Wordfence Security Performance Penalty Much Higher Than Other WordPress Firewall Plugins
As part of developing our upcoming WordPress firewall plugin, we have tested WordPress security plugins against real vulnerabilities in other plugins to see what, if any, protection they offer. The results so far have been bad, but not surprising based on previous testing we did in 2016, as both then and now we found that most plugins provided no protection. In the current testing, only 2 plugins, in addition to ours, have provided much protection: NinjaFirewall and Wordfence Security.
Having the capability to protect against vulnerabilities is the most important aspect of a firewall plugin, but it isn’t the only one. With one of the other plugins, Wordfence Security, it isn’t hard to find claims that it creates performance problems. Take this recent topic in the plugin’s support forum on wordpress.org:
We are in process of speeding up our website in the next few days and I’ve noticed that when wordfence is enabled, google page speed scores are low. However, when the plugin is disabled then we are getting very good results. 100% on desktop and over 80% on mobile.
The marketing for NinjaFirewall indicates that it has been designed with performance in mind, as under the heading Speed Matters, there are these bullet points:
- High Performance Firewall
- Low CPU/RAM usage
- Fast & compact
- Lightweight
- Highly optimized
We have taken a different design approach from the other two plugins, as we don’t think rules for specific instances of vulnerabilities in plugins are a good idea. Among the issues with that approach is the performance penalty versus regularly checking if plugins in use are known to be insecure (another issue is those types of rules don’t always actually work).
To get a better idea of what is really going on with the other plugins and how our plugin is doing in comparison, we have started doing our own performance testing.
Testing Methodology
Testing performance is easy to do, but doing it well seems much more difficult, as there are many different setups you could test. To begin, we have decided to work with the most basic setup, fresh installs of WordPress, with the only change being adding one of the security plugins (or no change in the control), as that should provide an isolated view of the performance hit of the plugin.
For each plugin, we have them in their default state, with two exceptions. For all three, we have it set so the plugins run ahead of WordPress using an auto_prepend_file statement in the website’s .htaccess file (which is the recommended option from NinjaFirewall and Wordfence Security). For Wordfence Security, we also changed it from the “Learning Mode” to “Enabled and Protecting”.
We tested the alpha version of our plugin, version 4.4 of NinjaFirewall, and version 7.5.4 of Wordfence Security.
We did the test from a web server running on a local computer, so there is no network latency involved. We did 10,000 requests each time to try to limit variability in the results, though there is still some.
For the first round of testing, we did a request for the homepage of the website and another request for the homepage with 10 URL parameters added to the URL (which should be checked by each plugin).
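One way to reproduce this kind of measurement is sketched below. It is an added example, not the tooling used for the article: it times sequential requests to each install, with and without 10 constructed URL parameters, and reports the percentage slowdown over the control. The hostnames and parameter names are placeholders.

```python
import statistics
import time
import urllib.parse
import urllib.request


def with_params(base_url, count=10):
    """Append `count` constructed query parameters (p1=v1, ...) to base_url."""
    query = urllib.parse.urlencode({f"p{i}": f"v{i}" for i in range(1, count + 1)})
    sep = "&" if urllib.parse.urlsplit(base_url).query else "?"
    return f"{base_url}{sep}{query}"


def time_requests(url, n=10_000, warmup=50):
    """Issue n sequential GETs (after a warm-up) and return per-request seconds."""
    samples = []
    for i in range(warmup + n):
        start = time.perf_counter()
        with urllib.request.urlopen(url, timeout=30) as resp:
            resp.read()  # include body transfer in the measurement
        elapsed = time.perf_counter() - start
        if i >= warmup:
            samples.append(elapsed)
    return samples


def slowdown_percent(control, candidate):
    """Percentage slowdown of candidate over control, based on mean latency."""
    base = statistics.mean(control)
    return (statistics.mean(candidate) - base) / base * 100.0


def compare(sites, control_name, n=10_000, params=0, timer=time_requests):
    """sites maps a label to one install's homepage URL; returns label -> % slowdown."""
    urls = {k: with_params(u, params) if params else u for k, u in sites.items()}
    timings = {k: timer(u, n) for k, u in urls.items()}
    control = timings[control_name]
    return {k: round(slowdown_percent(control, t), 1)
            for k, t in timings.items() if k != control_name}


if __name__ == "__main__":
    # Placeholder hostnames for local test installs (assumptions, not from the article).
    sites = {
        "control": "http://control.test/",
        "ninjafirewall": "http://ninjafirewall.test/",
        "wordfence": "http://wordfence.test/",
    }
    print("homepage:", compare(sites, "control"))
    print("10 params:", compare(sites, "control", params=10))
```

Because results vary between runs, repeating the whole comparison several times and checking that the ordering holds is more informative than a single pass.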
Results
Homepage Request
For the homepage request, we saw the following percentage of slowdown over the control:
- Plugin Vulnerabilities Firewall: 1.7%
- NinjaFirewall: 13.5%
- Wordfence Security: 81.5%
10 Parameters
For the homepage request with 10 parameters added to the URL, we saw the following percentage of slowdown over the control:
- Plugin Vulnerabilities Firewall: 1.6%
- NinjaFirewall: 18.4%
- Wordfence Security: 87.7%
While the performance penalty was lower for our plugin than NinjaFirewall, considering that our plugin isn’t fully feature complete and the variability in the results, we wouldn’t read much into that difference at this time. The way NinjaFirewall is marketed seems reasonable based on that result in comparison to Wordfence Security.
The performance penalty for Wordfence Security there was severe. We can’t think of a good reason that there should be such a disparity between NinjaFirewall and Wordfence Security, as they operate in a similar fashion. The plugin requires a significant portion of the time that WordPress itself takes there. Making this worse, our recent testing is confirming that NinjaFirewall has a wider breadth of protection, so with Wordfence Security you are getting less protection in exchange for worse performance.
Wordfence CEO Claims Wordfence Security is “Crazy Fast and Highly Optimized”
While doing some research as part of preparing to do our testing, we ran across the CEO of Wordfence, Mark Maunder, doing what he does, making impressive claims, which seem to be far from the truth. Responding to someone mentioning the performance hit they experienced from the plugin, he wrote this, in part, in January:
Wordfence in general is crazy fast and highly optimized.
That was in response to someone providing real world results that didn’t match with that:
Yesterday, I installed Wordfence on my site, and I immediately noticed that my site was slower. I tested it using Google PageSpeed, and it doubled my desktop loading speed to 3-4 seconds and brought my mobile loading speed to a whopping 11 seconds.
Our test also indicates that it isn’t fast or optimized in comparison with other firewall plugins, which seems like what you would want to compare it against.