Free discrete plugins replace bloated security plugins.

Updated: July 2018

While studying site security and speed, we tested the iThemes Security plugin. It’s claimed to prevent malware injection. We’re sure it works, but the plugin is major overkill. We duplicate its core features with lightweight, fast-loading, standalone free plugins. Beneath the surface, this large 3.1 MB plugin contains a lurking, greedy speed bite. Chomp!

But the iThemes Security plugin only adds a mere 36 milliseconds of load time, measured with GoDaddy’s P3 Plugin Performance Profiler (100,000 active installs). Using Pingdom.com, there’s no detectable difference in load time. With this security plugin onboard, there’s not even an extra call (HTTP request). The plugin appears pretty safe and benign for speed. And it’s popular! (800,000 active installs.) What could go wrong?

iThemes Security, Wordfence, and Sucuri Security are all popular security plugins. To us, that popularity is an immediate red flag that they’re slow. Why? It sounds crazy, but the speed results for popular plugins always turn out slow in our tests. Same for themes. People go for the heavy plugins loaded with the most features. Overkill. The herd follows the path, thinking active installs must mean goodness. Nope.

Sucuri Security – Auditing, Malware Scanner and Hardening

Remove it and add the recommended discrete substitute plugins.

SECURITY
Change your WordPress login password to one at least 16 characters long, mixing letters, numbers and symbols, with both lower- and upper-case letters.

“Avoiding both types of attacks is dependent on the complexity of your password. Ideally, your passwords would be at least 16 characters, and contain a combination of numbers, symbols, uppercase letters, lowercase letters, and spaces.”
REFERENCE: https://www.cnet.com/how-to/the-guide-to-password-security-and-why-you-should-care/

Nine-character passwords take five days to break, 10-character words take four months, and 11-character passwords take 10 years. Make it up to 12 characters, and you’re looking at 200 years’ worth of security – not bad for one little letter. Source

Hey! Back up your site.

For security with free plugins:

Please install: Limit Login Attempts Reloaded
https://wordpress.org/plugins/limit-login-attempts-reloaded/
Increase the allowed login failures to 17. Yes, 17 is good enough.

Please install: Email Address Encoder
https://wordpress.org/plugins/email-address-encoder/
No settings needed.

Please install: Change Table Prefix
https://wordpress.org/plugins/change-table-prefix/
Change the prefix to something other than the default “wp_”, such as “as_” or a short random string.

Remove Sucuri Security – Auditing, Malware Scanner and Hardening plugin
It uses too many server resources and slows down the server. It’s a complicated plugin. The three discrete plugins above will suffice for security and speed.

Nowadays, there’s a herd panic or paranoia about WordPress security and getting hacked. It’s easy to get caught up in the frenzy and go plugin crazy. All that’s required are a few simple things. First, change your login from the default “admin.” Duh? Use something a little more challenging for bots. Don’t use “password” as your password. These are obvious, right? Right.

Then add a plugin to prevent brute-force attacks. The 5-year-old plugin solution is Limit Login Attempts (2 million active installs). But WP Limit Login Attempts (30,000 active installs) is fresh and up to date. (They’re OK. They work. But we don’t use either of these two on PagePipe.) Instead, we now use Limit Login Attempts Reloaded (40,000 active installs). It works with PHP version 7.1.

Only 8 milliseconds in total for extra site security with four recommended plugins:

PagePipe uses the following simple security plugins. We estimate each plugin’s load time in milliseconds using P3 Plugin Performance Profiler (by GoDaddy). NOTE: the P3 plugin itself slows down your site. Don’t leave it installed!

1. Brute Force Login Protection (1ms)
Active Installs: 20,000+
package download size: 15.6k

Brute-force attacks are the simplest method of gaining access to a site. The hacker tries usernames and passwords over and over again with a “bot” until they get in. This lightweight plugin prevents brute-force login attacks using .htaccess, the per-directory configuration file on web servers running Apache.

After a set number of failed attempts within a time limit, the plugin blocks the attacker’s IP address.
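As an added illustration (not code from the plugin or from PagePipe), here is the logic such a limiter runs and the .htaccess rule it ends up writing. The failure threshold follows the page’s recommendation of 17; the 20-minute counting window, the 30-minute lockout, the Python form and the sample login events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Threshold follows the page's advice (17 failures). Window and lockout
# durations are assumptions for this example.
MAX_FAILURES = 17
WINDOW = timedelta(minutes=20)
LOCKOUT = timedelta(minutes=30)


class LoginLimiter:
    """Count failed logins per client IP and block the IP after a threshold."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the lockout expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lockout expired: forget it
            del self.blocked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if the IP is now blocked."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            recent.clear()
        return self.is_blocked(ip, now)

    def record_success(self, ip):
        """A successful login clears the failure counter for that IP."""
        self.failures.pop(ip, None)


def htaccess_block(ips):
    """Render an Apache 2.4 block denying the given IPs, the kind of rule an
    .htaccess-based plugin writes (Apache 2.2 would use 'Deny from' lines)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


def replay(events, limiter=None):
    """Feed (timestamp, ip, outcome) events through the limiter in time order.
    Returns the limiter and the decision made for each event."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for when, ip, outcome in sorted(events):
        if limiter.is_blocked(ip, when):
            decisions.append("blocked")     # refused before the password is even checked
            continue
        if outcome == "FAIL":
            limiter.record_failure(ip, when)
        else:
            limiter.record_success(ip)
        decisions.append("allowed")
    return limiter, decisions


# Constructed sample events: one bot hammering wp-login.php once a second,
# one human who mistypes once and then logs in.
T0 = datetime(2018, 7, 2, 10, 0, 0)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), "203.0.113.5", "FAIL") for i in range(18)]
SAMPLE_EVENTS += [(T0 + timedelta(seconds=5), "198.51.100.7", "FAIL"),
                  (T0 + timedelta(seconds=6), "198.51.100.7", "OK")]


def blocked_after(limiter, ip, seconds):
    """Is `ip` still blocked `seconds` after the sample window began?"""
    return limiter.is_blocked(ip, T0 + timedelta(seconds=seconds))


if __name__ == "__main__":
    limiter, decisions = replay(SAMPLE_EVENTS)
    print(decisions.count("blocked"), "request(s) refused")
    print(htaccess_block(limiter.blocked_until))
```

The bot’s 17th failure trips the lockout; its 18th request is refused without touching the database, which is where the speed saving comes from. Note that an .htaccess deny is per IP, so a botnet rotating addresses is slowed, not stopped, and a lockout that never expires will eventually block a legitimate user behind a shared NAT address.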


2. Change Table Prefix (1ms)
Active Installs: 1,000+
package download size: 10.3k

Protect your website against SQL injection. Replace the WordPress default database prefix (wp_) with any other prefix in a single click. SQL injection is an attack in which the hacker embeds malicious SQL in input to a poorly designed application, which passes it along to the backend database; anything can then happen on your site. A non-default prefix defeats automated attacks that assume the standard wp_ table names, but it does not fix the injectable query itself.


3. Email Address Encoder (2ms)
Active Installs: 80,000+
package download size: 4.8k

A lightweight plugin to protect email addresses from email-harvesting robots. The plugin encodes addresses into decimal and hexadecimal HTML entities, which browsers render as the original text. No configuration required.
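As an added example (not the plugin’s own code), the encoding it describes plus the two checks that matter: a naive regex harvester finds nothing in the encoded form, and `html.unescape` shows what the browser, or any bot that bothers to decode entities, actually sees. The random mix of decimal and hex entities and the sample address are assumptions of the example.

```python
import html
import random
import re

# Crude pattern an email-harvesting bot might run over raw page source.
HARVESTER_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def encode_email(address, seed=None):
    """Turn every character into a decimal (&#NN;) or hex (&#xNN;) HTML entity,
    choosing per character so the output has no fixed shape to match on."""
    rng = random.Random(seed)
    parts = []
    for ch in address:
        code = ord(ch)
        parts.append(f"&#{code};" if rng.random() < 0.5 else f"&#x{code:x};")
    return "".join(parts)


def encode_mailto(address, seed=None):
    """An entity-encoded mailto: link; the browser decodes both href and text."""
    text = encode_email(address, seed)
    href = encode_email("mailto:" + address, seed)
    return f'<a href="{href}">{text}</a>'


def harvest(page_source):
    """What a naive bot sees: addresses found by regex in the raw markup."""
    return HARVESTER_RE.findall(page_source)


def render(page_source):
    """What a browser, or an entity-aware bot, sees after decoding."""
    return html.unescape(page_source)


if __name__ == "__main__":
    link = encode_mailto("info@example.com", seed=1)   # constructed sample address
    print(link)
    print("naive harvester finds:", harvest(link))
    print("browser renders:     ", render(link))
```

This is obfuscation, not cryptography: it defeats harvesters that regex the raw HTML, and nothing more. A crawler that decodes entities (or drives a headless browser) recovers the address in one step, so treat the plugin as a cheap filter against the laziest bots rather than as protection.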


4. Block Bad Queries (BBQ) (4ms)
Active Installs: 70,000+
package download size: 7.2k

A simple, super-fast plugin that protects your site against malicious URL requests. It inspects each incoming request and blocks URLs containing known attack strings, such as eval(, base64_, and excessively long request strings. No plugin configuration required.
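Added example, not BBQ’s code: a request filter of the same shape, run over a handful of constructed request URIs. The pattern list and the length cap are illustrative assumptions; BBQ’s own rules are longer and differ. The one detail worth copying is the repeated percent-decoding, without which a double-encoded payload walks straight past the patterns.

```python
import re
from urllib.parse import unquote

# Illustrative attack strings (assumption: BBQ's real list is longer and differs).
BAD_PATTERNS = [
    r"\.\./",              # directory traversal
    r"<script",            # script injection
    r"eval\(",             # PHP eval() payloads
    r"base64_",            # base64_decode() style payloads
    r"union\s+select",     # SQL injection
    r"wp-config\.php",     # fishing for the config file
    r"/etc/passwd",        # classic file-read probe
]
BAD_RE = re.compile("|".join(BAD_PATTERNS), re.IGNORECASE)
MAX_REQUEST_LENGTH = 2000  # assumed cap on request-string length


def normalize(uri, rounds=3):
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    %252e payloads are compared in the same form as plain text."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def is_bad_request(uri):
    """True if the request should be answered with 403 instead of reaching WordPress."""
    if len(uri) > MAX_REQUEST_LENGTH:
        return True
    return BAD_RE.search(normalize(uri)) is not None


def filter_requests(uris):
    """Return (uri, status) pairs the way a front-end filter would decide them."""
    return [(u, 403 if is_bad_request(u) else 200) for u in uris]


# Constructed request URIs: two ordinary page views, four attack probes.
SAMPLE_URIS = [
    "/",
    "/contact-us/?s=speed+tips",
    "/wp-content/uploads/..%2F..%2Fwp-config.php",
    "/?p=1%27%20UNION%20SELECT%20user_login,user_pass%20FROM%20wp_users",
    "/index.php?x=%2565val%2528",     # double-encoded eval(
    "/?q=" + "A" * 3000,              # oversized request string
]

if __name__ == "__main__":
    for uri, status in filter_requests(SAMPLE_URIS):
        print(status, uri[:60])
```

The check runs before WordPress loads, which is why a filter like this costs almost nothing. The price is false positives: a legitimate slug or search term that happens to contain one of the strings (or a very long query string from a plugin) gets a 403 too, so watch the server log for real visitors being refused after installing it.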


What went wrong?

After installing the iThemes Security plugin, we got a GoDaddy email notification. It said our hosting account had exceeded its resource limits.

Email warning from GoDaddy hosting (shared Linux, magnetic drives).

The recommended solution from our benevolent host, of course, is to buy more server goodies. But the better answer, which they don’t tell you, is simpler and cheaper than that.

Once again, we observe that plugin file weight is indicative of resource consumption. If not page load time, then RAM or MySQL database capacity gets gobbled up. This isn’t always the case. But a fat plugin is suspicious and requires testing. To find out how your site is using resources, click the cPanel icon “CPU and Concurrent Connection Usage.”

After the “warning,” we checked cPanel (CPU and Concurrent Connection Usage). It showed RAM usage had jumped from a normal 89M to the 512M maximum available. We’d never encountered this problem before. The “spike” in the cPanel memory data occurred when we installed the iThemes plugin.

We completely uninstalled that nasty security plugin. RAM usage immediately began dropping. An hour later the RAM usage was 221M. By 1.5 hours, it was 128M. We were finally drifting back into the green zone. Are we the only ones to ever see this weirdness? No. Read on.

In the production notes:

“Enhancement Jan 2016: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.”

So what? What’s the big deal?

When you exceed server limits, many hosts will at least start throttling your site. Worst case, they take your site offline for hours or days. They claim they’re protecting the other sites hosted on the server from your malfeasance: you’re dragging everyone else down with you.

Bandwidth throttling is the intentional slowing of your site by your hosting provider. It helps limit network congestion and server crashes. But it’s also often a lame excuse to justify poor performance and the sloppy cramming of thousands of domains onto one server. You can’t control this. But you can avoid memory-hog plugins like iThemes Security.

Is iThemes Security the Lone Ranger plugin that consumes RAM? Nope.

There are a bunch of plugins we know of (and many others we don’t). But they aren’t security plugins.

Here are some examples:

Checking broken links one by one is not physically possible, even for a small site. There are many free and paid tools that check for broken links. You can get the Broken Link Checker plugin (active installs 500,000) and check the health of your links with it.

But Broken Link Checker is a RAM hog. You’ll see two spikes on the graph below. The first is when we switched on Broken Link Checker and it started its automated crawling of the site. The second peak is UpdraftPlus (1 million active installs) doing an automatic site backup. We keep Link Checker deactivated and only run it once a month.

What if you’re running Link Checker, doing a backup, and have a hog security plugin running, all at the same time? You’re doomed. What can you do!?

Well, on the cPanel dashboard is an icon that looks like this:

Click it. You’re taken to a dropdown menu where you can select the version of PHP (PHP: Hypertext Preprocessor), the server-side scripting language WordPress runs on.

Our PHP version was set to 5.3. We reduced WordPress memory usage by upgrading from PHP 5.3 to PHP 5.5. Newer versions use less memory and run faster. And this speed improvement is free. Version 7 is the latest and greatest, and supposed to be really fast, but not all hosts provide it yet. How much improvement did we see?

Changing the PHP version reduced RAM usage by 20 to 30 percent. This keeps us safe. Now we idle around 70M, staying far away from the 512M rail. But when we do daily backups, we push up to around 300M. We improved this with better backup plugin settings. We could do manual backups when we create new content. Instead we compromise and switch from daily to weekly backups to reduce the load. That works for us.

MORE ESOTERIC SECURITY FOR SPEED GEEKS

Want to complicate your life in the name of absolute security so you can pass an odd security test like https://securityheaders.com/? Try one of the futile header-modification plugins below. We’re not using them. We tested them and found them over the top in complication. We accept our big fat “F.” Do we care?

content security policy
Content Security Policy prevents content injection attacks by specifying valid sources of content for a site.

content security policy Pro
This Content Security Policy plugin helps set up the Content-Security-Policy HTTP response header and block XSS vulnerabilities.

eazy http headers
Eazy HTTP Headers provides three check boxes in a settings section on the general settings page.
Two of them activate functions built into WordPress, send_frame_options_header() and send_nosniff_header(), which set the X-Frame-Options and X-Content-Type-Options headers; the third sets an X-XSS-Protection header.

http headers
HTTP Headers gives you control over the HTTP headers returned by your blog or website.

http security
Sets up the HTTP response headers that improve website security.

This plugin provides the following measures:

* HSTS (Strict-Transport-Security)
* CSP (Content-Security-Policy)
* Clickjacking mitigation (X-Frame-Options in main site)
* XSS protection (X-XSS-Protection)
* Disabling content sniffing (X-Content-Type-Options)
* Referrer policy
* Expect-CT
* Remove PHP version information from the HTTP header
* Remove WordPress version information from the header
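For readers who do want to see how such a test grades a response, here is an added example (not any plugin’s code, and not securityheaders.com’s algorithm) that audits a set of response headers offline. It reports which of the headers listed above are missing or weakly configured, flags the ones current browsers no longer honour (HPKP was withdrawn, X-XSS-Protection is ignored by current Chromium and Firefox, Expect-CT has been retired), and notes version leaks. The two header sets, the letter-grade scale and the one-year HSTS threshold are the example’s own assumptions.

```python
import re

# Headers the audit expects on every HTML response.
REQUIRED = ["Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy"]
# Headers from the plugin lists above that current browsers no longer honour.
OBSOLETE = {
    "Public-Key-Pins": "HPKP was withdrawn; a bad pin locks your own users out",
    "X-XSS-Protection": "the XSS auditor it controlled was removed from browsers",
    "Expect-CT": "Certificate Transparency is enforced without it now",
}
# Headers whose only effect is to tell an attacker which versions you run.
LEAKY = ["X-Powered-By", "Server"]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_headers(headers):
    """Grade a dict of response headers; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {"missing": [], "weak": [], "obsolete": [], "leaks": []}

    for name in REQUIRED:
        if name.lower() not in h:
            findings["missing"].append(name)

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings["weak"].append("Strict-Transport-Security max-age below one year")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings["weak"].append("X-Content-Type-Options must be exactly 'nosniff'")

    csp = h.get("content-security-policy", "")
    scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or []
    if "'unsafe-inline'" in scripts and not any(t.startswith("'nonce-") for t in scripts):
        findings["weak"].append("Content-Security-Policy lets any inline script run")

    for name, why in OBSOLETE.items():
        if name.lower() in h:
            findings["obsolete"].append(f"{name}: {why}")
    for name in LEAKY:
        value = h.get(name.lower(), "")
        if re.search(r"\d", value):          # a version number is what leaks
            findings["leaks"].append(f"{name}: {value}")

    penalty = len(findings["missing"]) + len(findings["weak"])
    findings["grade"] = "ABCDF"[min(penalty, 4)]   # the example's own scale
    return findings


# Constructed header sets: a default shared-host response and a corrected one.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.6 (CentOS)",
    "X-Powered-By": "PHP/5.3.29",
    "Content-Type": "text/html; charset=UTF-8",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_RESPONSE = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "img-src 'self' data:; object-src 'none'; frame-ancestors 'self'"),
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(hdrs))
```

Two practical notes. Most of these headers are free to add and cost no measurable load time; it is Content-Security-Policy that complicates life on WordPress, because themes and plugins emit inline scripts that a strict policy blocks. Start with the Content-Security-Policy-Report-Only header, collect the violation reports, and switch to enforcement only when the admin screens still work. And removing the X-Powered-By and Server version strings is configuration, not a plugin.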

security header optimization
Advanced HTTP security header optimization toolkit. Content-Security-Policy, Strict Transport Security (HSTS), Public-Key-Pins (HPKP), X-XSS-Protection and CORS.

The plugin provides Content Security Policy Management with support for Reporting API and legacy policy conversion based on browser sniffing.

The plugin supports most security headers, including Strict Transport Security (HSTS), Public-Key-Pins (HPKP), X-XSS-Protection and all Cross-Origin Resource Sharing (CORS) related headers (Access-Control-Allow-Origin).

security headers
Set TLS headers for HSTS.

TLS is growing in complexity. Server Name Indication (SNI) now means HTTPS sites may share IP addresses or be otherwise restricted. For these servers it is handy to set the desired HTTP headers without access to the web server’s configuration or .htaccess file.

This plugin exposes controls for:

* HSTS (Strict-Transport-Security)
* HPKP (Public-Key-Pins)
* Disabling content sniffing (X-Content-Type-Options)
* XSS protection (X-XSS-Protection)
* Clickjacking mitigation (X-Frame-Options in main site)
* Expect-CT

HSTS is used to ensure that future connections to a website always use TLS, and disallowing bypass of certificate warnings for the site.

HPKP is used if you don’t want to rely solely on the Certificate Authority trust model for certificate issuance.

Disabling content sniffing is mostly of interest for sites that allow users to upload files of specific types, which browsers might be silly enough to interpret as some other type, thus allowing unexpected attacks.

XSS protection re-enables XSS protection for the site, if the user has disabled it previously, and sets the “block” option so that attacks are not silently ignored.

Clickjacking protection is usually only relevant when someone is logged in, but users requested it; presumably they have rich content outside WordPress authentication they wish to protect.

Expect-CT is used to ensure Certificate Transparency is configured correctly.

simple iframe buster
Sets the X-Frame-Options header to SAMEORIGIN and also enqueues a JavaScript-based iframe blocker.

Provides a method of adding X-Frame-Options to the HTTP headers for sites hosted in an environment that does not grant access to the web server config or .htaccess, or that lacks a mod_headers type facility.

+ Sets X-Frame-Options to SAMEORIGIN
+ Enqueues iframe-blocking JavaScript

wp content security policy
Block XSS vulnerabilities by adding a Content Security Policy header; the plugin receives violation reports so you can easily maintain the policy.

Content Security Policy (CSP) is a W3C standard for preventing cross-site scripting (XSS) and related attacks. XSS lets other people run scripts on your site, so it is no longer your application running there, and it opens your whole domain to attack because of the Same-Origin Policy: XSS anywhere on your domain is XSS everywhere on your domain.

CSP tells the browser to enforce a least-privilege environment on your application, allowing the client to load resources only from trusted domains and blocking everything from anywhere else.

Adding CSP to your site will protect your visitors from:

* Cross-site scripting (XSS) attacks
* Adware and Spyware while on your site

This plugin helps you set your CSP and adds it to the page the visitor requested. Policy violations are logged in a database table and viewed via an admin page that lists all the violations with counts. Buttons let you add the reported sites to your headers or ignore them.

This plugin also allows you to ignore sites that repeatedly violate your policies. For example, some tracking images will show as violating your policies but you still don’t want them to run, so you can block the site from showing up in your logs. Note, however, that the browser will still call your server and your server will still spend resources processing the report.
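Added example, not the plugin’s code: the report-handling loop described above, in Python. Browsers POST one JSON body per violation to the report-uri named in the policy; the example aggregates constructed reports by directive and origin the way the admin table does, honours an ignore list, and extends the policy only with http(s) origins, never with a blanket 'unsafe-inline'. The sample reports and the base policy are constructed for the illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit


def parse_report(raw):
    """Return (directive, source) from one browser report-uri POST body."""
    r = json.loads(raw)["csp-report"]
    directive = r.get("effective-directive") or r["violated-directive"].split()[0]
    blocked = r.get("blocked-uri", "")
    if blocked.startswith(("http://", "https://")):
        parts = urlsplit(blocked)
        source = f"{parts.scheme}://{parts.netloc}"   # allow the origin, not one file
    else:
        source = blocked or "unknown"                # 'inline', 'eval', 'data', ...
    return directive, source


def aggregate(raw_reports):
    """Count violations per (directive, source), like the plugin's admin table."""
    return Counter(parse_report(raw) for raw in raw_reports)


def suggest_policy(policy, counts, ignore=(), min_count=1):
    """Add each reported http(s) origin to its directive unless it is ignored.
    Non-URL sources ('inline', 'eval') are deliberately left out: they need a
    code change or a nonce, not a weaker policy."""
    new = {k: list(v) for k, v in policy.items()}
    for (directive, source), n in sorted(counts.items()):
        if n < min_count or source in ignore or not source.startswith("http"):
            continue
        new.setdefault(directive, ["'self'"])
        if source not in new[directive]:
            new[directive].append(source)
    return new


def serialize(policy):
    """Render the policy dict as a Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(v)}" for d, v in policy.items())


def _report(directive, blocked):
    """Build one constructed report body in the format browsers send to report-uri."""
    return json.dumps({"csp-report": {"document-uri": "https://example.com/",
                                      "violated-directive": directive,
                                      "effective-directive": directive,
                                      "blocked-uri": blocked}})


# Constructed reports: a CDN the site does use, a tracker it does not want,
# and an inline script some plugin printed into the page.
SAMPLE_REPORTS = (
    [_report("script-src", "https://cdn.example.net/lib/jquery.min.js")] * 3
    + [_report("img-src", "https://tracker.example.org/pixel.gif?id=1")] * 2
    + [_report("script-src", "inline")]
)
BASE_POLICY = {"default-src": ["'self'"], "script-src": ["'self'"], "img-src": ["'self'", "data:"]}

if __name__ == "__main__":
    counts = aggregate(SAMPLE_REPORTS)
    for key, n in counts.most_common():
        print(n, *key)
    proposed = suggest_policy(BASE_POLICY, counts, ignore={"https://tracker.example.org"})
    print("Content-Security-Policy:", serialize(proposed))
```

Ignoring the tracker keeps it out of the table but, as the plugin’s notes say, every blocked load still costs one report POST to your server. The inline-script violation is the hard case on WordPress: the right answer is a nonce or moving the script to a file, which is exactly the complication the author is declining to take on.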

Godspeed—

Steve Teare
performance engineer
