MalCare Security – Free Malware Scanner, Protection & Security for WordPress



WordPress Security Plugin For WordPress Websites

A WordPress security plugin ensures that your website remains completely safe and secure, always. We created MalCare Security Plugin to help website owners worry less about their site security, achieve peace of mind and focus all their energies on growing their business or website.

Difference Between MalCare Free vs Premium

MalCare in 1 Minute – Overview

Important Links: Features | Why Choose MalCare? | Comparisons | Free vs Paid

MalCare is the fastest malware detection and removal plugin loved by thousands of developers and agencies. With an industry-first automatic one-click malware removal, your website is clean before Google blacklists it or your web host takes it down. MalCare has been developed from the ground up after analyzing over 240,000 websites over 2.5+ years.

Its intelligent scanning methodology will never slow down your website and accurately identifies the most complex malware that typically goes undetected in other popular security plugins.

The one-click malware cleaner offers unlimited automated cleanups while the inbuilt powerful cloud-based firewall ensures round-the-clock website protection. Moreover, you can block countries to mitigate hack attacks.

MalCare comes integrated with a complete website management module that ensures better security and site management to your websites from a single dashboard.

The plugin notifies you if the website goes down so that you can handle the situation before you start losing visitors. Performance Check enables users to keep an eye on their loading speed.

MalCare offers a premium White-Label solution that lets agencies provide better security to their clients without risking their business. And enables users to generate beautiful reports for their clients.

Why Choose MalCare?

  • WordPress Malware Scanner

    • Cloud Based Deep malware scanner
    • Doesn’t Slow down your website
    • Detects malware BEFORE it’s too late
    • NO impact on your website
    • Finds ALL types of malware, even new & complex ones
  • WordPress Malware Removal

    • View hacked file details
    • Cleans your site INSTANTLY, in less than 60 Secs
    • Removes ALL traces of malware
    • UNLIMITED hack cleanups
  • WordPress Website Protection

    • Blocks hacker BOTS from attacking login page
    • Identifies & blocks MALICIOUS traffic
    • Enables users to HARDEN their sites
    • Enables users to block ENTIRE countries
  • Easy to Use

    • Set up an account in 60 secs
    • Configure security once & never look at it again
  • Support

    • Agile & responsive customer support

Why Is MalCare Such a Game-Changer?

MalCare offers unparalleled security services. Some services are free and others are paid.

MalCare’s FREE Services –

  1. Cloud-Based Malware Scanning (Free)

    MalCare’s Cloud-based Scanning ensures no impact on your website ever. Moreover, it detects Complex Malware missed by other popular plugins

  2. Web-Application WordPress Firewall (Free)

    Get Real-Time Protection for your WordPress website against the latest threats with MalCare’s Smart Firewall. Block hackers & bots before they harm your site.

  3. CAPTCHA-Based Login Protection (Free)

    Automatically prevent brute force attacks with MalCare’s Smart Captcha-Based Login Protection. Round-the-clock protection against malicious traffic.

MalCare’s PAID Services –

  1. Viewing Hacked Files (Paid)

    View the infected files present on your WordPress website. Learn which themes or plugins or files or folders were infected by hackers.

  2. Industry-First Instant Malware Removal (Paid)

    Clean your hacked site instantly in less than 60 secs with MalCare’s 1-Click Cleaner. Clean your website before Google blacklists it or your web host takes it down.

  3. WordPress Recommended Website Hardening (Paid)

    Easily configure WordPress recommended best security practices with just 1-Click from right within MalCare’s dashboard. No technical knowledge needed.

  4. Geo-blocking (Paid)

    Restrict access to users based on their geographical location. Easily block all visitors from certain countries to mitigate the risk of being hacked.

  5. Uptime Monitoring (Paid)

    With MalCare’s Uptime Monitoring keep a steady eye on your website. It ensures that you are not oblivious to website downtime.

