According to statistics published by WPMUDEV in 2017, malicious hackers launch over 90,978 attacks per minute against WordPress websites. Therefore every WordPress site must have some sort of security hardening and a service protecting it. Even if it is small and not popular, your WordPress website is always a target.
Being a geek, when I started working with WordPress I used to do all the security hardening myself, manually. It was fun and I’ve learnt a lot about WordPress while doing so. But as a trade-off I was spending a few hours every month tweaking things to keep all systems up to date. Also, I could do manual hardening and WordPress security because I have the technical expertise, which many might not have.
As much as it is fun to manually secure a WordPress site, it is much more efficient to automate WordPress security with a plugin or online service. There are quite a few different WordPress security plugins and services available on the market. They all do a good job and have their pros and cons. In most cases it is a question of which one has the features that work best for you. I chose to work with MalCare WordPress Security Solution, and I explain why I took this decision in this post.
Why I Chose MalCare for WordPress Security
MalCare is developed by BlogVault, an online WordPress backup solution we have been using for years.
I have known Akshat Choudhary, BlogVault’s CEO, since the first WordCamp Europe in 2013. A few years ago he explained to me how he was planning to build MalCare! I liked his approach and the fact that he was trying something different to tackle the issue of malware infections and WordPress hacks.
A few months ago MalCare was released. I tried it on our websites and I am more than happy with it, so I am happy to endorse this WordPress security solution.
MalCare WordPress Security Features Highlight
MalCare is a WordPress security plugin and service hybrid that provides:
- WordPress firewall protection with statistics on traffic and blocked attacks, and also protection against possible WordPress brute force attacks
- WordPress hardening, such as blocking of PHP execution in untrusted folders, blocking of theme and plugin installations, etc.
- Malware scanning – we talk in more detail about this in the next section
- WordPress backups and staging website
- Plugin, theme and user management and notifications
It is a hybrid service because their plugin acts as a connector, so it does not require a lot of resources to run. All the configuration and management is done from their online dashboard and they have server side scanning. This means that all resource intensive operations, such as malware scanning, are not done on your site.
Instead their plugin transfers the data to their servers, which are also used for backups, and all the heavy lifting is done there. So the performance of your WordPress site is not affected by the malware scanning process or security protection.
MalCare’s Heuristic Malware Scanning
MalCare claim their malware and hack detection mechanism is superior to what is available on the market. According to their website, their scanning technology uses over 100 signals to accurately identify even the most complex malware and does not report false positives.
That is quite a bold statement to make. I spoke with Akshat at length about this, and he explained in detail how they are doing it, which obviously is worth a mention.
First it is important to point out that they do not rely on signature based scanning, as the majority of traditional malware and antivirus scanners do. One of the signals they use is the website backups – they can identify file and database changes in between backups. On top of that they use a combination of timestamps, file integrity and other checks. By combining all this information they can accurately spot a hacked website, even if the injected malware payload has never been identified before.
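To make the backup-comparison idea concrete, here is an added example that is not MalCare's code or algorithm: it diffs two file manifests taken from consecutive backups and combines hash, timestamp and location signals. The manifest format, the signal names and the sample data are all assumptions constructed for illustration.

```python
import hashlib
from pathlib import PurePosixPath

def _h(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

# Constructed sample manifests (not real data): path -> (sha256, mtime epoch)
BACKUP_OLD = {
    "wp-config.php": (_h(b"config v1"), 1700000000),
    "wp-includes/version.php": (_h(b"core 6.4"), 1700000000),
    "wp-content/uploads/2023/11/logo.png": (_h(b"png"), 1700000500),
    "wp-content/themes/shop/functions.php": (_h(b"theme v1"), 1700000000),
}
BACKUP_NEW = {
    "wp-config.php": (_h(b"config v1"), 1700000000),
    "wp-includes/version.php": (_h(b"core 6.4 + extra"), 1700000000),
    "wp-content/uploads/2023/11/logo.png": (_h(b"png"), 1700000500),
    "wp-content/uploads/2023/11/cache.php": (_h(b"new php"), 1700090000),
    "wp-content/themes/shop/functions.php": (_h(b"theme v2"), 1700080000),
}

EXECUTABLE = {".php", ".phtml", ".phar"}
CORE_PREFIXES = ("wp-includes/", "wp-admin/")

def diff_backups(old, new):
    """Return {path: [signals]} for files that differ between two manifests."""
    findings = {}
    for path, (digest, mtime) in new.items():
        prev = old.get(path)
        if prev is None:
            signals = ["added"]
        elif prev[0] != digest:
            signals = ["modified"]
            if prev[1] == mtime:
                # File integrity check disagrees with the timestamp
                signals.append("mtime-unchanged")
        else:
            continue  # identical content in both backups
        if PurePosixPath(path).suffix.lower() in EXECUTABLE and "/uploads/" in path:
            signals.append("php-in-uploads")
        if path.startswith(CORE_PREFIXES) and "modified" in signals:
            signals.append("core-file-changed")
        findings[path] = signals
    for path in old.keys() - new.keys():
        findings[path] = ["removed"]
    return findings

def suspicious(findings):
    """Paths carrying a signal beyond a plain add, modify or remove."""
    plain = {"added", "modified", "removed"}
    return sorted(p for p, s in findings.items() if set(s) - plain)
```

On the sample data an ordinary theme update is reported only as modified, while the new PHP file under uploads and the core file whose content changed without a timestamp change are the two paths flagged for review.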
MalCare also does free malware and hack cleanups if you are their customer. The good thing about their cleanup is that they do not just do the cleanup, but they also take the necessary precautions to ensure that the infected website is secure, thus reducing the chances of it being hacked again. They guide the user with the help of the Score Card, which can be accessed in the MalCare dashboard.
Is MalCare a Good Fit for your WordPress Site Security?
MalCare has a very easy to use interface with the least possible settings. It was designed for those site owners who do not have the time or interest to learn about WordPress security.
I myself sometimes find it overwhelming when I install a security plugin and find hundreds of different settings. Nothing against such plugins. I understand where they are coming from. Sometimes it takes us quite a few tries to nail the text of a setting on our WordPress activity log plugin, or to decide if we should have a setting or enforce a default value.
MalCare managed to find that sweet spot – they have built an excellent hybrid WordPress security product that the owners of the corner flower shop can still use to secure their WordPress website.