Something causing crippling CPU spike

Odd, my main site has 1,362 posts, 579 unique tags, and no such CPU spike when I add tags.

How may tags do you have?

Hardly any. I typically don’t tag posts. But now, when I add 3-5 tags at once—BLAMMO! Server shutdown. I notified my hosting service and they are having their server tech look into it.

I thought it might have been the Classic Editor plugin, so I disabled that, but nope. Not that.

Andrew

Ok, it will be very interesting to hear what the hosting provider has to say.

They didn’t get back to me with more detail. I did just pay to double my CPU to a full core, so we’ll see how that goes.

Thanks!
Andrew

Doubling your CPU should definitely help.

Do keep us updated about this!

Unfortunately, my session timed out and I lost my first typed reply. (Grrr. Sigh.) Here it goes again…

As I said previously, I upgraded to a full core for my server plan. Today, I posted for the first time since. The CPU spiked to 100% and my site got limited again—even with a full core! I don’t get it.

“Your site has been limited within the past 24 hours”

From To CPU-USAGE:>ACPU CPU-USAGE:>MCPU aEP mEP lEP aMEM mMEM
11-20 18:00 11-20 19:00 6 100 1 1 25 11.5M 72.8M

I think this is the bad thing above:
CPU-USAGE:>MCPU hit 100.

PID CMD CPU MEM
39579 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php N/A 44
39580 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php 15% 40
39712 lsphp:me/[account stuff]/pickleballjourney.com/wp-cron.php N/A 26
39750 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php 41% 23

HTTP Queries Snapshot
Method Duration URL
POST 7s https://[my URL stuff].com/xmlrpc.php

So frustrating.

Andrew

disable XML-RPC if you do not use it
it is used by attackers to brute force your user password

there are plugins https://www.ads-software.com/plugins/search/xml-rpc/

Thanks, Liew. I currently do use it, but I can get around it, if I have to. However, so far, there has been no evidence of any brute force attack in my logs. The CPU spike always seems to coincide with me editing a post.

Andrew

PID CMD CPU MEM
39579 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php N/A 44
39580 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php 15% 40
39712 lsphp:me/[account stuff]/pickleballjourney.com/wp-cron.php N/A 26
39750 lsphp:ome/[account stuff]/pickleballjourney.com/xmlrpc.php 41% 23

As you can see above, the XMLRPC processes are eating up quite a lot of your CPU with one process using 41% and the other process using 15%.

This leaves very little CPU left for other operations of your website, which is why you may hit your CPU limit even by just editing a post.

You should definitely take actions to prevent further attacks to XMLRPC.

If you can’t disable it, consider putting your website behind CloudFlare which should help reduce the number of bots accessing your website.

Thanks, James. I’ll try disabling XMLRPC and see what happens.

As far as attacks, when I checked the logs there was no evidence of any. Since the site gets little traffic (for now), nearly all the visits are by my IP addresses . . . the rest are a pittance. The CPU spikes definitely coincide with me editing/posting.

Here’s a question. If I’m editing on via a desktop browser, why is there any XMLPRC activity? I thought that was for mobile devices. ??

Thanks,
Andrew

As far as attacks, when I checked the logs there was no evidence of any.

What logs are you checking? Some attacks may not be logged at shared hosting account level and may only be logged at the server or root level.

Here’s a question. If I’m editing on via a desktop browser, why is there any XMLPRC activity? I thought that was for mobile devices. ??

Because they are not being accessed by you but by automated bots which are attempting to exploit XMLRPC of your website.

xmlrpc.php is required by connected apps (like the WordPress mobile apps), and connected services (like Jetpack and IFTTT).

But, it can also be used as a gateway to attempt to brute-force guess your password (repeated attempts, constantly, until they get it right). Plenty of plugins, including Jetpack, protect against this though by locking out attackers after a set number of failed attempts.

With that said though, if you aren’t using a connected app or service, it’s probably an attack.

https://www.ads-software.com/plugins/block-bad-queries/ doesn’t protect xmlrpc.php from brute force attacks, but it may also help, as it blocks several common attack types.

Same trouble here…

When I edit a page it created a bunch of HTTP tasks that maxes out memory, maxes out I/O, but the processor is just rolling at 15% same as always.

What fixes this is to toggle the PHP version from 7.4 to 7.3, and then back to 7.4 on the CPANEL.

While this is happening, the server is unavailable for use.

I believe this started with the upgrade to 7.4.

Thoughts?

For some reason I need to be on PHP 7.2 otherwise the site goes down.. but yeah same issue, complete crash of the server when adding lots of tags at once. I basically copy a comma separated list and then paste in the tags and it spawns a whole bunch of tasks and bam server goes down.

I’ve spent a lot of time in the server logs and I’ve attributed this to a DDOS attack. What finally worked for me was the free plugin “Protection against DDoS”. Setting the redirect to 127.0.0.1 turned them away.
During the bad times, I was taking 50,000 hits a day from over 100 countries to the xmlrpc.php and wp-login.php files. It’s now down to 50,000 hits per week. Fhis plugin disabled the xmlrpc feature and requires a cookie from my site to load up the wp-login.php page. (redirects to 127.0.0.1 if the cookie doesn’t exist, so they hammer themself).