Well I am not an expert but I have server status info plugin which tells me about memory usage in the beck-end. Sometimes it jumps to a 100mb. Sometimes is at 2 or 4 or 10mb, depends, and I am running a blog. So when you said that “Sometimes” you get 502, I figured maybe that “sometimes” is when your memory cap gets piked. If you have multiple windows opened it does use more ram, I dunno how much but it does.
512M was just an example. 256 sounds ok, but still it won’t hurt setting it to 512, it is just a limit, it will not reserve that amount from RAM.
As for the page caching I do not see a point in page caching by W3tc if Nginx does that for you, and nginx helper works there. One don’t need another caching. It is redundant, there is no point. That’s why there is --wpfc, --wpredis, -wp --w3tc etc etc.
If using Woo-commerce it can’t function properly without query strings, at least from my experience, so if there is a smoke there is a fire. I had big problems, especially if I used with additional caching. Therefore one should be careful.
(at the moment I am having trouble using separate cache for mobile users… always something with the EE.)
The Bruiser plugin is a much safer option, for me. Wordfence is messing too much with the website.
It is heavier too.
From my experience neither the Wordfence, ithemesSecurity Pro or w/e is necessary. All you need is a server-side firewall and a light plugin to protect you from spam and protect your login page.