WordFence has been accused (by a competitor) of slowing down peoples sites, I have also been told by wordpress experts that it’s not worth installing for this reason. But I’ve personally found WordFence’s web application firewall, scans and other features extremely valuable in protecting a WordPress site. To get to the bottom of it, I did a few tests of my own:
Small impact on page load time
In my tests, enabling WordFence’s WAF added about 50-100ms per page request. This would depend on your server’s performance.
For a simple site that you just want to leave up and keep secure, this is a negligible impact. For A complex site that makes a lot of calls to admin-ajax.php, it could add up.
Bigger impact on performance under load
The other factor to consider is performance under load. If WordFence is adding 100ms of load on the server’s CPU with every request, that could slow down your web server if you have many concurrent users.
Using one of my favourite tools, Grafana cloud I ran a simple load test on one of my own sites, the site was running on a little VPS where I keep a few of my personal sites, I think it’s typical for what you might get with shared hosting:
Without WordFence installed, I ran a test with 30 virtual users repeatedly hitting my site. The response times went from ~400ms to ~4,300ms under load. Users would definitely notice that the site is running slowly.
I then enabled WordFence to see what effect it would have on performance under load:
That’s a big impact! Wordfence increased the average response time by about 50% from 4,300ms to 6,400ms.
So the competitor and performance experts weren’t wrong, WordFence can definitely have a real performance impact on how your site performs under load.
I should note that my website did not have caching
So, should you install WordFence
This is actually a big question, it comes down to what your priorities are and how the other options compare. I like WordFence because it has a powerful Web Application Firewall specifically tuned for WordPress. It also performs malware and vulnerability scans, and sends alerts to administrators. It does all of this on the free plan.
Overall, I find WordFence to be an extremely useful plugin and it is at the core of my WordPress management offering. However after seeing how it can effect the web server’s performance under load, I will consider other other options for clients with high performance needs.
