Wordfence Security Performance Penalty Continues to be Much Higher Than Other WordPress Firewall Plugins
As part of developing our upcoming WordPress firewall plugin, we have tested out WordPress security plugins against real vulnerabilities in other plugins to see what, if any, protection they offer. The results so far have been bad, but not surprising based on previous testing we did in 2016, as back then and now we found that most plugins provided no protection. In the testing now, only 2 plugins, in addition to ours, have provided much protection: NinjaFirewall and Wordfence Security.
Having the capability to protect against vulnerabilities is the most important aspect for a firewall plugin, but it isn’t the only one. With one of the other plugins, Wordfence Security, it isn’t hard to find claims that it creates performance problems. We did a previous round of testing about a month ago and found that those claims seemed to be justified as it not only causes considerable slowdown, but much higher slowdown than our plugin and NinjaFirewall.
We have now done four additional performance tests and the results again show that performance penalty. In this round, we tested how much of a performance hit the plugins cause when making a request to WordPress’ AJAX functionality. We also tested how much of a performance boost they provided when handling malicious requests blocked by the plugins. Finally, we did testing using two production websites to see the impact these plugins have in a more practical situation. One of those tests involved requesting a WooCommerce product page.
As detailed below, we again saw that the Wordfence Security plugin incurs a significant performance penalty versus the other two plugins. The consistency of those results doesn’t match with the claims being made by Wordfence in response to complaints about it causing a slowdown. Here is the first paragraph of a standard response received when bringing this up on the support forum for the plugin:
Whilst we are constantly working on making the plugin faster, perform better, and use less resources, there are not set amounts of RAM, CPU or database queries that we know Wordfence will definitely require in each use-case or hosting environment. The cases of slow-down are small in relation to the quantity of customers using Wordfence, but does crop up from time to time with certain configurations or larger databases/installed plugins.
(Work they are doing should actually be causing more slowdown over time, as they keep adding more rules to their firewall.)
That was part of a discussion where this claim was made about the performance hit caused by the plugin:
I did notice that WF consistently slowed down the Google PageSpeed load time results by 10 points, taking the site from Google PageSpeed green 90’s to orange 80’s every time.
Another recent complaint about the slowdown included this claim:
After installing WordFence, I have noticed massive CPU spikes very frequently, which has absolutely destroyed server initial response time, what is the most CPU intensive action WordFence is performing and how do I disable it?
That led to another standard response from Wordfence:
I generally only see a CPU spike while a site is under a heavy attack.
If you look at the results we have been seeing, it doesn’t seem surprising there would be increased CPU usage due to the firewall; other features certainly could add more.
Testing Methodology
Testing performance is easy to do, but doing it well seems much more difficult, as there are many different setups you could test. For the first two tests, we used a fresh install of WordPress, with the only change being adding one of the security plugins (or no change in the control), as that should provide an isolated view of the performance hit of the plugin. For the latter two tests, we used a copy of production websites that we had access to for other work we were doing involving them.
For each plugin, we have them in their default state, with two exceptions. For all three, we have it set so the plugins run ahead of WordPress using an auto_prepend_file statement in the website’s .htaccess file (which is the recommended option from NinjaFirewall and Wordfence Security). For Wordfence Security, we also changed it from the “Learning Mode” to “Enabled and Protecting”.
We tested the alpha version of our plugin, version 4.4 of NinjaFirewall, and version 7.5.5 of Wordfence Security.
We did the test from a web server running on a local computer, so there is no network latency involved. We did 10,000 requests each time to try to limit variability in the results, though there is still some.
To test the response time for a request to WordPress’ AJAX functionality, we sent a request to /wp-admin/admin-ajax.php with the POST “action” set to “heartbeat”.
To test the response time for a blocked request, we sent a request to the homepage with a script tag included in the URL like this “?test=<script></script>”.
For the first production website, we sent a request to the homepage and for the second, we sent a request to the URL for a WooCommerce product.
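The methodology above can be reproduced with a small timing harness. The following is an added example, not the harness used to produce the results on this page; the function names are ours, and it assumes sequential requests and the mean as the summary statistic, since the post does not say which statistic was used.

```python
import statistics
import time
import urllib.parse
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def build_request(base_url, scenario):
    """Build the request for one scenario from the methodology (names are ours)."""
    base = base_url.rstrip("/")
    if scenario == "ajax":  # POST "action" set to "heartbeat"
        body = urllib.parse.urlencode({"action": "heartbeat"}).encode()
        return Request(base + "/wp-admin/admin-ajax.php", data=body, method="POST")
    if scenario == "blocked":  # homepage with ?test=<script></script>, URL-encoded
        query = urllib.parse.urlencode({"test": "<script></script>"})
        return Request(base + "/?" + query, method="GET")
    if scenario == "page":  # plain page load (homepage or a product URL)
        return Request(base_url, method="GET")
    raise ValueError("unknown scenario: " + scenario)


def time_requests(request, count):
    """Send `count` sequential requests and return each response time in seconds."""
    samples = []
    for _ in range(count):
        start = time.perf_counter()
        try:
            with urlopen(request, timeout=30) as response:
                response.read()
        except HTTPError as blocked:
            blocked.read()  # a firewall's error response is still a response to time
        samples.append(time.perf_counter() - start)
    return samples


def percent_change(control, protected):
    """Positive: slowdown over the control. Negative: reduction in load time."""
    baseline = statistics.mean(control)  # assumption: the page names no statistic
    return (statistics.mean(protected) - baseline) / baseline * 100.0


def compare(control_url, protected_url, scenario, count=10_000):
    """Run one scenario against both installs; 10,000 requests as in the text."""
    control = time_requests(build_request(control_url, scenario), count)
    protected = time_requests(build_request(protected_url, scenario), count)
    return round(percent_change(control, protected), 1)
```

Call `compare()` with the base URLs of the control install and the install running the plugin under test, plus `"ajax"`, `"blocked"` or `"page"`; run it from the web server itself to keep network latency out of the numbers, as the tests here did.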
Results
AJAX Request
For the AJAX request, we saw the following percentage of slowdown over the control:
- Plugin Vulnerabilities Firewall: 3.0%
- NinjaFirewall: 19.0%
- Wordfence Security: 130.0%
Block Request
For the block request, we saw the following percentage reduction in the load time versus the control:
- Plugin Vulnerabilities Firewall: 33.2%
- NinjaFirewall: 38.6%
- Wordfence Security: 56.2%
Production Website
For the production website page request, we saw the following percentage of slowdown over the control:
- Plugin Vulnerabilities Firewall: 8.4%
- NinjaFirewall: 3.9%
- Wordfence Security: 28.8%
WooCommerce Product Page
For the WooCommerce product page on a production website request, we saw the following percentage of slowdown over the control:
- Plugin Vulnerabilities Firewall: 8.0%
- NinjaFirewall: 4.7%
- Wordfence Security: 31.1%
For the first two tests our plugin performed better than NinjaFirewall and for the second two the result was flipped. That could be explained by the difference in the setups, a fresh otherwise empty WordPress install versus production websites. It could also be explained by the latter two tests happening later, with our plugin having moved further in development since the first two tests. As we noted with the previous testing, NinjaFirewall is marketed with the claim it is designed with performance in mind and the results back that up.
The performance penalty for Wordfence Security there was again severe. We can’t think of a good reason that there should be such a disparity between NinjaFirewall and Wordfence Security, as they operate in a similar fashion. Making this worse, our recent testing is confirming that NinjaFirewall has a wider breadth of protection, so with Wordfence Security you are getting less protection in exchange for worse performance.