Common Hack Attacks Prevented By MalCare

MalCare protects websites against all common hack attacks which includes:

MalCare Free vs. MalCare Premium

  1. Cloud Based Malware Scanner (FREE)

    • Cloud-Based Malware Scanning (Free)
    • Deep Malware Scanning – Files & Database (Free)
  2. Website Firewall (FREE)

    • Web Application Firewall (Free)
    • Plugin Based Firewall (Free)
    • Rules update every 7 days (Free)
    • Login Protection (Free)
    • Bot Protection (Free)
    • Rules update every 5 mins (Paid)
    • Geo-Blocking (Paid)
    • Website Hardening (Paid)
  3. Instant Malware Removal (PAID)

    • View Malware Insights (Paid)
    • Instant One-Click Clean Ups (Paid)
    • Automatic Clean-Ups (Paid)
    • Unlimited Clean-Ups (Paid)
  4. Personalized Customer Support (Paid)

    • Support on WordPress forum (Free)
    • Support via email and chat (Paid)

Who Can Benefit From MalCare?

MalCare is perfect for:

  • Any WordPress Websites
  • Small Business Websites
  • Developer Websites
  • Web Designing Websites
  • eCommerce Stores
  • Niche Sites
  • Artists & Photographers Sites
  • Amateur & Professional Bloggers
  • Local Business Sites
  • Website for Startups
  • Websites Selling Courses
  • Influencer Sites
  • Web Hosting Companies
  • Website Maintenance Services or Agencies

Detailed Setup Step-by-Step Tutorials

This plugin works in tandem with the MalCare servers. MalCare servers do all the heavy processing and will alert you if your site has any issues.

Hence a MalCare account is needed to use the plugin. This account can also be used by our other products including BlogVault.

MalCare Full Features List

  • Cloud Based Malware Scanner

    • Daily Scan Frequency
    • On-demand Site Scans
    • Scan Non-WP Files
    • Does not slow down your website ever
  • Instant Malware Removal

    • View Hacked Files details
    • Instant Automatic Malware Removal
    • Removal of Unknown & New Malware
    • Unlimited Malware Removal
  • Intelligent Malware Protection

    • Web Application Firewall
    • IP Whitelisting
    • CAPTCHA-based Login Protection
    • Traffic Logs
    • Login Logs
    • Geo-Blocking
    • Alerts for Suspicious Logins
  • Website Hardening

    • Block PHP Execution in Untrusted Folders
    • Disable Files Editor
    • Block Plugin or Theme Installation
    • Change Security Keys
    • Reset All Passwords
  • Complete Website Management

    • Centralized Dashboard
    • Plugins & Themes Management & Update
    • User Management
    • Team Management
    • Client Management
    • Generate & Schedule Reports
    • White-Labeling Solution
    • Uptime Monitoring
    • Site Speed Monitoring
    • Blacklist Alarm
    • Slack Integration
  • Support

    • Email
    • Chat
    • Social Media

Fans Are Raving About Us

Connect With Our Team of Security Experts

Join MalCare’s Facebook Community – The purpose of the group is to enable Web Creators to gain valuable insights and help from community members which will be valuable to their business. So, if you are a WordPress user & want to keep up with the latest industry news and get help for your business, join us!

Don’t Know Where to Getting Started? Start From Here –

MalCare vs. Others

Captures d’écran

  • It’s extremely easy to add a website to MalCare’s dashboard. All you need to do is add a URL and install the plugin on your website.
  • MalCare's Early Detecting Technology uses 100+ intelligent signals to detect even the most complex malware that other WordPress security plugins cannot detect.
  • No more waiting for days or hours to clean your website. Clean your website of malicious code with surgical precision in One-Click.
  • MalCare offers a Login Protection which limits the number of failed login attempts made by hackers and bots via Captcha protection.
  • MalCare's Firewall automatically blocks malicious traffic with its intelligent visitor pattern detection technology.
  • MalCare helps implement Advanced Website Hardening measures to make your site more secure against hackers and bots.
  • MalCare's Geoblocking effectively blocks countries from visiting your site with just a click of a button.
  • MalCare’s Uptime Monitoring notifies if a website goes down so that you can handle the situation before starting to lose visitors.


Can I Setup my MalCare account myself?

Yes. Take the help of this step-by-step guide.

I am unable to reach the security plugin. What can I do?

You can send an email to the support team on and notify our team regarding this.

Do you have a free version? How does it work?

