MalCare – A WordPress Security Plugin by BlogVault [Honest Review]

Moeez — March 9, 2018 7 Minutes Read

I know many people who juggle between multiple products. One plugin for Firewall, another for malware scanning, yet another for CAPTCHA based protection, and so on… This is an absolute hassle for WordPress site owners, who are always short of time and always need to spend money on paid security-focused plugins.

Security plugins for WordPress rarely provide a truly all-in-one solution for the range of security threats that regularly target WordPress. This is why I was skeptical about MalCare, a new WordPress security plugin, which claimed to be a comprehensive security solution. If it really worked, this could very well mean great things for WordPress security.

But let’s not make any assumptions before checking out MalCare. Read on to find out more about the plugin.

Is it Good Value for Money?

Let’s get this out of the way. MalCare is a very reasonably priced product, when compared to similar plugins. It includes unlimited site clean-ups with every plan at no extra charge. Every plan includes not only Automatic Deep Scans and Login Protection, but also an integrated Firewall, Site Hardening and personalized Customer Support. The basic plan starts at $99 per year.

Personally, I like the complete Security + Backup package for my site, which means that I don’t have to spend on a separate backup service. And at $149 per month, it seems a good bargain for securing my WordPress website.

What Does MalCare Offer?

The good thing about the plugin is that it offers a host of functionalities right out of the box that are not usually available in paid plugins. In particular, MalCare offers:

Website Security Scans

Normally, people find out they have malware on their site only after it activates. These “invisible” threats are an important cause of websites getting blacklisted by Google or being shut down by hosting providers.

Only regular checkups can protect websites from such embarrassing situations. While security plugins technically do scan websites, the problem persists in the case of more complicated malware.

Hackers are very clever at coming up with new kinds of malware. Each malware sample is unique, and this means that not all attacks can be found via signature matching, a common technique used by security plugins for detecting malware threats.

MalCare does not rely on just signature matching but uses advanced deep scan technology. More than a hundred signals intelligently collect data across hundreds of sites to find out about new malware. At the same time, it syncs with its servers and tracks any changes on my website that are not supposed to be there.

This is a lot like killing two birds with one stone. MalCare even detects previously unknown and dormant malware almost immediately. Since it doesn’t run on my hosting server, the overall resource requirement for scanning the website is very low.

MalCare scans my site every 24 hours and provides an option for custom scans. So far, it hasn’t sent me any false positives.

Malware Cleanup

When my website is under attack, my first instinct is to push the panic button. Hard. I have worked hard on building my digital territories, and I just don’t want to see all my efforts going down the drain. I am careful about keeping backups but I just don’t like my site experiencing any downtime whatsoever.

So, the faster the malware is off my property, the better I feel.

That’s exactly what MalCare does. All I have to do is look up the affected files that the plugin lists, and clean them out in a few clicks. Automated malware cleaning gets a bad reputation because of the misconception that the process is not thorough enough to deal with all the threats that could affect the website.

So, just for this review, I went through the harrowing experience of infecting my test site with malware, and cleaning it up using MalCare, and boy, am I glad to have a completely clean site now.

Web Application Firewall Security

You can keep track of all the bad IPs through the server level firewall and manually add IPs to be blocked. Or the MalCare firewall can do all the work for you.

What made MalCare’s Web Application Firewall stand out for me was its global monitoring system. It recognizes bad IPs across 100,000 websites and simply blocks them.

I could even monitor all the requests (allowed, blocked or bypassed) coming to my website. MalCare shows the traffic request logs in a graph supported by Firewall logs for each request.

CAPTCHA Protection

CAPTCHA is a set of visual and/or audio challenges that prevent bots and automated scripts from accessing the site. It prevents bots (particularly ad bots) from corrupting websites.

MalCare offers CAPTCHA based login protection that limits the number of failed login attempts to make sure that bots have no chance of accessing website resources.

As with the MalCare Firewall, I could track the login requests in a graph and audit the requests in a log file.

Website Hardening

WordPress website hardening techniques require more-than-average technical knowledge and a lot of time. The focus of these techniques is on protecting vulnerable files, the database, and backend access.

MalCare’s strength lies in bringing all these techniques to a single platform, ensuring that the website is hardened against all possible threats.

Here is a popular hardening technique. Typically, when I want to change my security keys for protecting the backend, I have to find the code in wp-config.php and alter it.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Similarly, for protecting the upload folders, I have to add the following lines to the .htaccess file:

<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Disabling file editing will seriously deter a hacker intent on exploiting and modifying website content. To disable the file editor, I would have to add the following line to wp-config.php:


This can get very technical for someone new to the WordPress ecosystem. For such users, MalCare handles all the hardening techniques in a few clicks.
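
The three manual hardening steps above (security keys, PHP execution in the uploads folder, and the file editor setting) can be checked with a short audit script. This is an added example, not part of the original review or MalCare's code. It assumes the file editor is disabled through WordPress's `DISALLOW_FILE_EDIT` constant, treats 32 characters as an assumed minimum key length, expects the `FilesMatch` pattern to be valid Python regex syntax, and runs on constructed sample input.

```python
import re
KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
# Matches define('NAME', 'value'), define("NAME", "value") and define('NAME', true).
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")

def parse_defines(php_source):
    """Return {constant: value} for define() calls outside // and # comment lines."""
    defines = {}
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        for m in DEFINE_RE.finditer(line):
            defines[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return defines

def audit_wp_config(php_source, min_len=32):  # min_len: assumed minimum key length
    """List hardening gaps: weak security keys/salts and an enabled file editor."""
    defines, seen, findings = parse_defines(php_source), {}, []
    for key in KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{key}: placeholder")
        elif len(value) < min_len:
            findings.append(f"{key}: too short")
        elif seen.setdefault(value, key) != key:  # first key to use a value owns it
            findings.append(f"{key}: same value as {seen[value]}")
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT: not enabled")
    return findings

def uploads_php_blocked(htaccess):
    """True if a closed <FilesMatch> block matching .php names denies all access."""
    blocks = re.finditer(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', htaccess, re.S | re.I)
    for pattern, body in (m.groups() for m in blocks):
        denied = re.search(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", body, re.I | re.M)
        if denied and re.search(pattern, "upload.php"):
            return True
    return False

# Constructed sample input: an untouched wp-config.php and the uploads .htaccess rule.
SAMPLE_CONFIG = "\n".join(f"define('{k}', '{PLACEHOLDER}');" for k in KEYS)
SAMPLE_HTACCESS = '<FilesMatch "\\.(php|php\\.)$">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n'

if __name__ == "__main__":
    print(audit_wp_config(SAMPLE_CONFIG), uploads_php_blocked(SAMPLE_HTACCESS))
```

On the sample input the audit reports all eight keys as placeholders plus the file editor still being enabled, while the uploads rule passes; a `FilesMatch` block without its closing tag is reported as not protecting the folder.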

Site Management

Website security does not stop at scanning and hardening. I am also responsible for maintaining my website as a safe space. The same goes for every other WordPress user out there.
In general, this means that I have to carry out the following actions:

  • Use strong login credentials and change them periodically
  • Remove inactive or unwanted plugins and themes
  • Avoid untrusted code
  • Update themes, plugins and core ASAP
  • Monitor all users on the site

Thankfully, MalCare helps in all these tasks. The plugin offers complete information on the PHP version of WordPress core, auto updates plugins and themes (subject to user permission) and keeps track of newly added plugins and themes.

Report Generation

Reports inspire confidence about the security of a website. In many cases, all you have to do is to scan the reports for possible issues.

Security Scan reports offer a general site-wide overview, details on the updates, backups created and security scans. MalCare allows for custom report title, introduction and description. Similarly, the reports can be scheduled to be generated and emailed to your address at preset intervals.

Protected by MalCare Badge

A security badge indicates that the site is clean and secure.

Can I have some assistance please?

Why yes you can. MalCare has a highly responsive and expert support team that is available to help you out in all problem scenarios. In addition, a comprehensive FAQ section covers all possible issues.

Is MalCare Right for You?

Initially, I was honestly skeptical about MalCare pulling off the All-in-One Security Solution title. Having used the seamless and smooth MalCare dashboard, I am inclined to agree to this now. The question is not “Whether MalCare is right for you”, but “How much do you care for your security?”

Given that our sites are always at risk on the Internet, the best we can do is pack as many security reinforcements around our site as possible. That’s exactly what MalCare does, and I couldn’t be happier about it.

I would actually like to see MalCare improving my site performance as well. Even though technically, performance is not really related to security, it would be an impactful feature addition to this already powerful plugin.

Check MalCare out for better peace of mind.

      Moeez is ‘The’ blogger in charge of WPblog. He loves to interact and learn about WordPress with people in the WordPress community. Outside his work life, Moeez spends time hanging out with his friends, playing Xbox and watching football on the weekends. You can get in touch with him at moeez[at]wpblog.com.