Best Free WordPress Security Plugins: Performance Comparison

We are of the opinion that security plugins in WordPress are unnecessary, with a few exceptions. WordPress is inherently secure (and it should be when it powers almost half of the internet), and most attacks today happen for reasons that a security plugin can hardly prevent:

• Compromised usernames and passwords
• Vulnerabilities in plugins and themes
• Stolen session cookies

We recommend reading or listening to the article we linked earlier.

Nowadays, a security plugin is like an antivirus for Windows: you don’t need one as long as you follow some basic guidelines:

• Keep all your WordPress plugins and themes up to date to patch any potential security holes.
• Use strong and unique passwords for all your logins. This means using a different, strong password for each WordPress user, databaseDatabase A database is a structured system for storing and managing information. In the context of WordPress, the database stores all site data, such as content, settings, and users. WordPress typically uses MySQL or MariaDB., hostingHosting Hosting is the service that allows you to store your website online so that others can access it. It's like renting a space on the internet to make your site available 24/7. control panel, FTP account, etc.
• Remove or change the default username “admin” to make it more difficult for attackers to guess the login details.
• Block the XML-RPC protocol if you are not using it, as it can be a potential security vulnerability.
• Protect your login page. There are several ways to do this:
  • Change the login URL (using the WPS Hide Login plugin).
  • Limit the number of retries when logging in (with the Loginizer plugin).
  • Geo-block it.
• Use the 8G firewall to block the most common attacks.

And if you need a little more protection without compromising your website’s performance, check out these great security recommendations from Vladimir Smitka.

However, If you still want to use a security plugin, we compare the most popular free WordPress security plugins, focusing not on their features but on their performance. Here are the plugins we’ve selected for this comparison:

1. Wordfence Security v7.11.5 with 5+ million installations
2. All-In-One Security v5.3.0 with 1+ million installations
3. Security Optimizer v1.4.13 with 1+ million installations
4. Solid Security v9.3.2 with 900,000+ installations
5. CleanTalk Security v2.133 with 300,000+ installations
6. Jetpack Protect v2.1.0 with 100,000+ installations
7. Shield Security v19.1 with 50,000+ installations
8. SecuPress Free v2.2.5.3 with 40,000+ installations

As you can see, we haven’t included Sucuri Security, MalCare Security and other smaller firewall-only plugins because they’re either cloud-based or too simple (which does not mean it’s bad) to be compared with the rest. Our goal with this article is to compare the supposedly full-featured traditional security plugins and see which one is the fastest WordPress security plugin.

Test Conditions

Each plugin has been set up under the following conditions:

• WordPress 6.5.3 installed.
• We cleared all notifications generated by the plugin on the dashboard.
• We ran all onboarding wizards with the default settings.
• We had nothing scheduled (e.g. regular malware scans); we don’t want anything running in the background.
• We enabled the firewall options with as much “protection” as possible.
• We activated the options to protect against brute force attacks.
• We blocked a single IP: 1.2.3.4
• All other settings were left in the default settings.
• No other plugins were active, other than the plugins being tested and Code Profiler.

Performance Metrics

We measured the performance of each plugin under the following conditions:

• Execution time in the frontend while logged out (ms)
• Execution time on the Dashboard page while logged in as admin (ms)
• Execution time on the login page (ms)
• Total size of CSSCSS CSS is a design language used to control the appearance and formatting of a website. It's used to define colors, typography, layout, and other visual aspects. CSS is either inserted directly into the HTML code or can be added as external .css files referenced by the HTML code. files in the backend (KB)
• Total size of JSJS JavaScript, abbreviated as "JS," is a programming language used to create interactivity on websites. It allows you to add elements like animations, dynamic forms, and real-time updates without needing to reload the page. JavaScript, like CSS, can be inserted directly into the HTML code or can be added as external .js files referenced by the HTML code. files in the backend (KB)

The execution time was measured using the Code Profiler plugin. We repeated each test several times to make sure we got accurate times and then calculated the average value.

Results

	Frontend time (ms)	Backend time (ms)	Login page Time (ms)	Total CSS size (KB)	Total JS size (KB)
Wordfence Security	55	60	63	19	25.9
All-In-One Security	26	25	26	0.77	0
Security Optimizer	23	22	22	0	0.457
Solid Security	59	57	48	4.6	413
CleanTalk Security	17	27	17	2.8	240
Jetpack Protect	31	60	33	0.664	0
Shield Security	136	164	144	3.4	29.1
SecuPress Free	12	29	12	4.2	1.3

Key Takeaways

• Shield Security is simply not an option to consider. Extremely poor performance compared to all competitors.
• We do not recommend Solid Security either, as it loads almost half a megabyte of JS in the backend. In addition, the execution times are too high and are on the same level as Wordfence Security, even though Wordfence Security is a much more complete plugin in terms of features.
• Wordfence Security has been proven to slow down WordPress. It’s not as bad as Shield Security, but all the features take their toll on load time, and it loads quite a large amount of CSS and JS.
• We consider all the other plugins to be better than the previous three, although they also have their drawbacks: SecuPress Free has a poor and ugly interface, Jetpack Protect has sometimes too high execution times, CleanTalk Security loads too much JavaScriptJS JavaScript, abbreviated as "JS," is a programming language used to create interactivity on websites. It allows you to add elements like animations, dynamic forms, and real-time updates without needing to reload the page. JavaScript, like CSS, can be inserted directly into the HTML code or can be added as external .js files referenced by the HTML code., and Security Optimizer feels like an advertisement for SiteGround where everything can be done without a plugin (although, to be fair, the same is true for most of the features of every other plugin).
• If we had to pick a winner, it would be All-In-One Security. It offers good overall performance compared to its competitors, a good and clear user interface and hardly uses any resources in the backend.

Conclusion

No security plugin is perfect in terms of performance. Every plugin we’ve tested has had its drawbacks, either by loading too many resources on the frontend, which affects your visitors, or by increasing execution time, which can make the WordPress backend feel sluggish. If you’ve ever wondered why the WordPress admin panel feels slow, a security plugin could be one of the reasons.

Our comparison highlights the performance aspects that are crucial for optimising WordPress websites when using security plugins. The overall winner is All-In-One Security, as it offers the best balance between execution time, resources loaded and user interface. However, it’s important to remember that a security plugin isn’t always necessary. If you follow basic security guidelines — which we’ve highlighted above — you can run a secure WordPress website without additional plugins.

What do you think? Share your experiences and preferences in the comments! And if you want to further optimize your site, make sure to check out the Ultimate WordPress Page Speed Optimization guide.