WordFence has been accused (by a competitor) of slowing down peoples sites, I have also been told by wordpress experts that it’s not worth installing for this reason. But I’ve personally found WordFence’s web application firewall, scans and other features extremely valuable in protecting a WordPress site. To get to the bottom of it, I did a few tests of my own:
Small impact on page load time
In my tests, enabling WordFence’s WAF added about 50-100ms per page request. This would depend on your server’s performance.
For a simple site that you just want to leave up and keep secure, this might be a negligible impact. For a complex site that makes a lot of API calls, it could add up quickly.
Bigger impact on performance under load
The other factor to consider is performance under load. If WordFence is adding 100ms of load on the server’s CPU with every request, that could slow down your web server if you have many concurrent users.
Using one of my favourite tools, Grafana cloud I ran a simple load test on one of my own sites, the site was running on a little VPS with four vCPUs where I keep a few of my personal sites, I think it’s reasonably typical for what you might get with shared hosting:
Without WordFence installed, I ran a test with 30 virtual users repeatedly hitting my site. The response times went from ~400ms to ~4,300ms under load. Users would definitely notice that the site is running slowly.
I then enabled WordFence to see what effect it would have on performance under load:
That’s a big impact! Wordfence increased the average response time by about 50% from 4,300ms to 6,400ms.
WordFence can definitely have a big performance impact on how your site performs under load.
I should note that my website deliberately did not use caching, in practice most normal page views would be cached and wouldn’t necessarily be affected by WordFence at all.
So, should you install WordFence
This is actually a big question, it comes down to what your priorities are and how the other options compare. I like WordFence because it has a powerful Web Application Firewall specifically tuned for WordPress. It also performs malware and vulnerability scans, and sends alerts to administrators. It does all of this on the free plan.
At SafeWp, we find WordFence to be an extremely useful plugin. For most users, we would recommend that you keep using WordFence, but upgrade to a fast web host that can handle the high volume of requests, rather than compromising on security.