WordPress.org

Cymraeg

Cael WordPress
WordPress.org

Plugin Directory

MalCare WordPress Security Plugin – Firewall, Malware Scanner & Login Protection

MalCare WordPress Security Plugin – Firewall, Malware Scanner & Login Protection

Gan malcare
Llwytho i lawr

Disgrifiad

Get Bulletproof Security for your WordPress site. WordPress security plugin packed with comprehensive Firewall, malware scanner, cleaner & more.

Complete WordPress Protection, Without Slowing Down Your Site

MalCare protects your website with 5 free layers of security – WordPress Firewall, Malware Scanner, Login Protection, and more.

All the heavy lifting is done by our own servers, so your website never slows down.

Our team of 50+ dedicated security engineers are building industry-first technologies like Instant Malware Removal, Atomic Security etc.

MalCare is trusted by 200,000+ developers and businesses for serious protection – from popular blogs to WordPress agencies and Fortune 500 companies like Intel, eBay, Toshiba and more.

Secure Your Site in 3 steps

Most security plugins expect you to understand rules, logs, and configurations to set up security. MalCare does the opposite. No manual tuning. No confusing setup wizard. Just 3 steps to secure your site:

  1. Install & activate the plugin, like you normally do
  2. Add your email to create an account for security alerts
  3. MalCare automatically sets up 5 layers of security (free)

P.S. Already hacked? Here’s our emergency guide

MalCare’s 5 Layers of Security (Free)

Once you’ve installed the plugin, MalCare automatically sets up 5 layers of security (free) that protect your site without limitations. You can upgrade to the paid version for enhanced protection and malware removal.

  1. WordPress Firewall contains 200+ built-in rules for top-tier protection, and new rules are never delayed – our real-time threat network keeps updating your firewall to block the latest attacks.
  2. Deep Malware Scanner catches hidden malware that other plugins often miss. It runs 100+ checks, including AI heuristic analysis. All this is powered by offsite servers, so your site never slows down.
  3. The Vulnerability Scanner warns you when a plugin or theme puts your site at risk, so you can update or replace it before hackers can target it.
  4. Login Protection protects your site with brute-force defence, login security and two-factor authentication so weak passwords or bot attack attempts do not turn into break-ins.
  5. Atomic Security analyzes your specific site’s vulnerable points and applies customised rules to protect against zero-day attacks.

MalCare Premium

The free version protects & detects common threats without any limitations. Upgrade when you need stronger protection for high-value sites and instant malware removal.

  1. Instant Malware Removal is the fastest and smartest cleanup in WordPress. It surgically removes malware & backdoors without damaging your site, with a money-back guarantee against reinfections.
  2. GeoBlocking blocks traffic from unwanted regions sending attacks, spam or traffic spikes that put extra load on your site.
  3. Bot Protection blocks bad bots while allowing good ones like Google, helping reduce spam, cut unnecessary load, and protect key pages from abuse.
  4. Activity Log shows exactly what changed on your site, when it changed, and who did it, so you can troubleshoot problems in minutes instead of hours.
  5. Personal Support from our dedicated team of 50+ security engineers to help you resolve security issues asap and control any damages.

Security That Adapts to Your Site

Our dedicated team of 50+ engineers continuously release improvements so MalCare can protect the widest range of WordPress sites.

During installation, MalCare analyzes your website and automatically applies one of 100+ custom configurations. It is often the only security plugin relied on by:

  1. Portfolios and Media Sites
  2. Startups and Small Businesses
  3. Ecommerce stores
  4. Developers and Agencies
  5. Fortune 500 Enterprises
  6. Government bodies and NGOs

We’ve built unique features to deliver more personalized protection – like Atomic Security, which analyses each WordPress site and creates custom rules for protection against new vulnerability exploits, called “zero-day protection”.

Why people install MalCare

We believe security is only useful when it helps you focus on real problems: hidden malware, vulnerable plugins and themes, brute-force attempts, dangerous bot traffic, and important site changes. You get clear alerts you can act on instead of a dashboard full of panic-inducing false positives. The 4 main reasons people install MalCare are:

  • They want the best WordPress protection without slowing down their site
  • They want real alerts, not constant noise.
  • They want one dashboard for security, instead of a patchwork of plugins
  • They want a fast and guaranteed recovery path when a site is hacked.

