If you look at older reviews about Wordfence, you’ll see reports that it slows down a website. But recent changes to the Wordfence plugin have greatly increased performance.
I tested the latest version of Wordfence on four of my websites this year. Here’s my verdict: Wordfence doesn’t slow down most of my websites. I’ll discuss the exception later in this article.
Does Wordfence Slow Down Your Website?
When you install Wordfence with default settings on a mid-level hosting package, it will not slow down your website noticeably.
If you are using the most basic entry-level hosting, Wordfence may add to performance issues. High-traffic sites may also have issues with Wordfence. You can change the configuration options to mitigate the impact on performance of scanning and security checks.
Why Do Older Reviews Report That Wordfence Slows Down Websites?
You may find detailed articles with in-depth testing that show a serious performance hit from the Wordfence plug-in. These reviews are legitimate and accurate for the versions they were working with at the time.
The default installation of Wordfence used to come with a very high level of scanning. Every single visit to your website was tracked and logged. And because Wordfence tries to distinguish between humans and bots, there were additional checks for regular page views.
This was okay for new websites with low traffic. But sites with significant traffic were noticeably slowed.
Here’s an example review from 2019. The careful reviewer ran multiple tests and the results were not good. You don’t have to go read it (because I’ll show you soon that it’s out of date). I’ll give you the summary:
“Running Wordfence is expensive from a performance standpoint. Wordfence…can increase your response time between 2x-7x..”Kernl Blog
Up to seven times slower? Yikes! No wonder people with busy websites were complaining on popular forums like Reddit and StackExchange.
But wait. The reviewer ran the tests with the option to scan traffic turned on. That was a perfectly legitimate test because this option was enabled by default at that time.
Crucially, this default has changed since then.
Amended default settings
When you install the Wordfence plugin, the default settings are different than they’ve been in the past.
Specifically, the “Live Traffic Options” are set to “Security Only”. That’s so important that I’ll explain it in detail in the next section.
Wordfence Live Traffic Options
The current default setting for scanning Live Traffic is “Security Only”. This means that only a restricted type of hit on your website are scanned and logged:
- Successful logins to your WordPress site
- Failed logins (wrong password)
- Blocked hits (using the Wordfence IP blacklist)
Normal page views are not logged (unless the IP is on the blacklist).
What’s happening is that your site is protected from the most common form of malicious activity: brute force. Brute force login attempts are when a bot tries thousands of user/password combinations at the WordPress login page.
Beginners tip: the user is typically “admin” in a brute-force attempted. So, it’s a good idea to create a new user with admin permissions and remove the default admin user. But make sure your new login is working before you do so!
By not including normal page views in the default settings, the amount of scanning is greatly reduced. This removes the extra load from your hosting servers.
To check this out, I ran my own tests.
BanditTracker Wordfence Performance Tests
I tested performance across four websites using the Pingdom speed-tracker tool. The sites don’t all have the same plugins or caching. But I ran the same tests on each and averaged the response times.
The tests were at three levels:
- No Wordfence installation
- Default Wordfence installation (and running a scan)
- Wordfence All Traffic option enabled (and running a scan)
For the tests with Wordfence installed, I kicked off a manual scan and started the speed test.
|Test||Configuration||Load Time (ms)||Change|
As you can see, the Wordfence plugin added a 10% performance hit at the default level. My sites aren’t lightning fast (e.g. below 1 second), but I don’t mind the 160-millisecond penalty for peace of mind.
Interesting, the “All Traffic” option was a little slower, but not by much. That, however, may not be the case if you have a high-traffic site.
Testing “real-life” traffic for your site
None of the sites I used for testing are above 50K page views per month.
I could have used a traffic generator to test my sites under significant load. And if this was an “industry standard” test, I would do so.
But I’m not interested in testing high traffic that these sites do not experience. I want to know if they would be adversely impacted by Wordfence now and in the medium future.
I suggest that you run similar tests when you’re about to install Wordfence.
Before the install, check your site using the free Pingdom.com speed checker or another of your choosing. Then, run the same check after the default install of Wordfence.
