MalCare review: cloud scanning with one-click malware removal

MalCare is a WordPress security plugin combining cloud-based malware scanning with one-click malware removal. The plugin is developed by Inactiv and offers a unique proposition: not just detection but also automatic cleanup of infected sites. Pricing starts from €99 per year for one website with unlimited malware removal.

What distinguishes MalCare from competitors is the balance between Wordfence's technical power and Sucuri's managed cleanup. MalCare runs as a plugin on your server but does heavy scanning in the cloud. This keeps your server light while still getting deep malware analysis. The one-click cleanup feature makes it accessible for non-technical users.

The plugin is relatively new (launched in 2017) but has quickly gained popularity among WordPress developers and agencies. It's known for accurate malware detection with few false positives. For site owners wanting cleanup assistance without paying Sucuri's prices, MalCare is an attractive middle ground.

What exactly is MalCare?

MalCare is a security service with three core components: cloud-based malware scanning, one-click malware removal, and a basic firewall. The plugin installs on your WordPress site but does heavy analysis on MalCare's servers. This keeps resource usage low while still getting advanced deep scanning.

The big difference from other plugins: automatic cleanup. When MalCare detects malware, you can clean your site with one click. The service removes infected files, cleans backdoors, and repairs modified core files. You don't need to troubleshoot yourself or hire security experts.

The malware scanner runs daily and checks all files for known malware signatures, suspicious patterns, and behavioral anomalies. MalCare claims 99.99% detection accuracy. The scanner also identifies the entry point – how hackers gained access – so you can prevent it from happening again.

Cloud scanning vs local scanning

Traditional security plugins like Wordfence scan locally on your server. Each file is analyzed with PHP code running in your WordPress environment. This is thorough but uses lots of server CPU, RAM, and disk I/O. On shared hosting, this can slow your site or even crash it during scans.

MalCare's cloud scanning moves analysis to external servers. The plugin uploads a list of files and their checksums to MalCare's cloud. There, powerful servers with advanced malware databases run the analysis. Results come back to your WordPress dashboard.

Advantages: zero server impact, faster scans, and access to more computing power for behavioral analysis. Disadvantage: you must trust MalCare with your file metadata. MalCare claims not to upload file content, only checksums and file info. For privacy-critical sites, this is a consideration.

Installation and setup

Signing up for MalCare starts at malcare.com where you create an account and choose a plan. After payment, you receive a license key. You install the MalCare Security plugin via WordPress.org or upload it manually. After activation, you enter your license key.

The plugin asks permission to communicate with MalCare's servers. This is necessary for cloud scanning and updates. Your WordPress site registers in the MalCare dashboard at malcare.com. From there, you manage scans, backups, and security settings for all sites with one license.

Running first scan

After installation, MalCare automatically starts an initial scan to determine your baseline security status. This initial scan takes 5-15 minutes depending on your site size. For very large sites (10,000+ files), this can take longer.

The scan checks WordPress core files, all plugins, themes, uploads, and the database. MalCare searches for known malware families, backdoors, defacements, SEO spam, pharma hacks, and suspicious scripts. It also compares files with official WordPress.org repository versions.

Scan results appear in your MalCare dashboard with a clean/infected status. If your site is clean, you see a green checkmark with "No malware found". If MalCare detects malware, you see detailed information about infected files and infection type.

Dashboard navigation

The MalCare dashboard is clean and clear. The main page shows all your sites with security status, last scan date, and quick actions. Click a site for details: malware scans, firewall settings, and backups.

The Security tab shows scan history with timestamps. You can manually trigger scans or adjust scheduling. Security hardening options like disable file editing and XML-RPC blocking are here too. It's less granular than Wordfence but more beginner-friendly.

The Firewall tab configures MalCare's basic firewall. This is simpler than Wordfence or iThemes Security but blocks common attacks. You can manage IP whitelists and blacklists. Country blocking is available in higher plans.

Malware scanning features

MalCare's scanner is the heart of the service. It uses signature-based detection, behavioral analysis, and machine learning to identify malware. The cloud-based approach provides access to more computing power than local plugins.

Signature database and updates

MalCare maintains a database with signatures of thousands of malware families. This includes backdoors, webshells, database mailers, phishing pages, cryptominers, and SEO spam scripts. The database is updated daily with new threats.

Known malware like c99 shell, WSO shell, r57 shell, and other popular webshells are instantly detected. WordPress-specific threats like plugins with backdoors, nulled themes with malicious code, and compromised plugins are also recognized.

Signature-based detection works well for known malware but misses zero-day exploits. Therefore, MalCare combines this with heuristic analysis that detects suspicious patterns even without exact signature match.

