Does Wordfence Slow Down A WordPress Website?

Every WordPress security plugin faces a fundamental architectural choice: execute security logic on your server or offload it to the cloud.

While Wordfence is a robust endpoint solution, its local-processing model consumes your server’s CPU and memory to function. The result? Your site slows down.

In this article, we’ll take a closer look at Wordfence and explore how it might be dragging down your website’s performance.

We talk about how this impact scales with your traffic, and why a cloud-first architecture is often the only way to maintain site performance.

TL;DR: A user shouldn’t have to decide what the appropriate security level for their website is. Although Wordfence has made efforts to enhance performance, it is often at the expense of security. We recommend installing a Wordfence alternative that protects your site without increasing page load speed.

Wordfence is a popular security plugin for WordPress that has faced criticism for causing significant performance issues for websites. In fact, some web hosts prohibit the use of Wordfence due to these issues, which can result in server resource warnings and slow page load speeds.

Despite attempts to mitigate these performance issues in subsequent updates, some users may find that the changes actually lower the level of security provided by Wordfence. This is because some of the features that improve performance may compromise the plugin’s ability to detect and prevent security threats.

While configuring Wordfence settings can help improve performance to some extent, it’s not always the best solution. More often than not, it’s at the expense of actual security. 

Wordfence is actually one of our top picks for WordPress security plugins; second only to MalCare. So this article is an objective look at some of its shortcomings, after a significant amount of testing.

How Wordfence slows down a site

There are two types of issues that make Wordfence affect a site’s speed and performance. Let’s break them down. 

Culprit 1: CPU spikes during scanning

The Wordfence malware scanner utilises your website’s resources to scan for malware. If your website has a lot of heavy assets, such as images and other media files, the scanning process may take longer and require more resources to find any potential malware.

To address this issue, Wordfence offers the option to perform a limited scan instead of the standard scan, which can be especially useful for high-traffic sites. However, it’s worth noting that this may not be a perfect solution, and there are some limitations to the effectiveness of the limited scan. In the next section, we’ll explore some of the drawbacks of using a limited scan.

For an average site with 10,000+ files, this process can use up all available server resources, causing 503 Service Unavailable errors for actual visitors.

Culprit 2: Firewall rules

One of the primary ways that Wordfence protects your website is through its WordPress firewall. The firewall is designed to analyse incoming traffic and block any suspicious traffic based on predefined rules. While these rules are created to prevent attacks, they can also have a negative impact on your website’s performance by increasing the server load. In some cases, they may cause delays in the processing of legitimate requests.

The impact of the firewall on website performance can vary depending on various factors: 

• Size of your website
• Server resources available
• Complexity of the firewall rules

In earlier versions of Wordfence, all traffic to your website was scanned for malicious activity. However, in recent versions, the plugin now focuses on scanning traffic for certain parameters only and is mainly configured to block brute force bots. 

While protecting against brute force attacks is crucial, it’s worth noting that only a small percentage of successful attacks on WordPress sites are due to poor login security. In fact, most successful attacks are due to vulnerabilities, such as SQL injections and XSS attacks, which are different from brute force attacks. 

Furthermore, limiting traffic to your website is also recommended to improve security and performance. We’ll talk about why this is not a great solution, in a later section. 

Culprit 3: Caching

Wordfence’s caching can also slow down your site. Ironic, we know. Caching and performance is very difficult to do well. If you are looking for a sustained solution to site performance, try Airlift.

Culprit 4: Database bloat

Wordfence stores some of its data in three primary tables: wp_wflogs, wp_wfStatus, and wp_wfHits. Because Wordfence is an endpoint firewall, every single decision, scan heartbeat, and blocked request is recorded directly into your WordPress database.

On a site receiving heavy bot attacks, the wflogs table can grow by several hundred MBs in a matter of days. As this table expands, database queries become slower, which can delay the overall rendering of your site pages, known as database latency.

To be fair, Wordfence relies on the wp-cron system to clean these tables. However, if this system doesn’t work for any reason, the tables never get purged, leading to a bloated database that can eventually hit your hosting’s disk space limits.

The worst part is that a bloated security database doesn’t just affect visitors; it slows down the WordPress Admin dashboard, making every click in the back-end feel sluggish.

😵 As an aside, this will also have downstream impact on site backups. Very few backup plugins are able to smartly leave out log files, and the sizes start to add up.

Culprit 5: WordFence is not stopping the security issues that slow down your site

Malware

It’s important to note that Wordfence may not catch all malware on your site. 

While Wordfence has a comprehensive malware signature database, which they use to detect malware on your site, the problem is in the detection mechanism: signature-matching. Signature-matching relies on the database being updated and 100% comprehensive, which can never be the case. They often face a detection lag as new zero-day exploits emerge.

Zero-day malware attacks and malware with subtle differences can escape under this mechanism. MalCare Security’s architecture utilises behaviour-based detection, which identifies malicious intent (like privilege escalations or unauthorised changes to core files) rather than just matching known code strings.

So malware could be one of the factors contributing to slower website performance. 

⚠️ Even a single bit of malware can lead to a full-blown reinfection. A good WordPress scanner should find every instance of malware on your site.

Bots

Bots are insidious malware that hammer sites for various reasons. Maybe it is a brute force attack bot trying to break into your wp-admin. Or it could be a competitor adding a thousand items to your checkout page in order to scrape product details. 

Repeated requests from bad bots can cripple a site because of the load they put on the server. Wordfence may not be blocking all the bad bots, because some of them cleverly masquerade as good bots, like uptime or search engine bots to pass filters undetected. 

