this concern by ensuring the scanner runs on its servers. There is no strain on your site servers, and it is business as usual.

    Also, with MalCare, I have not encountered any false positives so far. These can unnecessarily eat into your productive time. The plugin’s efficiency in this department has impressed me a lot.

    MalCare Cleaner

    Once MalCare has identified malware, it’s cleanup time! This is the part most users will love. All you need is just one click to clean up your website. When MalCare identified my hacks, I chose the Auto Clean routine. When it is done, MalCare sends an update (via mail and dashboard notification).

    There is an option to investigate the Infected Files in the Scanner section of the panel. I clicked on it to confirm that the malware had been removed.


    MalCare is a hassle-free product because it keeps descriptions and its actions simple. I do not need to have any technical knowledge. There have been cases when I started using WordPress plugins where I needed to reach out to a security expert to solve problems.


    In my experience, MalCare is an excellent preventive security product. So far, my site has not been hacked again, which had happened quite often before I started using this plugin. The clean-up process is efficient, and non-infected website files are left alone.

    MalCare Website Hardening

    MalCare is tailor-made for the website hardening best practices recommended by none other than WordPress. These features are divided into a three-part set-up.

    Essentials whose features include:

    • Change Database Prefix
    • Block PHP Execution in Untrusted Folders
    • Disable Files Editor

    The Advanced website hardening section includes a Block Plugin/Theme Installation feature.

    And with the Paranoid mode, you can reset all your passwords and replace the old security keys.

    Security Features


    Security Keys – Many unscrupulous hackers access security keys by digging into the live website files. Use the MalCare plugin to create robust security keys. Store these keys in the wp-config.php file.

    Protect Upload Folders – You may have heard about the MailPoet plugin hack which affected thousands of websites in 2014. It was executed using PHP files in the infected website’s ‘uploads folders’. MalCare prevents this by protecting the vulnerable points – the upload folders.

    Disallow Plugin Installation – Use MalCare’s exclusive feature to disallow the installation of themes and plugins. They can be used to infiltrate sites.

    Disable File Editor – Disabling the file editor using MalCare prevents access to the site backend files.

    The Security Fixes section on the MalCare dashboard is very simple to use. MalCare’s one-click execution means you do not have to negotiate any technical stuff. This cements the fact that with MalCare, you don’t need to be an expert to protect your domains fully.
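
    Several of the hardening items listed above (security keys, the file editor, plugin and theme installation, the database prefix) come down to settings in wp-config.php, so they can be checked by reading that file. The audit below is an added example, not MalCare's code: it uses a simple regex reader rather than a PHP parser, the 32-character minimum is an assumption of this example, and both sample configurations are constructed.

```python
import re

# The eight keys and salts WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
MIN_KEY_LEN = 32  # assumption of this example, not a WordPress rule

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
COMMENT_RE = re.compile(r"^[ \t]*(?://|#)[^\n]*|^[ \t]*/\*.*?\*/", re.M | re.S)

def audit(php_source):
    """Return a list of hardening findings for the text of a wp-config.php."""
    src = COMMENT_RE.sub("", php_source)  # commented-out defines do not count
    defs = {name: (bare.lower() if bare else sq or dq)
            for name, sq, dq, bare in DEFINE_RE.findall(src)}
    findings = []
    for name in KEY_NAMES:
        value = defs.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER or len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: placeholder or short value")
    enabled = lambda const: defs.get(const) in ("true", "1")
    # DISALLOW_FILE_MODS also turns off the editors, so either constant suffices.
    if not (enabled("DISALLOW_FILE_EDIT") or enabled("DISALLOW_FILE_MODS")):
        findings.append("file editor: enabled")
    if not enabled("DISALLOW_FILE_MODS"):
        findings.append("plugin/theme installation: allowed")
    prefix = PREFIX_RE.search(src)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix: default wp_ or not set")
    return findings

# Constructed sample inputs (not taken from any real site).
WEAK = """<?php
define( 'AUTH_KEY', 'put your unique phrase here' );
// define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
"""
HARDENED = "<?php\n" + "".join(
    f"define( '{name}', '{(name + '-constructed-').ljust(64, 'x')}' );\n"
    for name in KEY_NAMES
) + "define( 'DISALLOW_FILE_MODS', true );\n$table_prefix = 'k3q_';\n"
```

    Note that DISALLOW_FILE_MODS blocks plugin and theme updates as well as installation, so a site that sets it needs another route for applying updates.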

    MalCare Firewall

    MalCare’s powerful firewall switched on automatically when I started using the plugin. There is a Disable option for those who do not want it. The website firewall filters the traffic very well and includes Login Protection and IP-blocking features.

    IP Blocking: MalCare scans the web for bad traffic and prevents that traffic from accessing your site.


    Login Protection: Login protection is useful against brute-force attacks. When MalCare identifies repeated failed login attempts, it enables CAPTCHA protection, which bots cannot read.


    If you want to view details of the traffic requests blocked or the unsuccessful login attempts made on your website, simply click on the buttons Blocked IPs or View Details. You can also scan through your traffic for data like the country of origin and browser details.

    Website & User Management


    Since I have multiple websites, I am always looking for a single interface solution rather than bouncing from one site to another to perform simple management tasks. MalCare does just that. Its Website and User management features consolidate my multiple-site management duties on one single dashboard. Some functions I can perform quickly include role and password changes, theme-related updates and changes, plugin updates, plugin removals, and permission updates.

    A Product with Great Support


    While using MalCare, I had a few questions regarding the product. The support team responded to my email in less than a day and resolved my query. This minor experience was very encouraging as it shows that MalCare is backing up its product with a good support setup.

    Fair Pricing

    At $8.25 a month, the MalCare price seems pretty justified for its convenience to a website owner. In fact, they have a free version too, allowing users access to the scanner and the firewall. You’ll have to buy a premium plan for cleanups and site management.

    Summing It Up

    MalCare is the type of security product that you will stick with. It promises continuous adaptation because of its AI-based research, and BlogVault seems to understand the nuances of website security quite well. It helps that the dashboard is very easy to understand while featuring many useful features.

    The Scanner is surgical in its effectiveness and does not hinder website performance. The Cleaner is easy to use and requires absolutely zero technical knowledge to use.

    The verdict is out. MalCare is an excellent website security recommendation.

    Additionally, I enjoyed the plugin’s White-Labelling feature as it allows me to use my brand and keep my website theme immaculate. And the Client Reporting is ideal for people who manage other people’s websites.

    For a security product with so many features, 2FA security will be a great addition, and apparently, MalCare is working on introducing this soon.

    Nimesh Patel

    Nimesh Patel is the Product Manager and Growth Hacker at Dotstore. For the past 10 years, Nimesh has been a prolific marketer and product builder in the WordPress and e-commerce industry.

    Written by Nimesh Patel

    I am a Product Marketer and Growth hacker with expertise in Digital marketing, Search engine optimization (SEO), Email Marketing, Paid Campaigns on Facebook and Twitter, Content development strategies, and Competitive Research & Analysis. Nimesh is Product Manager at