Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself
In October 2021, we found that the Wordfence Security plugin for WordPress more than double the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection than it. Those two plugins also had a significantly smaller performance penalty than Wordfence Security. It obviously is a bad tradeoff to get less protection for more memory usage and a higher performance penalty.
In discussing that memory usage, we quoted a Wordfence employee that had claimed that they are “constantly working on making the plugin” “use less resources”. That certainly sounds impressive, but Wordfence has a long track record of impressive claims that turn out to not be true. It also doesn’t make sense. You can’t constantly do that. You should hit a point where you can’t do anymore. The changelog for the plugin doesn’t have entries that suggest that is true either.
A top Wordfence employee, who pretended to not be one when posting on Reddit, responded there to our findings that the plugin more than doubled memory usage by writing:
7mb? SEVEN MEGABYTES!!!!! OMG STOP THE PRESSES!!! THIS IS A TRAVESTY!!11!!!1!1
Dude shut up. You’re now making yourself sound worse.
They then followed that up with:
7mb! I am agog. I am aghast!
That obviously doesn’t suggest they are really focused on continual improvement. Instead, it suggests they are focused on making impressive claims when speaking on behalf of the company. But they have a very different view when they think people don’t know it is them saying it.
To get a better idea of if there really is continual improvement, we ran the same test again.
Peak Memory Usage
Using a stock install of WordPress 6.4.2, with the function placed after the </html> in the default theme, we found the following peak memory usage:
- Control: 3857184 Bytes (3.86 MB)
- Plugin Vulnerabilities Firewall: 3906760 Bytes (3.91 MB)
- NinjaFirewall: 4006472 Bytes (4.01 MB)
- Wordfence Security: 9104240 Bytes (9.10 MB)
Both our Plugin Vulnerabilities Firewall and NinjaFirewall cause peak memory usage to increase slightly higher, but Wordfence Security managed to more than double it again.
Last time the memory usage increased by 239%. This time it was 236%. While the percentage increase is nearly identical, the increase in peak memory used over WordPress alone increased from 4.09 MB to 5.29 MB. While the other two plugins had a nearly an identical increase as last time. So, contrary to the claim to be constantly improving, there hasn’t been a measurable improvement in two years. If anything, the situation has gotten worse.
Trading Worse Performance for Worse Security
It isn’t if the protection Wordfence Security has gotten better, it sill offers significantly less protection than the other two plugins. Why would someone trade a bigger performance hit for worse protection? They probably wouldn’t, but they would need to know what is really going on, which is difficult with a lack of useful coverage of what is really going on with Wordfence Security and the company behind it.
Plugin Security Scorecard Grade for NinjaFirewall
Checked on June 12, 2025See issues causing the plugin to get less than A+ grade