WordPress security with PHPIDS – plugin benchmark.

PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to.

The security of your blog is very important, and to keep it safe you must be very careful when installing new plugins. Even when you take all precautions, you can never be sure that the plugin you have just installed is secure.
If you are worried about security, there is hope: the Mute Screamer plugin. It's very simple to use. Just install it, set a few simple options to suit your needs, and you're done. From now on the PHPIDS system will make sure that any input from your visitors will be stripped of any malicious code such as SQL injection or XSS attacks.

Sounds good but you may ask – will it slow down my blog?
Well, it’s time to try it!

This is my test setup:

  • WordPress 3.3.2
  • P3 (Plugin Performance Profiler) – to profile the WordPress installation
  • Akismet
  • Google XML Sitemaps
  • Better WordPress reCAPTCHA
  • Piwik Analytics
  • WP-Syntax
  • WP Super Cache
  • Mute Screamer

There were 5 main scenarios:

  1. No plugins – all plugins disabled
  2. IDS only idle – only Mute Screamer enabled at normal operation
  3. IDS only attack – only Mute Screamer enabled with attack detected
  4. All plugins – no cache – all plugins except cache enabled
  5. All plugins – with cache – all plugins including cache enabled

Each scenario was run 20 times on different parts of the blog each time.
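To make the "IDS only idle" and "IDS only attack" scenarios concrete, here is an added example (not code from PHPIDS, Mute Screamer or the test setup above) of a detect-only layer that scores input without modifying it, timed over 20 runs on a benign and a hostile request. The two regex rules, their impact values, the function names and the sample requests are all constructed for illustration and are not the PHPIDS filter set.

```php
<?php
// Added example: a detect-only layer, NOT the real PHPIDS filter set.
// Rules, impact values and sample requests are constructed for illustration.
const RULES = [
    ['re' => '/<\s*script\b|\bon\w+\s*=|javascript:/i', 'tag' => 'xss', 'impact' => 4],
    ['re' => '/\bunion\b.+\bselect\b|\'\s*or\s+\d+\s*=\s*\d+/i', 'tag' => 'sqli', 'impact' => 6],
];

/** Inspect request values; return total impact and matched tags. Input is never modified. */
function inspect(array $request): array
{
    $report = ['impact' => 0, 'tags' => []];
    foreach ($request as $name => $value) {
        foreach (RULES as $rule) {
            if (preg_match($rule['re'], (string) $value) === 1) {
                $report['impact'] += $rule['impact'];
                $report['tags'][$name][] = $rule['tag'];
            }
        }
    }
    return $report;
}

/** Upper-median wall-clock cost of inspect() in microseconds over $runs runs. */
function medianCostUs(array $request, int $runs = 20): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);                 // monotonic clock, nanoseconds
        inspect($request);
        $samples[] = (hrtime(true) - $start) / 1000;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

// Constructed sample requests: one benign ("idle"), one carrying attack strings.
$idle   = ['s' => 'phpids benchmark', 'author' => 'anna', 'comment' => 'Nice post, thanks!'];
$attack = ['s' => '<script>alert(1)</script>', 'author' => "x' OR 1=1 --", 'comment' => 'hi'];

foreach (['idle' => $idle, 'attack' => $attack] as $label => $request) {
    $report = inspect($request);
    printf("%-6s impact=%2d tags=%s median=%.1f us\n", $label, $report['impact'],
        json_encode($report['tags']), medianCostUs($request));
}
```

The figure to compare is the gap between the two medians rather than their absolute values, which depend on the host and PHP version.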

Detailed results can be found in the following table:
[table id=1 /]
Nothing spectacular, right?
The following graph represents the loading time of each WordPress segment in each scenario:

PHPIDS (via the Mute Screamer plugin) doesn't add any major weight to your blog, contrary to what you might expect.
This breakdown proves the point: Mute Screamer is only a fraction of the code needed to display the blog, and the core still takes about 70% of resources:

Let’s look at the memory usage and execution of the plugins:

This also proves that the additional security layer will not slow your blog down more than any other ordinary plugin (please note that the left axis is on a logarithmic scale), and even under attack conditions the script doesn't put any significant stress on the system (this can be very important if you want to hide the fact that you are using an IDS).

Before running these benchmarks I was very skeptical about this plugin, but now I'm pretty sure the profit from the increased security costs me only a fraction of what I thought it would.

(During the tests and while writing this post, PHPIDS blocked 6 XSS attacks from automated bots from all around the world.)