Manage security across multiple websites

MalCare helps you avoid scattered logins, fragmented alerts, and plugin-by-plugin chaos. Add sites to your central dashboard, monitor security from one place, and keep protection consistent across client sites, business properties, and growing portfolios.

Government bodies, NGOs and companies managing 5-10 sites can easily add multiple sites to our central dashboard after plugin installation. For any queries, contact here.

Developers and Agencies who need help with bulk-importing sites and additional features like backups, bulk updates etc can contact us here.

When your site is hacked, speed matters

The longer malware stays on your site, the more damage it can do to SEO, ads, uptime, and customer trust. MalCare Premium helps you move fast with instant malware removal, support for blacklist and host suspension issues, and protection against reinfection.

Every day, 10,000+ hacked sites buy MalCare Premium to instantly cleanup, repair and protect their website from the widest range of threats, like:

  • Spammy redirects or strange popups
  • Japanese keyword pages, SEO spam, or sudden traffic drops
  • Login attacks and brute force attempts
  • Malware warnings, host suspensions, or blacklist issues
  • Hidden malware and backdoors that basic scanners miss

However, for your peace of mind, we also provide 100% moneyback-guarantee for any failed cleanups. Here’s a list of attacks MalCare can clean in less than 3 minutes

WordPress Experts Love MalCare!

About The MalCare Team

We are a team of 50+ security engineers committed to providing the most reliable protection for your website. We release improvements every two weeks/month and keep pushing the envelope with new technologies like our real-time firewall, atomic security and more to proactively prevent security issues.

Our company has a proven track record of 12+ years in WordPress and in 2025 alone, we’ve helped 1.5M+ sites and 30,000+ agencies with our flagship products, including MalCare, BlogVault, MigrateGuru, and WPRemote

Contact Us

  1. Emergency guide for hacked sites
  2. Request a feature/report a bug
  3. Find out more about us

Lluniau Sgrin

  • One dashboard to stay ahead of malware, vulnerabilities, firewall activity, and critical security events.
  • Detect hidden malware, clean it in one click, and harden your site against repeat attacks.
  • The firewall blocks malicious traffic in real time, with geoblocking and activity logs adding extra control and visibility.
  • Proactive login protection blocks suspicious access, while 2FA and login logs add extra security and more insight into login activity.

Cwestiynau Cyffredin

Can I Setup my MalCare account myself?

Yes. Take the help of this step-by-step guide.

Why do you need my email?

We require your email address to keep you informed about important updates related to your website, such as malware alerts, vulnerability alerts, and uptime alerts.

Having an account is necessary to use our service, and your email address serves as a unique identifier for your account.

In addition, we may use your email address to notify you about any changes or updates that we make to our service, as well as any new features or services that we may offer to help enhance your user experience.

I am unable to reach the security plugin. What can I do?

You can send an email to the support team at [email protected] and notify our team regarding this.

Do you have a free version? How does it work?

MalCare Security Service has a free version and a premium version. We’ll scan and protect your website with a Firewall in the free MalCare version. You can download the security plugin from the WordPress repository.

The paid version includes Cleaning a Hacked Site, Website Hardening, Website Management, White-Labeling, Client Reporting, and taking Regular Backups. Kindly take a look at our security feature pages for more details.

To learn more, please take a look at MalCare free vs premium page.

How do I upgrade from a free to a premium account?

To upgrade from a free trial version to a premium account, please take the help of this guide.

How do I upgrade to a bigger Plan?

To upgrade to a bigger Plan, take the help of this guide.

Do I need to pay for support and help?

Never! We will be with you for any queries at any time. Click here to get in touch with us!

How many times does MalCare auto-scan a website?

MalCare automatic security scans a website once every 24 hours.

How does MalCare detect complex malware?

MalCare Security Service scans all your website WordPress files beyond just signatures and evaluates them automatically using powerful technology with the collective knowledge of 240,000+ sites. It uses 100 + intelligent signals automatically for deep security scanning and combing through all the files. That is how it detects even the most complex and well-hidden malware on your site.

Does MalCare affect my site performance?

No, not at all. MalCare Security Service performs all the heavy lifting of scanning your entire site WordPress files on its own. It does not use your site resources. MalCare Security Service runs its security operations on MalCare servers, thereby ensuring zero loads from its side on your website.

