3 Oct 2023

Malcare Marketing Highlights Common False Claims Made About WordPress Firewall Solutions

Last week we looked at one way a WordPress security provider named MalCare markets their service with false claims. In that case, it was through made-up stats about their service, which, when you added things up, amounted to claiming that a fifth of their customers are getting hacked every year. That is despite claiming to have a “deeply integrated, real-time WordPress Firewall to block the most sophisticated attacks”. The marketing for that firewall is filled with common false claims you run across over and over from less than honest security providers marketing firewall solutions for WordPress.

Below are quick breakdowns of why some of those claims are false. Understanding that can help cut through the BS and find solutions that really work.

No Slowdown Isn’t Possible

High Performance Firewall which will not slow down your site
Our WordPress firewall plugin keeps the malicious traffic out without slowing down your site. MalCare servers do all the heavy lifting so your site will only be serving customers.

If requests to your website have to pass through a third-party server first, then there will be a slowdown.

If additional processing is done on each request, that also creates a slowdown.

The reality is that a firewall is going to create a performance penalty, since more work is being done. If the provider isn’t honest about that, you should avoid them because they are being dishonest. In that situation, it is also likely they won’t have done the work to minimize that penalty. A properly optimized firewall can have a much smaller performance penalty than one that isn’t optimized.

WAFs Are Not Specialized for WordPress

Specialized for WordPress
WAFs such as Cloudflare have generic rules which allow most attacks to pass through. MalCare Firewall only works with WordPress and has specialized rules which block out the worst attacks.

There are multiple serious issues with this claim.

Based on the rest of their marketing, MalCare’s firewall is a WAF, yet in that quote they are claiming it isn’t one.

Plenty of WAFs have specialized rules for WordPress. We know that in part because they often cause unnecessary problems.

Generic rules can in fact stop lots of attacks, including many of the worst ones. More importantly, generic rules are the only way to protect against vulnerabilities you don’t yet know about. By the time a specific rule has been written for a vulnerability, there is likely a better option for protecting against it.

As we noted in a recent post, WAFs don’t tie in to WordPress as plugin firewalls do, which means they can’t provide a lot of the protection those firewall plugins offer.

Manual Configuration Allows Better Security

Instant Setup with No Manual Configuration
Traditional firewalls need to be manually tuned with rules and more. MalCare understands your site and then auto-configures itself.

Lots of websites have a firewall running in front of them that the site owner doesn’t even have the ability to tune manually, much less one that requires manual configuration. MalCare is either lying about what is going on or doesn’t even know what the competitors it claims to be a better option than actually do.

Done right, manual configuration allows tighter security, since some things cannot be determined automatically. For example, how would MalCare know whether you allow visitors who are not logged in to WordPress to upload files somewhere? They wouldn’t. Without manual configuration, their firewall has to allow those visitors to upload files to avoid blocking legitimate requests, even where blocking them would stop vulnerabilities from being exploited.
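To make the file-upload example concrete, here is an added illustration (not MalCare’s code or any real plugin’s) of a plugin-firewall-style check that hooks into WordPress. The option name, function names and the plugin header are hypothetical; the point is that the setting has to come from the site owner, because the firewall cannot work out on its own whether anonymous uploads are legitimate on a given site.

```php
<?php
/*
 * Plugin Name: Example Anonymous Upload Gate (hypothetical illustration)
 * A minimal plugin-firewall-style check. It blocks file uploads from
 * visitors who are not logged in, but only when the site owner has
 * explicitly said the site never accepts anonymous uploads.
 */

// Hypothetical option name for this example; not from any real product.
const EXAMPLE_UPLOAD_GATE_OPTION = 'example_block_anonymous_uploads';

/**
 * Decide whether a request should be rejected.
 *
 * @param bool      $is_logged_in    Whether WordPress has an authenticated user.
 * @param bool      $has_files       Whether the request carries uploaded files.
 * @param bool|null $block_anonymous The owner's manual setting; null = not configured.
 * @return bool True when the request should be blocked.
 */
function example_should_block_upload( bool $is_logged_in, bool $has_files, ?bool $block_anonymous ): bool {
	if ( $is_logged_in || ! $has_files ) {
		return false; // Nothing to gate: authenticated user or no file present.
	}
	// "Auto-configured" mode: with no manual setting the firewall cannot know
	// whether this site legitimately accepts anonymous uploads, so it must
	// let the request through to avoid blocking legitimate visitors.
	if ( null === $block_anonymous ) {
		return false;
	}
	return $block_anonymous;
}

function example_upload_gate_init() {
	// get_option() returns the supplied default (null here) when the option is unset.
	$setting = get_option( EXAMPLE_UPLOAD_GATE_OPTION, null );
	$block   = ( null === $setting ) ? null : (bool) $setting;

	if ( example_should_block_upload( is_user_logged_in(), ! empty( $_FILES ), $block ) ) {
		wp_die(
			'File uploads on this site require a logged-in user.',
			'Forbidden',
			array( 'response' => 403 )
		);
	}
}
// 'init' runs after the current user can be determined, so is_user_logged_in() is reliable here.
add_action( 'init', 'example_upload_gate_init' );
```

A site owner who knows the site never accepts anonymous uploads would enable the tighter rule with something like `update_option( 'example_block_anonymous_uploads', 1 );`; with the option left unset, the check behaves like an auto-configured firewall and allows the upload.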

False Positives Are Possible

No False Positives
False Positives prevent good visitors from accessing your site. Losing potential customers because of a firewall is the last thing you want. MalCare ensures that this does not happen.

If you see a provider of a firewall (or of any other security product or service, for that matter) claiming that there are no false positives, you should be highly wary. It is possible to limit them, though that often isn’t done, but a claim of none is a big red flag.

Beware of Claims of Protection Against the OWASP Top 10

OWASP Top 10
MalCare’s WordPress firewall plugin protects your site from the Top 10 Security threats which are responsible for the vast majority of all attacks faced by WordPress sites.

It’s really common for shady security providers (of which there are lots) to tout that their firewall provides protection against the Open Web Application Security Project (OWASP) Top 10. It’s a claim that immediately tells you that you are dealing with someone dishonest. Why’s that? Well, a firewall can’t protect against some of those things because they don’t involve attack attempts against a website, which is what a firewall stops. Here’s one of the top 10:

A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity.

Dealing with that has nothing to do with a firewall.

If you see a provider claiming to offer this, you should move on to other options.

What to Look For Instead

When it comes to security products and services, what you want to look for is evidence, preferably from independent testing, that what they offer provides effective protection against real threats. MalCare’s marketing for their firewall is completely lacking in that. That seems unsurprising, since the marketing suggests they don’t have much grasp of what providing an effective solution would entail. For WordPress firewall plugins, we do testing to see how much protection they provide against vulnerabilities in other plugins.

While carefully looking at the marketing of a WordPress security product can help you avoid a solution like MalCare’s firewall, you can also ask the developer if their product is certified by Certified WP Security, as that certification indicates that the product comes from a reputable security provider that is really providing what it claims to offer, instead of making fairly obvious false claims like MalCare does with their firewall.
