Plugin Directory

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall



Security Plugin For WordPress Websites

A WordPress security plugin ensures that your website remains completely safe and secure, always. We created MalCare Security Plugin to help website owners worry less about their site security, achieve peace of mind and focus all their energies on growing their business or website.

Difference Between MalCare Free vs Premium

Why MalCare is best WordPress security plugin?

MalCare in 1 Minute – Overview

Important Links: Security Features | Why Choose MalCare? | Comparisons | Free vs Paid

MalCare is the fastest malware detection and removal plugin loved by thousands of developers and agencies. With an industry-first automatic one-click malware removal, your WordPress website is clean before Google blacklists it or your web host takes it down. MalCare has been developed from the ground up after analyzing over 240,000 websites over 2.5+ years.

Its intelligent scanning methodology will never slow down your WordPress site and accurately identifies the most complex malware that typically goes undetected in other popular WordPress security plugins.

The one-click malware cleaner offers unlimited automated cleanups while the inbuilt powerful cloud-based firewall ensures round-the-clock website protection against spam attacks. Moreover, you can block countries to mitigate hack attacks.

MalCare comes integrated with a complete website management module that ensures better WP security and site management to your websites from a single dashboard.

The WP security plugin notifies you if the WordPress site goes down so that you can handle the situation before you start losing visitors. Performance Check enables WordPress users to keep an eye on their loading speed.

MalCare offers a premium White-Label solution that lets agencies provide better website security to their clients without risking their business. And enables users to generate beautiful reports for their clients.

Why Choose MalCare WordPress Security Plugin?

  • WordPress Malware Scanner

    • Cloud Based Deep malware scanner
    • Doesn’t Slow down your WordPress site
    • Detects malware BEFORE it’s too late
    • NO impact on your website
    • Finds ALL types of malware, even new & complex ones
    • Get Alerts about Security Risks with our WordPress Vulnerability Scanner
  • WordPress Malware Removal

    • View hacked file details
    • Cleans your site INSTANTLY, in less than 60 Secs
    • Removes ALL traces of malware
    • UNLIMITED hack cleanups
  • WordPress Website Protection

    • Blocks hacker BOTS from attacking login page
    • Identifies & blocks MALICIOUS traffic
    • Enables users to HARDEN their WordPress sites
    • Enables users to block ENTIRE countries
  • Easy to Use

    • Set up an account in 60 secs
    • Configure security once & never look at it again
  • Support

    • Agile & responsive customer support

Why Is MalCare Such a Game-Changer?

MalCare offers unparalleled security services. Some services are free and others are paid.

MalCare’s FREE Services –

  1. Cloud-Based Malware Scanning (Free)

    MalCare’s Cloud-based Scanning ensures no impact on your website ever. Moreover, it detects Complex Malware missed by other popular security plugins for WordPress.

  2. Web-Application WordPress Firewall (Free)

    Get Real-Time Protection for your WordPress website against the latest security threats with MalCare’s Smart Firewall. Block hackers & bots before they harm your site.

  3. CAPTCHA-Based Login Page Protection (Free)

    Automatically prevent brute force attacks with MalCare’s Smart Captcha-Based Login Page Protection. Round-the-clock protection against malicious traffic.

MalCare’s PAID Services –

  1. Viewing Hacked Files (Paid)

    View the infected files present on your WordPress website. Learn which themes or plugins or files or folders were infected by hackers.

  2. Industry-First Instant Malware Removal (Paid)

    Clean your hacked site instantly in less than 60 secs with MalCare’s 1-Click Cleaner. Clean your website before Google blacklists it or your web host takes it down.

  3. WordPress Recommended Website Hardening (Paid)

    Easily configure WordPress recommended best security practices with just 1-Click from right within MalCare’s dashboard. No technical knowledge needed.

  4. Geo-blocking (Paid)

    Restrict access to users based on their geographical location. Easily block all visitors from certain countries to mitigate the risk of being hacked.

