We launched our WordPress performance and security benchmark tool a little over a year ago. So far we’ve had almost 3500 benchmark runs across 2000 unique domains, so we decided to do a quick analysis of average and aggregate benchmark metrics.
Our free benchmark service gauges a handful of WordPress site parameters, including HTTPS and HTTP/2 availability, average time-to-first-byte (TTFB) of both cached and uncached responses, DNS performance and availability, WordPress core version and the webstack running it, security headers (HSTS, X-Frame-Options, etc.) and others. We weighted-score the results and present an overview of things that should be looked into and an overall performance and security grade.
Of course, these metrics represent only a specific slice of the WordPress community out there. A security- and performance-conscious WordPress administrator, working on improving their site, maybe looking to change hosting providers.
|Cookies on first visit||43%|
Uncached Response Times
|Average uncached TTFB||1826 msec|
|5th percentile||160 msec|
|10th percentile||242 msec|
|50th percentile||889 msec|
|90th percentile||3286 msec|
|95th percentile||5343 msec|
Cached Response Times
|Average cached TTFB||1018 msec|
|5th percentile||124 msec|
|10th percentile||137 msec|
|50th percentile||418 msec|
|90th percentile||1863 msec|
|95th percentile||3213 msec|
We could not identify the PHP version from about 1500 of the sites that were benchmarked, but from those we successfully parse, here’s a chart showing the most used versions:
On the one had, we’re glad to see that 50% of performance-conscious WordPress website admins and developers have an uncached time-to-first-byte of under a second, and a cached time-to-first-byte of under half a second. WordPress can be fast. But on the other hand we’re seeing as many slow WordPress sites here, with 10% of benchmarks showing almost 2 second for cached pages (if cache was really working) and over 3 seconds for uncached requests.
If you’re stuck with a sluggish WordPress site, the best and most proven course of action would be to profile it for bottlenecks. We wrote a performance profiling for WordPress guide last week, so be sure to check it out.
We’re also glad to see over 55% sites served over HTTPS (the portion is actually higher, about 85% but with invalid certificates, so they don’t count). We’re expecting this number to grow over time, especially since free SSL certificates for WordPress sites have been available for quite a while now. HTTP/2 was available on more than half of these, which is fantastic. And while 65% redirected from HTTP to HTTPS forcefully, only 35% issued HSTS headers.
On a sadder note, almost half of the sites issued cookies on first visit. While we don’t record the nature of the cookies presented, the majority are probably PHP sessions, and that is bad. Unique server-side cookies are to be avoided by any means necessary as they can really hurt your cacheability, by sending visits to separate cache buckets.
We’ll meet again in a year or so for a recap. Meanwhile, feel free to benchmark your WordPress site and see how you compare.