Behavioral analysis and anomaly detection

MalCare analyzes file behavior and looks for anomalies. For example: an image file containing executable code, or a JavaScript file doing database queries. These anomalies often indicate obfuscated malware.

The scanner also detects base64 encoded strings, eval() calls, suspicious includes, and other common obfuscation techniques. Not all detections are actually malware – some plugins use these techniques legitimately. MalCare's machine learning reduces false positives by understanding context.

File integrity checking compares WordPress core, plugin, and theme files with official versions. If a file has changed but not from an update, it's suspicious. MalCare shows a diff of what changed so you can assess if it's malicious.

Deep database scanning

Much malware hides in the database. Think of: spam links in posts, rogue admin accounts, malicious scheduled tasks (wp_cron entries), and injected scripts in options. MalCare scans the database for all these patterns.

SEO spam detection finds injected links to pharma sites, casinos, adult content, and other spam. These links are often hidden in post content via conditional display (only visible to search engines). MalCare detects these cloaking techniques.

Admin account hijacks where hackers create rogue administrator accounts are also found. MalCare shows suspicious accounts recently created or having suspicious privileges.

One-click malware removal

MalCare's killer feature is automatic cleanup. When the scanner finds malware, you can clean your site with one click. No manual file editing, no writing database queries. MalCare does it for you.

How does auto-cleanup work?

When malware is detected, MalCare analyzes the infection to determine which files are infected, which database entries are malicious, and where backdoors are. This analysis happens in the cloud with access to extensive malware intelligence.

During auto-cleanup, MalCare replaces infected core files with clean versions from the WordPress repository. For plugins and themes, it fetches clean versions if available. Database malware is removed with surgical precision – only malicious entries, no collateral damage.

Backdoors in obscure locations like uploads, themes, or randomly named directories are also tracked down and removed. MalCare ensures no malware remains that could cause re-infection.

Safety and backups

Before auto-cleanup, MalCare automatically creates a backup. If something goes wrong during cleanup, you can restore to the pre-cleanup state. This caution prevents cleanup from breaking your site if there were false positives.

Cleanup is typically done in minutes. For lightly infected sites, this can be 5-10 minutes. For heavily compromised sites with malware in hundreds of files, it can take 30-60 minutes. You get a notification when cleanup is complete.

After cleanup, MalCare runs a verification scan to confirm all malware is removed. If the site is clean, you get a clean bill of health. If traces remain, you can run a second cleanup cycle.

Unlimited cleanups

All paid MalCare plans have unlimited malware removal. If you get hacked again, you can have your site cleaned again without extra costs. This is similar to Sucuri's Platform plan but at lower price.

This unlimited policy gives peace of mind. Even if you're targeted or a zero-day exploit hits you, you're covered. You don't need to hire a security consultant for €1000+ every time your site gets compromised.

Firewall protection

MalCare contains a basic firewall blocking common web attacks. This is not an advanced WAF like Wordfence or Sucuri but offers reasonable protection for most sites. The firewall runs at your server level.

Firewall capabilities

The MalCare firewall blocks known attack patterns: SQL injection attempts, XSS attacks, remote file inclusion, and directory traversal. It also has IP-based blocking for brute force protection. Rate limiting prevents bots from overloading your site.

The firewall is however basic compared to dedicated solutions. It lacks real-time threat intelligence updates like Wordfence's Threat Defense Feed. It has no advanced features like geographic blocking (except in higher plans) or custom rules.

For most WordPress sites, MalCare's firewall is sufficient. It blocks 80% of automated attacks. For high-security environments or sites seeing many targeted attacks, you may want a more powerful firewall like Wordfence Premium or Sucuri.

Login protection

MalCare offers brute force protection by limiting login attempts. You can set how many wrong attempts are allowed before an IP is blocked. By default, this is 5 attempts in 30 minutes.

Lockout duration is configurable from minutes to permanent ban. You can manually whitelist or blacklist blocked IPs. For IP ranges (for example your office network), you can set whitelists to never get locked out.

MalCare however has no advanced login features like custom login URLs, CAPTCHA, or two-factor authentication. For these features, you must use separate plugins or choose an alternative like iThemes Security Pro.

Free vs paid plans

MalCare has a very limited free version offering only basic security hardening. The real value is in paid plans with malware scanning and cleanup. There are three tiers: Basic, Plus, and Agency with increasing features.

The Basic plan costs €99 per year for one site. This includes daily malware scans, unlimited malware removal, basic firewall, and login protection. This is sufficient for most single sites wanting complete protection.