  5. Uptime Monitoring (Paid)

    With MalCare’s Uptime Monitoring keep a steady eye on your WordPress site. It ensures that you are not oblivious to website downtime.

Common Hack Attacks Prevented By MalCare

MalCare protects websites against all common hack attacks which includes:

MalCare Free vs. MalCare Premium

  1. Cloud Based Malware Scanner (FREE)

    • Cloud-Based Malware Scanning (Free)
    • Deep Malware Scanning – Files & Database (Free)
  2. Website Firewall (FREE)

    • Web Application Firewall (Free)
    • Plugin Based Firewall (Free)
    • Rules update every 7 days (Free)
    • Login Page Protection (Free)
    • Bot Protection (Free)
    • Rules update every 5 mins (Paid)
    • Geo-Blocking (Paid)
    • Website Hardening (Paid)
  3. Instant Malware Removal (PAID)

    • View Malware Insights (Paid)
    • Instant One-Click Clean Ups (Paid)
    • Automatic Clean-Ups (Paid)
    • Unlimited Clean-Ups (Paid)
  4. Personalized Customer Support (Paid)

    • Support on WordPress forum (Free)
    • Support via email and chat (Paid)

Who Can Benefit From MalCare?

MalCare is perfect for:

  • Any WordPress Websites
  • Small Business Websites
  • Developer Websites
  • Web Designing Websites
  • eCommerce Stores
  • Niche Sites
  • Artists & Photographers Sites
  • Amateur & Professional Bloggers
  • Local Business Sites
  • Website for Startups
  • Websites Selling Courses
  • Influencer Sites
  • Web Hosting Companies
  • Website Maintenance Services or Agencies

Detailed Setup Step-by-Step Tutorials

This WordPress security plugin works in tandem with the MalCare servers. MalCare servers do all the heavy processing and will alert you if your site has any security issues.

Hence a MalCare account is needed to use the plugin. This account can also be used by our other products including BlogVault.

MalCare Full Security Features List

  • Cloud Based Malware Scanner

    • Daily Scan Frequency
    • On-demand Site Scans
    • Scan Non-WP Files
    • Does not slow down your website ever
  • Instant Malware Removal

    • View Hacked Files details
    • Instant Automatic Malware Removal
    • Removal of Unknown & New Malware
    • Unlimited Malware Removal
  • Intelligent Malware Protection

    • Web Application Firewall
    • IP Whitelisting
    • CAPTCHA-based Login Page Protection
    • Traffic Logs
    • Login Logs
    • Geo-Blocking
    • Alerts for Suspicious Logins
  • Website Hardening

    • Block PHP Execution in Untrusted Folders
    • Disable Files Editor
    • Block Plugin or Theme Installation
    • Change Security Keys
    • Reset All Passwords
  • Complete Website Management

    • Centralized Dashboard
    • Plugins & Themes Management & Update
    • User Management
    • Team Management
    • Client Management
    • Generate & Schedule Reports
    • White-Labeling Solution
    • Uptime Monitoring
    • Site Speed Monitoring
    • Blacklist Alarm
    • Slack Integration
  • Support

    • Email
    • Chat
    • Social Media

Fans Are Raving About Us

Connect With Our Team of Security Experts

Join MalCare’s Facebook Community – The purpose of the group is to enable Web Creators to gain valuable insights and help from community members which will be valuable to their business. So, if you are a WordPress user & want to keep up with the latest industry news and get help for your business, join us!

Don’t Know Where to Getting Started? Start From Here –

MalCare vs. Others


  • It’s extremely easy to add a website to MalCare’s dashboard. All you need to do is add a URL and install the plugin on your website.
  • MalCare’s Early Detecting Technology uses 100+ intelligent signals to detect even the most complex malware that other WordPress security plugins cannot detect.
  • No more waiting for days or hours to clean your website. Clean your website of malicious code with surgical precision in One-Click.
  • MalCare offers Login Page Protection which limits the number of failed login attempts made by hackers and bots via Captcha protection.
  • MalCare’s Firewall automatically blocks malicious traffic with its intelligent visitor pattern detection technology.
  • MalCare helps implement Advanced Website Security Hardening measures to make your site more secure against hackers and bots.
  • MalCare’s Geoblocking effectively blocks countries from visiting your site with just a click of a button.
  • MalCare’s Uptime Monitoring notifies if a website goes down so that you can handle the situation before starting to lose visitors.