How does the unlimited cleanup policy work?

A situation may occur where your site is being repeatedly infected. In such events, there is no limit to the number of times you can clean up a hacked website.

But if the situation persists, then cleaning up the site, again and again, will not solve the problem. In such cases, you can contact us, and we will help improve your security posture. We’d ask you to take proactive measures based on the recommendation of the Support team. We reserve the right to refuse service until appropriate actions are taken from your end. In cases like this, we also reserve the right to deny refund or cancellation of the MalCare Security account.

What do I need to clean my website?

In order to begin the cleanup process, we need access to your server and its associated files. (Don’t worry, this will not compromise your site’s security).

We get this access in the form of FTP, SFTP, or SSH access to your server. FTP stands for File Transfer Protocol, sFTP for Secure File Transfer Protocol, and SSH for Secure Shell. These are connection protocol mechanisms that allow us to log into servers to edit/add/remove files. These connection protocols allow us to log into your websites, specifically the server, and perform the remediation process. If you for some reason are unfamiliar with these protocols, don’t worry, our team of security analysts is prepared to assist you in the process. To do so, you’ll need to be willing to share access information to your hosting account.

We covered how to clean a website here. Here’s a guide on how to find FTP credentials and another guide on how to locate a folder where WordPress is installed.

How long does it take to clean a site?

It really depends on the size of the website. In average, cleaning up with MalCare Security usually takes 5-10 mins.

How does the Login Page Protection work?

MalCare’s Login Protection feature prevents bots from entering your website stealing your data, spamming, and other malicious activities that threaten the security of your site.

How does the Site Hardening work?

WordPress has recommended a few extra security measures which will harden the security of your website. We have incorporated those recommendations in our Site Hardening feature. Kindly have a look at our guide on how to implement Site Hardening.

How does the Firewall work?

MalCare Security Service was created after analyzing over 240,000 sites from scratch. The Firewall constantly monitors traffic from all places and automatically blocks IPs that seem malicious in nature. As such, it is automatically enabled and needs minimal overseeing.

MalCare Firewall Security ensures that attacks on your site by even bots are mitigated, without affecting your WordPress site. It monitors bots across a global level without ever overloading your server.

Can I update WordPress core, plugins, and themes directly?

Yes. Updating WordPress add-ons tightens the security of your website. Take a look at this Manage Site help doc to learn how to update WordPress add-ons.

Can I manage my site users and their password directly?

Yes. With MalCare managing WordPress, users have become easier. Take the help of this Manage Site help doc. Remember to delete the passive user account and encourage users to use a strong password for better security.

Can I add Clients and Team Members to my account?

Yes, you can.
Our client feature is for your reference alone. You can assign a client to their site. If you want to give a user, dashboard access, please add them as your team members under the team section. Please see How do I add clients and team members? For the sake of security, give dashboard access to only people you can trust.

Will MalCare Security work if my site is down?

We understand the pains of a website going down. If a site goes down after you have added the website and installed the security plugin from the dashboard, MalCare will clean up your site.
But if you add a website that was down beforehand, i.e. before adding the security plugin, then MalCare Security Service won’t work.

What information does MalCare Security Service store?

We only store data related to your site structure such as plugins/themes with their respective versions. This helps us identify vulnerabilities that may be present on the site. We track the IPs of visitors to your site, to identify malicious actors who might attack your site.

What makes MalCare Security Service better than other WordPress security plugins?

MalCare Security Service was developed after analyzing 240,000+ websites.
1. It uses 100+ internal signals to Scan and identify the most complex malware.
2. It pinpoints the malware’s exact location on your site. It does remote security scanning, to ensure there are Zero loads on your server.
3. MalCare comes with an industry-first One-Click Malware removal service that eliminates any malware in a jiffy.
4. We alert you only when there is a legitimate malicious discovery rather than ‘possible hacks’.

We feel these features set us apart from most other WordPress security plugins. For further information take a look at how MalCare Security Service stands when compared with Top Security Plugins.

I already have a backup solution. Something happens to my site, I can simply restore it. Why do I need a security plugin?

Backups play a very important role in WordPress security, but it has some limitations. We have noticed that in many cases, it is weeks before a site owner realizes that his/her website has been hacked.

