How much can it cost to optimize a WordPress website for speed and security?


Everyone wants the fastest, most secure website ever, since having a fast site keeps people on your site longer, and having a secure site makes sure it’s always available and not redirecting people to a Viagra website… or worse (is there worse?).

WordPress is a wonderful CMS but its dynamic and Open-Source nature means site owners often suffer from slow-ish and vulnerable sites. That’s why you’ll find a ton of articles online about how to speed up and secure WordPress sites. The problem is that implementing these techniques can end up being quite time-consuming and expensive, so I thought I’d dig in and see what costs an agency can expect when speeding up and securing their customers’ websites.

How to check your site’s speed

The consensus is that a fast site takes under three seconds to load, though we all know that three seconds in internet time is like three minutes in real-world time. Around 3-4 seconds, I find myself muttering “just load already”.

One of the most popular free tools for analyzing site speed is Pingdom. You can test your site’s loading time in a few locations (NYC, San Jose, Stockholm, and Australia).

However, your results from site speed testing tools can vary wildly for the following reasons:

  1. The geographic location you select can impact the page load speed, depending on where your site is hosted.
  2. If your site is being cached, the first test will always be slower than a second, repeat test.

Despite all that, it can be useful to get some kind of benchmark regarding your site’s speed.

Once you have your speed test results, you can decide if it’s worth it for you to invest resources toward making it faster.

How to check your site’s security

It can be hard to tell if your site has been infected with malware or otherwise compromised, since hackers can be very sneaky. In order to know to a high degree of certainty whether your site is secure or not, there are a number of tools you can use to analyze your site.

You can start with a Sucuri malware scanner. We’ve found that it doesn’t catch everything and therefore isn’t 100% reliable, but it is a starting point.

You can also run your site through a security header test. Security headers tell browsers how to deal with certain threats and types of content that are being loaded on your site. You can learn more about the implications of security headers in Miriam’s talk from WordCamp Europe about Content Security Policies.
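What a security header test looks at, as an added example that is not part of the original article: the sketch below parses a raw HTTP response and reports missing or weak security headers. The sample response is constructed, and the one-year HSTS threshold and the finding texts are assumptions chosen for illustration.

```python
# Added example: audit response headers the way a security header test does.
# SAMPLE_RESPONSE is constructed for illustration, not captured from a real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
"""

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_headers(raw):
    """Return a dict of lower-cased header names to values from a raw response."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return a sorted list of findings for missing or weak security headers."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        parts = [d.strip().lower() for d in hsts.split(";")]
        age = next((d.split("=", 1)[1].strip('"') for d in parts
                    if d.startswith("max-age=")), "0")
        if not age.isdigit() or int(age) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline or unsafe-eval")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if "referrer-policy" not in headers:
        findings.append("Referrer-Policy missing")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_headers(SAMPLE_RESPONSE)):
        print("-", finding)
```

A header being present is not the same as it being effective, which is why the check flags the short HSTS lifetime and the `'unsafe-inline'` CSP in the sample even though both headers are set.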

Even if your site scan comes back clean, keep in mind that WordPress is constantly being targeted because of its popularity, and plugins and core software need updating on a regular basis to keep your site secure. Studies have shown that on average, WordPress sites get attacked 50 times a day!

Google cares about speed and security

Google takes security and speed very seriously because they want users to have a good and safe experience on a website. So chances are, if your site is optimized for both, and all your other SEO practices are in place, your rankings could get a boost which translates into more people interacting with your site.

Bottom line: how much will it cost?

You’re not gonna like the answer. The answer is… yep, you guessed it… it depends. The cost depends on just how far you want to take things and what you’re willing to pay for. But the following will give you a rough outline of the costs involved.

There are a heck of a lot of free tools out there (thank you to all you people who make them free) that can seriously help with your site speed and security. But, as you might expect, a paid version of the same service will often give you valuable features and support.

Tools and plugins for a faster WordPress site

Here are some tools that could have the biggest impact on your site speed:

Caching
Caching helps make your site load faster the second time a user visits your site by serving a static version of your site.

  1. Free: Plugins include WP Super Cache and W3 Total Cache. Your server provider may also have some additional caching services available.
  2. Paid: WP Rocket is probably the most popular. Cost: $199/year for unlimited websites.

CDN
A CDN (Content Delivery Network) serves a copy of your site’s assets (images, stylesheets, javascript files) from a server closest to the user, thereby decreasing page load time.

Image Optimization
Images can really weigh down a site so it’s super important to compress them.

  • Free: reSmush.it, EWWW Image Optimizer. Smush has a free version but you’d need to upgrade to the PRO version for bulk ‘smushing’, and ShortPixel has a freemium plugin that lets you bulk optimize up to 100 images. You could also use Tinypng.com but you’d need to manually upload each image, which can get tedious pretty quickly.
  • Paid: ShortPixel $30/month for 55,000 images per month

Static Site Generator
Flattening your site into a static site can speed it up, because pre-rendered files load much faster than dynamic pages: they don’t have to wait to interact with the database.

  • Free: There are free plugins like Simply Static but there are many limitations you should consider before using this tool.
  • Paid: I’d like to put Strattic here, except it’s not *just* a static site generator, it also includes a CDN, HTTP/2, automated security, and serverless hosting that lets you have a static site with some dynamic functionality so that you can use native contact forms and site search.

Tools and plugins for a more secure WordPress website

Here are some tools that can have the biggest impact on your site security:

Limit Login Attempts
Limit how many times someone can try to login to prevent brute-force attacks.

  • Free: Wordfence is the most popular WordPress security plugin at the moment, and for good reason. It lets you lock out users after a certain number of password attempts, perform security scans, and offers many other features. However, it can put a load on your website’s database.
  • Also free: Jetpack has a built-in brute-force protection mechanism called Protect. It also adds a widget to your admin dashboard showing how many malicious attacks were blocked on your site.

Automatic updates
Keeping your WordPress up to date is probably the most important thing you can do to keep your site safe.

Backups
If you want to sleep easy at night, then it’s critical to have backups, since it’s wishful thinking that your site will never ever get hacked. Just be careful to save these backups off-site, since otherwise they could quickly hog your server storage quota. Also, if the server with your website crashes, all your backups are at risk too!

  • Free: Updraft Plus
  • Paid: Blogvault Agencies up to 100 sites: $99/month. We love Blogvault – they make it super easy to backup, migrate, and test-restore sites. There’s also VaultPress, which ranges from $39 – $299/year per site depending on which features you need.

Malware Scanners and cleanup services
It’s important to constantly scan your site for malware, and clean it up immediately if anything is detected.

  • Free: the Sucuri plugin and the Wordfence plugin, but in our experience they haven’t always detected malware that was detected by other services such as Malcare.
  • Paid: From our experience, Malcare has been extremely reliable and their one-click cleanup is extremely handy: $59/month for up to 20 sites. Sucuri offers a paid version for $500/year per site with fast response report and cleanup.

Additional costs

In addition to these tools and services, it’s likely you’ll also need a developer to implement the rest of the best practices for speed and security such as leveraging browser caching, gzip compression, etc. For a more in-depth look at what you can optimize, here are 21 ways to secure your site, and 9 ways to speed up your site.

Conclusion

If you’re thinking, meh, I don’t really need to do all this stuff, I would also say that not optimizing your site for speed and security could end up costing you just as much, if not more, since you’d need to deal with downtime, lost visitors and cleaning up all the damage. To put it another way, making your site fast and secure may be annoying, but taking it seriously yields significant results, and is simply part of the cost of having a website these days.