MalCare vs Wordfence vs Sucuri vs iThemes Security – WordPress Security Plugins Compared

MalCare vs Wordfence vs Sucuri vs iThemes Security – WordPress Security Plugins Compared


When was the last time you updated everything on your site? Overall, there have been around 53 security updates from the WordPress Developer Team. Even though major core updates are released by WordPress every 152 days on the average, not everyone updates immediately, as they should. We know that because only 39% of WordPress websites are running on the latest version of the software. Are your websites one of these?

Then you should be very scared.

Let me tell you a well-known secret.

Hackers tend to attack websites, even if they are small-time businesses, for either money or notoriety. They will find a way to get into websites and delete valuable content, just as long as they put their bot minions to work.

Second well-known secret: WordPress is an extremely popular CMS with over 25% of WordPress users making a full time living off the CMS. 29% sites are hacked due to the security vulnerability in themes and 22% sites are hacked due to plugin vulnerabilities. If over 40% websites are hacked because of our ignorance or negligence, it’s on us.

WordPress is a community. We are all in this together.

We have been given priceless tools in the form of security plugins to help us. We cannot make any more excuses. Especially since they are making it easier than ever before, for us to secure our sites the right way.

Here are a few WordPress security plugins that offer security in the form of malware detection, cleaning as well as protecting us from anything hackers throw at us. Additionally, some of them even reinforce our security with site hardening.

Security Plugin Comparisons


Malcare is smart – It uses 100 signals to pinpoint the exact location of the malware, so you can remove it with a click of a button, without waiting for hours or days. And the best part? It comes with unlimited cleanups. Security experts endorse Defence in Depth and that is what MalCare aims to accomplish with its all-in-one site hardening package.


Akshat Choudhary is the founder of BlogVault, a premium WordPress Backup plugin that has been successful in deployed over 90,000 websites. Since website backup is closely related to website security, his team noticed that there was a pattern in the specific security problems that the customers were facing.

Determined to try and come up with a superior solution, they analyzed data from thousands of sites across servers and built algorithms and tools for over three years. Every step of research and development gave way to more complex malwares being taken care of, effectively.

Now, after analyzing over 240,000 sites from scratch, MalCare can detect even the most complex malwares that other plugins can’t.

The Plugin

MalCare’s Advanced Deep Scan Technology has been developed after analyzing over 240,000 sites. The plugin runs its security operations on its own servers, not your website’s. This ensures that your site never ever slows down. It uses 100 Intelligent Signals to accurately detect malware on your site and cleans it out using a powerful instant one-click malware removal service.

This security plugin takes Brute Force Protection seriously. MalCare tracks servers of malicious IPs throughout the globe. It packs a powerful punch with this information in its Login Protection and Web Application Firewall features. You can enable and disable them at will, and also track requests live in a graphical format that makes it easier to understand. MalCare keeps an eye on all the suspicious bots, botnets and hacker IPs on its Global Server network to block them from accessing your site.

MalCare helps you to change security keys to provide your site database with an extra layer of security. You can also protect upload folders which may contain vulnerable PHP files. It offers a range of options for managing plugins and themes on your site and grades your site security accordingly.

It even provides an integrated backup service for you to take advantage, as a complete security solution.

Features List

  • Daily Automatic Scan
  • One Click malware Scan
  • Syncs to MalCare server so it won’t overload your server and slow site down
  • Uses Advanced Intelligent Signals Technology
  • Tracks Changes to detect Complex malware
  • No False Alarms
  • Detection of malware in the early phases, before Google blacklists or web hosts, shuts down site
  • Rollbacks to clean version of site
  • Careful One click Removal of malware without affecting rest of the site
  • Integrated Web Application Firewall
  • Tracks and blocks bad IPs across Global Server Network
  • Captcha-based Protection
  • Brute Force Attack Protection
  • Limits number of failed login attempts
  • Site Hardening
  • Changes security keys
  • Protects Upload Folders
  • Prevents PHP execution in vulnerable folders
  • Disables File Editor
  • Disallows plugin and theme installation
  • In-built Site Management
  • Helps Reset passwordsHelps Update plugins and themes
  • Tracks newly added plugins and themes
  • Help remove idle plugins and themes helps update WordPress core
  • Offers Protected by MalCare badge


Free (Firewall Site Hardening Security)

Personal Plan (1 Site)

Security: $99 per Year

Security BackUp: $149 per Year

Business Plan (Up to 5 Sites)

Security: $259 per Year

Security BackUp: $359 per Year

Developer Plan (Up to 20 Sites)

Security: $59 per Month

Security BackUp: $79 per Month

Agency Plan (Up to 100 Sites)

Security: $159 per Month

Security BackUp: $199 per Month

All plans include the following:

  1. MalCare Scanner
  2. MalCare Cleaner
  3. Login Protection
  4. Web Application Firewall (WAF) Protection
  5. Blacklisting IPs
  6. Site Hardening
  7. Customized Support


  • Does not offer malware cleaning in Free version
  • Still under development, so the full features list hasn’t been explored yet


Wordfence, incorporated in Defiant Inc. a Delaware company, has garnered more than 2 million active users. It provides login security, web application firewall, security scanning and IP blocking.


Mark Maunder’s Feedjit started off as a Real-Time Analytics company, then the founders branched out to security when one of them was hacked.

This means that the combined 40 years of experience in programming at Fortune 500 companies such as the BBC, Coca-Cola, and Norton Antivirus culminated into Wordfence.

The Plugin

The plugin funnels down it’s resources to Brute Force Attacks prevention mainly.

Wordfence allows mobile sign-ins, but its real star feature is the Real Time threat defence feed, considering that it is an offshoot of an analytics company. It uses this proprietary feed to alert the users to hacks and compromises.

It also utilizes this expansive network to keep an eye on the known IPs of attackers, which is then blocked from entering all websites with Wordfence installed on them. Wordfence even scans your site for more than 44,000 known malicious malware signatures.

There is a built-in firewall to prevent any abnormal attacks on your website. These can be something like XMLRPC probing or any malicious login attempts through the API or any other way. You can run the firewall in a learning mode to familiarize yourself with the system. Meanwhile, Wordfence itself tracks the regular user activities and won’t risk locking out a legitimate user.

You can also choose to schedule the firewall enabling.


  • Scan the public configuration
  • of your site
  • Access WordPress Security Learning Center on official website
  • Real-Time Monitoring using Threat Defense Feed
  • Live traffic with IP, hostname, browser of the users
  • Wordfence Firewall blocks brute force attacks
  • Implements a site-wide firewall to protect you from common threats
  • Blocks individual users and entire networks of known attackers
  • Enforces tough security measures for login pages
  • Scans for known WordPress security threats
  • Supports WordPress Multisite
  • IP Blocking Features
  • Use mobile phones as two-factor authentication tool
  • Monitors unauthorized DNS changes
  • Tracks disk space
  • Enforce strong passwords for all user accounts
  • Hacked File repair
  • Checks for backups
  • Checks for the presence of malware in log files, posts, comments.
  • Checks the strength and complexity of user and admin passwords,
  • Compatible with most of the themes and plugins
  • Micromanage and customize security settings


Free version – Wordfence Security

Premium Wordfence is at one’s disposal in the form of API Keys. These can be bought based on the number of sites you want to protect using Wordfence and the number of years for which you want the license for.

Wordfence Security for One website with 1 Key for 1 Year validity at $99.

Wordfence Security for Two Websites will require 2 Keys for 1 Year costs $149.

Wordfence Security for Three Websites will require 3 Keys for 1 Year costs $200, and so on.


  • If you’re new to WordPress and security plugins in general, you’ll have to consult Wordfence documentation to understand anything. That isn’t necessarily a bad thing, but the learning curve takes that much more time and effort technically.
  • Paid members get customer support priority, while other customers have to wait in line to receive their services.
  • Scans entire website for vulnerabilities each time, taking up a lot of bandwidth and sometimes overloading your server.


Sucuri, Inc. is a Delaware Corporation. It is a cloud-based Internet security company that has distributed to more than 12 countries all over the world. There are 2 main products: Website Firewall and Website Security Platform. The Sucuri Firewall runs on a globally distributed Anycast network whereas the Website Security Platform offers additional malware detection and removal.


Sucuri’s co-founder Daniel Cid named Sucuri after a Brazilian tank destroyer. It was an offshoot of his company OSSEC. Sucuri started off as a network-based integrity monitor. Then it expanded into also looking for compromise indicators. Now it includes web-specific malware cleaning for a complete package.

The Plugin

The Platform Security identifies any Indicator of Compromise (IoC) and alerts website owners in the event of an attack. You will need a free API key in order to start using the malware scanner, however.

Sucuri offers DNS level firewall services that are easy to set up to block attacks like SQL Injections, XSS, RFU, RCE and other such known lists of malwares. It stops attacks like Distributed Denial of Service (DDoS), Brute Force, and other automated attacks looking to exploit software vulnerabilities.

Under the Professional plan, it provides users with an SSL certificate which ticks off another layer of security for your website. Sucuri enhances website performance with four levels of content caching, GZIP Compression of files and pages and data center load balancing.

Features List

  • Detects changes to the DNS, WHOIS, and SSL certificates and alert you to them.
  • Intelligent signatures will enhance the accuracy of malware detection and reduce false alerts
  • Alerts via email, SMS, slack, RSS, or custom post
  • 12 data centers and integrated caching to improve website performance
  • Mitigates DDoS attacks on your site
  • Ensures that you are using the latest versions of WordPress and PHP
  • Removes visible WordPress version
  • Protect the uploads directory
  • Restricts access to the wp-content and wp-includes directories
  • Updates security keysChecks information leakage through the readme file
  • Changes database table prefix
  • Sets default admin account and password
  • Help you deal with SEO spam by cleaning spammy keywords and removing bad backlinks
  • There is an integrated backup solution to help you restore the website quickly
  • Stops suspicious behavior to protect your site from zero-day exploits
  • Sucuri will assist you in removing your website from being listed in the blacklists such as Google Safe Browsing, Bitdefender, Norton, etc.
  • Activity Audit Logging analyzes the changes.
  • File Integrity Monitoring compares the current security state with the ideal security state.


