June 24 2019

WordPress Security: WordFence, Sucuri, iThemes Security? Remove them NOW!

Which plugins to use for the security of a WordPress blog? Some considerations.

One of the topics most discussed and requested by both enthusiasts and developers in the WordPress world is undoubtedly the security of the installation. The goal is to protect your websites from intrusions, attacks and, in general, from those insidious and malicious entities commonly known as hackers. In this context, we are looking for effective solutions to secure our digital environment.

If you delve into online forums, dedicated Facebook groups or thematic newsletters, the most common and almost canonical answer concerns the adoption of specific security plugins. Among the most popular in this field, we find WordFence, Sucuri and iThemes Security. It is not uncommon that the installation of more than one of these plugins is suggested, sometimes in combination, to obtain a security coverage considered more complete.


WordFence is one of the most popular security plugins for WordPress, offering a wide range of features to protect your website. Among its main features, we find malware scanning, firewall, and protection against brute force attacks. The plugin is known for its user-friendly interface and the ability to monitor traffic in real time, allowing site administrators to react promptly to any potential threat.



Sucuri is another highly regarded security plugin in the WordPress community. It offers a full suite of security tools, including a web application firewall (WAF), malware monitoring, and DDoS protection. Sucuri is particularly popular for its site cleanup service, which helps remove malware and restore compromised websites.


iThemes Security

iThemes Security is a robust and versatile security plugin for WordPress, with a number of features designed to protect your website from various types of vulnerabilities. Some of its functions include protecting against brute force attacks, scanning for malware, and implementing security measures such as changing database table prefixes and protecting the .htaccess file.


However, what often remains in the shadows is the side effect of these solutions on website performance. These plugins are written mainly in PHP and, because of that language's intrinsic performance limitations, carry a non-negligible computational cost. On each visit to the site, and on specific actions such as the login process, these scripts run a sequence of operations aimed at ensuring security. These operations, however, can negatively affect the site's response time (latency) and the use of system resources, in particular the CPU.

In other words, there is a trade-off between security and performance: installing security plugins may provide a higher level of protection, but at the cost of decreased site performance. This is a crucial aspect to consider, especially for those who are focused on Web Performance and want to offer an optimal user experience without compromises.

How do these security plugins work? Let's take WordFence as an example.

Directly from their site, https://www.wordfence.com/blog/2017/01/how-wordpress-firewall-works/, we report the translated version.

"When you turn on Wordfence's firewall, we use a technique that tells your web server to run Wordfence's firewall code before any other PHP code on your website. The way we do this is to include a directive in your .htaccess file called 'auto_prepend_file'. This directive points to the Wordfence code and guarantees that Wordfence runs before anything else.

Once your website is configured to launch the Wordfence firewall, any request that comes in, no matter what PHP file it tries to access, will first be processed by Wordfence to check if it is safe or not. Our WordPress firewall will execute the request through its own set of rules, perform detailed high-performance analysis, and make a decision to block the request or allow it.

The firewall code executes this decision before anything else, including WordPress. This means that the WordPress code has not been loaded and the database is not yet connected. This makes Wordfence's firewall code incredibly fast. We can block a malicious request before it even connects to your database and before the bulky WordPress code and API environment are loaded.

Wordfence's firewall code runs before anything else, including WordPress. But it also has the ability to transfer data to WordPress and get data from the WordPress API. This allows us to incorporate the user's identity into our rule set so that we can decide whether or not to authorize a user's access, based not only on the content of the request, but on who they are and what level of access they have within WordPress.

Using this high-performance execution model means that hackers only reach the superfluous Wordfence firewall and can't get past it. Friendly site visitors, crawlers and users can access your full website. This keeps your WordPress website fast and secure."

High performance? Really? In what context?

The term “high performance” is a relative concept that can vary greatly depending on the context in which it is used. To make an automotive analogy, a Ferrari is unquestionably fast when compared to a production sedan, but may not be the fastest when compared to a Formula 1 car. Speed and performance are therefore always relative and depend on the comparison criteria adopted.

Evaluation Criteria for WordPress Plugins

In the context of WordPress security plugins, “high performance” could refer to effectiveness in detecting and preventing threats, ease of use, or efficiency in using system resources. However, the use of the term becomes ambiguous when the implications on site performance are also considered, especially for websites with high levels of traffic.

PHP and Inherent Limitations

Consider, for example, a WordPress plugin that acts as a WAF (Web Application Firewall). Even if it were designed to operate as efficiently as possible, using the PHP language presents inherent challenges. PHP is notoriously slower than other programming languages and can become a bottleneck, especially when it has to perform complex or numerous operations on every single site visit. Its blocking execution model means that each operation must complete before the next can begin, which can significantly slow down the site.

The Performance Dilemma for High Traffic Sites

Therefore, while a PHP-based security plugin might be “high performing” in terms of its ability to detect and neutralize threats, it may not be the ideal solution for a WordPress site that needs to handle a high volume of traffic. In these cases, the need to perform security checks “at every visit” can become a significant limiting factor, negatively impacting both latency and CPU resource usage.

Always remember that PHP is a very slow language.

As reported by many benchmarks, PHP has a very high CPU consumption when compared to other languages such as Node.js, from which we have reported the graph below. This has a strong impact on performance.



Can you imagine a site that for every single visit has to perform even a single trivial operation in PHP? Do you realize or not that the PHP programming language is the slowest thing that can exist? Do we realize that with 1000 or more visitors online it is unthinkable to activate PHP for each visitor if we want to avoid a significant slowdown in performance, or even a system crash?

Take this screenshot from 5 days ago, for example: a well-known high-traffic blog with about 15 users connected per minute, or about 250 users per second. Would it really make sense to run a PHP process for each user? No. Obviously.

Our recommendations

Online security is a topic that concerns every website manager, and in the vast WordPress ecosystem, the options for protecting your site can seem endless. However, not all solutions fit the needs of every type of site.

Critical Evaluation of Security Plugins

Our most sincere recommendation is to be cautious when choosing to install WordPress security plugins. These tools can be very effective, but it is essential to consider the environment in which they will be used.

For Low Traffic Institutional Sites

If you run an institutional site with sporadic updates and a relatively low volume of traffic, using these plugins may be an acceptable choice. However, be aware that this will lead to an increase in server workload and an increase in latency. The upside is that you will get a higher level of security for your website.

For High Traffic WordPress Sites

For WordPress sites with a high volume of traffic, the most valuable advice we can offer is to avoid installing these plugins. The impact on performance could be significant and potentially harmful.

System-Side WAF Solutions

If you have a compelling requirement for a security solution that acts as a WAF (Web Application Firewall), our recommendation is to explore system-side options rather than relying on WordPress plugins. For example, you can consider NAXSI, an open-source security firewall for NGINX web servers, or the more traditional and proven mod_security for Apache.
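A sketch of the system-side approach with NAXSI, as an added example that is not from the original article: the checks run inside nginx, so a blocked request is rejected before any PHP process is involved. The include path, `example.com`, the document root and the PHP-FPM socket are assumptions, and the thresholds are typical starting values.

```nginx
# Added example (fragment of nginx.conf). Assumed values: include path,
# server_name, document root and PHP-FPM socket.
http {
    include /etc/nginx/naxsi_core.rules;       # NAXSI core rules (path assumed)

    server {
        listen 80;
        server_name example.com;               # placeholder
        root /var/www/wordpress;               # assumed document root
        index index.php;

        # Static files and pretty permalinks.
        location / {
            SecRulesEnabled;
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            try_files $uri $uri/ /index.php?$args;
        }

        # Direct requests for .php files (wp-login.php, xmlrpc.php, ...) match
        # this regex location instead of "/", so the WAF is enabled here too.
        location ~ \.php$ {
            SecRulesEnabled;
            # LearningMode;   # log matches without blocking while tuning whitelists
            DeniedUrl "/RequestDenied";
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
        }

        # Blocked requests are answered by nginx itself; no PHP process starts.
        location /RequestDenied {
            return 403;
        }
    }
}
```

A WordPress site normally needs whitelist rules before blocking is switched on; running with `LearningMode` first and reviewing the nginx error log is the usual way to build them.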

Outsourced Security Solutions

If you prefer to opt for managed security services, a solution like the commercial plan of CloudFlare, which starts at around €25 per month, can provide an effective Web Application Firewall service without burdening your system or causing crashes.

Ultimately, the key is to choose the security solution best suited to your specific environment, always taking into consideration both your security needs and site performance implications.


Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.
