Is there any lightweight firewall plugin substitute for WordFence Security plugin?

WordPress Mobile Speed

Updated: December 2019


There are no affiliate links on PagePipe.

 

“Wordfence is slowing down our site. What’s PagePipe’s suggestion?”

Removing the WordFence Security plugin speeds up your site. When you pull it, how do you protect your website – and still get fast speed?

We remove WordFence from sites during “plugin surgery” (site-origin optimization). Let us tell you why:

On a recent project, the WordFence Security plugin caused 545 milliseconds of “site drag.” The plugin was one of 20 installed, yet it alone accounted for 46 percent of the plugin speed overhead. Site drag happens when a plugin loads globally on every page and post, which slows down the entire site.

Selective plugin activation tricks won’t work for security plugins.
REFERENCE: http://pagepipe.com/selective-plugin-deactivation/

WordFence Security is a heavy plugin. In our case study, it consumed 25 percent of the 2-second performance budget. That speed cost is an unpublished technical specification. The plugin author is under no obligation to share speed consequences. This is a convenient sin of omission.

Could we predict this plugin would be slow without installing it?
The answer to that is:

Yes.

Here are the biggest indicators:

1. WordFence Security is a popular plugin. It has 3 million active installations. The natural assumption is that it must be the best. We have found a direct correlation between popularity and slowness: the more popular a plugin is, the slower it is. Is it always that way? So far. Until WordPress requires accountable publishing of speed impact in readme files (maybe never?).

2. The WordFence Security zip package size is 4.6 MB. Super fat. Uncompressed, it’s 12.5 MB. For comparison, how big is the WordPress core download? 11.6 MB zipped. That puts the plugin heaviness in perspective. It’s about half the size of the system you’re running on.

How big was the original WordFence Security version 1.4.1 zip file? 1 MB. Did the growth in decompressed size from 2.3 MB to 12.5 MB add significant features? We doubt it. The extra bloat is marketing popups and nag screens. These *encourage* upsells and add-ons to the Pro version. They’re annoying.

WordFence Security plugin is a Swiss-army knife plugin. It does everything. We prefer discrete plugins that perform one simple function with few or no settings.

Are there better lightweight plugins that block malicious file upload?

Yes. We sell this $9.95 ebook:

https://pagepipe-ebooks.com/police-me-speed-knockoff-inspired-by-ithemes-security-plugin/

But since you asked, here’s what we’re using today for security:

1. Limit Login Attempts Reloaded prevents a brute-force attack: https://wordpress.org/plugins/limit-login-attempts-reloaded/
No settings needed. But we usually change the “4” attempts to “17.”

2. The Change Table Prefix plugin protects your website from SQL injections: https://wordpress.org/plugins/change-table-prefix/
It requires one setting: changing the prefix.

3. BBQ: Block Bad Queries plugin protects your website against malicious URL requests. Hackers can redirect user requests from your site to an illegitimate site. No configuration required.
https://wordpress.org/plugins/block-bad-queries/

4. Deactivate XML-RPC Service plugin: Disabling WordPress XML-RPC is a precautionary measure against brute force attacks. No settings. https://wordpress.org/plugins/deactivate-xml-rpc-service/

5. The Email Address Encoder plugin protects email addresses by hiding them from email-harvesting bots. No configuration required. https://wordpress.org/plugins/email-address-encoder/

These 5 discrete plugins will add only 9 milliseconds to your site.
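To check that login throttling (item 1) and the XML-RPC shutdown (item 4) are holding up, you can count POSTs to the two login endpoints per client in the web server access log. The Python below is an added example, not code from PagePipe or from any of the plugins listed; the log lines are constructed, the function names are hypothetical, and the threshold of 17 simply reuses the attempts figure from item 1 as an assumption.

```python
import re
from collections import Counter

# Common/combined access-log format: client IP, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def count_login_posts(lines):
    """Count probable failed-login POSTs per (client IP, endpoint)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path not in LOGIN_PATHS:
            continue
        # wp-login.php answers a successful login with a 302 redirect,
        # so a redirect there is not counted as a failed attempt.
        if path == "/wp-login.php" and m["status"] == "302":
            continue
        counts[(m["ip"], path)] += 1
    return counts

def noisy_clients(lines, threshold=17):
    """Return {ip: total} for clients at or above the (assumed) threshold."""
    per_ip = Counter()
    for (ip, _path), n in count_login_posts(lines).items():
        per_ip[ip] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def sample_log():
    """Constructed sample lines; addresses are documentation ranges."""
    fmt = '{ip} - - [10/Dec/2019:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", s=i, req="POST /wp-login.php", st=200)
             for i in range(20)]
    lines += [fmt.format(ip="198.51.100.9", s=i, req="POST /xmlrpc.php", st=200)
              for i in range(18)]
    lines += [fmt.format(ip="192.0.2.10", s=1, req="POST /wp-login.php", st=200),
              fmt.format(ip="192.0.2.10", s=2, req="POST /wp-login.php", st=302),
              fmt.format(ip="192.0.2.10", s=3, req="GET /wp-login.php", st=200)]
    return lines

if __name__ == "__main__":
    for ip, n in sorted(noisy_clients(sample_log()).items()):
        print(f"{ip}\t{n} login POSTs")
```

A client that keeps appearing above the threshold after the lockout plugin is active, or any steady stream of POSTs to `/xmlrpc.php`, is worth a closer look.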

But here is the biggest tip of all – and it has nothing to do with plugins:

Change your WordPress login password. Make it anything with a total of 12 letters, numbers, or symbols, and mix lower and upper case for a few of the letters.

For example:
BlueMou$e61=

Nine-character passwords take five days to break. 10-character passwords take four months. 11-character passwords take 10 years. Make it 12 characters, and you’re looking at 200 years’ worth of security – not bad for a little letter.

Godspeed-

Steve Teare
performance engineer
