WordPress Malware Removal — Product Comparison — Top 5

cory marsh
8 min read · Jan 30, 2023


[Image: two robots facing off for combat. Caption: Battle of the Malware Scanners]

Testing WordPress malware removal top 5 scanners — we have the receipts.

In today’s digital world, website security is more important than ever. WordPress is one of the most popular content management systems, making up over 40% of the web. Keeping your WordPress site secure requires investing in quality tools, and quality tools are even more critical when recovering from a malware hack. In this article, we will compare five leading WordPress security products: WordFence, MalCare, BitFire, MalCure, and All-In-One WordPress Security. We will examine the features and capabilities of each product and provide our verdict on which one provides the most effective security protection for your WordPress site.

During our testing, we selected malware samples from the largest and most popular PHP malware lists hosted on GitHub. This was the most level playing field since the malware samples are open-source and commonly available to everyone; they should be easily recognized. We used the freshest samples we could find, which were all from 2020–2021. Our testing was performed in January 2023.

In addition to the GitHub samples, we wrote several small custom malware samples that ranged from creating backdoor administrator accounts and uploading files to executing system commands. These additional samples did not attempt to hide or obfuscate their intent beyond simple variable assignment such as “$g = $_GET[‘g’];”.

Malware samples used in testing, along with which scanners detected which files are available at: https://github.com/bitslip6/malware-test

TL;DR — Top 5

1: BitFire - fastest and most malware detected. Responsive UI, medium false positives.
2: MalCure - detected the second most malware with low false positives, but did not report why a file was flagged and requires purchase of its $147 manual removal.
3: WordFence - not as fast, detected less malware, and the most false positives of any scanner tested, but the free file repair was nice if you can figure out which files to repair.
4: MalCare - detected the least malware during testing, but at $99 for malware removal, their paid manual removal process is a bargain.
5: All-In-One - after waiting 24 hours for the malware scan, it only returned the Google blacklist check. 0 malware found.

Results:

The results were very interesting. Of the 22 malware samples tested, 21 were detected by two or more of the tested plugins. This indicates that the malware sample selection was not biased toward any of the plugins, as each sample was detected by multiple vendors. Our test website had 13 plugins installed: 11 were from the WordPress plugin repository and 2 were third-party (Thrive Leads, ThreadFin Comments).


| Plugin    | Detected | False + | False - | RunTime  | Found % | Accuracy |
| --------- | -------- | ------- | ------- | -------- | ------- | -------- |
| BitFire   | 20       | 13      | 2       | 0:37     | 90%     | 60%      |
| MalCure   | 17       | 2       | 5       | 17:30    | 77%     | 89%      |
| WordFence | 12       | 27      | 10      | 7:11     | 54%     | 30%      |
| MalCare   | 11       | 0       | 11      | 8:??     | 50%     | 100%     |
| All In 1  | 0        | 0       | 22      | 24 hours | 0%      | 0%       |

Legend: False + = false positives (fewer is better); False - = false negatives (fewer is better).
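The table does not say how “Found %” and “Accuracy” were computed. Recomputing them from the Detected and False + counts shows what each column measures: Found % is recall (detected out of the 22 samples) and Accuracy is precision (detected out of everything the scanner flagged). The script below is an added example for this article, not the author’s scoring code; the two metric definitions are an assumption inferred from the table, and the F1 column is an addition that is not in the article.

```python
"""
Recompute the comparison table's "Found %" and "Accuracy" columns from the
raw counts so it is explicit which metric each column is.

Added example for this article, not the author's scoring code. Assumption
inferred from the table: Found % is recall (detected / 22 samples) and
Accuracy is precision (detected / all files flagged), truncated to whole
percents. F1 is added here and does not appear in the article.
"""
TOTAL_SAMPLES = 22  # malware files in the test set, per the article

# (detected, false positives) per scanner, copied from the article's table
RESULTS = {
    "BitFire": (20, 13),
    "MalCure": (17, 2),
    "WordFence": (12, 27),
    "MalCare": (11, 0),
    "All In 1": (0, 0),
}


def recall_pct(detected, total=TOTAL_SAMPLES):
    """Share of the known-malicious samples the scanner flagged ("Found %")."""
    return detected * 100 // total


def precision_pct(detected, false_positives):
    """Share of everything the scanner flagged that really was malware ("Accuracy")."""
    flagged = detected + false_positives
    return detected * 100 // flagged if flagged else 0


def f1_pct(detected, false_positives, total=TOTAL_SAMPLES):
    """Harmonic mean of precision and recall: one number that penalises both misses and noise."""
    p = precision_pct(detected, false_positives)
    r = recall_pct(detected, total)
    return 2 * p * r // (p + r) if p + r else 0


def scoreboard(results=RESULTS):
    """Return {scanner: (missed, found_pct, accuracy_pct, f1_pct)} for every scanner."""
    return {
        name: (TOTAL_SAMPLES - det, recall_pct(det), precision_pct(det, fp), f1_pct(det, fp))
        for name, (det, fp) in results.items()
    }


if __name__ == "__main__":
    for name, (missed, found, acc, f1) in scoreboard().items():
        print(f"{name:10} missed={missed:2}  found={found:3}%  accuracy={acc:3}%  f1={f1:3}%")
```

Running it reproduces every Found % and Accuracy figure in the table, which confirms the two definitions. The F1 column weights precision and recall equally, so it rewards MalCure’s low noise over BitFire’s higher detection count; the article’s ranking also weighs scan time and whether the scanner tells you why a file was flagged, which a single number cannot capture.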

Result Summary:

BitFire and WordFence were the only plugins tested that, in their free versions, reported both the malware they found AND the reason it was reported as malware. BitFire has a much better accuracy ratio of 62% vs 30% and was over 14x faster, at just 37 seconds to scan vs 7 minutes and 11 seconds. MalCure reported infected file names but not why they were flagged, leaving most site administrators to purchase its $147 malware removal service.

MalCure had the best ratio of false positives to detected malware samples and found a good percentage of the malware. This came at a huge expense in time and computing resources: MalCure was 2.5x slower than WordFence and MalCare, and an incredible 27x slower than BitFire. Expect this to take much longer on servers with low or shared resources.

MalCure, MalCare, and All in One Security Plugin had the lowest rate of false positives, but these plugins also did not provide any reason why they detected a particular file as malware. This could leave many site administrators who are not PHP programmers confused as to why a file was identified as malware or not.

None of the plugins tested was able to detect every piece of sample malware, but each piece of malware was detected by at least two of the plugins. The malware with the highest detection ratios were off-the-shelf PHP backdoors and large malware samples with many features. The samples with the lowest detection ratios were small samples that performed only 1 or 2 functions, like executing remote code or allowing remote file uploads. These undetected files could allow an attacker to return via small persisted backdoors that go undetected by most plugins. BitFire was by far the best at detecting this type of malware, with MalCure coming in second.
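The small custom samples described in the methodology (request input assigned to a variable, then used to run a command, write a file or create an account) are exactly the class that signature scanners miss, because there is no known shell to match. A detector has to look at data flow instead: does a value from a request superglobal reach a dangerous function? The script below is an added example for this article, not BitFire’s or any other vendor’s detection code; its sink list, the assignment-tracking rules and the sample PHP snippets are all constructed for the demonstration.

```python
"""
Heuristic data-flow detector for the small PHP backdoors the article says
most scanners miss: a value read from a request superglobal flows, possibly
through plain variable assignments, into a dangerous sink.

Added example for this article; not BitFire's, WordFence's or any other
vendor's detection code. The sink list, the assignment-tracking rules and
the SAMPLES below are constructed assumptions of this example.
"""
import re

SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER")

# Sinks grouped by the capability the article describes for its custom samples.
SINKS = {
    "command execution": ("system", "exec", "shell_exec", "passthru", "popen", "proc_open"),
    "code execution": ("eval", "assert", "create_function", "call_user_func"),
    "file write": ("file_put_contents", "move_uploaded_file", "fwrite"),
    "account creation": ("wp_create_user", "wp_insert_user"),
}

# "$var = <anything>;" (the lookahead keeps "==" comparisons from matching)
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")
# "name( ... )" up to the statement terminator
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(([^;]*)\)")


def mentions(text, names):
    """True if any PHP variable in `names` appears in `text` as a whole token ($g, not $gg)."""
    return any(re.search(re.escape(n) + r"(?!\w)", text) for n in names)


def tainted_vars(source):
    """Return the set of variables that (transitively) hold request input."""
    tainted = set()
    changed = True
    while changed:  # iterate to a fixed point so chained assignments ($b = $a) propagate
        changed = False
        for var, rhs in ASSIGN_RE.findall(source):
            if var not in tainted and mentions(rhs, SUPERGLOBALS + tuple(tainted)):
                tainted.add(var)
                changed = True
    return tainted


def scan_php(source):
    """Return [(capability, sink, argument_text)] for every sink fed by request input."""
    sources = SUPERGLOBALS + tuple(tainted_vars(source))
    findings = []
    for func, args in CALL_RE.findall(source):
        for capability, names in SINKS.items():
            if func in names and mentions(args, sources):
                findings.append((capability, func, args.strip()))
    return findings


# Constructed samples: two tiny backdoors in the style the article describes,
# one clean WordPress snippet, and one sanitized call the heuristic still flags.
SAMPLES = {
    "one-line shell": "<?php $g = $_GET['g']; system($g);",
    "chained eval": "<?php $a = $_POST['c']; $b = $a; eval($b);",
    "clean": "<?php $name = sanitize_text_field($_GET['name']); echo esc_html($name);",
    "sanitized exec": "<?php exec('ls ' . escapeshellarg($_GET['d']));",
}


def demo():
    """Scan every constructed sample and return {name: findings}."""
    return {name: scan_php(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:15} -> {findings or 'no findings'}")
```

The “sanitized exec” sample is the interesting one: escapeshellarg makes the call safe, but the heuristic does not model sanitizers, so it is reported anyway. That is the trade-off the table shows: a scanner tuned to catch two-line backdoors will also flag some legitimate plugin code, which is why showing the reason for each flag matters so much to the administrator who has to sort the results.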

Recovery:

BitFire, MalCure and MalCare all provided enough functionality in their paid versions to allow a novice administrator to clean malware using their auto-repair features. WordFence provided good functionality in its free version, but with so many false positives, it may be difficult for a non-programmer to know which files to keep and which to repair.

Infected file recovery for plugins and themes in the WordPress official repository was simple and effective for all tested solutions, but MalCare and BitFire provided the simplest and fastest solutions. None of the tested malware scanners was able to repair files from plugins or themes outside of the official WordPress repository, requiring administrators to reinstall them.

Only BitFire and MalCare had integrated backup solutions that allow restoring plugins and themes of third-party products not listed in the WordPress official plugin repository. The MalCare solution integrates with their sister product BlogVault and even installs the BlogVault backup code.

WordFence, BitFire, and MalCure are the only free plugins that will both detect and show found malware. WordFence can repair WordPress core files for free. BitFire and MalCure PRO versions can auto-repair any infected file. MalCare only allows you to see the infected files or repair them in their PRO version.

BitFire — 3.7.2

The first thing you will notice about BitFire is just how fast it is. This thing is quick! Zero database load and undetectable latency on the firewall. The malware scan was 14x faster than the next fastest scanner, with just 33 seconds to run a new malware scan on 6,855 files. The UI is quick and responsive and does not require opening multiple browser tabs or windows to investigate any potential malware.

The scanner is also incredibly light on resources. In addition to being so fast, BitFire used less than 8Mb memory per scan directory. The stock firewall adds only 58Kb memory overhead and 2ms latency.

The malware scan also detected more malware than any of the other scanners, missing only 2 malware files that had no functionality other than webpage defacement. We were not surprised to discover that BitFire is a more sensitive scanner that identifies some legitimate files as malware. However, in our testing, this was half as many as WordFence and only for plugins that cannot be found in the official repository.

BitFire also has a unique offering that will refund your purchase if your website is ever hacked while running its “RASP” File & Database protection included with the PRO version.

MalCure — 4.8.6

MalCure is another new entry into the WordPress security space. Its detection accuracy is perfect, missing just 3 files that BitFire found, and with 29% better accuracy. MalCure had fewer false positives than almost any other scanner we tested. However, this software is slow. It was by far the slowest scanner we tested, taking almost 20 minutes to scan 5,800 files on a 24-core Ryzen 5900X with a Samsung 980 PRO NVMe disk.

It has great accuracy at finding the larger PHP shells, backdoors, and malware we tested. It also found most of the smaller malware samples that could be used as long-term malware persistence.

WordFence — 7.8.2

Coming in the number 2 spot, to my personal surprise, is WordFence. It is a little long in the tooth and not the fastest scanner or the lightest weight (we had a hard time getting it to complete with 32MB memory; it really likes 128MB+). WordFence was the only free product that could auto-repair our core files and malware detected in official plugins or themes, which is pretty incredible, even if it didn’t find as much malware as the other products.

The biggest drawback to WordFence is that the file inspection process can be tedious, sorting out the false positives from actual infections. Some of the malware was reported only as a “file modification,” not malware, which could lead some administrators to dismiss some of the actual findings.

WordFence might be the best choice for someone working without a budget who has a pretty good programming and technical understanding, who doesn’t mind taking the time to sort out the false positives, and who needs to use the auto-repair function.

In our testing, WordFence had a difficult time detecting small malware files that could hide persistent malware, leading to reinfection even after the security hole has been plugged. This would then require a reinstall or, hopefully, a restore from a backup. Your malware may vary.

MalCare — 4.8.6

MalCare did not report a single false positive, which is pretty impressive. Unfortunately, it only found about 50% of the malware that we checked. It was difficult to determine why some files were detected and not others. MalCare was able to detect many of the small custom persistent backdoors but missed a lot of the large, widespread backdoors and shells from the GitHub malware samples that other scanners detected.

No reason was provided in the MalCare dashboard for why some files were selected and not others, so we can only guess. Once the administrator credentials were given to MalCare and they installed their download agent, which sent all of our files to their server, they reported hack results in about 7–8 minutes. It’s difficult to know exactly when they started downloading the website and when they started scanning, but it was under 10 minutes.

Some security-conscious site administrators may take issue with providing administrator credentials to a third-party website, since in the best-case scenario they must be stored with reversible encryption on MalCare’s servers. Your mileage may vary.

All-In-One-WordPress-Security — 5.1.4

After waiting almost 24 hours for AIOS to scan the test WordPress site, I reached out to AIOSPlugin premium support. After about 4 hours, the site was “scanned”.

The “scan” was disappointing. Despite claiming “Best-in-class scanning for the latest malware, trojans and spyware 24/7”, they never actually “scanned” the domain or the PHP files. Instead, they returned the blacklist status for my domain from several online blacklist sites. These sites may take weeks to update, and even after malware is detected, AIOS has no way to tell you which files are infected.

Malware detected: 0 / Malware missed: 22

[30-Jan-2023 02:22:50 UTC] PHP Fatal error:  Uncaught Error: Undefined constant "AIOWPSEC_MENU_SLUG_PREFIX" in /var/www/wordpress/wp-content/plugins/all-in-one-wp-security-and-firewall-premium/aiowps-premium-core.php:430



cory marsh

20 years of internet security experience. Lead developer on BitFire; releases PHP security and programming videos on BitFire's YouTube channel.