
Wordfence or Malcare? Why I Prefer None

Should you use Wordfence or Malcare? And are they even sufficient security tools? Securing a Wordpress site with third party plugins and themes is probably harder than you think.


Edited: 2020-11-24 10:38

When it comes to security software for Wordpress, such as Wordfence and Malcare, my first objection is that such plugins tend not to be free; or someone might decide to buy the "premium" or "pro" version, which tends to complicate the website implementation and make it harder to maintain for developers. Of course, that is also a problem with many other popular Wordpress plugins, including Advanced Custom Fields Pro, but my point is that it tends to make it more difficult and tedious for developers to work with the website.

For example, when I get a Wordpress job, I often battle with these paid plugins, since I do not have the license keys or necessary access to update them. Extra time is spent e-mailing the client to get the keys; sometimes the client might also have thrown away the "keys", and, more rarely, they might not even know what these plugins are, or why they are installed, and so on. This is a general problem with Wordpress. Often a client will also install something they do not really need, because that is what "was recommended to them", and it can be hard to convince them otherwise.

When I studied Multimedia design at KEA in Copenhagen, students were told to install Wordfence — or at least introduced to it. This is, of course, mostly a front-end orientated education, so it may be justifiable. But, obviously the best approach is to make sure your system is secure; unfortunately, with Wordpress and third party plugin use, that is very difficult to do. You could probably scan the code for certain PHP functions, and then analyze how these are used — but few people do that.
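A first pass at the scan mentioned above, as an added example that is not part of the original article: it lists call sites of PHP functions that deserve manual review and ranks files by hit count. The function list and the names `scan_php_calls` and `rank_php_files` are assumptions chosen for illustration; every hit still has to be read in context.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumed review list: code execution, command execution, file writes,
# decoding and deserialization. Extend it to suit the code base.
RISKY_PHP_FUNCS='eval|assert|system|exec|shell_exec|passthru|popen|proc_open|base64_decode|file_put_contents|fwrite|unserialize'

# Print "file:line:source" for each matching call under directory $1.
# The leading character class skips method calls (->exec, ::exec),
# variables ($exec) and longer names such as curl_exec.
scan_php_calls() {
    find "$1" -type f -name '*.php' -exec \
        grep -nHE "(^|[^A-Za-z0-9_>:\$])($RISKY_PHP_FUNCS)[[:space:]]*\(" {} +
}

# Count hit lines per file, most hits first, to decide what to read first.
rank_php_files() {
    scan_php_calls "$1" | cut -d: -f1 | sort | uniq -c | sort -rn
}

# Usage: ./scan.sh /path/to/wordpress/wp-content
[ $# -eq 0 ] || rank_php_files "$1"
```

Matches inside comments and strings are reported too, so treat the output as a reading list rather than a verdict.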

The question is, when you rely on third party plugins and themes, how do you secure your site? The answer is that you typically do not. There is no reasonable way to know if there is some unknown backdoor in a plugin, which allows an attacker to either read the entire database and file system, or — often worse — write to the file system and gain full control over the system. I think Wordpress core is more tested and secure, so one way to go about it is to not use third party plugins/themes.

Should you rely on Wordfence to create an extra layer of security? Well. Wordfence does have a free version, so it probably does little harm if you configure it properly — but, I would not rely on these security plugins as my only security, and preferably I would not install them at all. As a developer, I would do other things to secure a site.

Disable write access to certain files and directories

Just like in an operating system, system files should not be writable by everything. If you disable write-access to certain files and directories, after fully updating the system, you will probably prevent the majority of hacking attempts from succeeding. This will not protect against vulnerabilities that give a hacker access to database input/output — but those should be rarer, and probably less severe in most cases. The problem is that the site is harder to update, and you might find it easier to update using a terminal tool like WP-CLI.

Generally, it should be safe to disable write-access to the plugins and themes directories, including their contents. But Wordpress needs to have write access to some directories, including the uploads and backups directories. You should not make it impossible for users to upload files entirely — maintaining some write-access is just fine.

Also, sometimes you might encounter a plugin that writes data to its own directory — even though this is a bit of a bad practice — so you should carefully test which file permissions work for your system.
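The permission scheme described above, as an added example that is not part of the original article: plugin and theme code loses its write bits, the uploads directory is left alone, and an audit function reports anything that is still writable. It assumes the default `wp-content` layout; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the default layout
# (wp-content/plugins, wp-content/themes, wp-content/uploads).

# Directories holding executable code, relative to the WordPress root.
WP_CODE_DIRS='wp-content/plugins wp-content/themes'

# Remove every write bit from plugin and theme code. uploads/ is not
# touched, so media uploads keep working.
wp_lock_code() {
    for d in $WP_CODE_DIRS; do
        [ -d "$1/$d" ] || continue
        chmod -R a-w "$1/$d"
    done
}

# Give the owner write access back, e.g. right before updating with WP-CLI.
wp_unlock_code() {
    for d in $WP_CODE_DIRS; do
        [ -d "$1/$d" ] || continue
        chmod -R u+w "$1/$d"
    done
}

# Audit: print anything under the code directories that is still writable
# by owner, group or others. Empty output means the lock is in place.
wp_writable_code() {
    for d in $WP_CODE_DIRS; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" \( -perm -200 -o -perm -020 -o -perm -002 \) -print
    done
}

# Usage: ./wp-perms.sh lock|unlock|audit /path/to/wordpress
case "${1:-}" in
    lock)   wp_lock_code "$2" ;;
    unlock) wp_unlock_code "$2" ;;
    audit)  wp_writable_code "$2" ;;
esac
```

If PHP runs as the owner of these files, code that is already executing can restore the write bits, so the lock is stronger when the code is owned by a separate account. Running the audit from a scheduled job shows when a plugin or an update has quietly made the tree writable again.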

Taking regular backups of your website is also a very effective tool in recovering from successful hacks. But you should really not allow it to get to this point. If a hacker has gained access to the database, sensitive data could be compromised, and that is potentially a far worse scenario than having to "just" restore your website after a hack.

According to data protection laws such as GDPR, you might also be required to inform your users, and relevant authorities, that you got hacked. You might want to seek legal advice about this subject as it is fairly complex.

Disabling write access is not enough

Websites that deal with customer data should of course fulfill the relevant privacy laws, but more importantly, they should be secured from the back-end — that means you should generally avoid front-end security software such as Wordfence and Malcare; it is no substitute for actually securing your site.

What does this mean? In extreme cases, it could mean your developer opts to not use third party plugins from little known authors, and to keep sensitive customer data on a separate server — or at least encrypt the data as an extra layer of security. The fact that a hacker has gained access to the database does not necessarily mean they also got access to reading the file system — so if the data is encrypted, it will most likely be completely useless to them.

Realistically, such setups are probably not going to happen for most smaller businesses. But, this just highlights the complexity of the problems Wordpress developers are facing. Security is not easy — it is very hard!

Security plugins for Wordpress are a bit like antivirus for Windows: they do not guard against everything, and often you will be fine without them; but you do need to have some idea about what you are doing! Wordfence is still fine if that is all you have — but you should also know that it is probably not sufficient to keep you protected.

