MalCare or WordFence? Sucuri or iThemes? Evaluating plugins for WordPress security

MalCare vs WordFence vs Sucuri vs iThemes

Did you know? WordPress (or WP) releases a major core update every 152 days!

Since its inception, there have been around 53 security updates released by the WordPress team. According to industry statistics, only 22% of WP-powered sites are running the latest version of WordPress. It’s an alarming number. All these websites are vulnerable to hack attacks. Updates are extremely important for keeping a WordPress site safe. If you haven’t updated your site yet, it might be exploited by hackers.

Many small-time online businesses think they will be ignored by hackers. Are you one of them? Then you should know that this is not the case. Hackers are only looking to gain unauthorized access through their bot minions, and they do it for either money or just a bit of notoriety. With 50-60% of the global CMS market share belonging to WordPress, WP sites have become the number one target for hackers, bots and the rest.

According to a report, WordPress plugins account for 54% of the overall WP vulnerabilities, while WordPress themes account for 14.3% of the overall vulnerabilities. Updating websites can be a time-consuming job, which is why many security plugins offer features that track outdated themes, plugins and WP core and enable users to update these from their dashboard.

But a security plugin offers more than just updating your site. WordPress security plugins provide a secure way of protecting WordPress websites from malware and other attacks. Just like any other WP plugin, these security plugins are easy to install and provide a world of features that are easy to implement on your WordPress website.

In this article, we provide you with a comparison of the leading WP security plugins including their features, background, and market pricing.


MalCare

Along with unlimited clean-ups, the WordPress security plugin uses over 100 intelligent signals to find the exact location of malware so that it can be removed without delay. What stands out in this plugin are security features such as a powerful scanner, a one-click cleaner, a firewall, website hardening, white-labeling, and a lot more.

A Little Background

MalCare is developed by the same team that built BlogVault, a WordPress backup plugin that has been used on over 90,000 websites. While working on the backup solutions, the team observed a typical pattern among the security issues faced by their customers and decided to develop an effective security plugin.

They analyzed over 240,000 WordPress websites powered by MalCare AI and developed security algorithms for about three years. MalCare tracks every minute change in the website with 100+ intelligent signals that enable the security solution to detect even the most complex and unknown malware.

About MalCare

MalCare offers Advanced Deep Scan technology, a result of its security analysis of over 240,000 websites. By executing the scanning operations on its own servers (and not on the client’s web server), it prevents the website from being affected. Additionally, it features a user-friendly one-click malware cleaning process to clean the site.

This security plugin can prevent brute force attacks by using features such as login protection and its web application firewall (WAF). Along with easy enabling (and disabling), MalCare provides a visual display of successful and blocked web requests. Other features include changing of security keys, protection of upload folders, security grading, and backup services at the click of a button.

Some of its Features

  • Daily automatic scan
  • Early malware detection
  • Firewall prevents bad traffic and brute force attacks
  • Website hardening measures
  • Website management
  • White-labeling & client reporting


MalCare offers both free and paid versions.

| Plan | Number of websites | Pricing |
|---|---|---|
| Yearly plans | | |
| Personal plan | 1 | $99 (Security), $149 (Security+Backup) |
| Business plan | 5 | $259 (Security), $359 (Security+Backup) |
| Monthly plans | | |
| Developer plan | 20 | $59 (Security), $79 (Security+Backup) |
| Agency plan | 100 | $159 (Security), $199 (Security+Backup) |


  • The Free version does not clean malware, only scans for it.
  • No two-factor authentication, but having talked to the support team, I found out that they are working on enabling it soon.


Wordfence

Developed by Defiant Inc., a Delaware-based company, Wordfence is a WP security plugin that is being used by more than 2 million people. Along with login security, Wordfence provides a web application firewall (WAF), IP blocking, and scanning capabilities.

A Little Background

Since its inception in the year 2011, Wordfence has been used by over 3 million WordPress users. Its parent company, Feedjit, was a real-time analytics company, which later added a WordPress security plugin to its product offering after the website of one of the company’s founders (Mark Maunder) was hacked.

Following the success of his security plugin, Mark Maunder decided to form Wordfence as a separate company to solve WordPress security issues for global WP users.

About Wordfence

Having evolved from a real-time analytics company, Wordfence’s primary feature is its proprietary Real-Time threat defense, which provides timely alerts about website hacks and security compromises to its users.

Along with prevention of brute force attacks, Wordfence monitors bad IP addresses and prevents hackers from accessing a user’s site. Additionally, it can scan individual sites in an attempt to detect over 44,000 known malware signatures.

The built-in WAF prevents XMLRPC probing and other malicious logins from accessing your websites. You can also run the WAF in learning mode and schedule the firewall.