Can I Setup my MalCare account myself?

Yes. Take the help of this step-by-step guide.

Why do you need my email?

We require your email address to keep you informed about important updates related to your website, such as malware alerts, vulnerability alerts, and uptime alerts.

Having an account is necessary to use our service, and your email address serves as a unique identifier for your account.

In addition, we may use your email address to notify you about any changes or updates that we make to our service, as well as any new features or services that we may offer to help enhance your user experience.

I am unable to reach the security plugin. What can I do?

You can send an email to the support team at support@malcare.com and notify our team regarding this.

Do you have a free version? How does it work?

MalCare Security Service has a free version and a premium version. We’ll scan and protect your website with a Firewall in the free MalCare version. You can download the security plugin from the WordPress repository.

The paid version includes Cleaning a Hacked Site, Website Hardening, Website Management, White-Labeling, Client Reporting, and taking Regular Backups. Kindly take a look at our security feature pages for more details.

To learn more, please take a look at MalCare free vs premium page.

How do I upgrade from a free to a premium account?

To upgrade from a free trial version to a premium account, please take the help of this guide.

How do I upgrade to a bigger Plan?

To upgrade to a bigger Plan, take the help of this guide.

Do I need to pay for support and help?

Never! We will be with you for any queries at any time. Click here to get in touch with us!

How many times does MalCare auto-scan a website?

MalCare automatic security scans a website once every 24 hours.

How does MalCare detect complex malware?

MalCare Security Service scans all your website WordPress files beyond just signatures and evaluates them automatically using powerful technology with the collective knowledge of 240,000+ sites. It uses 100 + intelligent signals automatically for deep security scanning and combing through all the files. That is how it detects even the most complex and well-hidden malware on your site.

Does MalCare affect my site performance?

No, not at all. MalCare Security Service performs all the heavy lifting of scanning your entire site WordPress files on its own. It does not use your site resources. MalCare Security Service runs its security operations on MalCare servers, thereby ensuring zero loads from its side on your website.

How does the unlimited cleanup policy work?

A situation may occur where your site is being repeatedly infected. In such events, there is no limit to the number of times you can clean up a hacked website.

But if the situation persists, then cleaning up the site, again and again, will not solve the problem. In such cases, you can contact us, and we will help improve your security posture. We’d ask you to take proactive measures based on the recommendation of the Support team. We reserve the right to refuse service until appropriate actions are taken from your end. In cases like this, we also reserve the right to deny refund or cancellation of the MalCare Security account.

What do I need to clean my website?

In order to begin the cleanup process, we need access to your server and its associated files. (Don’t worry, this will not compromise your site’s security).

We get this access in the form of FTP, SFTP, or SSH access to your server. FTP stands for File Transfer Protocol, sFTP for Secure File Transfer Protocol, and SSH for Secure Shell. These are connection protocol mechanisms that allow us to log into servers to edit/add/remove files. These connection protocols allow us to log into your websites, specifically the server, and perform the remediation process. If you for some reason are unfamiliar with these protocols, don’t worry, our team of security analysts is prepared to assist you in the process. To do so, you’ll need to be willing to share access information to your hosting account.

We covered how to clean a website here. Here’s a guide on how to find FTP credentials and another guide on how to locate a folder where WordPress is installed.

How long does it take to clean a site?

It really depends on the size of the website. In average, cleaning up with MalCare Security usually takes 5-10 mins.

How does the Login Page Protection work?

MalCare’s Login Protection feature prevents bots from entering your website stealing your data, spamming, and other malicious activities that threaten the security of your site.

How does the Site Hardening work?

