Benchmarking the performance of ‘Wordfence’, a WordPress plugin

Image of Mattias Geniar

Mattias Geniar, November 12, 2014

Follow me on Twitter as @mattiasgeniar

I decided to give Wordfence a try, a plugin for WordPress. It advertises itself as a Security plugin with an additional benefit: performance improvements. Its claim is “to better survive a DDoS attack on your site, your site needs to use as a little resources as possible”. That makes sense. But a 50x performance increase as they claim? That needs to be tested.

Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.

Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.

Game on!

The test

It’s a simple “ab” (Apache Bench) benchmark against this site, similar to the PHP 5.4 vs PHP 5.5 vs HHVM benchmark.

$ ab -c 1 -n 100 /

So the test is: how long does it take to do 100 requests, one after another? The first test is done against a vanilla WordPress. The second test against a WordPress with the Wordfence plugin enabled, but with the “security” features disabled (no IP checking, no brute-force protection etc., only the caching is enabled).

Without the plugin

I had no other “performance” plugins enabled, no W3 Super Cache or anything. Plain old vanilla WordPress with some plugins, but nothing to increase the speed.

So, here are the results. 2 test runs after each other.

$ ab -c 1 -n 100 /
Time taken for tests:   146.746 seconds

$ ab -c 1 -n 100 /
Time taken for tests:   166.953 seconds

First run took 146 seconds, the second one took 166 seconds. That’s an average of 156 seconds for 100 requests or 1.56 second per request. That’s pretty bad, actually.

With the Wordfence plugin enabled

Same test, with the performance plugin enabled. The test went like this.

$ ab -c 1 -n 100 /
Time taken for tests:   7.681 seconds

$ ab -c 1 -n 100 /
Time taken for tests:   7.735 seconds

First run took 7.6 seconds, second run took 7.7 seconds. Average: 7.6 seconds for 100 requests. That’s 0.076 seconds per request.


Wordfence Performance

The results don’t lie: yes, it works. It works the same way as the WP Super Cache plugin used to work: it generates static HTML files that are served directly, without touching PHP or MySQL. If you’re running Nginx, you have to add additional rewrite-rules to your vhost config to allow this. If you’re using Apache, extra .htaccess RewriteRules will be added to enable this feature.

How did this perform compared to the “old” (read: original) WordPress performance? That’s fairly obvious. First, the response times on the homepage (and all other pages) dropped drastically.

Wordpress Response Times

And as an extra result, the download speeds increased drastically, as the request didn’t have to wait so long for the server to respond.

Wordpress Download Speeds

Conclusion: the 50x performance increase isn’t a lie: the plugin achieves this the same was as Varnish would, by keeping a generated HTML in memory/on disk and serve that on future requests. Efficient cheating.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.