MalCare Security Service has a free version and a premium version. We’ll scan and protect your website with a Firewall in the free MalCare version. You can download the security plugin from the WordPress repository.

The paid version includes Cleaning a Hacked Site, Website Hardening, Website Management, White-Labeling, Client Reporting, and taking Regular Backups. Kindly take a look at our security feature pages for more details.

To learn more, please take a look at MalCare free vs premium page.

How do I upgrade from free to a premium account?

To upgrade from free trial version to a premium account, please take the help of this guide.

How do I upgrade to a bigger Plan?

To upgrade to a bigger Plan, take the help of this guide.

Do I need to pay for support and help?

Never! We will be with you for any queries at any time. Click here to get in touch with us!

How many times does MalCare auto-scan a website?

MalCare automatic security scans a website once every 24 hours.

How does MalCare detect complex malware?

MalCare Security Service scans all your website WordPress files beyond just signatures and evaluates it automatically using powerful technology with the collective knowledge of 240,000+ sites. It uses 100 + intelligent signals automatically for deep security scanning and combing through all the files. That is how it detects even the most complex and well-hidden malware on your site.

Does MalCare affect my site performance?

No, not at all. MalCare Security Service performs all the heavy lifting of scanning your entire site WordPress files on its own. It does not use your site resources. MalCare Security Service runs its security operations on MalCare servers, thereby ensuring zero loads from its side on your website.

How does the unlimited cleanup policy work?

A situation may occur where your site is being repeatedly infected. In such events, there is no limit to the number of times you can clean up a hacked website.

But if the situation persists, then cleaning up the site, again and again, will not solve the problem. In such cases, you can contact us, and we will help improve your security posture. We’d ask you to take proactive measures based on the recommendation of the Support team. We reserve the right to refuse service until appropriate actions are taken from your end. In cases like this, we also reserve the right to deny refund or cancellation of the MalCare Security account.

What do I need to clean my website?

In order to begin the cleanup process, we need access to your server and its associated files. (Don’t worry, this will not compromise your site’s security).

We get this access in the form of FTP, SFTP, or SSH access to your server. FTP stands for File Transfer Protocol, sFTP for Secure File Transfer Protocol, and SSH for Secure Shell. These are connection protocol mechanisms that allow us to log into servers to edit/add/remove files. These connection protocols allow us to log into your websites, specifically the server, and perform the remediation process. If you for some reason are unfamiliar with these protocols, don’t worry, our team of security analysts are prepared to assist you in the process. To do so, you’ll need to be willing to share access information to your hosting account.

We covered how to clean a website here. Here’s a guide on how to find FTP credentials and another guide on how to locate a folder where WordPress is installed.

How long does it take to clean a site?

It really depends on the size of the website. In average, cleaning up with MalCare Security usually takes 5-10 mins.

How does the Login Protection work?

MalCare’s Login Protection feature prevents bots from entering your website stealing your data, spamming and other malicious activities that threaten the security of your site.

How does the Site Hardening work?

WordPress has recommended few extra security measures which will harden the security of your website. We have incorporated those recommendations in our Site Hardening feature. Kindly have a look at our guide on how to implement Site Hardening.

How does the Firewall work?

MalCare Security Service was created after analyzing over 240,000 sites from scratch. The Firewall constantly monitors traffic from all places and automatically blocks IP’s that seem malicious in nature. As such, it is automatically enabled and needs minimal overseeing.

MalCare Firewall Security ensures that attacks on your site by even bots are mitigated, without affecting your WordPress site. It monitors bots across a global level without ever overloading your server.

Can I update WordPress core, plugins and themes directly?

Yes. Updating WordPress add-ons tightens the security of your website. Take a look at this Manage Site help doc to learn how to update WordPress add-ons.

Can I manage my site users and their password directly?

Yes. With MalCare managing WordPress, users have become easier. Take the help of this Manage Site help doc. Remember to delete the passive user account and encourage users to use a strong password for better security.

Can I add Clients and Team Members on my account?

Yes, you can.
Our client feature is for your reference alone. You can assign a client to their site. If you want to give a user, the dashboard access, please add them as your team members under the team section. Please see How do I add clients and team members? For the sake of security, give dashboard access to only people you can trust.

Will MalCare Security work if my site is down?

