Don’t use Better WP Security

Don’t use Better WP Security. Okay, use it, but only once.

The plugin itself is useful: it analyses your WordPress site and gives you a checklist of 20 items, each marked either as okay or as needing to be fixed.

[Screenshot: Better WP Security checklist]

This is how a typical WordPress installation looks, and yes, some of these points are worth fixing; the plugin is a good pointer to what should be changed.

The problem is some of the plugin’s functionality, which not only affects the loading time of your website but also consumes a lot of server resources when that is not needed at all.

One of these features is ‘Ban Users’. It adds a HUGE list of IPs to your .htaccess file. The IPs added are known bad IPs, but what about the other few million IPs doing exactly the same thing? You ban maybe 1% of the IPs that are actually trying to hack your site, and in exchange you kill the performance of your site.
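As an added defender’s check (not code from this post or from the plugin), the script below parses an .htaccess file for the Apache IP-block directives and reports how large the ban list has grown, so you can see the cost and confirm the list is gone after disabling the feature. The sample fragment and the 100-rule warning threshold are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample .htaccess fragment (not taken from the post or from the plugin).
SAMPLE_HTACCESS = """
# BEGIN ban list (constructed example)
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 203.0.113.8 203.0.113.9
Deny from 198.51.100.0/24
Deny from 192.0.2.
Deny from not-an-ip
Require not ip 2001:db8::/32
# END ban list
"""

# Matches the two Apache forms used for IP blocking: "Deny from ..." (2.2 style)
# and "Require not ip ..." (2.4 style). One line may list several addresses.
BAN_RULE_RE = re.compile(
    r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def _to_network(entry: str):
    """Parse one ban entry into an ip_network; None for hostnames, 'all', env=... etc."""
    if entry.lower() == "all":
        return None
    # Apache accepts partial IPv4 addresses such as "192.0.2." meaning 192.0.2.0/24.
    if entry.endswith(".") and entry.count(".") <= 3:
        octets = entry.rstrip(".").split(".")
        padded = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{padded}/{8 * len(octets)}", strict=False)
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def audit_ban_list(htaccess_text: str, warn_at: int = 100) -> dict:
    """Count ban rules and IP entries; flag a list big enough to tax every request."""
    rules = BAN_RULE_RE.findall(htaccess_text)
    networks, non_ip = [], []
    for rule in rules:
        for entry in rule.split():
            net = _to_network(entry)
            (networks.append(net) if net is not None else non_ip.append(entry))
    return {
        "rules": len(rules),
        "ip_entries": len(networks),
        "ipv4_addresses_blocked": sum(n.num_addresses for n in networks if n.version == 4),
        "non_ip_entries": non_ip,
        "oversized": len(rules) >= warn_at,  # assumed threshold, tune for your host
    }
```

Run it against the live file with `audit_ban_list(open(".htaccess").read())`; a non-empty result after you have disabled ‘Ban Users’ means the list is still being evaluated on every request.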

It will also constantly monitor your site for IPs trying to access your installation. That is great in principle, but use the plugin for just a few months and you will start doing this to a server:

[Screenshot: server query load caused by the plugin]

Every hour your site will start making calls like this: ~17,000 queries per second to your database for around 60-120 seconds, and 18 MB/s of data through MySQL for those same 60-120 seconds.
60 * 18 = 1,080 MB
60 * 17,000 = 1,020,000 queries

That is a lot. And what is the benefit? Nothing: most hosts have a 60-second timeout on PHP scripts, which means your site will simply die and won’t be able to process the request.

Yes, your visitor will sit through this 60-120 second call to your site. Best of all, if the request times out, WordPress will run the query again for the next visitor as well, until 5 minutes have passed.

The site above has 1,500 unique visitors a month and has been running for around 8 months, and already you see queries like this.

Using Better WP Security surely has some benefits, but it also has huge drawbacks like this ban list. You can disable it, as well as ‘File change detection’; these two features alone are enough to get your site banned for resource usage on any normal host, as well as killing your site’s performance.

You can be unlucky enough that the ‘visitor’ hitting your site while this query is running is the Google Bot. If the Google Bot sees the site responding really slowly, it will punish your SEO, and in the worst case it won’t be able to index most of your site because of the loading issue.

Want to protect the admin panel? Look at ‘How to stop brute force attacks on WordPress installations’. That should keep people out of your admin panel, as easy as that. Consider using Better WP Security to fix most of the issues it reports, and then disable the plugin again.