• Resolved manukkd

    (@manukkd)


    Hi,

    My hosting provider warn me about over CPU usage and they have shared a Get request hitting to my server, I will share the request here hitting to my server. Is there any relation to wordfence?. currently, I have disabled all Rest API requests by using a plugins. but still hitting the request and currently it’s accessible to public

    some requests are as follows, it is hitting more than 300 requests per 15 minute

    “GET /wp-json/wp/v2/posts?_embed&per_page=10 H TTP/1.0” 401 935 “-” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36”

    “GET /wp-json/wp/v2/posts?_embed&per_page=10 HT TP/1.0” 401 935 “-” “okhttp/4.9.2”

    Any Solution on this?

    The page I need help with: [log in to see the link]

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @manukkd, thanks for reaching out to us.

    For the benefits of anybody referencing this topic, these requests look like the WordPress post embed system, introduced back in WordPress 4.4. This was introduced so that posts could be embedded into other WordPress sites: https://www.ads-software.com/news/2015/12/clifford/

    It is quite plausible that a site or bot is attempting to utilize this feature in some way, but despite the block put in place with your other plugins, they are still making the requests to your site. I tried manually and saw that this action was not permitted now without authentication.

    Wordfence, as an endpoint firewall cannot stop a bot or human (as shown in my test) from trying to make these requests altogether, but rather deal with the requests appropriately according to your settings when they happen. However, if the quantity of requests are actually causing limits to be hit on your server this can be another issue as you mention.

    Whilst manual blocking strategies are generally not recommended as they take up your time, if these requests are coming from a consistent IP or URL, you could block these before they reach your site (and therefore Wordfence) by using any server-side firewall or loadbalancer available on your hosting plan. This may ease the load as they are no longer allowed to load any content from your site at all.

    Let me know how you get on,

    Peter.

    Thread Starter manukkd

    (@manukkd)

    thank you for your help,

    currently, the request from the unauthenticated users is protected with the help of Disable REST API Plugin and the request gets 401 for unauthenticated users. Now the server consuming fair resources. I think someone embeds my site to another WordPress website is the main cause of the issue.

    I have bypassed the wordfence from the list Disable REST API Plugin

    Plugin Support wfpeter

    (@wfpeter)

    Hi @manukkd,

    Ultimately I think despite the REST API plugin dealing with the requests rather than Wordfence, the requests are still hitting your site and resulting in some data being transferred, even if it’s just a 401 message. They could still show in Live Traffic if you have reporting set to “ALL TRAFFIC” rather than “SECURITY ONLY”.

    Hopefully this will reduce load on your server because a smaller amount of data is being sent back with the request, but utilizing any server-side firewall you may have could stop limits set by your host being hit altogether.

    Thanks again,

    Peter.

    Thread Starter manukkd

    (@manukkd)

    Finally, I have applied this code on function.php
    The hosting provider share this link to follow and apply to block unauthorized accces

    https://stackoverflow.com/questions/41191655/safely-disable-wp-rest-api

    add_filter( 'rest_authentication_errors', function( $result ) {
        // If a previous authentication check was applied,
        // pass that result along without modification.
        if ( true === $result || is_wp_error( $result ) ) {
            return $result;
        }
    
        // No authentication has been performed yet.
        // Return an error if user is not logged in.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_not_logged_in',
                __( 'You are not currently logged in.' ),
                array( 'status' => 401 )
            );
        }
    
        // Our custom authentication check should have no effect
        // on logged-in requests
        return $result;
    });
    Plugin Support wfpeter

    (@wfpeter)

    Hi @manukkd,

    I’m glad you were able to implement that code with the help of your hosting provider to hopefully achieve what you want. Provided you’re no longer hitting limits on your hosting plan unintentionally due to the actions of bots/humans, that’s the main goal.

    If you have further Wordfence questions in future by all means start up a new topic and we’ll always be glad to help out.

    Peter.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Rest API request cause over CPU usage’ is closed to new replies.