MalCare: Is it worth it?

malcare-is-it-worth-it

We were approached recently by guys from MalCare that were interested in getting a review article for their service.

As for you that do not know MalCare is a new service that protects WordPress sites from malicious attacks and cleans them out in case that they were already infected. It is a sister service of the awesome BlogVault and it is also heavily integrated with existing BlogVault service that includes lots of useful stuff like Backup, Staging, Migration and Collaboration tools.

Going through all MalCare functionalities will require a whole new article about BlogVault and in this one we will only concentrate on the security features and site performance.

All right, let’s do some testing!

We made couple of tests on our server and here is what we came up with.

Is MalCare hard to install and setup?

MalCare is very easy to install and setup. You just need to create new account on malcare.com then on the control panel you are offered with MalCare Security Pro plugin that you have to download and install on your wordpress site, you then activate the plugin and that’s it.

Small note: Plugin pack malcare-security-pro.zip that you’ll get actually have zipped folder in it called ‘blogvault-real-time-backup’ , do not get confused by it, this is still a MalCare Pro plugin.

After successful activation MalCare service will start automatically to sync your site with their server where they will do all scanning so that your site’s performance will not be affected.

As soon as you create MalCare account you will get a lot of email notifications so be ready! There is no option to disable any of those.

If you are using HTTP Auth for your admin access you also have panel to update those.

Just recently MalCare presented a new, more condensed, Control Panel that is more easier to setup then previous one, here is how it looks like with all it’s features enabled:

malcare-control-panel

Does MalCare slows down your site?

Only initial scan will take some time to complete and it will use some bandwidth but that is all.

.git, cache folders and log files are not included in sync which is a nice detail that prevents clutter and also speeds up the syncing and scanning process. It is same for database where plugin’s tables bv_fw_requests and bv_lp_requests are skipped during sync.

MalCare Pro plugin has lots of bloat from BlogVault but it is very well coded and it doesn’t seem to slow down a site.

We have done testing on a frontpage of a clean WordPress site before and after MalCare Pro plugin installation.

Test was done with Query Monitor and here are the results:

After MalCare Pro plugin was installed

  • There were 11 queries more
  • 327kB more of memory is used
  • 3.6 ms (or 0.0036 sec) was slowdown of the site
  • There were no slow queries.

Networking and hardware monitor showed:

  • CPU will have some lite use (maximum peak of 5.7% while syncing for the first time)
  • Bandwidth will be used a lot, especially during initial sync (depending on the site’s size)
  • Disk I/O will also be used a lot but only at the beginning of installation and during first sync.

For more details you can check server monitor graphic below during first 2 hours of testing.

malcare-test-graph

Performance conclusion

MalCare will slow down your site but just a little, you will not be able to notice it.

 

How good is MalCare in detecting and cleaning malware?

This is where it gets tricky.

During our brief testing it had cleaned our dummy PHP infections from a theme file with Auto Clean function. But in some cases it had also removed descriptive comments from a PHP file which could be a pain if you are a developer.

In a Hacked Files tab you can view infected files but there is no option to manually clean them nor you can see parts of injected code.

I guess that you will have to trust Auto Clean that it will do it’s job right, if in doubt you can always clean files manually on your own server and with your own tools.

You will also need to prepare your FTP, SFTP or FTPS login parameters in order to use Auto Clean.

 

How does MalCare protects website?

Site is protected in two ways, by hardening and via firewall.

We haven’t noticed any issues with firewall, it was running smoothly the whole time. If you worry about GDPR be aware that all website access (both public traffic and logins) are logged on app.malcare.com server.

Hardening is divided into Essentials, Advanced and Paranoid mode.

Essentials are having:

1) Block PHP Execution in Untrusted Folders

This one needs improving because it will protect only wp-content/upgrade and wp-content/uploads folders from remote executing PHP, your entire wp-content with all themes and plugins and wp-includes are open for attack.

2) Disable Files Editor

This one is working good, we haven’t noticed any issues with it.

Again, you will have to prepare your FTP, SFTP or FTPS parameters to apply these hardening’s.

Advanced hardening mode that Blocks Plugin/Theme Installation is working good and we haven’t detected any issues with Security Keys Change and Reseting All Passwords on Paranoid mode.

 

Does MalCare offer anything else?

Beside malware protection this service also offers backups with Dropbox and migration support,complete staging on separate server with PhpMyAdmin and merging functionality, custom reports, migration, plugin/themes/user/core management, all of these are powered by BlogVault.

So far we haven’t noticed any issues with any of the standard BlogVault functionalities with our favorite being staging that works especially well and by following best practices unlike some poorly executed solutions out there.

Conclusion

MalCare service is very solid and with lots of stuff beside security. It is good to have it installed just to notify you that your site is infected. However I would be careful about their Auto Clean functionality and if you have some familiarity with coding you’ll be better to do cleaning manually. Hardening is very poorly executed so I would rather use some other lite/non intrusive plugin that does a better hardening job.

Backup, migration and staging functionalities are powered by BlogVault. BlogVault is here for some time and their service just works perfectly so it is an awesome addition to any WordPress site.

MalCare is a promising service and they will probably get better in future so I’ll get back and update this article as soon as they improve hardening and Auto Clean features. MalCare price starts at 99/Year for 1 site and you can cancel your MalCare subscription at any time, so give it a try.

I hope you’ve enjoyed this review and if you have any thoughts feel free to leave them in the comment section below, we would like to hear from you.

Stay secure!

Comments are closed.