Basic Plan for 1 website: $16.66 per month

Provides the cleaning response, scanner, and monitor brand reputation and blacklist every 12 hours, stops hacking attempts, offers advanced DDoS mitigation, provide a free SSL certificate, and offers ticketed customer support.

Pro Plan: $24.99 per month

Provides the cleaning response, scanner, and monitor brand reputation and blacklist every 6 hours, stops hacking attempts, offers advanced DDoS mitigation, provide a custom SSL certificate, and offers ticketed customer support.

Business Plan: $41.66 per month

Provides the cleaning response, scanner, and monitor brand reputation and blacklist within 30 minutes, stops hacking attempts, offers advanced DDoS mitigation, provide a custom SSL certificate, and offers ticketed customer support. You will also get support from instant chat.


  • Live chat is not included with the Basic and Pro plans.
  • Most expensive security plugin in the market.
  • The Sucuri interface may be complex to the new users

iThemes Security

iThemes Company, which was formerly called Better WP Security is a well-known name around WordPress, and so, it is not surprising to see that they came up with a security plugin of their own. Tackling 40 types of vulnerabilities with iThemes Security can be an overwhelming experience, but it is a good starting point for setting up your website’s security.


Chris Wiegman, the original developer of the Better WP Security plugin, worked with iThemes’ staff and CEO Cory Miller to create iThemes Security.

One of the iThemes servers ironically enough was hacked before this and there was a security breach of 60,000 user information since their passwords were stored in unencrypted clear text format.

The Plugin

Fast forward now, and iThemes Security has 900,000 installations.

It enforces strong password usage and blocks users after one too many login attempts. This is useful to keep malicious bots out of the site. From brute force attack protection to data obfuscation, this plugin holds a wide range of security operations.

Two Factor Authentication is a popular tool used by people who want to double verify the user trying to log in. It sends a passcode to user’s mobile device, which needs to be entered on the login page, apart from the standard password.

As long as only one person has access to the WordPress dashboard, it locks out the dashboard when they know they won’t be online – like when they are asleep or on vacation. This is an out of office functionality.

It can also detect changes in core files. Hacker’s activity like editing core files will be notified to you via email then.

Features List

  • Strong Password Enforcing
  • Security Reports
  • Locks out users with one too many failed login attempts or with 404 errors
  • Makes the admin dashboard inaccessible for an amount of time you set (if you are asleep or go on a vacation)
  • Hides or obfuscates your WordPress, and jQuery versions, and header metadata
  • Hiding or obfuscating login and admin pages
  • Removes update notifications to users
  • Changes WordPress database table prefix from the default “wp_”
  • Changes wp-content folder path where many sensitive files are stored
  • Displays a random WordPress version number to non-admin users
  • Force SSL (Secure Socket Layer) on admin page or front-end pages
  • Detects attacks on your database, files, and attacks by bots
  • Emailed database backup on a customizable schedule
  • Disable PHP execution in uploads
  • File Change Detection
  • Disable user’s author page if post count is zero
  • Brute Force Attack Protection
  • Force users to create a unique nickname when updating profile or registering
  • Limited Comment spam blocking
  • Two-factor authentication for logging in


Free version iThemes Security Lite

Two Sites Licenses: $80 per year

Ten Sites Licenses: $100 per year

Unlimited Sites licenses: $150 per year

Unlimited Sites licenses with access to iThemes 20 add-ons: $247 per year


  • This plugin is useful for preventative measures only and should not be relied on for full protection.
  • Does not offer complete protection of your sites, such as partial spam protection and malware cleaning. Post hack measures are only possibly restoring backups.
  • The plugin can very easily break your site, even for simple things like not enabling SSL
  • Advanced features like database backups, file change detection, changing your database’s prefix and changing your content directory operate on heavy usage of RAM and CPU resources, especially on shared hosting.


For some complete security peace of mind, we would recommend MalCare, especially as it gets fully developed. Wordfence is a good choice for those of us who don’t mind performing some technical operations.

Sucuri is extremely popular and expensive at the same time. iThemes Security has a huge range of features but as you can see, it does not have malware cleaning. Install a security plugin that works for you and your website, specifically so that you can have a worry-free online presence.

Installing a security plugin is only a step towards taking on the mantle of responsibility as a WordPress community member, but it is a great step. There are many other security measures that can be taken but research well before you go about installing a firewall or a Captcha plugin. Your security plugin might just have these features already.

So which security plugin turned out to be your favorite? Let me know in the comments section below.


error: Content is protected !!