“Wordfence is slowing down our site. What’s PagePipe’s suggestion?”
Removing the WordFence Security plugin speeds up your site. When you pull it, how do you protect your website – and still get fast speed?
We remove WordFence from sites during “plugin surgery” (site-origin optimization). Let us tell you why:
On a recent project, WordFence Security plugin caused 545 milliseconds of “site drag.” The plugin was one of 20 installed. It alone was 46 percent of the plugin speed overhead. That’s when a plugin does global loading on every page and post. It slows down the entire site.
Selective plugin activation tricks won’t work for security plugins.
REFERENCE: https://speedhospital.org/speedswitch/
WordFence Security is a heavy plugin. In our case study, it consumed 25 percent of the 2-second performance budget. This is an unpublished technical specification. The plugin author is under no obligation to share speed consequences. This is a convenient sin of omission.
Could we predict this plugin would be slow without installing it?
The answer to that is:
Yes.
Here are the biggest indicators:
1. WordFence Security is a popular plugin. It has 4-million active installations. The natural assumption is it must be the best. We have found a direct correlation between popularity and speed. The more popular a plugin is – the slower it is. Is it always that way? So far. Until WordPress requires accountable publishing of speed impact in readme files (Maybe never?).
2. The WordFence Security zip package size is 4.9 MB. Super fat. Uncompressed it’s 13.6 MB. For comparison, how big is the WordPress core download? 16.5 MB zipped download (52.9 MB unzipped). That puts the plugin heaviness in perspective. It’s about 25 percent of the size of the system you’re running on.
How big was the original WordFence Security version 1.4.1 zip file? 1 MB. Did the much larger file size come with significantly more features? We doubt it. The extra bloat is marketing popups and nag screens. These *encourage* upsales and addons to the Pro version. They’re annoying.
WordFence Security plugin is a Swiss-army knife plugin. It does everything. We prefer discrete plugins that perform one simple function with few or no settings.
Are there better lightweight plugins that block malicious file upload?
Yes. We sell this $9.95 ebook:
https://pagepipe-ebooks.com/police-me-speed-knockoff-inspired-by-ithemes-security-plugin/
But since you asked, here’s what we’re using today for security:
1. Limit Login Attempts Reloaded prevents a brute-force attack: https://wordpress.org/plugins/limit-login-attempts-reloaded/
No settings needed. But we usually change the “4” attempts to “17.”
2. The Change Table Prefix plugin protects your website from SQL injections: https://wordpress.org/plugins/change-table-prefix/
Its one setting is the prefix itself. We don’t use this on sites that have been migrated. It often will nuke the site. White pages. Many hosts now automatically change the database prefix for you when you migrate to their services.
3. BBQ: Block Bad Queries plugin protects your website against malicious URL requests. Hackers can redirect user requests from your site to an illegitimate site. No configuration required.
https://wordpress.org/plugins/block-bad-queries/
4. Deactivate XML-RPC Service plugin: Disabling WordPress XML-RPC is a precautionary measure against brute force attacks. No settings. https://wordpress.org/plugins/deactivate-xml-rpc-service/
NOTE: This plugin is no longer needed when using the Limit Login Attempts Reloaded plugin. It has this security feature built-in now. No setting required.
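If you would rather not carry a plugin for this at all, the same precaution fits in a few lines of a must-use plugin. This is an added example, not code from any plugin named above; the file location wp-content/mu-plugins/disable-xmlrpc.php is an assumption.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (mu-plugin)
 * Added example: turns off XML-RPC without a regular plugin.
 * Save as wp-content/mu-plugins/disable-xmlrpc.php (path assumed).
 * Must-use plugins load automatically and cannot be deactivated
 * from the dashboard, so the setting cannot be switched off by accident.
 */

// Reject XML-RPC authentication, the login path that brute-force
// attempts against xmlrpc.php rely on.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove the pingback method as well, so the endpoint offers nothing
// beyond the refused login.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After saving the file, a request to /xmlrpc.php that tries to log in should come back with a "XML-RPC services are disabled on this site" fault, which is the expected result.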
5. The Email Address Encoder plugin protects email addresses by hiding them from email-harvesting bots.
No configuration required. But we recommend selecting: Notices and promotions: Hide notices and promotions for all users. This prevents annoying nag screens.
https://wordpress.org/plugins/email-address-encoder/
These 5 discrete plugins will add only 9 milliseconds to your site.
But here is the biggest tip of all – and it has nothing to do with plugins:
Change your WordPress login password. Make it any mix of letters, numbers, or symbols totaling 12 characters. Use both lower and upper case for a few of the letters.
For example:
BlueMou$e61=
Nine-character passwords take five days to break. 10-character passwords take four months. 11-character passwords take 10 years. Make it 12 characters, and you’re looking at 200 years’ worth of security – not bad for a little letter.
Godspeed-
Steve Teare
performance engineer
February 2025
PagePipe Site Tuning Services for Speed
Instead of band-aid approaches, we drill down to the root cause of your slow site. This is origin optimization. Also known as site tuning. To do this, we analyze site components:
- Hosting
- Theme
- Plugins
- Scripts and third-party services.
- Images and media library.
- We minimize globally loading plugin effects.
Find out more details about Site Tuning – Get Speed!