I have been doing some research and had a general question about Wordfence. Our site, which is a WordPress site, has been using Wordfence Premium Security now for over 4 years in conjunction with Cloudflare. I did not realize how resource-intensive Wordfence is and how it performs. My general question is: if any of you were me, would you remove Wordfence Premium completely and go with the Cloudflare WAF instead? What are the advantages and/or disadvantages? At the end of the day performance and response time is key, so I would love to hear everyone’s thoughts on this process.
I use both, and don’t recommend removing Wordfence. Wordfence does a bunch of stuff Cloudflare WAF doesn’t, such as vulnerability scanning. Plus the Realtime Blacklist. And limiting logins in different ways. And 2FA for logins. Live Traffic is nice at times. And warnings when you need to update something.
What type of load is it putting on your server, and with how much traffic? Is your site an ecommerce site or something where users log in on a regular basis? I use NGINX full-page caching, and that takes a lot of load off my server.
Thank you for the feedback @sdayman. I think I heard some of the similar things but our hosting company and one of their team members suggested we remove it if we had the Cloudflare WAF and how it would significantly enhance performance and response time. I do agree that Wordfence has its pros and it has saved us many times in the past.
As far as the load, it is taking forever to respond at times when loading, logging in, and saving for sure. We average around 200,000 views monthly on a WordPress site with over 30 users. To my knowledge we are using NGINX with caching too with our hosting provider and on a VPS. Lastly, we use WP Rocket for caching and the Autoptimize plugin, which I am not sure if that’s good or what.
I hope all that helps and the last thing I will share is right now we have the WAF off on Cloudflare due to not knowing how to configure it or what rules to load. Any and all other help on this would be greatly appreciated.
If that’s 200,000 page views per month, that’s an average of 5 per minute. Let’s just say peak times are 10x that, so 50 per minute (1 per second). With WP-Rocket, that should put very little load on the server. That, and Cloudflare CDN, shouldn’t push your server much.
You didn’t say what type of site it was, so I’m still not seeing how it can be straining your server. Even a $20/month VPS should handle this without a problem.
If you really want to see what’s going on with performance, give pantheon.io a try. They have free sandbox sites and I believe you can run New Relic on them for performance insight. I’m not sure on the size limit of these sandbox sites.
@sdayman, our site is a WordPress site. I ran a GTmetrix test of our site and it is giving us a grade of F, so I am just trying to find ways to correct it all. In terms of my original question, if I should enable the WAF on Cloudflare, what rules are best to turn on that will complement and work well with Wordfence if I keep them both going?
WAF is pretty good in default configuration, but go through the Managed Rules section and make sure you have the WordPress option enabled. Do the same for OWASP (WordPress is on Page 2 for OWASP). It’s much nicer to have Cloudflare do the heavy lifting for this so those requests don’t go to your server.
Beyond what @sdayman has suggested, what you can do to better your site performance is to monitor all events caught by Wordfence and try to move them to one of the Cloudflare tools, such as Access, IP Access rules and Firewall Rules, so that they are blocked at the cloud, and not at your origin.
For instance, if you see many blocks being applied against a specific IP address, you can create an IP Access rule to challenge visits from that IP. And if you have a list of URLs that Wordfence blocks automatically, you can create a Firewall Rule with those URLs with an action of Block.
Also, one of the factors that made me move away from Wordfence (I now use NinjaFirewall WP Edition) was actually one of its best features, the Live Traffic. It generates (or used to, not sure if they changed that) a sort of non-existing URL for their internal use only, but that the gullible Googlebot finds anyway and keeps trying to crawl. Not only is this a waste of origin bandwidth and CPU resources, as each of these URLs will force WP to generate a 404, but it also adds lots of URLs to your Search Console reports, making it more difficult to visualize the actual 404 errors. If I were still using Wordfence, I’d make sure to craft a Firewall Rule to block those URLs.
Thank you for all the tips and info @cbrandt. Would you be willing or able to help assist me with those rules? I am currently without a web developer, and if doing the steps you suggested will dramatically help our site and the load times, it sounds like a good thing, especially if I keep Wordfence in place.
I’ll be glad to help if I can, as I believe many others in this community will.
You should first head to your Wordfence logs and origin server logs to try to find patterns of misbehavior, like IP addresses that are constantly being used to try to guess passwords etc., or URLs that are being requested that seem suspicious.
You should also familiarize yourself with how Firewall Rules work. Once you create your first rule(s), bring them here, with their specific goal, and we’ll try to help as best as we can.
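The workflow @cbrandt describes in the two posts above (mine the Wordfence block log for repeat IPs and suspicious URLs, then move those blocks to a Cloudflare IP Access rule with a challenge action and a Firewall Rule with a Block action, so they are stopped at the edge instead of the origin) as an added example script. This is example code written for this thread, not Wordfence's or Cloudflare's own code. The log layout is constructed (real Wordfence output looks different and needs its own parser), the exempt network ranges and the never-block path list are assumptions you should adjust to your own site, and the Cloudflare expression fields (`ip.src`, `http.request.uri.path`) and the `{ }` set syntax are written as the author knows them; paste a generated expression into the Firewall Rules editor and confirm it validates before saving it.

```python
from collections import Counter
import ipaddress

# Constructed sample block records (not real Wordfence output; the thread does
# not show its log format). One record per line: <client ip> <path> <reason>.
SAMPLE_LOG = """\
203.0.113.10 /wp-login.php login-failure
203.0.113.10 /wp-login.php login-failure
203.0.113.10 /wp-login.php login-failure
203.0.113.10 /xmlrpc.php blocked
198.51.100.7 /wp-config.php.bak malicious-url
198.51.100.7 /.env malicious-url
192.0.2.44 /.env malicious-url
192.0.2.45 /wp-config.php.bak malicious-url
10.0.0.5 /wp-login.php login-failure
203.0.113.99 /wp-login.php login-failure
not-an-ip /foo junk
"""

# Ranges that must never end up in an edge rule: internal addresses, plus any
# office or uptime-monitor ranges you add here (assumed list, extend as needed).
EXEMPT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Paths that real users (your 30 editors) and WordPress itself need. These are
# never blocked for everyone; abusers hitting them are handled by IP instead.
NEVER_BLOCK_PATHS = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-cron.php"}


def parse_log(text):
    """Return (ip, path, reason) tuples; malformed lines and exempt IPs are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, path, reason = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # junk in the ip column
        if any(addr in net for net in EXEMPT_NETWORKS):
            continue
        records.append((str(addr), path, reason))
    return records


def repeat_offender_ips(records, min_hits=3):
    """IPs blocked at least min_hits times: candidates for a challenge rule."""
    counts = Counter(ip for ip, _, _ in records)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def blockable_paths(records, min_hits=2):
    """Paths blocked at least min_hits times that no legitimate visitor needs."""
    counts = Counter(path for _, path, _ in records)
    return sorted(p for p, n in counts.items()
                  if n >= min_hits and p not in NEVER_BLOCK_PATHS)


def ip_rule_expression(ips):
    """Cloudflare rule expression matching the given source IPs ("" if none)."""
    if not ips:
        return ""
    return "(ip.src in {" + " ".join(ips) + "})"


def path_rule_expression(paths):
    """Cloudflare rule expression matching the given request paths ("" if none)."""
    if not paths:
        return ""
    return "(http.request.uri.path in {" + " ".join('"%s"' % p for p in paths) + "})"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    # Use the first expression with a Challenge action, the second with Block.
    print("Challenge by IP :", ip_rule_expression(repeat_offender_ips(recs)))
    print("Block by path   :", path_rule_expression(blockable_paths(recs)))
```

The two outputs are kept separate on purpose, matching the advice above: the IP expression is meant for a challenge action, because a repeat login-guesser on `/wp-login.php` is best challenged rather than the login page blocked for your own users, while the path expression lists probe targets such as `/.env` that no visitor should ever request and can safely get a Block action. Raise `min_hits` on a busy site so a single stray request never turns into an edge rule.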