MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Security & Risk Analysis

wordpress.org/plugins/malcare-security

Get Bulletproof Security for your WordPress site. WordPress security plugin packed with comprehensive Firewall, malware scanner, cleaner & more.

200K active installs · v6.36 · PHP 7.0+ · WP 4.0+ · Updated Jan 29, 2026
Tags: firewall, malware-removal, malware-scanner, vulnerabilities, wordpress-security
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Safe to Use in 2026?

Generally Safe

Score 100/100

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The MalCare Security plugin, version 6.36, exhibits a mixed security posture. On the positive side, it adheres to secure coding practices in several areas. The vast majority of its SQL queries use prepared statements, and a high percentage of its output is properly escaped, which significantly reduces the risk of SQL injection and cross-site scripting (XSS) vulnerabilities, respectively. Furthermore, the plugin has no recorded history of vulnerabilities, indicating a potentially robust development and patching process over time.

However, the plugin does present notable security concerns, primarily related to its attack surface. Two AJAX handlers were identified, and both lack authentication checks, so there is a significant risk of unauthorized actions being performed. Direct access to functionality without proper authorization is a common vector for exploitation. The taint analysis found zero flows, which is positive, but the lack of auth checks on entry points could still allow exploitation that taint analysis would not detect if the exploit does not involve direct data manipulation in a way the tool recognizes.

In conclusion, while MalCare Security demonstrates good practices in areas like SQL and output handling, the unprotected AJAX endpoints represent a significant weakness that should be addressed immediately. The absence of known vulnerabilities is encouraging but does not negate the risks posed by the current code. Addressing the authentication checks on the AJAX handlers would greatly improve the plugin's overall security standing.

Key Concerns

  • Unprotected AJAX handlers present
  • Dangerous functions (exec, popen, unserialize) found
Vulnerabilities
None known

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 5 (12 prepared)
Unescaped Output: 5 (185 escaped)
Nonce Checks: 3
Capability Checks: 7
File Operations: 25
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

exec: $execRes = exec('crontab -l', $output, $retval); (callback\wings\security.php:19)
popen: $handle = popen('crontab -l', 'rb'); (callback\wings\security.php:27)
unserialize: $assets = @unserialize($serialized_assets); (wp_admin.php:276)

SQL Query Safety

71% prepared, 17 total queries

Output Escaping

97% escaped, 190 total outputs
Attack Surface
2 unprotected

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers 2

auth: wp_ajax_bvadm (malcare.php:167)
nopriv: wp_ajax_bvadm (malcare.php:168)

