Updated: December 2019
There are no affiliate links on PagePipe.
“Wordfence is slowing down our site. What’s PagePipe’s suggestion?”
Removing the WordFence Security plugin speeds up your site. When you pull it, how do you protect your website – and still get fast speed?
We remove WordFence from sites during “plugin surgery” (site-origin optimization). Let us tell you why:
On a recent project, the WordFence Security plugin caused 545 milliseconds of “site drag.” The plugin was one of 20 installed. It alone was 46 percent of the plugin speed overhead. Site drag happens when a plugin loads globally on every page and post. It slows down the entire site.
Selective plugin activation tricks won’t work for security plugins.
WordFence Security is a heavy plugin. In our case study, it consumed 25 percent of the 2-second performance budget. That speed cost is an unpublished technical specification. The plugin author is under no obligation to share speed consequences. This is a convenient sin of omission.
Could we predict this plugin would be slow without installing it?
The answer to that is:
Here are the biggest indicators:
1. WordFence Security is a popular plugin. It has 3-million active installations. The natural assumption is it must be the best. We have found a direct correlation between popularity and speed. The more popular a plugin is – the slower it is. Is it always that way? So far. Until WordPress requires accountable publishing of speed impact in readme files (maybe never?).
2. The WordFence Security zip package size is 4.6 MB. Super fat. Uncompressed it’s 12.5 MB. For comparison, how big is the WordPress core download? 11.6MB zipped download. That puts the plugin heaviness in perspective. It’s about half the size of the system you’re running on.
How big was the original WordFence Security version 1.4.1 zip file? 1MB. Did growing the decompressed size from 2.3MB to 12.5MB add significant features? We doubt it. The extra bloat is marketing popups and nag screens. These *encourage* upsells and add-ons to the Pro version. They’re annoying.
WordFence Security plugin is a Swiss-army knife plugin. It does everything. We prefer discrete plugins that perform one simple function with few or no settings.
Are there better lightweight plugins that block malicious file upload?
Yes. We sell this $9.95 ebook:
But since you asked, here’s what we’re using today for security:
1. Limit Login Attempts Reloaded prevents a brute-force attack: https://wordpress.org/plugins/limit-login-attempts-reloaded/
No settings needed. But we usually change the “4” attempts to “17.”
2. The Change Table Prefix plugin protects your website from SQL injections: https://wordpress.org/plugins/change-table-prefix/
It requires one setting: changing the prefix.
3. BBQ: Block Bad Queries plugin protects your website against malicious URL requests. Hackers can redirect user requests from your site to an illegitimate site. No configuration required.
4. Deactivate XML-RPC Service plugin: Disabling WordPress XML-RPC is a precautionary measure against brute force attacks. No settings. https://wordpress.org/plugins/deactivate-xml-rpc-service/
5. The Email Address Encoder plugin protects email addresses by hiding them from email-harvesting bots. No configuration required.
These 5 discrete plugins will add only 9 milliseconds to your site.
But here is the biggest tip of all – and it has nothing to do with plugins:
Change your WordPress login password. Make it anything that has a total of 12 characters, numbers, or symbols. Make it lower and upper case for a few characters.
Nine-character passwords take five days to break. 10-character words take four months. 11-character passwords take 10 years. Make it 12 characters, and you’re looking at 200 years worth of security – not bad for a little letter.
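The times quoted above grow by roughly 26 times per added character, which is what an exhaustive search over lowercase letters alone would produce. The sketch below is an added example, not from the original post: it assumes that lowercase-only reading, calibrates a guess rate from the "nine characters, five days" figure, and then shows what mixing in upper case, digits and symbols does to a 12-character password. The function names and sample passwords are constructed for illustration.

```python
import string

# Assumption (not stated in the post): the quoted times describe an exhaustive
# search over the 26 lowercase letters, calibrated on "9 characters = 5 days".
LOWERCASE = 26
CALIBRATION_LENGTH = 9
CALIBRATION_DAYS = 5
POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

def guesses_per_day():
    """Guess rate implied by the calibration point under the assumption above."""
    return LOWERCASE ** CALIBRATION_LENGTH / CALIBRATION_DAYS

def alphabet_size(password):
    """Sum the sizes of the standard character pools the password draws from."""
    # Characters outside these pools (spaces, non-ASCII) are ignored,
    # so the estimate errs on the low side.
    return sum(len(pool) for pool in POOLS if any(c in pool for c in password))

def worst_case_days(length, alphabet):
    """Days needed to try every candidate of exactly this length."""
    return alphabet ** length / guesses_per_day()

def estimate_days(password):
    """Worst-case search time for a randomly generated password."""
    return worst_case_days(len(password), alphabet_size(password))

def describe(days):
    """Render a duration in the units the post uses."""
    if days < 60:
        return f"{days:.0f} days"
    if days < 730:
        return f"{days / 30.44:.1f} months"
    return f"{days / 365.25:,.0f} years"

if __name__ == "__main__":
    for n in range(9, 13):
        print(f"{n} lowercase characters: {describe(worst_case_days(n, LOWERCASE))}")
    # Constructed sample passwords, all 12 characters long.
    for pw in ("qmzrtkwvhxpl", "qMzrtKwvhxPl", "qMz7tKw$hxPl"):
        print(f"{pw} ({alphabet_size(pw)} symbols): {describe(estimate_days(pw))}")
```

These figures only hold for randomly generated passwords; dictionary words and reused passwords fall far faster than an exhaustive search suggests.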