26 Oct 2021

Wordfence Security More Than Doubles Peak Memory Usage Over WordPress By Itself

A recent review of the Wordfence Security plugin noted that it slowed down server response time. That shouldn’t be a controversial claim, as any WordPress firewall plugin will necessarily slow down server response times, because it causes more code to load and run whenever a page is not served from a cache before WordPress runs. The response from a Wordfence employee didn’t acknowledge that, instead claiming there must be a problem on the reviewer’s end:

You mentioned testing on 3 different servers, but I am curious about what sort of servers they are. If you’re seeing any sort of issues, we would like to take a look at what might be causing the problems in our support forum, which I had provided to you already.

That employee also claimed that the plugin doesn’t cause a performance penalty:

I recently did a test with Wordfence being installed on multiple sites. I used web.dev, GTMetrix, and our own FastorSlow.com site speed tests and found some interesting results.

I found that sites with Wordfence installed were not seeing any difference in Performance, Accessibility, Best Practices, SEO, 1st Contentful Paint, Speed Index, Largest Contentful Paint, Time to Interactive, Total Blocking Time, Cumulative Layout Shift than without Wordfence.

That runs counter to a previous claim from another employee, who acknowledged that the plugin does in fact have a performance impact, as he claimed they are working to reduce it:

Whilst we are constantly working on making the plugin faster, perform better, and use less resources, there are not set amounts of RAM, CPU or database queries that we know Wordfence will definitely require in each use-case or hosting environment.

As can be seen from the tests we have done recently, not only does Wordfence Security cause a slowdown, but the slowdown is considerably higher than with the other two firewall plugins we have found to provide at least a reasonable amount of protection, our Plugin Vulnerabilities Firewall and NinjaFirewall.

What explains that significant difference? One piece of the puzzle looks to be how much data is being loaded. The entirety of our plugin is currently about a fifth of the size of just the file that stores the rules for Wordfence Security.

One way to measure that is to use the PHP function memory_get_peak_usage(), which “returns the peak of memory allocated by PHP”, to see how much more memory gets allocated when using the plugins versus a WordPress install without them installed.

Peak Memory Usage

Using a stock install of WordPress 5.8.1, with the function placed after the </html> in the default theme, we found the following peak memory usage:

  • Control: 2943984 Bytes (2.94 MB)
  • Plugin Vulnerabilities Firewall: 2996040 Bytes (3.00 MB)
  • NinjaFirewall: 3086728 Bytes (3.09 MB)
  • Wordfence Security: 7034240 Bytes (7.03 MB)

Both our Plugin Vulnerabilities Firewall and NinjaFirewall cause peak memory usage to increase slightly, but Wordfence Security managed to more than double it.

That seems at odds with the claim they are “constantly working on making the plugin faster, perform better, and use less resources”, as it certainly is possible to use less resources based on the results of the other plugins.
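One way to repeat this measurement on your own site, as an added example that is not the code used for the figures above: instead of editing the theme, it records memory_get_peak_usage() from a must-use plugin on WordPress's shutdown hook, so the numbers will differ slightly from a call placed after </html>. The file name and log format are assumptions.

```php
<?php
/**
 * Added example (not the post's code). Save as a must-use plugin, e.g.
 * wp-content/mu-plugins/peak-memory-log.php (hypothetical file name).
 * Logs PHP's peak memory for each front-end request at shutdown, so the same
 * page can be compared with and without a firewall plugin active.
 */

add_action( 'shutdown', function () {
    // Skip admin, AJAX and cron requests so only front-end page loads are compared.
    if ( is_admin() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }

    $used = memory_get_peak_usage();       // peak memory actually used by PHP code
    $real = memory_get_peak_usage( true ); // peak memory reserved from the system

    // Record the active plugins so log lines from different runs can be told apart.
    $plugins = implode( ',', (array) get_option( 'active_plugins', array() ) );

    // The request URI is client-controlled: keep only printable ASCII in the log line.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
    $uri = preg_replace( '/[^\x21-\x7E]/', '?', $uri );

    error_log( sprintf(
        'peak_memory uri=%s used=%d (%.2f MB) real=%d plugins=[%s]',
        $uri,
        $used,
        $used / 1000000, // decimal MB, matching how the figures above are written
        $real,
        $plugins
    ) );
}, PHP_INT_MAX ); // late priority, so most other shutdown callbacks have already run
```

Load the same URL several times with page caching disabled for each configuration (control, then one firewall plugin at a time) and compare the used= values in the PHP error log.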

Trading Worse Performance for Worse Security

What makes the performance penalty of Wordfence Security, probably caused in part by that memory usage, more problematic than that of the other plugins is that, in our testing, Wordfence Security provides less protection. So in exchange for a larger performance penalty, you get less security. That doesn’t seem to be a good tradeoff.


Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade
