iThemes Security slows your site and depletes server resources.

Myth: WordPress security plugins don’t affect speed.
The usual recommendation is iThemes Security (formerly Better WP Security).
Most people don’t know security plugins slow down your site and use up server resources.

While studying site security and speed, we tested the iThemes Security plugin. It’s claimed to prevent malware injection. We’re sure it works, but the plugin is major overkill. We duplicate its core features with lightweight, fast-loading, standalone free plugins. Beneath the surface, this large, 3.1M plugin contains a lurking, greedy speed bite. Chomp!

There’s no detectable difference in load time with most speed tests. With this security plugin onboard there’s not even an extra call (HTTP Request). The plugin appears pretty safe and benign for speed. And it’s popular! What could go wrong?

Nowadays, there’s a herd-panic or paranoia about WordPress security and getting hacked. It’s easy to get caught up in the frenzy – and go plugin crazy. All that’s required are a few simple things. First, change your login from the default “admin.” Duh? Use something a little more challenging for bots. Don’t use “password” as your password. These are obvious, right? Right.

Only 8 milliseconds for extra site security with four recommended plugins:

PagePipe uses the following simple security plugins. We predict load time in milliseconds using P3 Plugin Performance Profiler (by GoDaddy). NOTE: P3 plugin will slow down your site. Don’t leave it installed!

Limit Login Attempts Reloaded (40ms)
package download size: 697k

Brute-force attacks are the simplest method to gain access to a site. The hacker tries usernames and passwords, over and over again, with a “bot” until they get in. This lightweight plugin prevents brute-force login attacks using .htaccess, the configuration file on web servers running Apache Web Server software. After a set number of failed login attempts within a time window, the hacker’s IP address is blocked. This plugin also disables XMLRPC.

It’s best to disable the xmlrpc.php file. XML-RPC is a specification enabling communication between WordPress and other systems (like smartphones). By disabling it, you ensure this non-feature can’t be used to hack your WordPress website.
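The lockout behaviour described above (a limited number of failed logins inside a time window, then a timed block of the offending IP) is easiest to see in a small model. This is an added illustration, not the plugin’s own code: it keeps state in memory rather than in .htaccess, and the thresholds and the sample address are assumptions.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 4        # assumed thresholds for this illustration, not the plugin's defaults
WINDOW_SECONDS = 600    # failures older than this no longer count
LOCKOUT_SECONDS = 1200  # how long a tripped address stays blocked

class LoginLimiter:
    """Per-IP failure counter with a sliding window and a timed lockout."""
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        if until is not None:  # lockout expired: forget the address, clean window
            del self.locked_until[ip]
            self.failures.pop(ip, None)
        return False

    def record_failure(self, ip, now):
        """Count a failed login; return True if this one tripped the lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

def attempt_login(limiter, ip, password_ok, now):
    """One login attempt; returns 'locked', 'ok', 'failed' or 'lockout'."""
    if limiter.is_locked(ip, now):
        return "locked"  # rejected before the password is even checked
    if password_ok:
        limiter.failures.pop(ip, None)  # success resets the failure window
        return "ok"
    return "lockout" if limiter.record_failure(ip, now) else "failed"

def simulate():
    """Constructed timeline: four bad passwords, then the right one while locked, then after."""
    lim, ip = LoginLimiter(), "198.51.100.7"  # documentation-range address
    out = [attempt_login(lim, ip, False, t) for t in (0, 1, 2, 3)]
    out.append(attempt_login(lim, ip, True, 4))
    out.append(attempt_login(lim, ip, True, 4 + LOCKOUT_SECONDS))
    return out  # ['failed', 'failed', 'failed', 'lockout', 'locked', 'ok']
```

Note that the correct password is still refused while the lockout is active; that is the point of the block, and also why a legitimate user behind a shared NAT address can be caught by it.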

Change Table Prefix (1ms)
package download size: 10k

WARNING: Only use this plugin if you know what you are doing. You can mess up your database and nuke your site. Some hosts, like GreenGeeks, automatically change the default prefix for you on migration. Protect your website from SQL injections: replace the WordPress default database prefix (wp_) with any other prefix in a single click. An SQL injection is a computer attack in which hackers embed malicious code in a poorly designed application, which then passes it along to the backend database. Anything can then happen on your site.

Email Address Encoder (2ms)
package download size: 5k

A lightweight plugin to protect email addresses from email-harvesting robots. The plugin encodes addresses into decimal and hexadecimal entities. No configuration required.
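The encoding described above turns each character of an address into an HTML character entity, so a browser still renders the address while a scraper matching the raw HTML for a literal “user@host” finds nothing. This is an added illustration, not the plugin’s code; alternating decimal and hexadecimal entities per character and the sample address are this example’s choices.

```python
import html
import re

def encode_email(address):
    """Encode every character as &#NNN; (even positions) or &#xHH; (odd positions).
    Alternating the two forms is this example's choice, not the plugin's rule."""
    return "".join(f"&#{ord(c)};" if i % 2 == 0 else f"&#x{ord(c):x};"
                   for i, c in enumerate(address))

def mailto_link(address, text=None):
    """Build an <a href="mailto:..."> tag with both href and link text encoded."""
    return f'<a href="mailto:{encode_email(address)}">{encode_email(text or address)}</a>'

# Naive harvester pattern: scans raw HTML for a literal user@host.tld.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def harvester_sees(markup):
    """Addresses a scraper that does not decode entities would extract."""
    return EMAIL_RE.findall(markup)

def browser_sees(markup):
    """The text a browser renders after decoding the entities."""
    return html.unescape(markup)

def demo():
    """Constructed address; returns (raw markup, harvester result, decoded text)."""
    markup = mailto_link("webmaster@example.com")
    return markup, harvester_sees(markup), browser_sees(markup)
```

A scraper that unescapes entities before matching (what `browser_sees` does) recovers the address, so this raises the cost for lazy bots rather than preventing harvesting outright.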

Block Bad Queries (BBQ) (4ms)
package download size: 7k

A simple, super-fast firewall plugin that protects your site against malicious URL requests. Hackers can redirect user requests from your site to an illegitimate site. No plugin configuration required.

What went wrong?

After installing iThemes Security plugin, we got a GoDaddy email notification. It said our hosting account exceeded its resource limits. What!?

The recommended solution by our benevolent host, of course, is buy more server goodies. But the better answer – they don’t tell you – is simpler and cheaper than that.

Once again, we observe that plugin file weight is indicative of resource consumption. If not page load time, then RAM or MySQL databases are gobbled up. This isn’t always the case. But a fat plugin is suspicious and requires testing. To find out how your site is using resources, click the cPanel icon labeled CPU and Concurrent Connection Usage.

After the “warning,” we checked cPanel (CPU and Concurrent Connection Usage). It said RAM usage jumped from 89M normal to the 512M maximum available. We’d never encountered this problem before. The “spike” in the cPanel memory data occurred when we installed the iThemes plugin.

We completely uninstalled that nasty security plugin. RAM usage immediately began dropping. An hour later, the RAM usage was 221M. By 1.5 hours, it was 128M. We were finally drifting back into the green zone. Are we the only ones to ever see this weirdness? No. Read on.

In the production notes:

“Enhancement Jan 2016: Updated the File Change Detection feature to attempt a max memory limit of 256M rather than 128M as some users experience out of memory issues which could be fixed with the higher memory limit.”

So what? What’s the big deal?

When you exceed server limits, many hosts will at least start throttling your site. Or, worst case, take your site offline for hours to days. They claim they’re protecting other sites hosted on the server from your malfeasance. You’re dragging everyone else down with you.

Bandwidth throttling is intentional slowing by your Internet service provider. This helps limit network congestion and server crashes. But it’s also often a lame excuse to justify poor performance. And sloppy cramming of thousands of domains on a server. You can’t control this. But you can avoid getting shut down by memory-hog plugins – like iThemes Security.

Is iThemes Security the Lone-Ranger plugin that consumes RAM? Nope.

There are a bunch of plugins we know of (and many others we don’t). But they aren’t security plugins.

Here are some examples:

Checking broken links one by one is not physically possible, even for a small site. There are many free and paid tools that check for broken links. You can get the Broken Link Checker plugin (active installs 500,000) and check the health of your links with it.

But Broken Link Checker is a RAM hog. You’ll see two spikes on the graph below. The first is when we switched on Broken Link Checker and it started its automated crawling of the site. The second peak is UpdraftPlus doing an automatic site backup. We keep Link Checker deactivated and only run it once a month.

What if you’re running Link checker? And doing a backup? And have a hog security plugin running all together? You’re doomed. What can you do!?

Changing the PHP version from 5.3 to 7.x reduced RAM usage by 20 to 30 percent. This keeps us safe. Now we idle around 70M. We’re staying far away from the 512M rail. But when we do daily backups, we push up to around 300k usage. We improved this with better backup plugin settings. We could do manual backups when we create new content. But instead we compromise and switch from daily to weekly backups to reduce the load. That works for us.

Godspeed-

Steve Teare
performance engineer
October 2021