If your site crawls with the default settings, then read on.
How to Check If Wordfence Is Slowing Your Website
If you have recently installed Wordfence and are seeing a marked slowdown, then the first step is to deactivate the security plugin and see what happens.
If you’re not sure how to do this, we have an article on ways to remove Wordfence. You can safely choose the first option described, which is a partial deletion.
If that fixes the performance, then Wordfence may not be the actual culprit. Or at least, it may have an accomplice that is really the problem. Another plugin may be interacting with Wordfence in a way that consumes extra resources.
You can check this by disabling and enabling different combinations of plugins. If you find that a plugin doesn’t play nice with Wordfence, then you need to decide which is more important to you. You may decide to ditch that social media plugin and keep your protection.
If you use external services on your website, that might also be a cause of conflict. One example is Ezoic, the advertising provider. Their FAQ has specific instructions on extra configuration for Wordfence to avoid performance issues.
Suppose you find that Wordfence is definitely the sole cause of your performance woes. Is there anything you can do, other than uninstalling it? Yes, read on.
What To Do If Wordfence Slows Down Your Website
Before you chuck it in the bin, let’s take a look at some remedial action.
If your site is on cheap entry-level hosting, then you may have been allocated very sparse resources by your hosting provider. Wordfence gives you the option to drop the scanning levels right down to the minimum that is still useful.
From the Dashboard, click on the link to “Manage Scan”. From here, you’ll see that the default option is the “Standard Scan”. You can drop this down to a “Limited Scan”.
You can also explore some other options.
The “General Options” list under the Scan Options will show you the many different types of checks. Most are enabled by default. Some may not be necessary for you.
Do you allow comments?
Plenty of website owners choose not to allow comments on their sites. But comment scanning is enabled by default in Wordfence. Do you need it?
Disk space monitoring?
I pay for a mid-level hosting service. I expect my host to monitor disk space and send alerts if there’s a problem. And indeed, they’ve done so in the past.
If you’re using some bare-minimum hosting service, then this option is a good idea. Otherwise, you may not need it.
Some website owners are fanatical about having a minimum set of plugins. If you only use a few highly reputable plugins, then have a think about whether you need the scan for “out of date, abandoned, and vulnerable plugins, themes, and WordPress versions”.
The danger here is that some well-known themes and plugins have introduced temporary vulnerabilities when releasing updates. So if you disable this option, then it is worth re-enabling for a while if you upgrade a plugin, your theme, or WordPress itself.
Only run manual scans
The free version of Wordfence runs a limited scan daily and a full scan every 72 hours.
You can turn off scheduled scans completely under the Scan Options.
Suppose you’re running a special offer and expect a spike in traffic. That may be a good reason to disable scans temporarily. Of course, you’re also increasing your security risk.
Reducing your own impact
On the General Options page, you’ll see a default interval setting of two seconds. T
This setting doesn’t control how often that scanning occurs. It defines how often Wordfence refreshes the information is giving you.
If you (or someone working for you) tend to keep the Wordfence admin page open to monitor traffic, then you are hitting your own site every two seconds. You can change this to something like 15 seconds.
Advanced performance options
Wordfence has a lot of configuration options. These include capping memory consumption and the execution time.
You’d best have a bit of knowledge of hosting and administration to go messing about with these options.
Why Do I Have One Website Without Wordfence?
Wordfence is usually one of the first plugins that I install on a website. However, I removed it from one of my sites.
The reason is that the traffic grew to a high level, and my testing showed that Wordfence was adding a little extra drag on response times. So, I chose to hire a hosting admin expert to review security and performance on the site. This wasn’t cheap, but I was paying for quality. The admin made changes which ensured that I got the same levels of security on this site at the server level.
This allowed me to remove Wordfence completely. Every plugin adds a little bit of load to your hosting server. So, if it’s no longer necessary, it should be removed.
If you are also thinking of removing Wordfence for a site with high traffic, please consider how else you are going to protect your website. I have an article that covers how Wordfence impacts SEO very positively. You need to be sure you are protected from the kinds of threats to indexation and rankings that I describe.