In this article I’ll be sharing my thoughts and recommendations regarding the MalCare WordPress security product. I’ll offer a basic comparison to Sucuri, which we’re most familiar with because we use it for our support services..
What is MalCare?
MalCare is a WordPress security service. I guess you could call it a plugin, but really the only thing the plugin seems to do is provide a connection from the software to your website.
You may be more familiar with BlogVault, their first product, a very well done backup plugin.
The MalCare product has the same features you’d expect from a WordPress security plugin.
- Daily malware scans
- Malware removal
- Login prevention
- Steps for hardening your site
- Firewall (but more on that later)
You can also get a version of MalCare that includes secure backups. Which is a nice add on and much needed. So few website owners maintain a backup.
Before I jump into my review…
First, in full disclosure. MalCare reached out to me after reading my article, Hacked WordPress Site?.
They wanted to know if I would add MalCare to the article. I am very grateful for the ask, it really means a lot!
However, I informed them that I only recommend products I’d use or have used. As a result, they gave me access to a MalCare plan to test it out.
My review of MalCare WordPress security
I activated MalCare on three sites. Two of which are my own and one a clients site.
I was impressed with how easy it was to get started. From the setup and activation of everything.
In fact it was so simple I couldn’t believe it! And just to be sure I spent some time reading documentation to make sure I had done everything right.
The manegment dashboard is simple and for the most part easy to navigate.
It could use some UI enhancements but they have ensured me that is something they are currently working on.
The objective in using my own site for this test was to ensure that I could get good data in a short period of time.
The graphs shown below depict the difference in stats from Sucuri and MalCare. I did remove Sucuri from the site before adding MalCare.
Looking at the data!
After looking at this data, I was even more confused by the “firewall” that MalCare provides.
With the firewall, Web Application Firewall (WAF), as it’s called, provided by Sucuri, you literally redirect your web traffic through a firewall.
You point your domain to their WAF and the WAF back to your hosting IP. To help offset the additional milliseconds it takes to get to you’re website Sucuri implements a CDN, Content Delivery Network.
Now with MalCare, there is no literal setup of the firewall? I reached out to ask how the firewall works.
The response was that the server works in tandem with the plugin and is monitoring the traffic IPs as they hit the site.
Then reading documentation on their site I found this.
“Every IP request will be evaluated and then only allowed to enter your site. Specific IPs which are known to have malicious intent are blocked from even sending requests.”
I’m assuming once a bad IP is detected it’s blocked, but still not sure how the firewall prevents that visitor / bot from getting to my site in the future. Again there’s no “pass through” to block it.
I am also under the impression that the MalCare firewall is only to prevent Brute Force login attempts.
As the charts show above I had a tremendous amount of traffic blocked by the Sucuri firewall in a month, but only 1 block by MalCare in a couple weeks time.
How do the other features stack up?
As for the scanner and malware clean up, I’m not seeing much difference in what the two offer.
With MalCare you have a 1 click cleanup button and in Sucuri you submit a ticket which has maybe 3 clicks.
Both security products perform an automated cleanup, however every ticket that is submitted for cleanup in Sucuri is passed to an actual human for review before it’s closed.
MalCare does have the added benefit of backups. Which is a huge advantage and major value add!
As a side note, the first time I used their backup feature, BlogVault, was to migrate a site to WP Engine. It was flawless! Best part, first migration failed, but the tool retained the backup so it didn’t have to pull a full backup again, just redo the push to WP Engine server.
Sucuri recently released a backup feature, but I have not personally used it. So no comment at this time.
The login prevention feature of MalCare shows a lot of failed attempts but no blocks?
The documentation says that they limit the number of attempts and “triggers automatic Captcha based protection to protect your site against bots.”
Still would expect some of those failed logins to be considered bots and added to a block list.
Here is a short list taken from 6 pages of actual login tries. This I like looking at to see what usernames are being tired.
I’m not going to bother with a price comparison, no body should compete on price, and your decision should not come down to price.
The Wrap Up
The question I keep asking myself throughout this write up is, will I continue to use MalCare?
Right now the answer is, maybe and no.
For clients who’s sites are processing thousands of dollars in revenue a month it’s a no. I feel more confident in what Sucuri is doing to prevent the bad from getting to the site in the first place.
I plan to leave MalCare on the sites it’s currently setup on to get more data and more insights.
So maybe after more testing and research I’ll be able to shift to a “yes for some sites”.
I will end with this, some security is better then no security!
While I may not be confident that MalCare is providing the same level of service and protection, I’d rather you use it because it fits better with your price range then not have security at all.
As always, please use the comments to offer any feedback or ask your questions.