One of the most frequent questions from WordPress enthusiasts and developers concerns the security of their installation and how to defend it from those mysterious dark forces called hackers.
The answer, in most cases, comes from Facebook groups, social networks and newsletters recommending the installation of security plugins such as Wordfence, Sucuri and iThemes Security, very often all of them together.
What is not said, and what is mostly unknown, is that these plugins have a significant impact on performance: on every visit and on various actions (such as login), these scripts (written in PHP, which is certainly not a high-performance language) perform a whole series of operations that add latency and CPU load.
How do these security plugins work? Let's take Wordfence as an example.
Straight from their site (https://www.wordfence.com/blog/2017/01/how-wordpress-firewall-works/), here is the relevant passage, which we had translated into Italian for this article:
"When you turn on Wordfence's firewall, we use a technique that tells your web server to run Wordfence's firewall code before any other PHP code on your website. The way we do this is to include a directive in your .htaccess file called 'auto_prepend_file'. This directive points to the Wordfence code and guarantees that Wordfence runs before anything else.
Once your website is configured to launch the Wordfence firewall, any request that comes in, no matter what PHP file it tries to access, will first be processed by Wordfence to check whether it is safe or not. Our WordPress firewall will run the request through its own set of rules, perform detailed high-performance analysis, and make a decision to block the request or allow it.
The firewall code executes this decision before anything else, including WordPress. This means that the WordPress code has not been loaded and the database is not yet connected. This makes Wordfence's firewall code incredibly fast. We can block a malicious request before it even connects to your database and before the bulky WordPress code and API environment are loaded.
Wordfence's firewall code runs before anything else, including WordPress. But it also has the ability to transfer data to WordPress and get data from the WordPress API. This allows us to incorporate the user's identity into our rule set so that we can decide whether or not to authorize a user's access, based not only on the content of the request, but on who they are and what level of access they have within WordPress.
Using this high-performance execution model means that hackers only reach the superfluous Wordfence firewall and can't get past it. Friendly site visitors, crawlers and users can access your full website. This keeps your WordPress website fast and secure."
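To make the execution model in the quoted passage concrete, here is a minimal prepend script written for this article (it is not Wordfence's code): it is wired in with the same `auto_prepend_file` directive, runs before WordPress and before any database connection, applies one small rule, and records how long its own check took, so the per-request cost discussed below can be measured rather than guessed. The rule list, file paths and header name are assumptions.

```php
<?php
// waf-prepend.php: hypothetical example for this article, not Wordfence's code.
// Wire it in the way the quoted text describes. With mod_php, in .htaccess:
//     php_value auto_prepend_file "/var/www/waf-prepend.php"
// With PHP-FPM, .htaccess is ignored: put the same key in a .user.ini or php.ini:
//     auto_prepend_file = /var/www/waf-prepend.php
// Either way this file runs before index.php, so nothing of WordPress is loaded
// here and no database connection exists yet: only $_SERVER and the raw request
// are available to the rules.

$start = hrtime(true);

// Assumed rule set: request paths an administrator never expects on this site.
$deniedPrefixes = ['/xmlrpc.php', '/wp-config.php'];

function waf_should_block(string $path, array $deniedPrefixes): bool
{
    foreach ($deniedPrefixes as $prefix) {
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$blocked = waf_should_block($path, $deniedPrefixes);

// Cost of this check alone, in microseconds. Every request pays it, which is
// the article's point; log it and expose it so the overhead can be measured
// with ab or curl instead of estimated.
$costUs = (hrtime(true) - $start) / 1000;
error_log(sprintf('waf-prepend path=%s blocked=%d cost_us=%.1f', $path, $blocked, $costUs));
header('X-WAF-Cost-Us: ' . round($costUs, 1)); // assumed header name

if ($blocked) {
    http_response_code(403);
    echo 'Forbidden';
    exit; // WordPress never loads for a blocked request
}
// Otherwise fall through: PHP continues with the requested script (WordPress).
```

Multiply the logged cost by your request rate to see what the check alone adds in CPU time; a real plugin's rule set does far more work than this one path comparison.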
High performance? Really?
After all, what does "high performance" mean? In relation to what? A Ferrari is fast, but in relation to whom? To what? What are the comparison criteria?
High performance in this case means that the approach adopted is the best and fastest one available to a WordPress plugin that has to act as a WAF (Web Application Firewall). However, the fact that it uses PHP (a really slow and blocking language) to perform its checks at EVERY VISIT makes this plugin an absolutely non-ideal solution for a high-traffic blog or WordPress site.
Always remember that PHP is a very slow language.
As many benchmarks report, PHP has a very high CPU consumption compared to other languages such as Node.js; the graph below is reproduced from one of them. This has a strong impact on performance.
Can you imagine a site that, for every single visit, has to perform even a single trivial operation in PHP? Do you realize that the PHP programming language is the slowest thing that can exist? Do we realize that with 1000 or more visitors online, running PHP for each visitor is unthinkable without a significant slowdown in performance, up to a system crash?
Take this screenshot from 5 days ago, for example. A well-known high-traffic blog with about 15 users connected per minute, or about 250 users per second. Would it really make sense to run a PHP process for each user? No. Obviously not.
The best advice we can give regarding WordPress security is to consider very carefully before installing these plugins.
If you have an institutional site that is updated infrequently and has no large peaks of visitors, you could still use them, bearing in mind that they will put a greater load on the machine and add latency. In exchange, the site will be a little more secure.
If, on the other hand, you are working on a high-traffic WordPress site, the only valid advice we can give you is not to install these plugins.
If you really need a security solution that behaves like a WAF (Web Application Firewall), use system-side solutions (not mere plugins) such as NAXSI or the more proven mod_security. If instead you prefer an outsourced service, a commercial CloudFlare plan from €20 per month can certainly be a good starting point for a WordPress Web Application Firewall service without burdening the system and without risking crashes.