We are happy to release this guest article from MalCare about security and WordPress.
When you go hunting for an ideal All-in-One security plugin for your website, there are certain questions that come to mind. Let’s go through each of them, one by one.
1. What’s a security plugin without a malware scanner?
There’s no such thing as a perfect security plugin. Every day, new malware threats are discovered on the internet. In fact, it is estimated that there are more than 7.5 million pieces of spam on WordPress every hour. That is just spam, so imagine the rest of the attacks your site has to deal with!
It is safer to assume that hackers are out to get you. Simply scanning our site for vulnerabilities, however, can help us keep those pesky hackers at bay. A strong malware scanner can pick out every needle in the haystack and stay one step ahead of any hacker.
2. Security at the cost of a slow website due to server overload?
Put on your thinking caps and tell us: What is the first thing a person who visits your site will see? The content? The design? Honestly, what any visitor notices first is how long it takes your site to load.
Our own servers are already up to their ears (figuratively, of course) with running our precious website. A security plugin will only add to this load. Slow websites are the bane of sites wanting a higher conversion rate. An ideal security solution is lightweight.
3. An ideal security plugin does not cry wolf at every “possible threat”
We all know the story about the shepherd boy who cried wolf even when there was none around. A security plugin’s trust and reliability suffer when it sends us false positives. This is especially dangerous if we end up neglecting an actual threat.
For a non-technical person, any alert about their site’s safety is scary. If it turns out to be an alert for malware that never existed, the experience is even more frustrating.
4. Malware Detected. Now what? Malware removal, obviously.
The longer malware sits on a website, the more dangerous it gets. Just like a virus, it spreads across your website. When search engines like Google find out, you will be blacklisted.
A security plugin’s journey does not end at detecting malware, but goes beyond to complete and absolute removal of malware so that your site does not get shut down. The website should be restored to fully functioning status, and until that moment, an ideal security plugin gets no rest.
5. How Thorough is your Website Protection?
Security is multi-layered. Imagine that a firewall is your apartment complex’s security gate. Then a security plugin will be your home’s alarm sensor system. Each layer’s role is to make a hacker’s job that much more difficult.
WordPress recommends many security hardening practices. If our ideal security plugin could bring together all these practices, it would make our life so much easier!
There are many WordPress security plugins in the current market. MalCare is one such plugin… Read on to know our take on it.
Why consider MalCare?
Security plugins which don’t inspect every nook and corner for malware are bound to miss a vulnerability or backdoor. Moreover, new and complex malware comes up every day. It cannot be detected using the outdated signature-pattern technology that regular security plugins rely on. They look right past complex malware present on your website.
What we found interesting is that MalCare actually tracks each and every file to monitor the changes in your website. It leaves no stone unturned to catch and identify malware on your site.
Security plugins that run on your site’s server risk slowing down your page load speed. Since security operations are occurring in tandem with the rest of your website operations, the load on your server is enormous.
MalCare syncs up your site incrementally to its servers. Your site is backed up in small packages, after which security scans are run on MalCare’s servers. There is no load on our site server. This is an issue with other plugins, which tend to clutter our own servers and slow our site down.
Security plugins rely on signature-based matching. Any changes found in your website, even authorized ones, end up being flagged, and these lead to false-positive alarms. This causes unnecessary panic and, at worst, creates distrust for your security plugin.
A security plugin that is unreliable is a watchman who sleeps on his shift. By contrast, we think that MalCare is a hypervigilant bodyguard. MalCare alerts you only when there is actual malware on your website. This allows you to take corrective action immediately and does not create any unnecessary panic.
MalCare Ease of Use
MalCare has the same easily accessible dashboard and the same look and feel as its sister product BlogVault.
We didn’t actually have to go through an elaborate setup or configuration process. Just enter your MalCare username and password on the MalCare website and sign in. The automatic process will recognize your website which has MalCare installed on it.
When we logged in, the first page we saw was the MalCare site listing page.
You can add websites under MalCare’s care with the + icon.
MalCare Site Listing will let you see all your sites, group them in different ways and perform bulk actions on them. You can even filter sites based on their status – Active, No Plugin (MalCare plugin not yet installed on your site), Unreachable (if your site shuts down), and most important of all – Hacked.
All these sites can also be filtered according to the tags, users, plugins, themes, or even different versions of the same. Then you can perform bulk actions on these selected sites using the Advanced Search option.
From allowing you to manage your WordPress site’s users to helping you update the plugins and themes on your site, MalCare takes care of the smallest of details. All this for your WordPress site to be secure against all kinds of threats.
Manage WordPress Core, Themes and Plugins
You can see the version you have of each, update or uninstall specific add-ons, or all of them.
You can remotely delete, or change the role or password of those who have access to the site, without even logging in to your WordPress site’s dashboard. We could change the user permissions.
MalCare gives you the complete security maintenance package, including Malware Detection, Firewall, Site Hardening, within this dashboard.
Backup and Staging by the BlogVault backup plugin are also part of this package.
Everything has been arrayed in a logical manner, which we are grateful for. Given the range of features offered, it could get rather overwhelming otherwise.
MalCare Scanner’s features are as follows:
- Deep Scan by 100+ Intelligent Signals
- Daily Scan and Manual one-click Scan
- Instantaneous Detection of malware
- Operated on MalCare server
- Scanner does not rely on signatures only
- All Changes are Tracked
- Minimal False Positives
MalCare scans your site daily automatically. To manually scan your site, click on Scan Now.
In this step, your website is incrementally synced to the MalCare server. Any changes that were made after the latest sync will be recorded now.
If any malware is detected, you will get a notification, an email, and a Hacked Site Alert. Then you can clean it using MalCare One-click Cleaner.
MalCare Cleaner’s features are as follows:
- Rest of your Site is Not Affected
- No Technical Knowledge required
- Revert to pre-malware infected site
- No need to wait for third party technicians
- No need to give your credentials to third party technicians
There are various safety practices that can be followed to fortify our websites. Even WordPress recommends these as the best security practices on their codex. Doing them individually will require valuable time, and for those of us not very technically proficient, it might get a little confusing. You can skip right to the point with MalCare. Read on to find out how.
Before we learn about the Site Hardening features, let us take a look at MalCare Login Protection and MalCare Web Application Firewall.
MalCare Login Protection
Blocking brute-force attacks on our sites is primarily done using Login Protection. Login protection basically limits the number of failed login attempts. If a hacker tries to log in to your website using multiple IPs and bots, he or she will be obstructed from trying to log in for some amount of time. This is especially useful in tracking malicious IPs and blocking them.
MalCare enables us to utilize Captcha based protection to block bots from entering our sites.
You can track all the login requests to your site and even keep track of the Audit Logs. Here we could identify the bad IPs and even the requests they made.
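The failed-login limiting described above, as an added example (not MalCare's code). The class name, thresholds and sample traffic are assumptions; it counts failures per source IP and per username, since a per-IP limit alone misses guesses spread across many IPs.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Counts failed logins per source IP and per target username."""

    def __init__(self, max_failures=3, window=60, lockout=300):  # assumed values
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # key -> times of recent failures
        self.blocked_until = {}              # key -> time the lockout ends

    def _keys(self, ip, user):
        return ("ip", ip), ("user", user.lower())

    def attempt(self, now, ip, user, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login request."""
        if any(self.blocked_until.get(k, 0) > now for k in self._keys(ip, user)):
            return "blocked"                 # refused before the password is checked
        if password_ok:
            self.failures.pop(("ip", ip), None)
            return "ok"
        for key in self._keys(ip, user):
            recent = self.failures[key]
            recent.append(now)
            while recent[0] <= now - self.window:
                recent.popleft()             # forget failures outside the window
            if len(recent) >= self.max_failures:
                self.blocked_until[key] = now + self.lockout
                recent.clear()
        return "failed"

# Constructed sample traffic: (seconds, source IP, username, password_ok)
EVENTS = [
    (0, "192.0.2.1", "admin", False),      # three bots, one guess each ...
    (5, "192.0.2.2", "admin", False),
    (10, "192.0.2.3", "admin", False),     # ... trips the per-username limit
    (15, "192.0.2.4", "admin", False),     # fourth bot is refused
    (20, "192.0.2.1", "editor", True),     # other accounts are unaffected
    (30, "198.51.100.9", "alice", False),  # one IP trying many usernames ...
    (31, "198.51.100.9", "bob", False),
    (32, "198.51.100.9", "carol", False),  # ... trips the per-IP limit
    (33, "198.51.100.9", "dave", True),    # refused even with a valid password
    (400, "192.0.2.4", "admin", True),     # lockout has expired
]

def replay(events):
    throttle = LoginThrottle()
    return [throttle.attempt(*event) for event in events]
```

Because the per-username counter can also lock out the real account owner, the lockout is temporary rather than permanent.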
MalCare Firewall Protection
A Web Application Firewall is completely, absolutely necessary for a website. Even if you have a network layer firewall provided by your web host, we advise you to install a firewall for your own website’s security. MalCare makes that easier for us by having an integrated firewall.
MalCare Web Application Firewall features are as follows:
- Rule based Request blocking
- Bypass firewall only for authorized WP-admin users
- Blacklist or whitelist IPs
- Enable or Disable specific rules
- IP blocking on global level
- Real time Firewall Stats
MalCare Firewall has different modes of operation – Protecting, Auditing and Disabled.
The firewall protection is completely under our control. We get to choose which IPs are allowed to enter our WP-admin site at any time.
Each request is thoroughly checked against information from across 1000+ sites. In case any bot or bad IP is detected, it will immediately be blocked from entering your site.
You can even monitor all the requests (allowed, blocked or bypassed) coming your way. We noticed that MalCare shows the traffic request logs.
MalCare Site Hardening features are as follows:
- Change Security keys
- Protects Upload Folders
- Disallows Plugin Installation
- Disable File Editor
- Change Database Prefix
- Secure File Permissions
The above features are slightly technical in nature.
By changing security keys we are basically providing our site database with an extra layer of security.
You can reset all your passwords, if they are not strong and unique already.
Upload folders may contain PHP security vulnerabilities sometimes, just like the MailPoet plugin vulnerability.
Your website’s backend is protected by disabling file editor.
Hackers try to access a site using backdoors within plugins and themes. If you don’t need any more plugins or themes, it is advisable to not install plugins and themes, especially if they are from unknown or untrusted sources.
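An added example (not MalCare's code) that audits a WordPress directory for the hardening items listed above. `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and `$table_prefix` are WordPress's own settings in `wp-config.php`; the function names, finding texts and permission thresholds are assumptions of this sketch.

```python
import os, re, stat

SAMPLE_SALT = "put your unique phrase here"  # placeholder in wp-config-sample.php
UPLOADS = os.path.join("wp-content", "uploads") + os.sep

def _is_true(config, const):
    # Match an active define('CONST', true); commented-out lines do not count.
    pattern = rf"^\s*define\(\s*['\"]{const}['\"]\s*,\s*true\s*\)"
    return re.search(pattern, config, re.I | re.M) is not None

def audit(root):
    """Return sorted hardening findings for the WordPress tree under root."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, encoding="utf-8", errors="replace") as fh:
        config = fh.read()
    # DISALLOW_FILE_MODS blocks plugin/theme installs and also the file editor.
    no_mods = _is_true(config, "DISALLOW_FILE_MODS")
    if not no_mods:
        findings.append("plugin and theme installation is allowed")
    if not (no_mods or _is_true(config, "DISALLOW_FILE_EDIT")):
        findings.append("dashboard file editor is enabled")
    if re.search(r"^\s*\$table_prefix\s*=\s*['\"]wp_['\"]", config, re.M):
        findings.append("database prefix is the default wp_")
    if SAMPLE_SALT in config:
        findings.append("security keys are still the sample placeholder")
    if stat.S_IMODE(os.stat(cfg).st_mode) & 0o007:
        findings.append("wp-config.php is accessible to other users")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                     # do not follow or judge symlinks
            rel = os.path.relpath(path, root)
            if stat.S_IMODE(os.stat(path).st_mode) & 0o002:
                findings.append(f"world-writable file: {rel}")
            if rel.startswith(UPLOADS) and name.lower().endswith(".php"):
                findings.append(f"PHP file in uploads: {rel}")
    return sorted(findings)

if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1]):       # path to a WordPress install
        print(finding)
```

Note that `DISALLOW_FILE_MODS` also stops updates from the dashboard, so sites that set it need another way to apply plugin, theme and core updates.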
- Auto Updates plugins and themes
- Tracks newly added plugins and themes
- Helps remove idle plugins and themes
- Helps update WordPress core
- Keeps track of website users
Website management is an integral part of website security. A secure site is an updated site and that’s what MalCare aims to help you with.
Plugins that are lying on your site without being used can get infected if not updated, and they are a waste of valuable space. MalCare helps us identify these plugins and themes and takes care of them for us. The same goes for WordPress core. Keeping an eye on the users of a site helps to detect malicious presence as well. Overall, MalCare has thought about the various aspects of website security quite thoroughly.
That said, we would like to see MalCare show us the specific vulnerable plugins and themes on our site and streamline their deactivation and removal process. They are, after all, still a plugin under development.
Based on this, our site was graded for its overall security. We got a healthy score, thankfully.
MalCare Plans and Pricing
MalCare Plans vary according to the number of sites you need MalCare to secure. We took the basic plan, which starts at $99 per year. There’s a different plan for those of you wanting backup services as well.
MalCare has a Free plugin which does not help you with Cleaning malware but is good enough for Scanning, Login and Firewall Protection. You’ll have to contact MalCare for a clean up service in case you do get infected with any malware.
MalCare Support and Documentation
MalCare has an extensive FAQ and Help Documentation section. If you are short on time, they have a fantastic Support and Response Team who are willing to exchange knowledge on security services in general, and their own, of course.
Take note of their Affiliate program over here.
We wish MalCare even took care of patching up specific attacks. It is great, but there is room for improvement.
An ideal security plugin is hard to come by for a variety of reasons. However, we think MalCare hits the target much closer than we expected. Not only does it provide good security practices within its dashboard, but also handles malware detection and cleaning on its own. That is to say, it exceeded our expectations.
We even get a badge that shows our site is protected by MalCare, which is great for increasing our own site’s credibility.
Try MalCare now, and sleep better at night.
Which security plugins do you love? Let us know in the comments section.