WPML compatibility – Serious problem affecting server load
-
Hi there,
I noticed a high server load on a server due to a site having both WPML and Profile Builder installed.The access log was full of records (5-6 per second) as the following, originated from the IP of the server itself:
[server-ip] - - [25/Sep/2017:09:46:01 +0200] "HEAD /en/wp-login.php HTTP/1.1" 404 - "https://[site-url]/en/wp-login.php" "WordPress/4.8.2; https://[site-url]/en"
(Server ip and site url were redacted for privacy reasons).
At the beginning I was thinking it was a security issues, as it was looking as an odd bruteforce attack on wp-login.php, but after some debugging I found that the source of these calls is a compatibility code snippet included in Profile Builder:
/**************************************************** * Plugin Name: WPML * Compatibility with wp_login_form() that wasn't getting the language code in the site url ****************************************************/ add_filter( 'site_url', 'wppb_wpml_login_form_compatibility', 10, 4 ); function wppb_wpml_login_form_compatibility( $url, $path, $scheme, $blog_id ){ global $wppb_login_shortcode; if( defined( 'ICL_LANGUAGE_CODE' ) && $wppb_login_shortcode ){ if( $path == 'wp-login.php' ) { if( !empty( $_GET['lang'] ) ) return add_query_arg('lang', ICL_LANGUAGE_CODE, $url); else{ if( function_exists('curl_version') ) { /* let's see if the directory structure exists for wp-login.php */ $headers = wp_remote_head( trailingslashit( get_home_url() ) . $path, array( 'timeout' => 2 ) ); if (!is_wp_error($headers)) { if ($headers['response']['code'] == 200) { return trailingslashit( get_home_url() ) . $path; } } } return add_query_arg('lang', ICL_LANGUAGE_CODE, $url); } } } return $url; }
This site is setup with italian as primary language and english as secondary language, and, most important, it includes a PB login form in every page (hidden by default and displayed using the Popup Maker, but I think this is not relevant).
When accessing any english page on the frontend, it triggers the above snippet, which performs an HTTP HEAD call to /en/wp-login.php which of course returns a 404. The problem is that also the 404 page includes a login form, so it generates a neverending loop of HEAD requests.I hope that you can fix this issue on the next releases of the plugin.
Thank you.
- The topic ‘WPML compatibility – Serious problem affecting server load’ is closed to new replies.