Do security plugins slow down WordPress?

Reading Time: 4 minutes

While studying site security and speed, we tested the iThemes Security plugin. It’s claimed to prevent malware injection. We’re sure it works but the plugin is major overkill. We duplicate it’s core features with lightweight, fast-loading, standalone free plugins. Beneath the surface, this large, 3.1M plugin contains a lurking, greedy speed bite. Chomp!

B
ut iThemes Security plugin only adds a mere 36 milliseconds. Measured with GoDaddy’s P3 Plugin Performance Profiler (100,000 active installs). Using Pingdom.com, there’s no detectable difference in load time. With this security plugin onboard there’s not even an extra call (HTTP Request). The plugin appears pretty safe and benign for speed. And it’s popular! (800,000 active installs) What could go wrong?

Nowadays, there’s a herd-panic or paranoia about WordPress security and getting hacked. It’s easy to get caught up in the frenzy – and go plugin crazy. All that’s required are a few simple things. First, change your login from the default “admin.” Duh? Use something a little more challenging for bots. Don’t use “password” as your password. These are obvious right? Right.

Then add a plugin to prevent brute-force attacks. The 5-year-old plugin solution is Limit Login Attempts (2 million active installs). But WP Limit Login Attempts (30,000 active installs) is fresh and up to date. (They’re OK. They work. But, we don’t use either of these two on PagePipe).

Only 8 milliseconds for extra site security with four recommended plugins:

PagePipe uses the following simple security plugins. We predict load time in milliseconds using P3 Plugin Performance Profiler (by GoDaddy). NOTE: P3 plugin will slow down your site. Don’t leave it installed!

1Brute Force Login Protection (1ms)
Active Installs: 20,000+
package download size: 15.6k

Brute-force attacks are the simplest method to gain access to a site. The hacker tries usernames and passwords, over and over again, with a “bot” until they get in. This lightweight plugin prevents brute force login attacks using .htaccess. .htaccess is a configuration file on web servers running Apache Web Server software.

Time-limited number of login attempts block the hacker’s IP address.


2Change Table Prefix (1ms)
Active Installs: 1,000+
package download size: 10.3k

Protect your website from SQL injections. Replace your database WordPress default prefix (WP_). Use any other alternative prefix in a single click. An SQL injection is a computer attack. Hacker’s can embed malicious code in a poorly-designed applications. Then pass it along to the backend database. Anything can then happen on your site.


3Email Address Encoder (2ms)
Active Installs: 80,000+
package download size: 4.8k

A lightweight plugin to protect email addresses from email-harvesting robots. The plugin encodes addresses into decimal and hexadecimal entities. No configuration required.


4Block Bad Queries (BBQ) 4ms
Active Installs: 70,000+
package download size: 7.2k

A simple, super-fast plugin that protects your site against malicious URL requests. Hackers can redirect user requests from your site to an illegitimate site. No plugin configuration required.


What went wrong?

After installing iThemes Security plugin, we got a GoDaddy email notification. It said our hosting account exceeded its resource limits.

Email warning from GoDaddy hosting (shared Linux, magnetic drives).

The recommended solution by our benevolent host, of course, is buy more server goodies. But the better answer – they don’t tell you – is simpler and cheaper than that.

Once again, we observe that plugin file weight is indicative of resource consumption. If not page load time, then RAM or MySQL databases are gobbled up. This isn’t always the case. But a fat plugin is suspicious and requires testing. To find out how your site is using resources, click the C-Panel icon that looks like the one below:

CPU and Concurrent Connection Usage icon on hosting C-Panel.

After the “warning,” we checked Cpanel (CPU and Concurrent Connection Usage). It said RAM usage jumped from 89M normal to the 512M maximum available. We’d never encountered this problem before. The “spike” in the Cpanel Memory data occurred when we installed the iThemes plugin.

We completely uninstalled that nasty security plugin. Ram usage immediately began dropping down. An hour later the RAM usage was 221M. By 1.5hrs, it was 128M. We were finally drifting back into the green zone. Arewe the only ones to ever see this weirdness? No. Read on.

In the production notes:

“Enhancement Jan 2016: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.”

So what? What’s the big deal?

When you exceed server limits, many hosts at least will start throttling your site. Or worst-case, take your site offline for hours to days. They claim they’re protecting other sites hosted on the server from your malfeasance. You’re dragging everyone else down with you.

Bandwidth throttling is the intentional slowing by your Internet service provider. This helps limit network congestion and server crashes. But it’s also often a lame excuse to justify poor performance. And sloppy cramming  of thousands of domains on a server. You can’t control this. But you can avoid memory-hog plugins – like iThemes Security.

Is iThemes Security the Lone-Ranger plugin that consumes RAM? Nope.

There are a bunch of plugins we know of (and many others we don’t). But they aren’t security plugins.

Here are some examples:

Checking broken links one by one is not physically possible, even for a small site. There are many free and paid tools that check for broken links. You can get the Broken Link Checker plugin (active installs 500,000) and check the health of your links with it.

But Broken Link Checker is a RAM hog. You’ll see two spikes on the graph below. The first is when we switched on Broken Link Checker and it started it’s automated crawling of the site. The second peak is UpDraft Plus (1 million active installs) doing an automatic site backup. We keep Link Checker deactivated and only run it  once a month.

What if you’re running Link checker? And doing a backup? And have a hog security plugin running all together? You’re doomed. What can you do!?

Well, on the C-Panel dashboard is a icon that looks like this:

Click it. You’re taken to a dropdown menu. There you can select the version of PHP (Hypertext Preprocessor), a server-side scripting language. This is the code used to run WordPress.

Our PHP version was set to 5.3. We reduced WordPress memory usage by upgrading from PHP5.3 to PHP5.5. The newer versions compress better and run faster. And this speed improvement is free. Version 7 is the latest and greatest. And supposed to really be fast – but not all hosts provide it yet. How much improvement did we see?

Changing the PHP version reduced RAM usage by 20 to 30 percent. This keeps us safe. Now we idle around 70M. We’re staying far away from the 512M rail. But when we do daily backups, we push up to around 300k usage. We improved this with better backup plugin settings. We could do manual backups when we create new content. But instead we compromise and switch from daily to weekly backups to reduce the load. That works for us.

Steve Teare
performance engineer

What others think of us:


"Hi, Steve. Thank you very much for the elaborate report. I'll implement your suggestions and spread the word about your amazing service." francophilesanonymes.com, Guernsey, UK

by - Zvi Chazanov