WordPress Hooks 230

filter: upgrader_clear_destination (callback\wings\manage.php:345)
filter: upgrader_source_selection (callback\wings\manage.php:395)
filter: upgrader_pre_install (callback\wings\manage.php:507)
filter: upgrader_post_install (callback\wings\manage.php:508)
filter: upgrader_clear_destination (callback\wings\manage.php:509)
filter: upgrader_source_selection (callback\wings\manage.php:557)
filter: upgrader_source_selection (callback\wings\manage.php:710)
filter: upgrader_post_install (callback\wings\manage.php:712)
action: init (form_testing\form_testing.php:67)
filter: akismet_get_api_key (form_testing\form_testing.php:74)
filter: wpcf7_skip_spam_check (form_testing\handlers\contact_form7.php:26)
action: wpcf7_before_send_mail (form_testing\handlers\contact_form7.php:30)
filter: frm_is_field_hidden (form_testing\handlers\formidable_form.php:26)
filter: frm_send_email (form_testing\handlers\formidable_form.php:30)
filter: gform_pre_send_email (form_testing\handlers\gravity_form.php:41)
filter: ninja_forms_pre_validate_field_settings (form_testing\handlers\ninja_form.php:26)
filter: ninja_forms_run_action_type_recaptcha (form_testing\handlers\ninja_form.php:33)
filter: ninja_forms_action_email_send (form_testing\handlers\ninja_form.php:37)
filter: wpforms_process_bypass_captcha (form_testing\handlers\wp_form.php:26)
filter: wpforms_entry_email (form_testing\handlers\wp_form.php:30)
action: wp_footer (malcare.php:65)
action: mc_clear_bv_services_config (malcare.php:66)
action: admin_init (malcare.php:81)
filter: all_plugins (malcare.php:82)
filter: plugin_row_meta (malcare.php:83)
filter: debug_information (malcare.php:84)
action: network_admin_menu (malcare.php:86)
action: admin_menu (malcare.php:88)
filter: plugin_action_links (malcare.php:90)
action: admin_head (malcare.php:91)
action: admin_enqueue_scripts (malcare.php:94)
action: admin_footer (malcare.php:95)
action: admin_notices (malcare.php:97)
action: admin_enqueue_scripts (malcare.php:98)
action: mc_remove_bv_preload_include (malcare.php:109)
action: wp_loaded (malcare.php:165)
action: mc_clear_pt_config (malcare.php:185)
filter: auto_update_core (malcare.php:205)
filter: auto_update_theme (malcare.php:208)
filter: themes_auto_update_enabled (malcare.php:209)
filter: auto_update_plugin (malcare.php:212)
filter: plugins_auto_update_enabled (malcare.php:213)
filter: auto_update_translation (malcare.php:216)
filter: site_transient_update_plugins (malcare.php:222)
action: mc_clear_wp_2fa_config (malcare.php:238)
action: mc_clear_php_error_config (php_error_monitoring\monitoring.php:33)
action: init (protect\fw.php:934)
action: init (protect\fw.php:940)
filter: authenticate (protect\lp.php:98)
action: wp_login (protect\lp.php:99)
action: wp_login_failed (protect\lp.php:100)
action: wp_enqueue_scripts (wp_2fa\wp_2fa.php:45)
filter: authenticate (wp_2fa\wp_2fa.php:46)
action: login_form (wp_2fa\wp_2fa.php:47)
action: pre_post_update (wp_actlog.php:478)
action: save_post (wp_actlog.php:479)
action: post_stuck (wp_actlog.php:480)
action: post_unstuck (wp_actlog.php:481)
action: delete_post (wp_actlog.php:482)
action: comment_post (wp_actlog.php:485)
action: edit_comment (wp_actlog.php:486)
action: transition_comment_status (wp_actlog.php:487)
action: create_term (wp_actlog.php:490)
action: pre_delete_term (wp_actlog.php:491)
action: delete_term (wp_actlog.php:492)
filter: wp_update_term_data (wp_actlog.php:493)
action: user_register (wp_actlog.php:496)
action: wpmu_new_user (wp_actlog.php:497)
action: profile_update (wp_actlog.php:498)
action: delete_user (wp_actlog.php:499)
action: wpmu_delete_user (wp_actlog.php:500)
action: activate_plugin (wp_actlog.php:503)
action: deactivate_plugin (wp_actlog.php:504)
action: switch_theme (wp_actlog.php:505)
action: wp_insert_site (wp_actlog.php:508)
action: archive_blog (wp_actlog.php:509)
action: unarchive_blog (wp_actlog.php:510)
action: activate_blog (wp_actlog.php:511)
action: deactivate_blog (wp_actlog.php:512)
action: wp_delete_site (wp_actlog.php:513)
action: wp_login (wp_actlog.php:516)
action: wp_logout (wp_actlog.php:517)
action: password_reset (wp_actlog.php:518)
action: upgrader_process_complete (wp_actlog.php:521)
action: _core_updated_successfully (wp_actlog.php:522)
action: woocommerce_attribute_added (wp_actlog.php:525)
action: woocommerce_attribute_updated (wp_actlog.php:526)
action: woocommerce_before_attribute_delete (wp_actlog.php:527)
action: woocommerce_attribute_deleted (wp_actlog.php:528)
action: woocommerce_tax_rate_added (wp_actlog.php:530)
action: woocommerce_tax_rate_deleted (wp_actlog.php:531)
action: woocommerce_tax_rate_updated (wp_actlog.php:532)
action: woocommerce_grant_product_download_access (wp_actlog.php:534)
action: woocommerce_ajax_revoke_access_to_product_download (wp_actlog.php:535)
action: woocommerce_shipping_zone_method_added (wp_actlog.php:537)
action: woocommerce_shipping_zone_method_status_toggled (wp_actlog.php:538)
action: woocommerce_shipping_zone_method_deleted (wp_actlog.php:539)
action: admin_enqueue_scripts (wp_admin.php:92)
action: in_admin_header (wp_admin.php:98)
action: all_admin_notices (wp_admin.php:99)
action: mc_clear_dynsync_config (wp_dynsync.php:23)
action: delete_comment (wp_dynsync.php:560)
action: wp_set_comment_status (wp_dynsync.php:561)
action: trashed_comment (wp_dynsync.php:562)
action: untrashed_comment (wp_dynsync.php:563)
action: wp_insert_comment (wp_dynsync.php:564)
action: comment_post (wp_dynsync.php:565)
action: edit_comment (wp_dynsync.php:566)
action: added_comment_meta (wp_dynsync.php:569)
action: updated_comment_meta (wp_dynsync.php:570)
action: deleted_comment_meta (wp_dynsync.php:571)
action: added_user_meta (wp_dynsync.php:574)
action: updated_user_meta (wp_dynsync.php:575)
action: deleted_user_meta (wp_dynsync.php:576)
action: added_usermeta (wp_dynsync.php:577)
action: update_usermeta (wp_dynsync.php:578)
action: delete_usermeta (wp_dynsync.php:579)
action: user_register (wp_dynsync.php:582)
action: password_reset (wp_dynsync.php:583)