Therefore, bot attacks may not be filtered out by Wordfence, which can lead to spikes in server requests and further slow down your site.

☣️ We know it is dismal that the Wordfence malware scanner (which is slowing down your site) might not be catching malware (which is also slowing down your site). Similarly, the firewall that is slowing down your site while analysing traffic may not be keeping out bots that are paralysing your site with repeated requests.

Optimise Wordfence for speed

The short answer is: Sure. But, it’s like putting a bandaid on a leaky pipe. It’s not solving the main issue. Ideally you need to replace the pipe. 

We’ll explore some of the solutions other websites will suggest. Then we’ll tell you what they’re not telling you.

1. Turn off live traffic

For high-traffic sites, it’s advised to switch from the live traffic option in the firewall settings from All Traffic to Security Only.

Go to Tools > Live Traffic and set the logging mode to Security Only.

However, this may not be the most effective solution. When you have live traffic on your site, the firewall analyses all the incoming traffic, as it is supposed to do. But if you turn it off to speed things up, you’ll lose that security protection.

🔥 A good firewall should speed up your site by keeping away attack requests. Try MalCare, and you’ll see the difference immediately with Atomic Security.

2. Turn on low resource scanning

Wordfence has introduced a setting which allows you to lengthen the scanning duration 2-4x in order to reduce resource usage at any one point. We actually think this may be a good idea, although it is still not ideal to use server resources for scanning at all.

Found under Scan > Scan Options, this reduces the scan’s impact on your server’s I/O by spreading the work over a longer duration. Note that this may extend scan times to several hours.

You can also set the Maximum execution time for each scan stage to 15 or 20 seconds. This prevents long-running PHP processes from being killed by your host, which can cause site crashes.

The danger here is the security plugin might miss an infection because it is using a limited, low resource scan to save speed. A high resource malware (like a DDoS bot or crypto-miner) will consume far more resources than the plugin ever would.

By utilising an offsite malware scanner, you can run deep, comprehensive scans daily without ever impacting your live site’s performance. This ensures you catch the performance-killing malware early without paying a performance tax for the protection itself.

3. Optimise the database

Inside Wordfence, navigate to All Options > Tool Options and find the setting for Amount of Live Traffic data to store. Reduce this from the default to 100 or 500 rows to force the plugin to purge old data more aggressively.

4. Install a speed plugin

Another popular recommendation is to install a speed plugin. We’d agree. In fact, a speed plugin such as Airlift is an essential for WordPress sites. However, you should not have to install it to compensate for a slow security plugin. 

A speed plugin optimizes certain aspects of your site to make it faster without manual effort on your part. It has features like a CDN, caching, and minification of code and images. It cannot fix performance issues caused by security plugins using up server CPU to protect the site. 

More importantly, a solid firewall plugin will speed up your site too. One of the notorious effects of malware is that it slows down sites. Keep out malware, boost performance.

5. Upgrade hosting specs

If you have a basic hosting tier or your server performance is not optimal, upgrading the hosting tier is the recommended solution. Depending on your resources, this might be difficult. And honestly, if a lower tier otherwise works for your site without issues, Wordfence shouldn’t be the only factor that makes you upgrade.

Security and performance (get both)

If you’ve tried all the tricks to fix Wordfence problems, the best option is to switch to another security plugin.

While it is a good free security plugin, plenty of people look for Wordfence alternatives all the time.

What to look for in Wordfence alternative

In WordPress security, performance is dictated by where the heavy lifting happens. With Wordfence, that place it your site. On a performance-focused security plugin, that’s the cloud architecture.

Unlike local plugins, MalCare Security’s architecture is designed to bear the burden of security off-site.

1. Remote syncing: We create a light sync of your site data to our dedicated high-performance security servers.
2. Offsite scanning: 100% of the malware scanning happens on our hardware, not yours. Your server’s CPU remains dedicated to serving visitor requests.

Additionally, with MalCare, you also have a one-click automated removal of malware. Malware detection uses heuristics, not signatures, to pinpoint malware that Wordfence may not catch. There is also a top-notch firewall that safeguards your site from future attacks.

Other ways to speed up your site

If uninstalling Wordfence hasn’t improved your performance, Wordfence may not have been the issue. Try out these methods to optimise your site: 

😵 Side note: There are plenty of reasons why a site may be slow to load, and ways to fix those issues just as well.

Where Wordfence leads

While MalCare Security is optimised for performance and malware removal, Wordfence offers features that may be preferable for specific users:

• Free 2FA & login security: Wordfence provides robust two-factor authentication in their free tier.
• WP-CLI support: For developers managing sites via command line, Wordfence has deeper integration. (MalCare has an API, but on higher plan tiers.)
• Live traffic granularity: For users who want to see every bot attempt in real-time and have the server resources to spare, Wordfence’s dashboard is highly detailed.

Our recommendation is based purely on performance vs security. If you are on high-end Managed WordPress hosting, the speed impact may be negligible. However, on shared environments, the difference is significant. (And many hosts therefore prohibit the use of Wordfence altogether.)

Final thoughts

In conclusion, Wordfence can indeed slow down your site, and while there are some optimizations available, they may not always be the best solution. Choosing a reliable security plugin like MalCare can provide you with a high level of website security without compromising your site’s performance. With its advanced features and ability to protect your site without using your server resources, MalCare is an excellent alternative to Wordfence.

FAQs