We understand the pains of a website going down. If a site goes down after you have added the website and installed the security plugin from the dashboard, MalCare will clean up your site.
But if you add a website that was down beforehand, i.e. before adding the security plugin, then MalCare Security Service won’t work.

What information does MalCare Security Service store?

We only store data related to your site structure such as plugins/themes with their respective versions. This helps us identify vulnerabilities that may be present on the site. We track the IPs of visitors to your site, to identify malicious actors who might attack your site.

What makes MalCare Security Service better than other security plugins?

MalCare Security Service was developed after analyzing 240,000+ websites.
* It uses 100+ internal signals to Scan and identifies the most complex malware.
* It pinpoints the malware’s exact location on your site. It does remote security scanning, to ensure there are Zero loads on your server.
* MalCare comes with an industry first One-Click Malware removal service that eliminates any malware in a jiffy.
* We alert you only when there is a legitimate malicious discovery rather than ‘possible hacks’.

We feel these features set us apart from most other WordPress security plugins. For further information take a look at how MalCare Security Service stands when compared with Top Security Plugins.

I already have a backup solution. Something happens to my site, I can simply restore. Why do I need a security plugin?

Backups play a very important role in WordPress security, but it has some limitations. We have noticed that in many cases, it is weeks before a site owner realizes that his/her website has been hacked.

During this period multiple backups will be taken, and there will be a high chance that the files that contain the hack or the Malware are also backed up.

In such a case restoring from backup is not sufficient as it will not clean your website. Here is where a Malware solution like MalCare Security Service comes in. It does regular automated security scans of your website and notifies you if there is any sort of Malicious content on your website.

Isn’t WordPress secure enough?

WordPress core is safe, but the CMS does not work in isolation. Security plugins and themes are part of its ecosystem. Several studies on hacked sites show that plugins and themes are responsible for a majority of such compromise. MalCare Security Service is an easy and effective way of securing websites and keeping them safe from hack attempts. Look at this full feature list.

Why will an SSL certificate not suffice?

An SSL certificate is used only to encrypt a connection between the browser and server to safely transmit sensitive information. However, MalCare Security Service goes beyond and actually protects the database where this information is stored, scans your website files using 100+ intelligent signals automatically, and applications protect from data breaches and spreading of viruses/malware. These functionalities are not provided by an SSL certificate.

How is MalCare Security Service the best for agencies or developers?

We’re the best because of three features:
* We have developer-friendly plans that are easy on the wallet. If you’re a developer or an agency that hosts about 10 websites, the chances are that enterprise-level security packages would be too expensive for you. If you’ve got anything more than seven sites, take a look at our unlimited plans.
* Our auto-clean feature makes sure that you can scan, and clean your sites by yourself, so you don’t waste precious time.
* MalCare’s regular security scans alert you whenever it identifies hacks, so your sites are always secure.

How does MalCare Security handle WordPress Multisite installs?

We completely understand the concern and complexities surrounding WordPress Multisite installs. We treat each WordPress install as a license. It means that if you have a network of websites on a single WordPress installation, we treat that as a single license.

Will MalCare Security Service slow down my website?

MalCare runs on its own servers. We take great care to ensure that we do not add load to your site. We do all the hard work of security scanning, cleaning and protecting, on our servers and this is our USP.

Where are my FTP details processed?

FTP details input into MalCare is processed on our servers. We need your FTP credentials to access your website’s files and folders. We feel that FTP transfer is the safest way to transfer data to and from a site. However, they are treated like payment details (i.e. they’re not stored on our servers). Once we’ve processed them, they’re deleted from our servers.

Where can I find the MalCare Terms of Use and Privacy Policy?