WordPress has recommended a few extra security measures which will harden the security of your website. We have incorporated those recommendations in our Site Hardening feature. Kindly have a look at our guide on how to implement Site Hardening.

How does the Firewall work?

MalCare Security Service was created after analyzing over 240,000 sites from scratch. The Firewall constantly monitors traffic from all places and automatically blocks IPs that seem malicious in nature. As such, it is automatically enabled and needs minimal overseeing.

MalCare Firewall Security ensures that attacks on your site by even bots are mitigated, without affecting your WordPress site. It monitors bots across a global level without ever overloading your server.

Can I update WordPress core, plugins, and themes directly?

Yes. Updating WordPress add-ons tightens the security of your website. Take a look at this Manage Site help doc to learn how to update WordPress add-ons.

Can I manage my site users and their password directly?

Yes. With MalCare managing WordPress, users have become easier. Take the help of this Manage Site help doc. Remember to delete the passive user account and encourage users to use a strong password for better security.

Can I add Clients and Team Members to my account?

Yes, you can.
Our client feature is for your reference alone. You can assign a client to their site. If you want to give a user, dashboard access, please add them as your team members under the team section. Please see How do I add clients and team members? For the sake of security, give dashboard access to only people you can trust.

Will MalCare Security work if my site is down?

We understand the pains of a website going down. If a site goes down after you have added the website and installed the security plugin from the dashboard, MalCare will clean up your site.
But if you add a website that was down beforehand, i.e. before adding the security plugin, then MalCare Security Service won’t work.

What information does MalCare Security Service store?

We only store data related to your site structure such as plugins/themes with their respective versions. This helps us identify vulnerabilities that may be present on the site. We track the IPs of visitors to your site, to identify malicious actors who might attack your site.

What makes MalCare Security Service better than other WordPress security plugins?

MalCare Security Service was developed after analyzing 240,000+ websites.
1. It uses 100+ internal signals to Scan and identify the most complex malware.
2. It pinpoints the malware’s exact location on your site. It does remote security scanning, to ensure there are Zero loads on your server.
3. MalCare comes with an industry-first One-Click Malware removal service that eliminates any malware in a jiffy.
4. We alert you only when there is a legitimate malicious discovery rather than ‘possible hacks’.

We feel these features set us apart from most other WordPress security plugins. For further information take a look at how MalCare Security Service stands when compared with Top Security Plugins.

I already have a backup solution. Something happens to my site, I can simply restore it. Why do I need a security plugin?

Backups play a very important role in WordPress security, but it has some limitations. We have noticed that in many cases, it is weeks before a site owner realizes that his/her website has been hacked.

During this period multiple backups will be taken, and there will be a high chance that the files that contain the hack or the Malware are also backed up.

In such a case restoring from backup is not sufficient as it will not clean your website. Here is where a Malware solution like MalCare Security Service comes in. It does regular automated security scans of your website and notifies you if there is any sort of Malicious content on your website.

Isn’t WordPress secure enough?

WordPress core is safe, but the CMS does not work in isolation. Security plugins and themes are part of its ecosystem. Several studies on hacked sites show that plugins and themes are responsible for a majority of such compromises. MalCare Security Service is an easy and effective way of securing websites and keeping them safe from hack attempts. Look at this full feature list.

Why will an SSL certificate not suffice?

An SSL certificate is used only to encrypt a connection between the browser and server to safely transmit sensitive information. However, MalCare Security Service goes beyond and actually protects the database where this information is stored, scans your website files using 100+ intelligent signals automatically, and applications protect from data breaches and the spreading of viruses/malware. These functionalities are not provided by an SSL certificate.

How is MalCare Security Service the best for agencies or developers?

We’re the best because of three features:
1. We have developer-friendly plans that are easy on the wallet. If you’re a developer or an agency that hosts about 10 websites, the chances are that enterprise-level security packages would be too expensive for you. If you’ve got anything more than seven sites, take a look at our unlimited plans.
2. Our auto-clean feature makes sure that you can scan, and clean your sites by yourself, so you don’t waste precious time.
3. MalCare’s regular security scans alert you whenever it identifies hacks, so your sites are always secure.

