Wordfence vs Cloudflare?


Which of them is faster in terms of security? Wordfence will slow down the wordpress instance whereas cloudflare will affect the ttfb and site load timings.

So which one of them would you recommend

@GulshanKumar @anon65784627 @Saksham


If I talk about WordFence vs Cloudflare, I would always prefer Cloudflare.

I have seen this product as Application Firewall and another Cloudflare as Web Firewall.

One of the major issue I noticed with WordFence, it causes the unnecessary index of URLs with random query strings. A simple Google search can tell more about this… inurl:?wordfence_logHuman

Note: Many users have faced this problem. So, I can’t recommend.

Why I would prefer Cloudflare?

  • To prevent malicious traffic, Cloudflare waf (OWASP, WordPress, XSS) is more powerful.

  • It’s neat and clean, and trusted by large number of websites. Ref: Data 1, Data 2. That’s a reason, why I can trust more.

As per my personal research, slow TTFB with Cloudflare happens only and only in India due to poor routing of traffic. I have not seen this same issue in other countries. Additionally, I have confirmed this problem from CF team, they agreed, there is some issue here.


Cloudflare. @GulshanKumar explained it very well.


I’ve faced this problem as well.


Go with Cloudflare.


Approximately 500ms delay in TTFB due to CF is okay, but index of random query string I would totally not accept. A plugin we trust for security, they have no right to index anything they wish. My decision is final, only and only CF.


I use both.


So Cloudflare is enough for security? I am using them both so should i remove the wordfence


In short, yes.

In long, no (nothing is enough).

I wouldn’t name it enough. More than any services it’s our responsibility to use little common-sense (I mean, best practices) like keeping backup, not using nulled theme or plugin, keeping strong password, etc.

Of course, these are little basic thing which will miss as reminder what Wordfence is best for this.


WordPress is secure, I have no doubt on blank Installation. If it get hacked, most of the time it’s our mistake.

I never use a dedicated plugin for security. CF is best for me.

I keep very very long password. Ref: Screenshot

Thankfully, Cloudflare help me to keep login page secure.

Try browsing this page, it wouldn’t be simple.


is that your home address?


Nope. It’s random characters like offered by any password generator.


So I need to hack your password manager to hack the site. That’s a good plan.


Impossible. You have to crack few more thing first.


Nothing is 100% secure in the world! No matter, how strong your password is! What if by mistake while installing something in your computer or mobile you install a Trojan or RAT, which in return send all the information and act as a keylogger!

Most times things go wrong when we do some mistake from our side only!

Two-Factor Authenication is the best thing that a website can provide the users to protect our account from being compromised! :wink:


I deleted Wordfence yesterday and this is the result

Are those extra strings created by wordfence? Happy to delete it btw


Before deleting, make sure to check its settings

  1. Remove Firewall
  2. Select “Delete Wordfence tables and data on deactivation”
  3. Save settings
  4. Now delete plugin.

I have never seen this kind of permalinks (except for attachment) what you shared in screenshots.


Well, I was wrong. It is Yoast SEO, Check out this in Attachment Sitemap
looks like they are images URL but why this is happening?


In SEO-> Media -> selected “Yes” and this removed the attachment sitemap. Problem solved