During this period multiple backups will be taken, and there will be a high chance that the files that contain the hack or the Malware are also backed up.

In such a case restoring from backup is not sufficient as it will not clean your website. Here is where a Malware solution like MalCare Security Service comes in. It does regular automated security scans of your website and notifies you if there is any sort of Malicious content on your website.

Isn’t WordPress secure enough?

WordPress core is safe, but the CMS does not work in isolation. Security plugins and themes are part of its ecosystem. Several studies on hacked sites show that plugins and themes are responsible for a majority of such compromises. MalCare Security Service is an easy and effective way of securing websites and keeping them safe from hack attempts. Look at this full feature list.

Why will an SSL certificate not suffice?

An SSL certificate is used only to encrypt a connection between the browser and server to safely transmit sensitive information. However, MalCare Security Service goes beyond and actually protects the database where this information is stored, scans your website files using 100+ intelligent signals automatically, and applications protect from data breaches and the spreading of viruses/malware. These functionalities are not provided by an SSL certificate.

How is MalCare Security Service the best for agencies or developers?

We’re the best because of three features:
1. We have developer-friendly plans that are easy on the wallet. If you’re a developer or an agency that hosts about 10 websites, the chances are that enterprise-level security packages would be too expensive for you. If you’ve got anything more than seven sites, take a look at our unlimited plans.
2. Our auto-clean feature makes sure that you can scan, and clean your sites by yourself, so you don’t waste precious time.
3. MalCare’s regular security scans alert you whenever it identifies hacks, so your sites are always secure.

How does MalCare Security handle WordPress Multisite installs?

We completely understand the concern and complexities surrounding WordPress Multisite installs. We treat each WordPress install as a license. It means that if you have a network of websites on a single WordPress installation, we treat that as a single license.

Will MalCare Security Service slow down my website?

MalCare runs on its own servers. We take great care to ensure that we do not add load to your site. We do all the hard work of security scanning, cleaning, and protecting, on our servers and this is our USP.

Where are my FTP details processed?

FTP details input into MalCare is processed on our servers. We need your FTP credentials to access your website’s files and folders. We feel that FTP transfer is the safest way to transfer data to and from a site. However, they are treated like payment details (i.e. they’re not stored on our servers). Once we’ve processed them, they’re deleted from our servers.

Where can I find the MalCare Terms of Use and Privacy Policy?

These are available on our website: Terms of Service and Privacy Policy

Adolygiadau

Above and beyond

Mawrth 19, 2026 1 reply
I am over the moon with my experience with Malcare. Not only did their free online tool fine malware where others didn’t, they fixed it immediately and then went on to surprise and delight me by helping me undo the damage. Customer service (Kousik) was empathetic and very responsive. I love their dashboard which gives me a look at how frequently these brute force attacks are happening. It’s scary. If you’re investing at all in your site and exposure, buy their plan so you don’t wake up one day and find malicious code has been messing around with your content for years.

Great plugin and support

Mawrth 18, 2026 1 reply
Great plugin, lightweight and protects the sites. Support is amazing, fast replies and care to help.

HUMAN SUPPORT TOP SECURITY

Mawrth 9, 2026 1 reply
I got a fake recaptcha script on my site , i tried all ways to locate it but all in vain.Then i found malcare, there scanner helped me realised that my site had far more issues than just an enqueued script, It had hidden plugins i couldnt see on the dashboard and over 3000 files were corrupted.The heads up alone was a reliever as it helped me fire fight everything with direction.Next time I will definitely add the security Pricing on my clients quote and will make sure i have the Malcare Premium.With the way they follow up on tickets, I believe the Premium is worth paying for and have a piece of mind

The security plugin I actually trust on client sites

Chwefror 24, 2026 1 reply
Been managing WordPress sites for agencies and clients for years. MalCare is the one security plugin I keep coming back to. The free version delivers real value – automatic daily scans, firewall protection, and brute force prevention without touching your server resources. That alone puts it ahead of most alternatives. What really stands out is the support team. Fast, professional, and they actually solve problems instead of sending you to a documentation article. If you manage multiple WordPress sites, the centralized dashboard is worth it on its own. Clean interface. No false alarms. Does what it promises. 5 stars, no hesitation.

