Excessive resources on MANY hosting accounts with Wordfence

  • We are being bombarded with emails from our hosting providing who says that many of our sites are “utilizing excessive resources on the server”. They continue to cite logs like the following that appear to be related to Wordfence….

    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:14:17 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:14:34 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:14:50 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:15:07 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:15:24 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:15:41 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”
    xxx.xxx.xxx.xxx – – [08/Dec/2014:14:15:58 -0800] “POST /sys/wp-admin/admin-ajax.php?action=wordfence_testAjax HTTP/1.0” 200 12 “-” “WordPress/4.0.1; https://www.our-domain.com”

    The hosting company is convinced that this is an attack (hacker attempt) on the login page. Could this be related to Wordfence? It seems to be. What are each of these posts indicateing? They are happening at a rapid rate on MANY of our sites.

    Thanks for your attention!

    https://www.ads-software.com/plugins/wordfence/

Viewing 10 replies - 1 through 10 (of 10 total)

  • What is the ip addresses that show there? Are they your ip or the loopback address?

    tim

    Thread Starter Modmacro

    (@modmacro)

    The IP addresses are that of the server. In this case, the IP is 216.227.213.227

    thanks

    What that is is the start of the scan by wordfence. So not a hacker it all, if the IP address is always from your server. The question is this why is there a schedule starting every couple of minutes. Still looking into possible causes and will update as soon as I know something

    Tim

    Thread Starter Modmacro

    (@modmacro)

    Good question, and this is happening on multiple sites, all running the latest Wordfence and the latest WP.

    @modmacro: I’ve the same problem. I’ve installed WP Crontrol and discovered that there were multiple scans scheduled each day, sometimes minutes after each other. Also the activity log showed multiple scans a day. When I removed the duplicate cronjobs “wordfence_start_scheduled_scan” the high resource use disappeared.

    We have isolated a bug where some free users have multiple scans st to run in cron. We’ve filed a priority one bug for this in our system. I’m not sure which release this will be included in (we do them frequently) but it is supposed to be addressed.

    tim

    Moderator Bet Hannon

    (@bethannon1)

    So is it okay to delete all but one of these from wp-cron? (BackupBuddy let me see all of them, and easily delete the extras.)

    I believe so, yes.

    tim

    Thread Starter Modmacro

    (@modmacro)

    Thanks for the update Tim. I’ve alerted the hosting company that this will hopefully be fixed soon.

    Matt-

    I’m happy I read this before installing the plugin, because my hosting provider likes to jump the gun and block every hosting account that may potentially cause problems for the server.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘Excessive resources on MANY hosting accounts with Wordfence’ is closed to new replies.