Some of its Features

  • Real-time monitoring using Real Time threat defense feed
  • Monitoring of website traffic with IP address, hostname, and browser information
  • Prevention of brute force attacks
  • Access to Wordfence security learning center
  • IP blocking and tracking of unauthorized DNS changes


Wordfence is available in both free and premium versions.

| Premium plans (number of websites and keys) | Pricing per annum |
|---|---|
| One site with one key | $99 |
| Two websites with two keys | $149 |
| Three websites with three keys | $200 |


  • Requires a longer learning curve due to technical details.
  • Premium plan customers receive higher priority in customer services.
  • Can overload your web server during malware scanning for vulnerabilities.


Sucuri

A cloud-based security company, Sucuri has a client base from over 12 countries. It offers mainly two products – the Website security solution and the Website firewall. The firewall is hosted on the global Anycast platform, and the website security product is used for malware scanning and removal.

A Little Background

Named after the Brazilian tank destroyer, Sucuri was co-founded by Daniel Cid as an offshoot of his company, OSSEC. Initially developed as a network integrity monitor, Sucuri expanded its product capabilities to include malware detection and cleaning.

About Sucuri

The platform security product alerts website owners of any hack or compromise using the malware scanner. This security plugin also has DNS-level firewall features that can prevent a variety of attacks including SQL injections, brute force attacks, even Distributed Denial of Service (DDoS), XSS, and other known malware attacks.

Under the professional subscription plan, website users are provided with SSL certification as well. Sucuri can also ensure high-speed website performance with multiple levels of content caching, file compression, and data center load balancing.

Some of its Features

  • Detection of DNS and SSL certificate changes
  • Uses intelligent signals for malware detection that helps reduce false alerts
  • Over 12 data centers and caching for improving website performance
  • Mitigation of DDoS attacks
  • Hiding of WordPress version
  • Protection of the uploads folder and restricted access to the wp-content and wp-includes folders


Sucuri offers both free and paid services.

| Plan | Includes | Pricing per month |
|---|---|---|
| Basic plan | Website cleaning and scanning; Advanced DDoS mitigation; Free SSL certificate; Blacklist monitoring every 12 hours | |
| Pro plan | Website cleaning and scanning; Advanced DDoS mitigation; Free SSL certificate; Blacklist monitoring every 6 hours | |
| Business plan | Website cleaning and scanning; Advanced DDoS mitigation; Free SSL certificate; Blacklist monitoring every 30 minutes; Instant chat support | |



  • Chat support not included with Basic and Pro plans.
  • Expensive as compared to other security plugins.
  • Complex user interface.

iThemes Security

Formerly known as Better WP Security, iThemes Security is among the more popular WordPress security plugins, protecting against over 40 types of website vulnerabilities. It has over 90,000 installations across the globe.

A Little Background

iThemes Security was created by the Better WP Security plugin developer, Chris Wiegman, in association with iThemes CEO, Cory Miller, and his development team. The idea of developing their security plugin evolved after the hacking of one of the iThemes servers, which resulted in the data breach of over 60,000 customer information records.

About iThemes Security

The iThemes Security plugin offers a variety of security features for protection from brute force attacks, data obfuscation, and malicious bot attacks. Additionally, the two-factor authentication tool provided by this security plugin is useful to authenticate the identity of the user trying to log in to your website.

Another useful feature is the out-of-office functionality, which blocks the offline user from accessing the dashboard. This security plugin detects and alerts website owners of any changes made in the core WordPress files.

Some of its Features

  • Password enforcing and 2-factor authentication
  • Blocking of users after repeated failed login attempts
  • Inaccessibility of dashboard for scheduled time-off (vacation or sleep mode)
  • Obfuscation of WordPress and jQuery versions, along with metadata
  • Changing of database table prefix from the default “wp_”
  • SSL for admin pages and landing pages


There is no free version available for iThemes Security. Take a look at the premium plans.

| Licensed version (number of websites) | Pricing per annum |
|---|---|
| Two sites | $80 |
| Ten websites | $100 |
| Unlimited websites | $150 |
| Unlimited websites with access to iThemes add-ons | $247 |


  • Does not offer complete protection against malware and can be used only for preventive measures.
  • Simple operations such as SSL disabling can break your website.
  • Heavy use of RAM and CPU resources for advanced security operations such as database backups, file change detection, and changing the default content directory.


While no website can be made completely hack-proof, WordPress security plugins do offer some degree of security and protection. Installing a security plugin on your website is a worthwhile investment, particularly if your business depends on the smooth functioning of the site.

We have discussed the major security plugins available in the market as per your security needs and budget. Each comes with its own set of features and limitations. While MalCare does not require any technical know-how to be implemented, iThemes Security offers a good range of features for your valuable investment. On the other hand, Wordfence provides excellent technical operations, while the majority of WordPress users use Sucuri.

For best results, evaluate each security plugin well and see which one is a perfect fit for your website.