action: profile_update (wp_dynsync.php:584)
action: deleted_user (wp_dynsync.php:585)
action: delete_post (wp_dynsync.php:588)
action: trash_post (wp_dynsync.php:589)
action: untrash_post (wp_dynsync.php:590)
action: edit_post (wp_dynsync.php:591)
action: save_post (wp_dynsync.php:592)
action: wp_insert_post (wp_dynsync.php:593)
action: edit_attachment (wp_dynsync.php:594)
action: add_attachment (wp_dynsync.php:595)
action: delete_attachment (wp_dynsync.php:596)
action: private_to_publish (wp_dynsync.php:597)
action: wp_restore_post_revision (wp_dynsync.php:598)
action: added_post_meta (wp_dynsync.php:602)
action: update_post_meta (wp_dynsync.php:603)
action: updated_post_meta (wp_dynsync.php:604)
action: delete_post_meta (wp_dynsync.php:605)
action: deleted_post_meta (wp_dynsync.php:606)
action: added_postmeta (wp_dynsync.php:607)
action: update_postmeta (wp_dynsync.php:608)
action: delete_postmeta (wp_dynsync.php:609)
action: edit_link (wp_dynsync.php:612)
action: add_link (wp_dynsync.php:613)
action: delete_link (wp_dynsync.php:614)
action: created_term (wp_dynsync.php:617)
action: edited_term (wp_dynsync.php:618)
action: edited_terms (wp_dynsync.php:619)
action: delete_term (wp_dynsync.php:620)
action: edit_term_taxonomy (wp_dynsync.php:621)
action: delete_term_taxonomy (wp_dynsync.php:622)
action: edit_term_taxonomies (wp_dynsync.php:623)
action: add_term_relationship (wp_dynsync.php:624)
action: delete_term_relationships (wp_dynsync.php:625)
action: set_object_terms (wp_dynsync.php:626)
action: switch_theme (wp_dynsync.php:628)
action: activate_plugin (wp_dynsync.php:629)
action: deactivate_plugin (wp_dynsync.php:630)
action: deleted_option (wp_dynsync.php:633)
action: updated_option (wp_dynsync.php:634)
action: added_option (wp_dynsync.php:635)
action: wp_handle_upload (wp_dynsync.php:638)
action: wp_update_attachment_metadata (wp_dynsync.php:639)
action: wpmu_new_blog (wp_dynsync.php:643)
action: delete_site_option (wp_dynsync.php:644)
action: add_site_option (wp_dynsync.php:645)
action: update_site_option (wp_dynsync.php:646)
action: woocommerce_remove_order_items (wp_dynsync.php:649)
action: woocommerce_update_order (wp_dynsync.php:650)
action: woocommerce_delete_order (wp_dynsync.php:651)
action: woocommerce_trash_order (wp_dynsync.php:652)
action: woocommerce_resume_order (wp_dynsync.php:653)
action: woocommerce_new_order_item (wp_dynsync.php:654)
action: woocommerce_update_order_item (wp_dynsync.php:655)
action: woocommerce_delete_order_item (wp_dynsync.php:656)
action: woocommerce_delete_order_items (wp_dynsync.php:657)
action: added_order_item_meta (wp_dynsync.php:658)
action: updated_order_item_meta (wp_dynsync.php:659)
action: deleted_order_item_meta (wp_dynsync.php:660)
action: woocommerce_attribute_added (wp_dynsync.php:662)
action: woocommerce_attribute_updated (wp_dynsync.php:663)
action: woocommerce_attribute_deleted (wp_dynsync.php:664)
action: woocommerce_tax_rate_added (wp_dynsync.php:666)
action: woocommerce_tax_rate_deleted (wp_dynsync.php:667)
action: woocommerce_tax_rate_updated (wp_dynsync.php:668)
action: woocommerce_new_webhook (wp_dynsync.php:670)
action: woocommerce_webhook_updated (wp_dynsync.php:671)
action: woocommerce_webhook_deleted (wp_dynsync.php:672)
action: woocommerce_download_product (wp_dynsync.php:674)
action: woocommerce_grant_product_download_access (wp_dynsync.php:675)
action: woocommerce_ajax_revoke_access_to_product_download (wp_dynsync.php:676)
action: woocommerce_deleted_order_downloadable_permissions (wp_dynsync.php:677)
action: woocommerce_new_payment_token (wp_dynsync.php:679)
action: woocommerce_payment_token_created (wp_dynsync.php:680)
action: woocommerce_payment_token_updated (wp_dynsync.php:681)
action: woocommerce_payment_token_deleted (wp_dynsync.php:682)
action: added_payment_token_meta (wp_dynsync.php:683)
action: updated_payment_token_meta (wp_dynsync.php:684)
action: deleted_payment_token_meta (wp_dynsync.php:685)
action: woocommerce_shipping_zone_method_added (wp_dynsync.php:687)
action: woocommerce_shipping_zone_method_status_toggled (wp_dynsync.php:688)
action: woocommerce_shipping_zone_method_deleted (wp_dynsync.php:689)
action: woocommerce_delete_shipping_zone (wp_dynsync.php:691)
action: woocommerce_delete_shipping_zone_method (wp_dynsync.php:692)
action: woocommerce_api_create_product_attribute (wp_dynsync.php:694)
action: woocommerce_api_edit_product_attribute (wp_dynsync.php:695)
action: woocommerce_note_created (wp_dynsync.php:697)
action: woocommerce_note_updated (wp_dynsync.php:698)
action: woocommerce_note_deleted (wp_dynsync.php:699)
action: woocommerce_analytics_update_order_stats (wp_dynsync.php:701)
action: woocommerce_analytics_delete_order_stats (wp_dynsync.php:702)
action: woocommerce_analytics_update_product (wp_dynsync.php:704)
action: woocommerce_analytics_delete_product (wp_dynsync.php:705)
action: woocommerce_analytics_new_customer (wp_dynsync.php:707)
action: woocommerce_analytics_update_customer (wp_dynsync.php:708)
action: woocommerce_analytics_delete_customer (wp_dynsync.php:709)
action: woocommerce_analytics_update_coupon (wp_dynsync.php:711)
action: woocommerce_analytics_delete_coupon (wp_dynsync.php:712)
action: woocommerce_analytics_update_tax (wp_dynsync.php:714)
action: woocommerce_analytics_delete_tax (wp_dynsync.php:715)
action: woocommerce_updated_product_stock (wp_dynsync.php:717)
action: woocommerce_updated_product_sales (wp_dynsync.php:718)
action: woocommerce_updated_product_price (wp_dynsync.php:719)
action: wp_trash_post (wp_dynsync.php:721)
action: untrashed_post (wp_dynsync.php:722)
action: woocommerce_after_single_product_ordering (wp_dynsync.php:724)
action: woocommerce_update_product (wp_dynsync.php:725)
action: woocommerce_update_product_variation (wp_dynsync.php:726)
action: woocommerce_payment_token_set_default (wp_dynsync.php:728)
action: woocommerce_grant_product_download_permissions (wp_dynsync.php:729)
action: login_head (wp_login_whitelabel.php:24)
filter: login_message (wp_login_whitelabel.php:25)