Nothing But Solid Service

Chwefror 18, 2026 1 reply
Seems to be a lot of strong opinions on here but my experience has been nothing but top notch. Yes, you have to pay for it. Anything good is worth paying for. Each time I’ve had an issue, the software has assisted me with recovery. It’s made restoring simple when needed, and their customer service has always been great to me; especially when it comes to a few things over my head. Appreciate the assistance, Malcare. Thank you!
Read all 521 reviews

Contributors & Developers

“MalCare WordPress Security Plugin – Firewall, Malware Scanner & Login Protection” is open source software. The following people have contributed to this plugin.

Cyfranwyr

Translate “MalCare WordPress Security Plugin – Firewall, Malware Scanner & Login Protection” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Cofnod Newid

6.44

  • Tweak: Improved the WP core updates flow.
  • Tweak: Improved the plugin auto-install flow.

6.39

  • Tweak: Code Restructuring
  • New: Added Connection key support

6.36

  • New: Added deactivation feedback form to collect user feedback when deactivating the plugin
  • Tweak: Improvements in Auto-login and File System
  • Tweak: Code Restructuring

6.02

  • Tweak: Improved Authentication

5.93

  • Tweak: Improvements in bulk upgrade

5.92

  • Tweak: Improvements in fetching File Stats

5.91

  • Tweak: Code Restructuring

5.88

  • Fix: Resolved compatibility issues with WordPress versions below 6.2.
  • Tweak: Added support for PHP 8.4

5.85

  • New: Added Gravity Forms support in Form Testing.
  • Tweak: Code Restructuring

5.81

  • Tweak: Enhanced Form Monitoring
  • Tweak: Improved Error Handling

5.77

  • New: Introduced WP Login Whitelabel
  • Tweak: Enhanced Two-Factor Authentication

5.73

  • Tweak: Improved handling for Two-Factor Authentication

5.72

  • New: Introduced Two-Factor Authentication
  • Tweak: Enhanced PHP Error Monitoring feature

5.68

  • Tweak: DB Version Update

5.67

  • Fix: Firewall uninstallation issue when using WP-CLI

5.65

  • New: Introduced Domain Monitoring feature
  • New: Introduced PHP Error Monitoring feature
  • Tweak: Implemented Captcha bypass support for Forminator and Gravity Forms
  • Tweak: Enhanced Firewall

5.56

  • Better handling for Activate Redirect

5.55

  • Updating classes in PHP Files

5.54

  • Adding SVG files.

5.53

  • UI Improvements.
  • Enhanced Firewall for greater robustness.
  • Manage Improvements.

5.47

  • Bug fix: Fetch Elementor DB details

5.45

  • Added Elementor DB Update Support

5.42

  • Enhanced Firewall
  • Added Maintenance Mode Support
  • Enhanced Whitelabel Functionality

5.41

  • Enhanced Firewall
  • Improved Authentication
  • Improved WooCommerce DB Update Support

5.38

  • Added WooCommerce 8.2.1 Real-Time-Backup support.
  • Enhanced Firewall for greater robustness
  • Enhanced WAF

5.25

  • Bug fix get_admin_url

5.24

  • WooCommerce DB Update Support
  • SHA256 Support
  • Stream Improvements

5.22

  • Code Improvements
  • Reduced Memory Footprint

5.16

  • Security Improvement: Upgraded Authentication

5.09

  • Manage Improvements

5.05

  • Code Improvements for PHP 8.2 compatibility
  • Firewall Enhancements
  • Manage Improvements

4.97

  • Firewall Improvements
  • Whitelabel improvements

4.87

  • Plugin Update Improvements
  • Theme Update Improvements

4.86

  • Whitelabel Improvements
  • Activity log Improvements for Core update

4.84

  • Bug fix: Handling WooCommerce update order hook

4.83

  • Geo-blocking with advanced firewall
  • Activity log improvements and bug fixes
  • Woocommerce custom table support for real-time backups

4.82

  • Firewall Improvements
  • Real-time Improvements
  • Improving coding standards
  • Code Improvements
  • Updated bootstrap

4.78

  • Improvements in identifying plugin and theme updates.

4.77

  • Improved the landing pages.
  • Enhanced future vulnerability protection
  • IP Blocking Improvements
  • Improved firewall configuration for migrations

4.76

  • Improvements in fetching file stats

4.75

  • Added the MalCare badge image

4.74

  • Enhanced handling of plugin services
  • Added functionality for realtime sync
  • Removed deprecated hook
  • Improvements in identifying plugin updates.

4.72

  • Sync Improvements

4.69

  • Improved network call efficiency for site info callbacks.

4.68

  • Removing use of constants for arrays for PHP 5.4 support.

4.67

  • Robust firewall-config checks

4.66

  • Post type fetch improvement.
  • Handing wing version for ipstore wing.

4.65

  • Making Login Protection more configurable.
  • Robust handling of requests params.
  • Callback wing versioning.

4.63

  • Updated the logos

4.62

  • MultiTable Sync in single callback functionality added.
  • Streamlined overall UI
  • Firewall Logging Improvements
  • Improved host info

4.61

  • Firewall Logging Improvements

4.59

  • Improved host info
  • Re-enabled plugin deactivation functionality from wp-admin for botprotection sites

4.58

  • Better Handling of error message from Server on signup
  • Fixed firewall caching issue
  • Minor bug fixes

4.57

  • Fixed services data fetch bug

4.56

  • Handling Activity Log corner case error

4.55

  • Activity Log for Woocommerce events
  • Minor Improvements in Firewall
  • Minor Improvements

4.54

  • Added Support For Multi Table Callbacks
  • Added Firewall Rule Evaluator
  • Added Activity Logs feature
  • Minor Improvements

4.53

  • New UI for registration page
  • Bug Fixes

4.52

  • Bug Fixes

4.51

  • Removed files and db access check
  • On uninstall remove prepend configuration
  • minor bug fixes

4.4

  • Disabling deactivate for botprotection accounts
  • Disconnect functionality through wpcli with params account_gid and account_type
  • Removed manual signup logic

4.33

  • Hiding bot protection dashboard from wp-admin

4.32

  • updating plugin name for cloudways server

4.31

  • Fetching Mysql Version
  • Robust data fetch APIs
  • Core plugin changes
  • Sanitizing incoming params
  • changed bvoverride cw name to manualsignup
  • plugin uninstall bug fix

4.27

  • Improved CSS
  • Wpcli V2 code
  • account disconnect option
  • plugin deactivate bug fix

4.23

  • Override bot protect over protect

4.22

  • Sending plugname in request to backend servers

4.21

  • Adding default parameter for MCWPAdmin constructor

4.2

  • Robust write callbacks
  • Improved and Robust prepend in Firewall Support
  • Without FTP cleanup and restore support

3.8

  • Updated MalCare landing page front-end

3.7

  • Removing deprecated get_magic_quotes_gpc function
  • Improving Firewall Logging

3.6

  • WPCli to server request path updated
  • Authentication header added in wpcli request param

3.5

  • Firewall in prepend mode
  • Robust Firewall and Login protection

3.4

  • Plugin branding fixes

3.2

  • Updating account authentication struture

3.1

  • Adding params validation
  • Adding support for custom user tables

2.1

  • Restructuring classes

1.91

  • Request profling and logging

1.89

  • Firewall improvements

1.88

  • Callback improvements
  • Adding delete transient callback

1.87

  • Checking Whitelisted IP’s first

1.86

  • Updating tested upto 5.1

1.84

  • Disable form on submit

1.83

  • Setting blocked page to be non-cacheable

1.82

  • Updating tested upto 5.0

1.81

  • Adding Geoblocking functionality

1.77

  • Adding function_exists for getmyuid and get_current_user functions

1.76

  • Removing create_funtion for PHP 7.2 compatibility

1.73

  • Ability to show captcha for all login blocked

1.72

  • Adding Misc Callback

1.71

  • Adding logout functionality in the plugin

1.69

  • Adding support for chunked base64 encoding

1.68

  • Updating upload rows

1.66

  • Updating TOS and privacy policies

1.64

  • Bug fixes for lp and fw

1.62

  • SSL support in plugin for API calls
  • Adding support for plugin branding

1.51

  • First Release

Meta

Graddau

4.3 out of 5 stars.

Your review

See all reviews

Cefnogaeth

Issues resolved in last two months:

2 out of 2

Gweld y fforwm cefnogi

Donate

Would you like to support the advancement of this plugin?

Donate to this plugin