Plus plan features

The Plus plan is €149 per year for one site. This adds two important features: unlimited website backups with one-click restore, and website staging for testing. You also get priority support with faster response times.

Backups are automatically scheduled (daily, weekly, or monthly). MalCare stores backups on their cloud servers so it uses no disk space on your hosting. Retention is 365 days – one year of backup history.

Staging lets you create a clone of your production site for safely testing updates or changes. If everything works, you can push changes to production with one click. This is handy for developers but overkill for most site owners.

Agency and multi-site plans

The Agency plan starts at €249 per year for 5 sites. This scales to €499 for 20 sites and €999 for 100 sites. Per-site costs drop dramatically with volume. For agencies managing client sites, this is much more affordable than per-site licensing.

Agency features add white-labeling. You can brand MalCare as your own service to sell to clients. Client management features let you give access to specific clients with restricted permissions.

Priority support in Agency plan has guaranteed response times. For business-critical sites where downtime costs a lot, this SLA is valuable.

Pros and cons

Pros:

One-click malware removal: The biggest USP is automatic cleanup. You don't need to troubleshoot yourself or hire experts. MalCare does it for you. This is invaluable for non-technical site owners. Comparable cleanup at Sucuri costs €299/year minimum.

Cloud scanning has zero server impact: Scans run in the cloud and use no CPU or RAM on your hosting. Your site stays fast during scans. This is a major advantage over local scanning plugins like Wordfence that use server resources.

Unlimited cleanup for all plans: If you get hacked again, MalCare cleans your site again without extra costs. This is available from the €99 Basic plan. Sucuri charges €299 for unlimited cleanup. MalCare is therefore more affordable.

Accurate malware detection: MalCare is known for low false positive rates. Cloud-based machine learning identifies real threats without excessive noise. You don't waste time investigating legitimate files that are flagged.

Beginner-friendly dashboard: The MalCare dashboard is clean and easy to navigate. You don't need to be a security expert to use it. Quick actions make management simple. This contrasts with Wordfence's technical interface.

Backup included in Plus plan: For €149/year you get malware protection plus complete site backups. This is more affordable than buying separate backup and security plugins. Cloud storage means no disk space usage on your hosting.

Agency pricing scales well: For agencies, multi-site plans are economical. 20 sites for €499/year is €25 per site. This is much cheaper than Wordfence Premium (€119 per site) or iThemes Security Pro (€99 per site).

Cons:

Basic firewall weak: MalCare's firewall is functional but basic. It lacks real-time threat intelligence, advanced blocking rules, and geographic filtering (except top tiers). For high-security sites, this is insufficient. Wordfence or Sucuri have more powerful firewalls.

No two-factor authentication: MalCare has no built-in 2FA. For login security, you must use a separate plugin. Competitors like iThemes Security Pro and Wordfence have 2FA. This is a significant omission.

Cloud dependency: MalCare requires constant communication with external servers. If MalCare's service is down, you can't scan or clean. You're dependent on a third-party. Fully local plugins like All In One WP Security don't have this dependency.

Privacy considerations: File metadata is sent to MalCare's cloud for analysis. For privacy-sensitive sites, this is a concern. MalCare claims not to upload file content but you must trust them. Fully local scanning keeps everything on your own server.

Free version worthless: The free tier has only basic hardening. No scanning, no firewall, no cleanup. It's essentially a trial to convince you to upgrade. All In One WP Security offers much more free.

No post-hack root cause analysis: MalCare cleans your site but gives limited insight into how the hack happened. Sucuri's incident response team thoroughly analyzes entry points. For learning and prevention, this forensics is valuable.

Relatively new player: MalCare has existed since 2017, relatively young compared to Wordfence (2011) or Sucuri (2010). Less track record means less proven reliability. For enterprise customers, this is a consideration.

Limited configuration options: MalCare is opinionated with few configuration choices. This is good for beginners but frustrating for advanced users wanting control. You can't write custom scan rules or fine-tune firewall policies.

Who is MalCare suitable for?

MalCare is ideal for site owners wanting malware detection and cleanup without needing to be technical. If the idea of manually troubleshooting a hacked site intimidates you, MalCare's one-click cleanup is a blessing. It's security with a safety net.

Small to medium business websites benefit excellently from MalCare Plus (€149/year). You get malware protection, cleanup, and backups in one package. This is cheaper than buying separate security, backup, and monitoring services. ROI is positive from a site generating income.

Agencies managing multiple client sites get excellent value from Agency plans. For €249 (5 sites) to €999 (100 sites), per-site cost is low. White-labeling lets you sell MalCare as your own service. Client management is handy for access control.

WordPress developers regularly building sites appreciate the staging feature in Plus/Agency plans. Test updates and changes safely on a clone before touching production. This prevents broken sites from updates.

Less suitable for

Very technical users wanting full control may find MalCare too basic. You can't write custom scan rules or configure advanced firewall policies. Wordfence or dedicated WAFs give more granularity.

Budget-conscious hobbyists with personal blogs may find €99/year too much. For a blog without revenue, this is an investment. Free alternatives like All In One WP Security offer basic protection without costs.

High-security environments like e-commerce sites with PCI compliance may find MalCare's basic firewall insufficient. Sites processing payments may want Sucuri's cloud WAF with DDoS protection. MalCare's firewall is reasonable but not enterprise-grade.

Privacy-critical sites not wanting to send file metadata to external servers are better off with fully local solutions. MalCare requires cloud communication. Plugins like Wordfence running fully local (though with external threat feed) give more control.

Sites needing extensive analytics and logging miss this in MalCare. There's no live traffic monitoring or detailed user activity logs. Wordfence's transparency in real-time traffic is much more thorough.

Alternatives to MalCare

MalCare combines malware scanning with cleanup, making it unique. Alternatives either miss cleanup (Wordfence), are more expensive for cleanup (Sucuri), or have basic scanning (iThemes/All In One).

Sucuri

Sucuri is the premium option with cloud-based WAF, DDoS protection, CDN, and unlimited cleanup. Sucuri Platform (€299/year) is more expensive than MalCare but offers more: enterprise firewall, post-hack forensics, and blacklist removal assistance.

Sucuri's biggest advantage is managed service. Their security team does hands-on cleanup and incident response. MalCare is self-service automated cleanup. For non-technical users wanting human support, Sucuri is better.

Choose Sucuri if: You want post-hack human support, need DDoS protection, require enterprise firewall, or prefer fully managed security over self-service automation.

Wordfence

Wordfence has the most powerful firewall with real-time threat intelligence. Malware scanning is free (with 30-day delay) or Premium (€119/year for real-time). The big miss: no cleanup. You must repair infected files yourself.

For technical users who can do cleanup themselves, Wordfence is cheaper than MalCare. You pay €119 vs €99 but get superior firewall and scanning. Trade-off is effort for cleanup.

Choose Wordfence if: You're technical, want the best firewall, can do cleanup yourself, or real-time threat updates are essential.

iThemes Security

iThemes Security Pro (€99/year) has 2FA, file monitoring, password management, and scheduled scanning. It however lacks automated cleanup. iThemes is beginner-friendly with modern UI but you must troubleshoot yourself after hacks.

iThemes is comparable price to MalCare Basic but without cleanup. MalCare's cleanup is its differentiator. If you want cleanup, MalCare wins. If 2FA is priority, iThemes wins.

Choose iThemes Security if: You want 2FA, beginner-friendly UI is priority, don't need cleanup services, or password management is important.

Frequently asked questions

What does MalCare cost per month?

MalCare charges annually, no monthly plans. Basic is €99/year (€8.25/month), Plus is €149/year (€12.40/month). For agencies, there are multi-site plans from €249/year for 5 sites. There's no free trial but there is a 14-day money-back guarantee.

Does MalCare automatically clean infected files or do I need to trigger it?

Auto-cleanup is not fully automatic. When MalCare detects malware, you see a warning in your dashboard with a "Clean Site" button. You must click this button to start cleanup. This gives control – cleanup doesn't run without your permission. This prevents accidental data loss with false positives.

Does MalCare work with all hosting providers?

Yes, MalCare works on any hosting supporting WordPress. The plugin installs as a normal WordPress plugin. Only requirement is that your hosting allows outgoing connections to MalCare's servers for cloud scanning. Very restrictive hosting can block this but this is rare.

Can I combine MalCare with Wordfence for extra protection?

Technically possible but not optimal. Both plugins have firewalls that can conflict. MalCare's cloud scanning and Wordfence's local scanning are redundant. Choose one solution. If you want MalCare's cleanup and Wordfence's firewall, consider Wordfence for firewall with MalCare as backup for emergencies.

How long does it take for a hacked site to be clean with MalCare?

MalCare's auto-cleanup is typically done in 10-30 minutes for lightly infected sites. For heavily compromised sites with malware in hundreds of files, it can take 1-2 hours. After cleanup, MalCare runs a verification scan. If everything is clean, you're done. In rare cases where malware is persistent, a second cleanup cycle may be needed. For emergency situations, you can contact support for expedited cleanup.