How does MalCare Security handle WordPress Multisite installs?

We completely understand the concern and complexities surrounding WordPress Multisite installs. We treat each WordPress install as a license. It means that if you have a network of websites on a single WordPress installation, we treat that as a single license.

Will MalCare Security Service slow down my website?

MalCare runs on its own servers. We take great care to ensure that we do not add load to your site. We do all the hard work of security scanning, cleaning, and protecting, on our servers and this is our USP.

Where are my FTP details processed?

FTP details input into MalCare is processed on our servers. We need your FTP credentials to access your website’s files and folders. We feel that FTP transfer is the safest way to transfer data to and from a site. However, they are treated like payment details (i.e. they’re not stored on our servers). Once we’ve processed them, they’re deleted from our servers.

Where can I find the MalCare Terms of Use and Privacy Policy?

These are available on our website: Terms of Service and Privacy Policy


ජූලි 23, 2024
I was alerted to a potential risk to my site due to a needed plug-in update. I was able to update the plug in and emailed asking for confirmation that my site was now secure. A quick response let me know that all was now okay. : )
ජූලි 18, 2024
I have been using Malcare for quite some time now. Its thee best security solution for websites. Robust interface, Easily understandable, 24 x 7 responsible team, Detailed analysis, and the best part – Immediate response and action in case of any query, be it simple or urgent. Maybe i could give a 5 million star rating. Keep rocking Malcare. I highly recommend malcare. It is a 100% MUST HAVE for a successful website.
ජූලි 16, 2024
The team at Malcare provided us with unrelenting support to resolve our malware issue. Going above and beyond to help us scan and rescan our site to resolve an issue where Google Ads had found malicious links on the site. Highly recommend for any organisation who’s website is critical to their business.
ජූලි 2, 2024
The guys at Malcare seem to be available 24/7. A reply is in my inbox within hours no matter what time of the day or night I send it. They go out of their way to fix any issues and talk in layman’s terms. Highly recommended.
ජූනි 27, 2024
I initially used this plugin to remove malware, which it worked very well for. Any issues I’ve had since have been dealt with swiftly by the team. Throughly reccomended.
ජූනි 26, 2024
Truly amazing. We spent 6 hours trying to locate 2 cases of injected code. The Malcare plugin and some extremely prompt customer support had the website virus free in 20 minutes. We will now add this to all our websites. Highly recommend.
Read all 367 reviews

Contributors & Developers

“MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall” is open source software. The following people have contributed to this plugin.




  • New: Introduced Domain Monitoring feature
  • New: Introduced PHP Error Monitoring feature
  • Tweak: Implemented Captcha bypass support for Forminator and Gravity Forms
  • Tweak: Enhanced Firewall


  • Better handling for Activate Redirect


  • Updating classes in PHP Files


  • Adding SVG files.


  • UI Improvements.
  • Enhanced Firewall for greater robustness.
  • Manage Improvements.


  • Bug fix: Fetch Elementor DB details


  • Added Elementor DB Update Support


  • Enhanced Firewall
  • Added Maintenance Mode Support
  • Enhanced Whitelabel Functionality


  • Enhanced Firewall
  • Improved Authentication
  • Improved WooCommerce DB Update Support


  • Added WooCommerce 8.2.1 Real-Time-Backup support.
  • Enhanced Firewall for greater robustness
  • Enhanced WAF


  • Bug fix get_admin_url


  • WooCommerce DB Update Support
  • SHA256 Support
  • Stream Improvements


  • Code Improvements
  • Reduced Memory Footprint


  • Security Improvement: Upgraded Authentication


  • Manage Improvements


  • Code Improvements for PHP 8.2 compatibility
  • Firewall Enhancements
  • Manage Improvements


  • Firewall Improvements
  • Whitelabel improvements


  • Plugin Update Improvements
  • Theme Update Improvements


  • Whitelabel Improvements
  • Activity log Improvements for Core update


  • Bug fix: Handling WooCommerce update order hook


  • Geo-blocking with advanced firewall
  • Activity log improvements and bug fixes
  • Woocommerce custom table support for real-time backups


  • Firewall Improvements
  • Real-time Improvements
  • Improving coding standards
  • Code Improvements
  • Updated bootstrap


  • Improvements in identifying plugin and theme updates.


