View All Products
Compute
Storage
Databases
Networking
Developer Tools
Delivery
Security
Services
Industries
Pricing
Community
Engage With Us
Community Questions High traffic, site unresponsive
Log in to Ask a Question

High traffic, site unresponsive

development

I have a very simple WordPress site (running on Apache) set up that I don't expect to be getting more than a dozen hits a day. Quite frequently, I'm seeing the site take a minute or more to resolve; to make sure it's not a WP or PHP problem, I've created a tiny (44 bytes) HTML-only page at http://whatiread.fyi/test.html - this is also grindingly slow at these times. Ping / ssh don't seem to have any problem and resolve speedily.

When these problems occur, Linode's dashboard tells me that the CPU usage and network traffic are unusually high. I can't imagine that 100kbps sustained for an entire day is legitimate traffic; what it's showing for the last couple of hours is more reasonable. What can I do to identify and stop this problem?

~~![](<URL url=)http://i.imgur.com/dSKQAO6.png" />

Thanks.~~

8 Replies

It is likely that you are running low on memory - try lowering the value of MaxClients in your Apache configuration. (You can search for MaxClients on the forum here for more discussions about that.)

Regarding network traffic, look in your Apache logs to see where it's coming from. Likely candidates are search engines. If they are generating more traffic than you want, then the well-behaved ones can be dealt with by creating a robots.txt file to slow them down or stop them; poorly-behaved ones can be blocked by IP address.

I've changed MaxClients from 30 down to 10, and I've created a robots.txt that blocks everything except Google,and I'm still seeing high unexpectedly high traffic.

Does anyone have any more ideas?

![](" />

What does your Apache log indicate? My guess is script kiddies trying to brute force your WP install.

Some of them even attempt to open up hundreds of connections at once, which can really suck down your server resources as Apache swaps and swaps. Bad bots ignore robots.txt files. If you run Apache as mod_php, every connection you open up it loads up PHP as well. I'd use something like mpm worker and a php fpm setup.

If you can, limit /wp-admin to to just your IP address. That'll cut down on those kinds of attempts. I use a combination of connection limiting via IP Tables and some fail2ban magic. Hosting WordPress is not a walk in the park, which Is why I think hosted providers have really capitalized on this market…

I've locked down the /wp-admin folder, so only 2 IP addresses have access to it, but it doesn't seem to have had any effect. /var/log/apache2/access.log and /var/log/apache2/othervhostsaccess.log are both empty. I'm pretty sure those are the right locations as there's no CustomLog entry in apache2.conf, and those are the default locations in Ubuntu.

You've got logs somewhere, unless you went to some special trouble to disable them. Look in your virtual host configuration files under /etc/apache2/sites-enabled by running grep -i log /etc/apache2/sites-enabled/* or something like it.

Ah, great, thanks.

Yeah, there are a handful of IPs hitting /xmlrpc.php dozens of times a second. I'm pretty sure I can lock that down.

OK, this is one second's worth of requests:

94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.78 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.78 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.78 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.78 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.2 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
93.174.93.234 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.31 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.51.216 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
94.102.49.78 - - [11/Feb/2016:11:17:14 -0500] "POST /xmlrpc.php HTTP/1.0" 403 478 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

Apparently, getting 403 responses doesn't slow down their attempts. But while traffic is still high, CPU usage is way down, and the site's loading time doesn't seem to be impacted. So I think I'm going to call this a win.

Thanks for the help!

First 403 being served from Apache instead of something hitting WordPress will reduce load, as php would have to run the php code.

A few things that can be done that should help

First you can hunt down there are a few php bytecode generators, or php caching, such as APC.

Second reduce and clean up the number of modules loaded in apache and php to what is needed, there are a large number of modules loaded that will cause this to be high, and because of PHP is not thread safe you are probably running in worker mode, which means you have multiple copies of Apache being loaded into memory. By default both can draw a great deal of memory

Third, you can run php through FastCGI instead of Modphp, this would allow you to move apache to a threaded model.

Lastly, you can try other web servers such as nginx, you may find better performance, since Nginx only runs threaded and uses fastcgi for php

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct