MalCare Security Service: One-Stop WordPress Security Solution

MalCare is a complete security solution for WordPress sites and non-techie WP users. With the MalCare plugin installed, you can keep your WordPress site secure and protected with just a few clicks.

WordPress is the world’s leading platform for building websites and for publishing and managing content online. Over 30% of all websites in the world are powered by WordPress, making the platform a huge target for hackers and malicious users looking for vulnerabilities that they can exploit and use to compromise a website.

According to security experts, 90,978 hack attempts are made on WordPress websites every minute!

Our own security reports and logs confirm this. We run a number of WordPress sites and these are constantly under attack …

(WordPress sites are constantly under attack!)

If you have created a website without proper security planning and the right WordPress security plugins installed, then it’s only a matter of time before you fall prey to hack attempts.

Find Out If Your Website Has Been Hacked

(For more details, visit BlogVault. Source: Slideshare)

If you suspect that your website has been hacked, then check out this tutorial:

How To Prevent Your Website From Being Hacked

To prevent your WordPress website from being hacked, you should have a web security plan in place and choose security plugins that you can trust and that are well-supported.


(MalCare: One-Stop WordPress Security Solution)

MalCare is regarded by many WordPress security experts and top WordPress plugin listicles as one of the best security solutions in the market.

(MalCare is one of the best security solutions for WordPress!)

What’s MalCare?

(MalCare dashboard)

MalCare was built by the same company that developed BlogVault, a popular WordPress backup plugin with over 200,000 users. While working on BlogVault, they saw the need for a good security plugin and decided to build a comprehensive security solution that can detect, remove, and prevent hacking attempts.

What makes MalCare a better WordPress security plugin? First of all, this is a multidimensional solution created for non-technical users that allows you to keep your WordPress site secure with just a few clicks.

In this post, we are going to cover the following areas of using MalCare:

  • Installation and Setup
  • MalCare Dashboard
  • MalCare Scanner
  • MalCare Cleaner
  • MalCare Firewall
  • Website Hardening
  • Website Management
  • Secure Backups
  • MalCare Support

Installing MalCare

Installing and setting up MalCare requires no external help or technical assistance from experts.

Setting up MalCare and ensuring that your security plugin is running and keeping your site protected is a simple two-step process:

Step 1 – Add Your Site

First, sign up to create an account, then log in.

After logging in, add your site(s) to the MalCare dashboard by selecting the Add New Site button …

(Add new site)

A field will display asking for the address of your website. Enter the URL of your site into the field and select the Next Step button …

(Add a site)

Step 2 – Install The Plugin

You will be asked to enter your site’s admin login details. Type in the credentials to your site and MalCare will do the rest for you and begin securing your site.

Exploring The Dashboard

The MalCare dashboard provides a clean and intuitive interface that makes it easy to navigate to the various plugin sections and features.

The left-hand side of the dashboard provides one-click navigation links to help you access all the main features quickly. The dashboard is neatly divided into five sections: Security, Management, Backup, Reporting, and White-Labelling. Below this, you will find everything you need to keep your site secure.

After performing an initial scan, your site will be marked with a security rating ranging from A to D (A is best and D is worst). The score is determined by an internal algorithm that tells you the health of your site.

Don’t be alarmed if your scan doesn’t result in an “A”. MalCare will tell you what you can do to improve the score.

There are four main features available in MalCare that you need to know about. Let’s take a deeper look at each of these features:

The Scanner

An impressive fact worth knowing is that MalCare was built after collecting data from over 240,000 websites. The scanner uses artificial intelligence to detect hard-to-find malware. MalCare scans sites at a scheduled time every day.

(MalCare scanner)

Apart from the scheduled scans, there is also a Scan Now option that lets you instantly run a scan and display the results.

(Select the ‘Scan Site’ option)

Scanning Technique

MalCare doesn’t just search for strings in the code to find malware, as that technique is not sufficient to detect complex malware. Instead, it uses a sophisticated algorithm along with AI that learns and discovers new and complex malware in your system with ease.

Reduces Load

Another reason why MalCare is impressive is that the scanning does not slow down your site. Instead, MalCare transfers your website data to its own server and runs the scan on the server.

After the scanning is done, if malware is found, the next step is to clean it.

The Cleaner

Cleaning malware is normally a time-consuming task. MalCare, however, makes this easy. The Auto Clean option is present in the Scanner section and the malware clean happens at the click of a button.

(MalCare cleaner)

If you are informed that your site has been hacked, all you need to do is press the button, and your website will be malware free! You will be informed of this by email and receive a notification alert on the dashboard.

No Technical Expertise Required

You don’t need technical experts to use the MalCare Cleaner. The entire cleaning process is simple and easy to follow and can be done by a non-technical person.

Thorough Malware Removal

The nature of malware programs is that even after being removed, many will try to make a comeback by finding a backdoor. MalCare was built to prevent these kinds of issues. After running the cleaner, most malware issues should be permanently resolved.


The MalCare cleaner works in a way that does not affect any part of your site while removing malware. It takes care of the files that were hacked and leaves your clean files untouched.

Many people will recommend performing a manual clean up after your site has been hacked. This kind of cleanup, however, is considered outdated. MalCare employs the latest technologies to clean a site with the click of a button!

(Your site is now clean!)

While removing existing malware is essential, the next important step is preventing malware from infiltrating your website again.

Website Hardening

WordPress recommends certain website hardening measures to improve website security. To perform those measures, however, requires some technical knowledge. MalCare makes it easy to perform these measures. Based on the level of security required, MalCare offers three types of protection.

(MalCare website hardening)

1. Essentials
  • Block PHP Execution in Untrusted Folders
  • Change Database Prefix
  • Disable Files Editor
2. Advanced
  • Block Plugin/Theme Installation
3. Paranoid
  • Reset all Passwords
  • Change Security Keys

MalCare performs these actions when the above security levels are enabled. Here are a few technical aspects of the website hardening feature.

Security Keys

These are stored by default on the database of the site. However, this can be dangerous, as the database is an easy target for hackers. With MalCare, these keys can be replaced with a new, stronger set of keys, which are also placed in a more secure location.

PHP files

Attacks caused by the execution of PHP files in the uploads folder are frequent, but MalCare efficiently takes care of this too!

Prevents Plugin Installations

Rogue plugins and themes are an easy way for hackers to get into your site. MalCare detects them at the initial scan itself. It will disable these installations and reduce the risk factor.

You can select your preferred security level and choose the actions to take when you navigate to the website hardening feature. The hardening feature is highly recommended even if you have not experienced hacking issues.
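A read-only audit of the Essentials and Advanced items listed above, as an added example (not MalCare's code; the page does not say how MalCare applies them). It assumes a stock WordPress layout on Apache and checks the standard WordPress mechanisms: the `$table_prefix` variable and the `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` constants in `wp-config.php`, plus a deny rule for PHP in `wp-content/uploads/.htaccess`. The two sample installs are constructed.

```python
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".phar"}


def strip_php_comments(text):
    """Drop whole-line and block comments so a commented-out define() is not
    counted as active. Line-based on purpose: the random security keys in
    wp-config.php can contain '/*' or '//' inside their quoted strings."""
    kept, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if in_block or s.startswith("/*"):
            in_block = "*/" not in s
            continue
        if s.startswith(("//", "#")):
            continue
        kept.append(line)
    return "\n".join(kept)


def define_is_true(config, name):
    pattern = r"define\s*\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % re.escape(name)
    return re.search(pattern, config, re.IGNORECASE) is not None


def table_prefix(config):
    match = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config)
    return match.group(1) if match else None


def uploads_blocks_php(uploads):
    """Apache only: True if .htaccess has a <Files>/<FilesMatch> block that
    targets PHP and denies access. nginx needs this in the server config."""
    htaccess = uploads / ".htaccess"
    if not htaccess.is_file():
        return False
    lines = htaccess.read_text(errors="replace").splitlines()
    rules = "\n".join(l for l in lines if not l.lstrip().startswith("#"))
    block = re.compile(r"<Files(?:Match)?\s+([^>]*)>(.*?)</Files(?:Match)?>", re.I | re.S)
    deny = re.compile(r"deny\s+from\s+all|require\s+all\s+denied", re.I)
    return any("php" in m.group(1).lower() and deny.search(m.group(2))
               for m in block.finditer(rules))


def audit(site_root):
    """Read-only check of one install; returns a finding per hardening item."""
    root = Path(site_root)
    config = strip_php_comments((root / "wp-config.php").read_text(errors="replace"))
    uploads = root / "wp-content" / "uploads"
    mods_off = define_is_true(config, "DISALLOW_FILE_MODS")
    return {
        "php_blocked_in_uploads": uploads_blocks_php(uploads),
        "db_prefix_changed": table_prefix(config) not in (None, "wp_"),
        # DISALLOW_FILE_MODS also turns off the built-in file editor
        "file_editor_disabled": mods_off or define_is_true(config, "DISALLOW_FILE_EDIT"),
        "plugin_theme_install_blocked": mods_off,
        # PHP already sitting in uploads deserves a manual look
        "php_files_in_uploads": sorted(
            p.relative_to(root).as_posix() for p in uploads.rglob("*")
            if p.is_file() and p.suffix.lower() in PHP_SUFFIXES),
    }


def build_sample_site(root, hardened):
    """Constructed sample install (not real site data) for the demo below."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    if hardened:
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = 'x7k_';\n"
            "define( 'DISALLOW_FILE_EDIT', true );\n"
            "define( 'DISALLOW_FILE_MODS', true );\n")
        (uploads / ".htaccess").write_text("<Files *.php>\nDeny from all\n</Files>\n")
    else:
        (root / "wp-config.php").write_text(
            "<?php\n$table_prefix = 'wp_';\n"
            "// define( 'DISALLOW_FILE_EDIT', true );\n")
        (uploads / "2019").mkdir()
        (uploads / "2019" / "cache.php").write_text("<?php // constructed placeholder\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, hardened in (("weak", False), ("hardened", True)):
            print(name, audit(build_sample_site(Path(tmp) / name, hardened)))
```

Point `audit()` at a copy or backup of the site root; it never writes to the install.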

MalCare Firewall

MalCare Firewall is a feature enabled to fortify your website and protect it from hackers. This feature is automatically activated when a site is added to MalCare.

(MalCare firewall)

However, you can disable it if you wish. MalCare filters the traffic coming from the outside world in two ways:

IP Blocking

MalCare scans more than 100,000 websites in search of bad IPs. These are the ones that are known to harm your website when they visit it. So whenever one of these IP addresses tries to gain access to your site, the firewall blocks it!

(MalCare traffic log)

Login Protection

Some hackers continuously try to gain access to your site by trying different combinations of passwords. MalCare blocks them after a few unsuccessful attempts by deploying a CAPTCHA.

This feature will make you feel a lot safer, so ensure that the firewall remains enabled all the time.

(MalCare login logs)

Integrated Backup

Backups are an essential part of website security. They are your safety net if a hacker gains access to your site and wipes out your files and data. With MalCare’s powerful backup service, your sites will remain protected and you always have access to your backups.

Website Management

MalCare has a website Management section where you can manage your dashboard, update plugins, themes, and a lot more. The site also has a feature that alerts you if your plugins are outdated!

Additionally, you can change passwords, user roles or even delete users who have access to your WordPress site.

(MalCare website management)

MalCare Support

If you need support or have any questions or concerns about the features or the technology behind MalCare, you will find that the MalCare support team is very responsive and eager to share their knowledge with you.

Recommendation: Install The MalCare Plugin

The features in MalCare are simple and easy-to-use. If you own or manage multiple WordPress sites, adding these to the dashboard is just a simple ‘rinse and repeat’ process. MalCare is a robust WordPress security solution backed by a solid support team and extensive help documentation.

With MalCare’s Scanner actively looking after your WordPress sites on a daily basis, you will have peace of mind knowing that your sites will be safer.

Using the Cleaner is easy and the procedure takes only a few minutes. Use the Website Hardening feature to lock down the backend of your site(s). MalCare also provides two additional useful features for agencies, web developers, or anyone managing client websites: White-Labelling and Client Reporting.

MalCare is very reasonably priced and offers a range of options to suit your needs, depending on how many sites you need to protect and manage.

If you are a WordPress site owner, we recommend installing the MalCare security plugin and using the service as part of your regular website management and security maintenance process.

For more details, go here: MalCare – Complete WordPress Security Solution

WordPress Security Checklist

Use this free WordPress Security Checklist to ensure that your WordPress site remains protected and secure at all times.

This tutorial is part of our tutorial series on WordPress Security. In this tutorial, we provide a WordPress Security Checklist that will help ensure your WordPress site is protected and secure.

*** Important – Read Me ***

Many of the tasks listed in the checklist below can be completed by non-technical users simply by following the tutorials in our WordPress Security training module. Some of these tasks, however, should only be carried out by more technically advanced users. If you don’t understand what to do or don’t feel confident performing one or more tasks, please ask a professional and experienced WordPress service provider for assistance.


Always back up your WordPress site (database and files) before making any changes to files. Even small mistakes can have disastrous consequences if you are not careful.

Please note that we have no control over the software and services mentioned in this checklist and that under no circumstances will we be held responsible for any losses or damages incurred either directly or indirectly as a result of following the recommendations below.

We also provide a printable version of this checklist at the end of this tutorial. We recommend printing out this checklist and using it as a reference to ensure the continued security of your WordPress site.

Basic Website Security Checklist

WordPress Security Setup Checklist

  • Protect your site against spam (Install an antispam plugin, e.g. Akismet or Bad Behavior)
  • Perform a full security scan of your WordPress files (Install a security scan plugin, e.g. Acunetix WP Security).
  • Secure your WP database (change database table prefix).
  • Option 1: Install a brute-force attack prevention plugin (e.g. Login Lockdown, Limit Login Attempts), or
  • Option 2: Install a comprehensive security plugin (e.g. BulletProof Security, SecureScanPro, etc.)
  • Secure your wp-admin folder.
  • Protect your uploads folder.
  • Secure your wp-config.php file.
  • Delete redundant WordPress core files (e.g. readme.html, install.php, etc.)
  • Set secure permissions for files and folders.
  • Protect server directories (e.g. add empty index.php files to directories)
  • Add a secure admin user.
  • Set correct permissions for users (User Roles and Capabilities)
  • Remove user registration capabilities (if not required)
  • Set up an Intrusion Detection System (Install a file monitoring plugin, e.g. File Monitor Plus)
  • Add Antivirus protection (Install an antivirus plugin, e.g. Antivirus for WordPress)
  • Add Firewall protection (Install a firewall plugin like WordPress Firewall 2, Block Bad Queries, etc …)
  • Enable data logging and archiving.
  • Secure PHP.
  • Set up hosting monitoring (e.g. Sucuri, etc…)

WordPress Security Maintenance Checklist

Schedule the tasks below to be performed on a regular basis:

Critical Website Information Checklist

Have this information handy and keep it in a safe place!

Download a printable copy of this free WordPress Security checklist below.

Hopefully, you have gone through the above checklist and implemented measures that will help ensure your WordPress site is protected and secure.



WordPress Security Plugins

In this tutorial, we explore different types of WordPress security plugins that help to protect and keep your digital presence secure.

This tutorial is part of our tutorial series on WordPress Security. Please also review our WordPress Security Guide For Beginners and our free WordPress Security Checklist.

WordPress security plugins can perform a range of functions, including:

  • Preventing malicious and unauthorized users from gaining access to your site,
  • Scanning your files for signs of hacking and injections of malicious code,
  • Keeping your site protected and free from potentially harmful content,
  • Content theft protection,
  • and more.


Note: Security plugins alone do not provide a complete website security solution. See the tutorials in the WordPress Security training module to gain a better understanding of how security plugins fit into your overall website security plan.

WordPress Security Solutions

Some plugins provide comprehensive WordPress security and protection against a range of malicious and potentially harmful activities. The plugins listed below fall into this category:

iThemes Security Pro

(iThemes Security Pro)

iThemes Security Pro is a comprehensive WordPress security plugin that prevents WordPress hacks, WordPress security breaches, WordPress malware and more.

Some of the main features of this plugin include:

  • WordPress Brute Force Protection
  • WordPress Security Grade Report
  • File Change Detection
  • 404 Detection
  • Strong Password Enforcement
  • Lock Out Bad Users (locks users out if they have too many failed login attempts or generate too many 404 errors)
  • Away Mode (makes the WordPress dashboard inaccessible during specific hours so no one else can sneak in and attempt to make changes).
  • Hide Login & Admin (changes the default URL of your WordPress login area so attackers won’t know where to look.)
  • Schedule Database Backups
  • Email Notifications
  • WordPress two-factor authentication
  • WordPress Malware Scanning
  • And more!

For more details on the comprehensive suite of security features provided by this plugin, go here: iThemes Security Pro

WP Site Guardian

(WP Site Guardian – WordPress security plugin)

WP Site Guardian is a ‘must-have’ security plugin for all WordPress users. It is a proactive anti-exploit plugin that monitors & blocks hackers based on behavior.

When any suspicious activity is detected the visitor IP is instantly blocked and the hacker is banned. This prevents the exploit from executing and also shuts down all further hacking attempts. By eliminating the exploit and the bad user, the risk of your site getting hacked is greatly reduced.

The plugin records and keeps a log of all attacks …

(WP Site Guardian – Attack History)

And emails you notifications about suspicious activities …

(WP Site Guardian – Email Alerts)

This is the only plugin on the market that offers active protection against current and future exploits as it looks at visitor behavior rather than the attack code and the only security tool for WordPress that provides real time intrusion detection, live exploit attack blocking and intruder attempt notifications.

(WP Site Guardian blocks the four biggest attack vectors)

This plugin blocks the four biggest attack vectors (Header injection, XSS injection, SQL injection, and Directory Traversal) and protects against most common hack types like:

  • EXPLOITS (92% of direct hack attacks) – Badly written plugins/themes allow a hacker to execute a command/script that gives them control of your site. Most popular security plugins & services don’t offer any protection against this.
  • BRUTE FORCE ATTACKS (8% of direct hack attacks) – Multiple attempts to guess your username/password & take control of your site. Most popular security plugins & services are good at blocking this attack but can’t deal with new amplified XMLRPC attacks.
  • DDOS – (Distributed Denial Of Service i.e. “break the site” hack attacks) – This is where hackers attempt to flood your site with too many requests so your server falls over. Plugins can’t deal with this attack … you would need to use a third party service like Cloudflare or bespoke hardware protection.

Michael Thomas & Chris Hitman, specialists in IT/security and the plugin’s developers, found that some of the best security plugins were completely ineffective against exploits. In fact, they even managed to hack sites with Cloudflare & cache running and have posted a video on their website that shows this.

(WP Site Guardian protects your site against most security exploits and attacks)

We highly recommend installing this security plugin on your WordPress site.

To learn more about this plugin, visit the site below:

WP Shields-Up

(WP Shields-Up – Stealth WordPress Security Plugin)

Many novice hackers use unsophisticated methods like scanning websites for vulnerabilities and deploying basic exploits to take control. Many of these methods are as simple as looking through your site code to see what themes or plugins your website is running and downloading free scripts that take advantage of known vulnerabilities to break into your site.

(By default, this information about WordPress is available for anyone to see …)

WP Shields-Up is a ‘stealth’ security plugin that hides your WordPress site from hackers and bots by disguising information about WordPress that is normally visible to users, such as what WordPress themes and plugins are installed on your site, what version of WordPress you are using, etc.

(WP Shields-Up hides WordPress information from online scanning tools!)

Once installed, WP Shields-Up performs a number of security fixes on your site, including:

  • Blocks direct access to PHP Files
  • Disables Directory Browsing
  • Removes “Tell Tale” elements of WordPress
  • Moves and hides login areas
  • Hides information about WordPress plugins and themes
  • and more.

(WP Shields-Up automatically performs a number of security fixes on your site)

WP-Shields-Up performs one-click security fixes automatically and can be easily installed and enabled on your WordPress site.

To learn more about this plugin, visit the site below:

BulletProof Security

(BulletProof Security)

BulletProof Security is designed to be a fast, simple and one-click security plugin that adds comprehensive website security protection for your WordPress site.

To learn how to install and use the BulletProof Security plugin, see the tutorial below:


SecureScanPro - WordPress Security Software

(SecureScanPro WordPress Plugin)

Many WordPress plugins address some but not all areas of WordPress security. One WordPress security plugin that seems to do a comprehensive job of scanning, fixing and preventing issues that could lead to hackers accessing your site files and damaging your site is SecureScanPro.

SecureScanPro is easy to install and easy to use and does a great job of addressing most of the security areas and fixing the issues that WordPress users need to address.

To learn more about this plugin, go here:

Ultimate Security Checker

(Ultimate Security Checker Plugin)

The Ultimate Security Checker plugin identifies security problems with your WordPress Installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself.

To learn more about this plugin, see this tutorial:

Acunetix WP Security

(Acunetix WP Security)

The Acunetix WordPress Security plugin is a free and comprehensive security tool that scans your WordPress installation for vulnerabilities and suggests corrective measures for weak passwords, secure file permissions, database security, version hiding, WordPress admin protection and more.

To learn more about this plugin, go here:

WordPress Brute-Force Attack Protection Plugins

Brute-force attacks on your site attempt to guess your login information by simply trying to log in over and over again. Since this is usually done by automated software, the attack can be very persistent and cause widespread damage …

WordPress Brute-Force Attack Protection

Protecting your WordPress site from brute-force attacks is one of the most important security precautions you can take.

We have created a separate tutorial on plugins that prevent brute-force attacks and unauthorized users accessing your WordPress administration area. To learn how to protect your WordPress site from brute-force attacks using plugins, see the tutorial below:

WordPress File Protection Plugins

The plugins listed below will alert and notify you if any of your site’s files have been modified without permission or authorization:

WordPress File Monitor Plus

(WordPress File Monitor Plus WP Plugin)

This plugin monitors your WordPress installation for added, deleted, or changed files. When a change is detected an email alert can be sent to the email address you specify.

To learn more about this plugin, go here:
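The added/deleted/changed comparison that a file monitor of this kind performs, as an added example (not File Monitor Plus's code): a SHA-256 baseline of the install is compared with a later snapshot. The function names, the exclusion pattern and the file tree in `demo()` are constructed for illustration.

```python
import fnmatch
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large media uploads do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root, exclude=()):
    """Map each file under root (relative POSIX path) to its SHA-256.
    Symlinked files are recorded by target rather than followed, so a link
    re-pointed somewhere else shows up as a change."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            # fnmatch's '*' also matches '/', so one pattern covers a subtree
            if any(fnmatch.fnmatch(rel, pattern) for pattern in exclude):
                continue
            if full.is_symlink():
                result[rel] = "symlink:" + os.readlink(full)
            elif full.is_file():
                result[rel] = sha256_file(full)
    return result


def compare(baseline, current):
    """Return the three change classes a monitor alerts on."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed file tree (not real site data): baseline, modify, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "cache").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "index.php").write_text("<?php // original\n")
        (root / "readme.html").write_text("readme\n")
        (root / "wp-content" / "cache" / "page.html").write_text("v1\n")
        # Cache files change on every page build; excluding them avoids noise
        exclude = ("wp-content/cache/*",)
        baseline = snapshot(root, exclude)

        (root / "index.php").write_text("<?php // original\n// appended line\n")
        (root / "readme.html").unlink()
        (root / "wp-content" / "uploads" / "new.php").write_text("<?php\n")
        (root / "wp-content" / "cache" / "page.html").write_text("v2\n")
        return compare(baseline, snapshot(root, exclude))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline off the web server: anyone who can modify the site's files can rewrite a baseline stored beside them.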

Exploit Scanner

(Exploit Scanner WP Plugin)

Exploit Scanner can help detect damage done to your site so that it can be cleaned up. This plugin searches the files on your website and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

Exploit Scanner does not remove anything from your site. It only presents the results so you can decide what action to take.

To learn more about this plugin, visit the site below:

Antivirus For WordPress


(Antivirus WP Plugin)

Antivirus protects your WordPress site against exploits and spam injections. It will scan your theme templates for malicious injections automatically, every day.

To learn more about this plugin, go here:

WordPress Content Protection Plugins

The plugins listed below will help to prevent and protect your web content from being stolen:


Copyfeed WordPress Plugin

(Copyfeed – WordPress Plugin)

This plugin helps to identify content theft from your site. It works by extending your content feed with unique identifiable content that automatically gets added to every post in your copyright notice. Additionally, you can add an identifiable “digital fingerprint” and the IP of the feed reader.

The plugin can then be configured to scan search engines in order to find possible content theft. The feed can also be supplemented with comments and topic-relevant content.

To learn more about this plugin, go here:

WordPress Data Backup Plugins

Backing up your database and files on a regular basis is an important part of the process of keeping your WordPress site content protected.

We have created a separate tutorial on WordPress plugins that automate WordPress data backups. To learn how to automate WordPress data backups, see the tutorial below:

WordPress Spam Protection Plugins

Spam has traditionally been viewed as more of an inconvenience than a security risk.

It can be argued, however, that spam does indeed pose a security risk for online users. For example, spam comments left on WordPress sites can send visitors to sites infected with malware. These sites can then use sophisticated ‘phishing’ methods to deceive users into downloading files containing viruses, worms and other malicious code that can turn their computers into ‘slave devices’ for hacker bots, which then multiply and increase the frequency of attacks and security exploits worldwide on websites.

Spam can thus be considered to be a security threat, and for this reason, we are including the anti-spam plugins below:


Akismet Plugin For WordPress

(Akismet Plugin For WordPress)

Akismet is the anti-spam program that comes pre-installed with WordPress. All it requires is activation. To activate Akismet, you will need to get an API key, which is an access code you can download for free from

Once activated, Akismet will filter out your spam comments and send them directly to the trash. This plugin is extremely effective at dealing with spam.

Note: Akismet is free for most users (sites that make less than $500/mo are considered “personal” use), but there’s a charge for high traffic profitable blogs (“business” use).

To learn more about using Akismet to prevent spam in WordPress, see the tutorial below:

Bad Behavior

(Bad Behavior Plugin For WordPress)

Bad Behavior blocks link spam and the robots which deliver it.

Thousands of sites both large and small use Bad Behavior to help reduce incoming link spam and malicious activity.

Bad Behavior complements other link spam solutions by acting as a gatekeeper. Not only does it prevent spammers from delivering junk, in many cases it even prevents them from ever reading your site, delivering instead an error message like the one shown below …

Bad Behavior - WordPress Security Plugin

(source: Bad Behavior plugin site)

In addition to offering the basic spam-blocking features, the Bad Behavior plugin also helps to improve your site’s load time, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Bad Behavior also works differently than other link spam solutions. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop many spam attacks coming from new spamming methods …

Bad Behavior

(source: Bad Behavior plugin site)

Bad Behavior is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.

Installing and configuring Bad Behavior is very simple and takes only a few minutes. In most cases, no configuration at all is needed. You can simply install and activate the plugin, and you’re done. Bad Behavior will then automatically protect your posts, pages, and feeds from spam.

Plugin installation and usage documentation can be found here.

To download this plugin, visit the site below:


Note: Because Bad Behavior blocks anything it suspects to be spam, the plugin has been known to create conflicts and issues with other plugins, and to block other sites that need to access your site (e.g. Google search engine spiders). Use this plugin with caution, and if you suspect it is causing issues for you, disable it and contact the plugin software developer.

Additional WordPress Security Plugins

You can search for more WordPress security plugins inside your WordPress dashboard (Plugins > Add New), or the WordPress Plugin Directory …

(WordPress Plugins – Security)

Search the WordPress Plugin Repository for security plugins below:

We hope that you have found this tutorial on WordPress security plugins useful. We suggest going through the individual plugin tutorials in this section and installing one or more plugins to keep your WordPress site secure and protected from a host of potentially harmful and malicious activities.
