Table of contents of the article:
One of the most discussed and requested topics by both enthusiasts and developers in the WordPress world is undoubtedly that relating to installation security. The goal is to protect your websites from intrusions, attacks and, in general, from those insidious and malicious entities commonly known as hackers. In this context, we are looking for effective solutions to secure our digital environment.
If you delve into online forums, dedicated Facebook groups or thematic newsletters, the most common and almost canonical answer concerns the adoption of specific security plugins. Among the most popular in this field, we find WordFence, Sucuri and iThemes Security. It is not uncommon that the installation of more than one of these plugins is suggested, sometimes in combination, to obtain a security coverage considered more complete.
WordFence is one of the most popular security plugins for WordPress, offering a wide range of features to protect your website. Among its main features, we find malware scanning, firewall, and protection against brute force attacks. The plugin is known for its user-friendly interface and the ability to monitor traffic in real time, allowing site administrators to react promptly to any potential threat.
WordFence Official Site
Sucuri is another highly regarded security plugin in the WordPress community. It offers a full suite of security tools, including a web application firewall (WAF), malware monitoring, and DDoS protection. Sucuri is particularly popular for its site cleanup service, which helps remove malware and restore compromised websites.
Sucuri Official Site
iThemes Security is a robust and versatile security plugin for WordPress, with a number of features designed to protect your website from various types of vulnerabilities. Some of its functions include protecting against brute force attacks, scanning for malware, and implementing security measures such as changing database table prefixes and protecting the .htaccess file.
iThemes Security Official Site
However, what often remains in the shadows is the side effect of these solutions on website performance. These plugins, written mainly in PHP—due to the intrinsic limitations of this language in terms of performance—have a non-negligible computational cost. For each visit to the site and for a series of specific actions, such as the login process, these scripts initiate a sequence of operations aimed at ensuring security. These operations, however, can negatively impact the site's response time (latency) and the use of system resources, in particular the CPU.
In other words, there is a trade-off between security and performance: installing security plugins may provide a higher level of protection, but at the cost of decreased site performance. This is a crucial aspect to consider, especially for those who are focused on Web Performance and want to offer an optimal user experience without compromises.
How do these security plugins work? Let's see WordFence for example.
Directly their site: https://www.wordfence.com/blog/2017/01/how-wordpress-firewall-works/ we report the version translated into Italian.
"When you turn on Wordfence's firewall, we use a technique that tells your web server to run Wordfence's firewall code before any other PHP code on your website. The way we do this is to include a directive in your .htaccess file called 'auto_prepend_file'. This directive points to the Wordfence code and guarantees that Wordfence runs before anything else.
Once your website is configured to launch Wordfence firewall, any request that comes in no matter what PHP file it tries to access will first be processed by Wordfence to check if it is safe or not. Our WordPress firewall will execute the request through its own set of rules, perform detailed high-performance analysis, and make a decision to block the request or allow it.
The firewall code that executes this decision before anything else, including WordPress. This means that the WordPress code has not been loaded and the database is not yet connected. This makes Wordfence's firewall code incredibly fast . We can block a malicious request before it even connects to your database and before the bulky WordPress code and API environment are loaded.
Wordfence's firewall code runs before anything else, including WordPress. But it also has the ability to transfer data to WordPress and get data from the WordPress API. This allows us to incorporate the user's identity into our rule set so that we can decide whether or not to authorize a user's access, based not only on the content of the request, but on who they are and what level of access. they have within WordPress.
Using this high-performance execution model means that hackers only reach the superfluous Wordfence firewall and can't get past it. Site visitors friends, crawlers and users can access your full website. This keeps your WordPress website fast and secure."
High performance ? Really ? In what context?
The term “high performance” is a relative concept that can vary greatly depending on the context in which it is used. To make an automotive analogue, a Ferrari is unquestionably fast when compared to a production sedan, but may not be the fastest when compared to a Formula 1 car. Therefore, speed and performance are always relative and depend on comparison criteria that are adopted.
Evaluation Criteria for WordPress Plugins
In the context of WordPress security plugins, “high performance” could refer to effectiveness in detecting and preventing threats, ease of use, or efficiency in using system resources. However, the use of the term becomes ambiguous when the implications on site performance are also considered, especially for websites with high levels of traffic.
PHP and Inherent Limitations
Consider, for example, a WordPress plugin that acts as a WAF (Web Application Firewall). Even if it were designed to operate as efficiently as possible, using the PHP language presents inherent challenges. PHP is notoriously slower than other programming languages and can become a bottleneck, especially when it has to perform complex or numerous operations during every single site visit. Its blocking execution model means that each operation must complete before the next can begin, which can significantly slow down the site.
The Performance Dilemma for High Traffic Sites
Therefore, while a PHP-based security plugin might be “high performing” in terms of its ability to detect and neutralize threats, it may not be the ideal solution for a WordPress site that needs to handle a high volume of traffic. In these cases, the need to perform security checks “at every visit” can become a significant limiting factor, negatively impacting both latency and CPU resource usage.
Always remember that PHP is a very slow language.
As reported by many Benchmarks, PHP has a very high CPU consumption when compared to other languages such as node.js from which we have reported the graph below. This has a strong impact on performance.
Can you imagine a site that for every single visit has to perform even a single trivial operation in PHP? Do you realize or not that the PHP programming language is the slowest thing that can exist? Do we realize that if we have 1000 or more visitors online it is unthinkable to activate PHP for each visitor to avoid a significant slowdown in performance up to a system crash?
Let's take this screenshot from 5 days ago for example. A well-known high-traffic blog with about 15 users connected per minute, or about 250 users per second. Would it really make sense to run a PHP process for each user? No. Obviously.
Online security is a topic that concerns every website manager, and in the vast WordPress ecosystem, the options for protecting your site can seem endless. However, not all solutions fit the needs of every type of site.
Critical Evaluation of Security Plugins
Our most sincere recommendation is to be cautious when choosing to install WordPress security plugins. These tools can be very effective, but it is essential to consider the environment in which they will be used.
For Low Traffic Institutional Sites
If you run an institutional site with sporadic updates and a relatively low volume of traffic, using these plugins may be an acceptable choice. However, be aware that this will lead to an increase in server workload and an increase in latency. The upside is that you will get a higher level of security for your website.
For High Traffic WordPress Sites
For WordPress sites with a high volume of traffic, the most valuable advice we can offer is to avoid installing these plugins. The impact on performance could be significant and potentially harmful.
WAF Solutions System Side
If you have a compelling requirement for a security solution that acts as a WAF (Web Application Firewall), our recommendation is to explore system-side options rather than relying on WordPress plugins. For example, you can consider NAXI, an open-source security firewall for NGINX web servers, or the more traditional and proven one mod_security for Apache.
Outsourced Security Solutions
If you prefer to opt for managed security services, a solution like the commercial plan of CloudFlare, which starts at around €25 per month, can provide an effective Web Application Firewall service without burdening your system or causing crashes.
Ultimately, the key is to choose the security solution best suited to your specific environment, always taking into consideration both your security needs and site performance implications.