Hi, I've got a WordPress site with almost no plugins that eats 100% CPU. top shows the following (just web2 user - that's the site):
Code:
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
 4892 web2      20   0  539444  64876  50216 S  16.6  1.6   0:13.18 php5-fpm
 4804 web2      20   0  539320  67296  52760 S  16.0  1.7   0:45.59 php5-fpm
 4532 web2      20   0  538684  63952  50056 S  14.0  1.6   0:46.45 php5-fpm
 4885 web2      20   0  539272  64700  50216 S  13.0  1.6   0:17.83 php5-fpm
 4894 web2      20   0  539460  64892  50216 S  12.3  1.6   0:11.02 php5-fpm
 4912 web2      20   0  539240  64668  50216 S  11.6  1.6   0:01.24 php5-fpm
 4088 mysql     20   0 1348228  81204  10980 S   1.3  2.0   0:04.33 mysqld

The site is very low traffic (50 visitors a day), there is almost no traffic on eth0, WordPress is updated to the latest version, I ran the P3 plugin to determine what is using most resources and still can't figure it out. I tried to restart the Apache service and even the whole server. Opinions? Thank you in advance.
It is possible that the site is hacked and it runs a spam bot or similar software now. Check the access.log for unusual activity, e.g. POST requests to files that you won't expect to be accessed by users, scan the website folder for malware and check the mailqueue of the server (command: postqueue -p) to ensure that there are not many spam mails in there.
OK, if I do:
# tail -n 20 access.log
I get following:
The IP: 163.172.190.132
reverse DNS: 132-190-172-163.rev.cloud.scaleway.com

The contents of /xmlrpc.php is following:
Code:
<?php
/**
 * XML-RPC protocol support for WordPress
 *
 * @package WordPress
 */

/**
 * Whether this is an XML-RPC Request
 *
 * @var bool
 */
define('XMLRPC_REQUEST', true);

// Some browser-embedded clients send cookies. We don't want them.
$_COOKIE = array();

// A bug in PHP < 5.2.2 makes $HTTP_RAW_POST_DATA not set by default,
// but we can do it ourself.
if ( !isset( $HTTP_RAW_POST_DATA ) ) {
	$HTTP_RAW_POST_DATA = file_get_contents( 'php://input' );
}

// fix for mozBlog and other cases where '<?xml' isn't on the very first line
if ( isset($HTTP_RAW_POST_DATA) )
	$HTTP_RAW_POST_DATA = trim($HTTP_RAW_POST_DATA);

/** Include the bootstrap for setting up WordPress environment */
include( dirname( __FILE__ ) . '/wp-load.php' );

if ( isset( $_GET['rsd'] ) ) { // http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
header('Content-Type: text/xml; charset=' . get_option('blog_charset'), true);
?>
<?php echo '<?xml version="1.0" encoding="'.get_option('blog_charset').'"?'.'>'; ?>
<rsd version="1.0" xmlns="http://archipelago.phrasewise.com/rsd">
  <service>
    <engineName>WordPress</engineName>
    <engineLink>https://wordpress.org/</engineLink>
    <homePageLink><?php bloginfo_rss('url') ?></homePageLink>
    <apis>
      <api name="WordPress" blogID="1" preferred="true" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
      <api name="Movable Type" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
      <api name="MetaWeblog" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
      <api name="Blogger" blogID="1" preferred="false" apiLink="<?php echo site_url('xmlrpc.php', 'rpc') ?>" />
      <?php
      /**
       * Add additional APIs to the Really Simple Discovery (RSD) endpoint.
       *
       * @link http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html
       *
       * @since 3.5.0
       */
      do_action( 'xmlrpc_rsd_apis' );
      ?>
    </apis>
  </service>
</rsd>
<?php
exit;
}

include_once(ABSPATH . 'wp-admin/includes/admin.php');
include_once(ABSPATH . WPINC . '/class-IXR.php');
include_once(ABSPATH . WPINC . '/class-wp-xmlrpc-server.php');

/**
 * Posts submitted via the XML-RPC interface get that title
 * @name post_default_title
 * @var string
 */
$post_default_title = "";

/**
 * Filters the class used for handling XML-RPC requests.
 *
 * @since 3.1.0
 *
 * @param string $class The name of the XML-RPC server class.
 */
$wp_xmlrpc_server_class = apply_filters( 'wp_xmlrpc_server_class', 'wp_xmlrpc_server' );
$wp_xmlrpc_server = new $wp_xmlrpc_server_class;

// Fire off the request
$wp_xmlrpc_server->serve_request();

exit;

/**
 * logIO() - Writes logging info to a file.
 *
 * @deprecated 3.4.0 Use error_log()
 * @see error_log()
 *
 * @param string $io Whether input or output
 * @param string $msg Information describing logging reason.
 */
function logIO( $io, $msg ) {
	_deprecated_function( __FUNCTION__, '3.4.0', 'error_log()' );
	if ( ! empty( $GLOBALS['xmlrpc_logging'] ) )
		error_log( $io . ' - ' . $msg );
}

No obfuscated code - doesn't seem hacked. As a temporary workaround I edited .htaccess and added:
Code:
Order Deny,Allow
Deny from 163.172.190.132

Restarted Apache - service apache2 restart
And the problem is gone, but what was the root cause? I have the feeling that this was only a workaround.
That was a brute force attack against the WordPress xmlrpc function. If you do not use any apps to post in wordpress like mobile apps or other software that uses the xmlrpc functions, then better disable it (there are wp plugins for that) or deny access to this file in the .htaccess file.
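Added example (not part of the thread): the access.log check suggested earlier and the xmlrpc.php brute-force pattern named in the reply above, as a small shell script. It counts POST requests per client IP for one script path in an Apache combined-format log; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-client count of POSTs to one script in an Apache
# "combined" access log. Function names and sample data are constructed.

# post_counts LOGFILE [PATH] -> "<count> <ip>" lines, busiest client first
post_counts() {
    awk -v path="${2:-/xmlrpc.php}" '
        # combined format: $1 = client IP, $6 = method with its leading
        # double quote, $7 = request URI
        $6 == "\"POST" {
            uri = $7
            sub(/\?.*/, "", uri)      # compare the path only, not the query
            if (uri == path) hits[$1]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# noisy_clients LOGFILE MIN [PATH] -> IPs with at least MIN matching POSTs
noisy_clients() {
    post_counts "$1" "${3:-/xmlrpc.php}" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Constructed sample log (documentation address ranges, not from the thread).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
192.0.2.10 - - [01/Jan/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2017:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.10 - - [01/Jan/2017:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.7 - - [01/Jan/2017:10:03:11 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2017:10:03:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2017:10:05:00 +0000] "GET /xmlrpc.php?rsd HTTP/1.1" 200 810 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2017:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

post_counts "$sample_log"          # all clients POSTing to /xmlrpc.php
noisy_clients "$sample_log" 3      # only those with 3 or more such POSTs
```

On a real server, pass the site's own access.log instead of the sample file; a second argument such as /wp-login.php checks another script the same way.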
Thank you till, it worked. For others - just place inside .htaccess the following (at the very top):
Code:
<Files "xmlrpc.php">
Order Allow,Deny
Deny from all
</Files>
# BEGIN WordPress