Maintenance & Trust

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 7.0
Downloads: 17.4M

Community Trust

Rating: 86/100
Number of ratings: 519
Active installs: 200K

Developer Profile

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall Developer Profile

malcare

1 plugin · 200K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/malcare-security/css/malcare-main.css
  • /wp-content/plugins/malcare-security/js/malcare-script.js
  • /wp-content/plugins/malcare-security/css/malcare-admin.css
  • /wp-content/plugins/malcare-security/js/malcare-admin.js
  • /wp-content/plugins/malcare-security/wp_2fa/css/wp_2fa-style.css
  • /wp-content/plugins/malcare-security/wp_2fa/js/wp_2fa-script.js
  • /wp-content/plugins/malcare-security/form_testing/css/form_testing.css
  • /wp-content/plugins/malcare-security/form_testing/js/form_testing.js
  • +2 more

Script Paths
  • /wp-content/plugins/malcare-security/js/malcare-script.js
  • /wp-content/plugins/malcare-security/wp_2fa/js/wp_2fa-script.js
  • /wp-content/plugins/malcare-security/form_testing/js/form_testing.js
  • /wp-content/plugins/malcare-security/php_error_monitoring/js/monitoring.js

Version Parameters
  • malcare-security/style.css?ver=
  • malcare-security/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • malcare-premium-notice
  • malcare-header-logo
  • malcare-dashboard-widget
  • malcare-settings-section
  • malcare-security-tab
  • mcwps-admin-wrapper
  • mcwps-plugin-list-item

HTML Comments
  • MalCare WordPress Security Plugin
  • MalCare Security Firewall
  • MalCare Malware Scanner

Data Attributes
  • data-malcare-scan-id
  • data-malcare-action
  • data-malcare-nonce

JS Globals
  • malcare_settings
  • malcare_ajax_url
  • malcare_nonce
  • malcare_admin_data

REST Endpoints
  • /wp-json/malcare/v1/scan
  • /wp-json/malcare/v1/settings