• Resolved Marco Chiesi

    (@marcochiesi)


    Hi there,
    I noticed a high server load on a server due to a site having both WPML and Profile Builder installed.

    The access log was full of records (5-6 per second) like the following, originating from the IP of the server itself:

    [server-ip] - - [25/Sep/2017:09:46:01 +0200] "HEAD /en/wp-login.php HTTP/1.1" 404 - "https://[site-url]/en/wp-login.php" "WordPress/4.8.2; https://[site-url]/en"

    (Server ip and site url were redacted for privacy reasons).

    At the beginning I thought it was a security issue, as it looked like an odd brute-force attack on wp-login.php, but after some debugging I found that the source of these calls is a compatibility code snippet included in Profile Builder:

    
            /****************************************************
             * Plugin Name: WPML
             * Compatibility with wp_login_form() that wasn't getting the language code in the site url
             ****************************************************/
            add_filter( 'site_url', 'wppb_wpml_login_form_compatibility', 10, 4 );
            function wppb_wpml_login_form_compatibility( $url, $path, $scheme, $blog_id ){
                global $wppb_login_shortcode;
                if( defined( 'ICL_LANGUAGE_CODE' ) && $wppb_login_shortcode ){
                    if( $path == 'wp-login.php' ) {
                        if( !empty( $_GET['lang'] ) )
                            return add_query_arg('lang', ICL_LANGUAGE_CODE, $url);
                        else{
                            if( function_exists('curl_version') ) {
                                /* let's see if the directory structure exists for wp-login.php */
                                $headers = wp_remote_head( trailingslashit( get_home_url() ) . $path, array( 'timeout' => 2 ) );
                                if (!is_wp_error($headers)) {
                                    if ($headers['response']['code'] == 200) {
                                        return trailingslashit( get_home_url() ) . $path;
                                    }
                                }
                            }
                            return add_query_arg('lang', ICL_LANGUAGE_CODE, $url);
                        }
                    }
                }
                return $url;
            }
    

    This site is set up with Italian as the primary language and English as the secondary language, and, most importantly, it includes a PB login form on every page (hidden by default and displayed using the Popup Maker, but I think this is not relevant).
    When accessing any English page on the frontend, it triggers the above snippet, which performs an HTTP HEAD call to /en/wp-login.php, which of course returns a 404. The problem is that the 404 page also includes a login form, so it generates a never-ending loop of HEAD requests.

    I hope that you can fix this issue on the next releases of the plugin.

    Thank you.
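
A detection sketch for the log pattern described in the post above, added here as an example (it is not part of the original thread or of the plugin's code): it reports bursts of requests that arrive from the server's own IP with the WordPress HTTP API user agent. The address 203.0.113.10, the host example.com and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def find_self_request_loops(lines, server_ips, min_hits=5):
    """Return {(method, path, status): (hits, peak_per_second)} for requests that
    the server sent to itself through the WordPress HTTP API."""
    hits, per_second = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        # Loopback traffic: client is the server itself, user agent is "WordPress/<version>; <url>"
        if m["ip"] not in server_ips or not m["ua"].startswith("WordPress/"):
            continue
        key = (m["method"], m["path"], int(m["status"]))
        hits[key] += 1
        per_second[key, m["ts"]] += 1  # log timestamps have one-second resolution
    return {
        key: (n, max(c for (k, _), c in per_second.items() if k == key))
        for key, n in hits.items() if n >= min_hits
    }

# Constructed sample data: the post's log line with the redacted values replaced
SERVER_IP = "203.0.113.10"  # assumed server address (documentation range)

def _loop_line(second):
    return (f'{SERVER_IP} - - [25/Sep/2017:09:46:{second:02d} +0200] '
            '"HEAD /en/wp-login.php HTTP/1.1" 404 - '
            '"https://example.com/en/wp-login.php" "WordPress/4.8.2; https://example.com/en"')

SAMPLE_LOG = [_loop_line(1)] * 6 + [_loop_line(2)] * 5 + [
    # ordinary visitor and a single WP-Cron self-request: neither should be reported
    '198.51.100.7 - - [25/Sep/2017:09:46:01 +0200] "GET /en/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'{SERVER_IP} - - [25/Sep/2017:09:46:02 +0200] "POST /wp-cron.php HTTP/1.1" 200 - "-" "WordPress/4.8.2; https://example.com"',
]

if __name__ == "__main__":
    for (method, path, status), (n, peak) in find_self_request_loops(SAMPLE_LOG, {SERVER_IP}).items():
        print(f"{method} {path} -> {status}: {n} self-requests, peak {peak}/s")
```

The `min_hits` threshold keeps isolated loopback calls such as WP-Cron out of the report; tune it to the log window being examined.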

Viewing 1 replies (of 1 total)
  • Plugin Author Georgian Cocora

    (@raster02)

    Hello Marco,

    Thank you for the detailed post. I will notify the developer about this issue and he will look to release a fix.

    Regards.

  • The topic ‘WPML compatibility – Serious problem affecting server load’ is closed to new replies.