Our Firewall Plugin Provides What Malcare Claims Isn’t Available in a WordPress Security Plugin
Malcare is like a lot of providers in the WordPress security space: they make extraordinary claims that don’t make much sense to anyone with a basic grasp of security. Either the people behind those providers don’t understand what they are doing (which seems possible) or they assume they can get away with misleading people (which, unfortunately, they can).
Our most recent encounter with Malcare came from the monitoring we do to keep track of vulnerabilities being exploited in WordPress plugins, which also flags other mentions of security issues.
Two days ago, a negative review was left for their service, with this claim:
After checking some blogs and videos over YouTube, I thought maybe I could get some relief by using this software for malware. Sorry to say, but after using auto and manual cleaning as well, I found malware myself in the Twenty-Twenty theme. So don’t think it works, you need to do more work on this software. I am not requesting a payback as I know well that I am going to get it back. But I am quitting my subscription and suggesting all try to take a trial first. If you think they can fulfil your requirement, then only take a subscription. Otherwise it’s a total waste of your money.
The response from Malcare isn’t what you should expect:
We had a look at your website and the ticket you raised. I can see that we did clean the website & removed the malware from the site when you had contacted here.
But within 48 hours, the website was infected again with malware and due to this, you noticed malware in the Twenty-Twenty theme of the website. I can also confirm that your website is still infected with malware and contains over 20 hacked files.
Our team can help you remove all the malware from the website & also help find the source of the malware reinfection as well. Please do let us know or reach out to our team if you would like assistance with your website.
Part of a proper cleanup is trying to find the source of the infection, which they don’t appear to have done as part of the cleanup. Without that, a reinfection within 48 hours is the expected outcome, not a surprise.
If you head over to their website, their malware removal service is promoted in a way that is consistent with not actually finding and fixing the underlying issue, going so far as to promote doing unlimited cleanups:
Did your site get hacked a second time? Do not worry. With MalCare’s WordPress malware cleanup you can clean your site as many times as you like without paying a dime more.
What is odd about that is their service is also prominently marketed with the claim that it will keep your website secure:
MalCare will keep your site secure without slowing it down.
So things don’t add up.
Part of how they claim they will keep your website secure is a firewall:
The integrated Web Application Firewall (WAF) protects your site from hackers and bots. Our Threat Intelligence Network pushes rules and IPs in real-time to stop new attacks.
They don’t provide any evidence that this firewall is effective, and if they are not figuring out how websites are getting hacked, they have no way of knowing whether the firewall would have stopped those hacks, so it seems unlikely they have a good grasp of whether it is doing a good job.
Despite not checking how websites are getting hacked, they make this claim:
95% of all WordPress Sites get hacked because of Vulnerable Plugins and Themes
We could go on for a while along those lines, because there is a lot more that doesn’t add up with their claims, but we saw something that directly relates to our new Plugin Vulnerabilities Firewall.
Here is why they claim that WordPress security plugins are a bad idea:
But they are complex, slow down your website and are incredibly complex to set up. They do not really protect your website and offer no solution if the site gets hacked.
Security plugins don’t have to be complex. We have designed our firewall plugin so that you can simply activate it and it provides plenty of protection, and we have a simplified process for enabling additional protection.
Configuration is actually needed to provide the most comprehensive protection a plugin can provide, something that Malcare seems not to understand (or assumes others won’t understand). Some protection can’t be enabled by default because it would cause problems for websites that need to allow things that others don’t, so those protections have to be opt-in.
While Malcare claims their service really protects websites, they don’t offer evidence to back that up. The aforementioned review and the way they market the hack cleanup portion of their service point against it providing the claimed protection.
By comparison, we publicly release results of testing we do of our plugin and many others, to show what protection they currently provide against vulnerabilities in other plugins, and that testing has allowed us to continue to expand the protection our plugin provides.
As to the claim of slowdown, a firewall is going to cause some slowdown, since additional checking of each request needs to be done, which Malcare should know. Lying about that isn’t a good sign that they are doing the work to provide the least slowdown possible.
By comparison, we have done a lot of work to limit the slowdown of our plugin and continue to look for further improvements. We also publicly release results of performance testing against other plugins.
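As an added illustration of the two points above (that some rules are safe to turn on for every site while others must be opt-in, and that checking every request has a measurable cost), here is a small two-tier request filter. This is example code written for this page; it is not the Plugin Vulnerabilities firewall plugin, nor MalCare's firewall, and the `Request` shape, the rule names and the sample requests are constructed for illustration. The WordPress paths it references (`xmlrpc.php`, `/wp-json/wp/v2/users`, `/wp-content/uploads/`) are real endpoints, but whether blocking them is appropriate depends on the site, which is exactly why those rules are off by default.

```python
"""Two-tier request rules for a WordPress-style firewall plugin.

Added example, not code from Plugin Vulnerabilities or MalCare. The Request
shape, rule names and sample requests are constructed for illustration.
"""
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterator, List, Optional
from urllib.parse import parse_qsl, unquote


@dataclass
class Request:
    path: str
    query: str = ""
    logged_in: bool = False  # whether WordPress has already authenticated the visitor


@dataclass
class Rule:
    name: str
    reason: str  # why the rule is, or is not, safe to enable on every site
    matches: Callable[[Request], bool]
    on_by_default: bool


def _decoded_values(query: str) -> Iterator[str]:
    # parse_qsl decodes once; decode again so double-encoded payloads look the same.
    for _, value in parse_qsl(query, keep_blank_values=True):
        yield unquote(value)


def _path_traversal(req: Request) -> bool:
    return any("../" in v or "..\\" in v for v in _decoded_values(req.query))


def _php_in_uploads(req: Request) -> bool:
    # Also catches "shell.php.jpg", which some server configs would still execute.
    path = unquote(req.path).lower()
    return path.startswith("/wp-content/uploads/") and ".php" in path


def _xmlrpc(req: Request) -> bool:
    return unquote(req.path).lower().endswith("/xmlrpc.php")


def _user_enumeration(req: Request) -> bool:
    return (not req.logged_in
            and unquote(req.path).lower().startswith("/wp-json/wp/v2/users"))


RULES: List[Rule] = [
    Rule("path-traversal-in-query",
         "'../' in a parameter value has no legitimate use on a normal site",
         _path_traversal, on_by_default=True),
    Rule("php-under-uploads",
         "PHP should never execute from the uploads directory",
         _php_in_uploads, on_by_default=True),
    Rule("block-xmlrpc",
         "some sites rely on XML-RPC (mobile apps, Jetpack), so opt-in only",
         _xmlrpc, on_by_default=False),
    Rule("block-rest-user-enumeration",
         "some sites expose author lists on purpose, so opt-in only",
         _user_enumeration, on_by_default=False),
]


def check(req: Request, enabled_optional: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Return the name of the first rule that blocks the request, or None to allow it."""
    for rule in RULES:
        if (rule.on_by_default or rule.name in enabled_optional) and rule.matches(req):
            return rule.name
    return None


def overhead_microseconds(req: Request, iterations: int = 20000) -> float:
    """Average cost of running the whole rule set once: the unavoidable per-request slowdown."""
    start = time.perf_counter()
    for _ in range(iterations):
        check(req)
    return (time.perf_counter() - start) / iterations * 1e6


if __name__ == "__main__":
    hardened = frozenset({"block-xmlrpc", "block-rest-user-enumeration"})
    samples = [  # constructed sample requests
        Request("/index.php", "page=..%2F..%2Fwp-config.php"),
        Request("/wp-content/uploads/2024/01/shell.php"),
        Request("/xmlrpc.php"),
        Request("/wp-json/wp/v2/users"),
        Request("/", "s=hello"),
    ]
    for r in samples:
        print(f"{r.path:40} default={check(r)!s:28} hardened={check(r, hardened)}")
    print(f"per-request overhead: {overhead_microseconds(Request('/', 's=hello')):.2f} us")
```

The decision function is the whole plugin's hot path: every front-end and admin request goes through it, so the slowdown is real, and the engineering job is to keep the rule checks cheap rather than to claim the cost is zero. Enabling the opt-in tier is a one-line change per site, which is the kind of configuration the text above says is needed for the most complete protection.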