MalCare is generally straightforward to set up, but a handful of issues come up regularly. Here is what causes them and how to fix each one.
MalCare Cannot Connect to Your Site
After installing the plugin, MalCare needs to connect from its servers to your WordPress site to transfer scan data. Connection failures usually have one of these causes:
- Server firewall blocking MalCare’s IPs — some hosts block outbound or inbound connections from unknown IP ranges. Contact your host and ask them to allowlist MalCare’s server IPs (listed in MalCare’s documentation).
- ModSecurity rules — some hosting configurations run ModSecurity with strict rules that block MalCare’s data transfer requests. Ask your host to add a ModSecurity exception for MalCare.
- The plugin is not activated — confirm the MalCare plugin is active in WordPress → Plugins, not just installed.
- Conflicting security plugin — Wordfence or another security plugin may be blocking MalCare’s connection attempts. Temporarily deactivate other security plugins, reconnect MalCare, then reactivate.
MalCare Scan Is Stuck or Not Completing
Scans that start but never finish are usually a timeout issue. MalCare’s off-server scanning requires sustained communication with your server. If the connection drops mid-scan, the scan stalls.
Fixes: check that your server’s PHP execution time is not causing issues (MalCare’s data transfer scripts have their own timeout handling, but extremely low PHP max_execution_time can interfere). Try initiating the scan manually from the MalCare dashboard rather than waiting for the scheduled scan. If scans consistently fail, contact MalCare support — they can often diagnose server-side issues from their connection logs.
MalCare Firewall Is Blocking Legitimate Traffic
Go to your MalCare dashboard → Firewall → Traffic Log. Look for blocked requests and identify the IP address or user agent being blocked. If it is a legitimate visitor or service:
- Add the IP to MalCare’s allowlist in Firewall → IP Allowlist
- If a specific bot is being blocked (monitoring service, SEO crawler), add its user agent to the allowed bots list
- If your own IP is being blocked, add it to the allowlist first to regain access
One-Click Malware Removal Failed
Automated malware removal occasionally fails when the malware has modified file permissions, is in a location MalCare cannot write to, or has corrupted core WordPress files. When automated removal fails:
- Note exactly which files MalCare flagged
- Download those files via SFTP
- For WordPress core files, replace them with fresh downloads from wordpress.org
- For plugin or theme files, reinstall the plugin/theme from its source
- For custom files, manually review and remove malicious code
Contact MalCare support for complex cases — their paid plans include assisted cleanup.
MalCare Dashboard Showing Stale Data
If the MalCare dashboard shows outdated scan results or connection status, the most common cause is a cached dashboard. Hard refresh your browser (Ctrl+Shift+R). If that does not help, disconnect and reconnect the site in MalCare settings — this resets the connection and triggers a fresh data sync.
Frequently Asked Questions
MalCare says my site is hacked but it looks fine to me. Could this be a false positive?
Malware often hides from logged-in administrators — it may redirect non-logged-in visitors while showing the normal site to you. To check: open your site in an incognito window while not logged in. Check Google Search Console → Security Issues. Use an external malware checker like Google’s Safe Browsing status checker (transparencyreport.google.com/safe-browsing/search). If external checks confirm the site is clean and MalCare is the only one flagging it, contact MalCare support with the specific files flagged to verify whether it is a false positive.
Can MalCare detect zero-day vulnerabilities?
MalCare uses signature-based detection and behavioural analysis. Zero-day vulnerabilities (newly discovered, no patch yet) may not be in MalCare’s signature database immediately. MalCare’s firewall provides some protection by blocking common attack patterns even for unknown vulnerabilities, but no tool guarantees 100% detection of zero-days. Keeping plugins and themes updated remains the most effective defence — most “zero-days” are quickly patched once discovered.
Does MalCare slow down my WordPress site?
The firewall adds minimal overhead to each page request — this is unavoidable for any application-level firewall. The scanner does not impact performance because it runs off-server. Compared to Wordfence, which scans on your server, MalCare has a smaller performance footprint. If you notice performance issues after installing MalCare, check whether the firewall’s bot protection is causing any caching conflicts with your caching plugin.