  • Improved the landing pages.
  • Enhanced future vulnerability protection
  • IP Blocking Improvements
  • Improved firewall configuration for migrations


  • Improvements in fetching file stats


  • Added the MalCare badge image


  • Enhanced handling of plugin services
  • Added functionality for realtime sync
  • Removed deprecated hook
  • Improvements in identifying plugin updates.


  • Sync Improvements


  • Improved network call efficiency for site info callbacks.


  • Removing use of constants for arrays for PHP 5.4 support.


  • Robust firewall-config checks


  • Post type fetch improvement.
  • Handing wing version for ipstore wing.


  • Making Login Protection more configurable.
  • Robust handling of requests params.
  • Callback wing versioning.


  • Updated the logos


  • MultiTable Sync in single callback functionality added.
  • Streamlined overall UI
  • Firewall Logging Improvements
  • Improved host info


  • Firewall Logging Improvements


  • Improved host info
  • Re-enabled plugin deactivation functionality from wp-admin for botprotection sites


  • Better Handling of error message from Server on signup
  • Fixed firewall caching issue
  • Minor bug fixes


  • Fixed services data fetch bug


  • Handling Activity Log corner case error


  • Activity Log for Woocommerce events
  • Minor Improvements in Firewall
  • Minor Improvements


  • Added Support For Multi Table Callbacks
  • Added Firewall Rule Evaluator
  • Added Activity Logs feature
  • Minor Improvements


  • New UI for registration page
  • Bug Fixes


  • Bug Fixes


  • Removed files and db access check
  • On uninstall remove prepend configuration
  • minor bug fixes


  • Disabling deactivate for botprotection accounts
  • Disconnect functionality through wpcli with params account_gid and account_type
  • Removed manual signup logic


  • Hiding bot protection dashboard from wp-admin


  • updating plugin name for cloudways server


  • Fetching Mysql Version
  • Robust data fetch APIs
  • Core plugin changes
  • Sanitizing incoming params
  • changed bvoverride cw name to manualsignup
  • plugin uninstall bug fix


  • Improved CSS
  • Wpcli V2 code
  • account disconnect option
  • plugin deactivate bug fix


  • Override bot protect over protect


  • Sending plugname in request to backend servers


  • Adding default parameter for MCWPAdmin constructor


  • Robust write callbacks
  • Improved and Robust prepend in Firewall Support
  • Without FTP cleanup and restore support


  • Updated MalCare landing page front-end


  • Removing deprecated get_magic_quotes_gpc function
  • Improving Firewall Logging


  • WPCli to server request path updated
  • Authentication header added in wpcli request param


  • Firewall in prepend mode
  • Robust Firewall and Login protection


  • Plugin branding fixes


  • Updating account authentication struture


  • Adding params validation
  • Adding support for custom user tables


  • Restructuring classes


  • Request profling and logging


  • Firewall improvements


  • Callback improvements
  • Adding delete transient callback


  • Checking Whitelisted IP’s first


  • Updating tested upto 5.1


  • Disable form on submit


  • Setting blocked page to be non-cacheable


  • Updating tested upto 5.0


  • Adding Geoblocking functionality


  • Adding function_exists for getmyuid and get_current_user functions


  • Removing create_funtion for PHP 7.2 compatibility


  • Ability to show captcha for all login blocked


  • Adding Misc Callback


  • Adding logout functionality in the plugin


  • Adding support for chunked base64 encoding


  • Updating upload rows


  • Updating TOS and privacy policies


  • Bug fixes for lp and fw


  • SSL support in plugin for API calls
  • Adding support for plugin branding


  • First Release