These are available on our website: Terms of Service and Privacy Policy


24 novembre 2021
After issues on our GoDaddy hosted WordPress website following a security breach, I installed this plugin. It takes you by the hand every step of the way and securely removes any malware. You can set various security levels from their Dashboard - depending on your situation and preference and it is super easy to apply hardening levels. A comfortable feeling knowing our websites are now serviced with the highest security level. I would advice anyone using this, their support is also quick and top notch. Kudos on this value for money plugin!
17 novembre 2021
I own an agency and we have been bombarded recently. Malcare 100% belongs in your security stack. They have an actual Auto-Clean button and it worked for me on two sites today. Great ticket support as well, straight from your inbox to the system. Very knowledgeable staff provided great information on dealing with faux URLs leftover from a hack as well. The dashboard is VERY robust, similar to Manage WP or other website managers, just tons of information. I had to ask for the monthly program, they do have one and it is very reasonable - especially because remediation is included. Really its twice what's provided for half the cost compared to the other industry leader (who shall remain nameless lol)... anyway don't be afraid to jump in.
30 octobre 2021
I've been working on WordPress sites for many years and this is by the far the best plugin I have found for quickly finding and fixing a hacked website. Yes, it costs some money but you get what you pay for and the other tools it provides makes $99 a year well worth it. On a recent site hack a database had been injected with a complex code the plugin couldn't fix automatically, but within 20 minutes the team at Malcare had gone in and manually fixed it, again you get what you pay for so for me this is well worth it.
26 octobre 2021
The free version is advertising. Doesn't do anything really useful. You have to pay in order to use it.
Lire les 221 avis

Contributeurs & développeurs

« MalCare Security – Free Malware Scanner, Protection & Security for WordPress » est un logiciel libre. Les personnes suivantes ont contribué à cette extension.




  • Updated the logos


  • MultiTable Sync in single callback functionality added.
  • Streamlined overall UI
  • Firewall Logging Improvements
  • Improved host info


  • Firewall Logging Improvements


  • Improved host info
  • Re-enabled plugin deactivation functionality from wp-admin for botprotection sites


  • Better Handling of error message from Server on signup
  • Fixed firewall caching issue
  • Minor bug fixes


  • Fixed services data fetch bug


  • Handling Activity Log corner case error


  • Activity Log for Woocommerce events
  • Minor Improvements in Firewall
  • Minor Improvements


  • Added Support For Multi Table Callbacks
  • Added Firewall Rule Evaluator
  • Added Activity Logs feature
  • Minor Improvements


  • New UI for registration page
  • Bug Fixes


  • Bug Fixes


  • Removed files and db access check
  • On uninstall remove prepend configuration
  • minor bug fixes


  • Disabling deactivate for botprotection accounts
  • Disconnect functionality through wpcli with params account_gid and account_type
  • Removed manual signup logic


  • Hiding bot protection dashboard from wp-admin


  • updating plugin name for cloudways server


  • Fetching Mysql Version
  • Robust data fetch APIs
  • Core plugin changes
  • Sanitizing incoming params
  • changed bvoverride cw name to manualsignup
  • plugin uninstall bug fix


  • Improved CSS
  • Wpcli V2 code
  • account disconnect option
  • plugin deactivate bug fix


  • Override bot protect over protect


  • Sending plugname in request to backend servers


  • Adding default parameter for MCWPAdmin constructor


  • Robust write callbacks
  • Improved and Robust prepend in Firewall Support
  • Without FTP cleanup and restore support


  • Updated MalCare landing page front-end


  • Removing deprecated get_magic_quotes_gpc function
  • Improving Firewall Logging


  • WPCli to server request path updated
  • Authentication header added in wpcli request param


  • Firewall in prepend mode
  • Robust Firewall and Login protection


  • Plugin branding fixes


  • Updating account authentication struture


  • Adding params validation
  • Adding support for custom user tables


  • Restructuring classes


  • Request profling and logging


*Firewall improvements


  • Callback improvements
  • Adding delete transient callback


  • Checking Whitelisted IP’s first


  • Updating tested upto 5.1


  • Disable form on submit


  • Setting blocked page to be non-cacheable


  • Updating tested upto 5.0


  • Adding Geoblocking functionality


  • Adding function_exists for getmyuid and get_current_user functions


  • Removing create_funtion for PHP 7.2 compatibility


  • Ability to show captcha for all login blocked


  • Adding Misc Callback


  • Adding logout functionality in the plugin


  • Adding support for chunked base64 encoding


  • Updating upload rows


  • Updating TOS and privacy policies


  • Bug fixes for lp and fw


  • SSL support in plugin for API calls
  • Adding support for plugin branding


  • First Release