I have received a warning about my account CPU usage - what do I do?

DISCLAIMER: Please note that this guide is written to provide additional information which may help or assist you in diagnosing excessive CPU issues. Good knowledge of your website, its software and scripts and use of cPanel is essential. If you are inexperienced or otherwise unable to utilise the information provided in this article, we recommend hiring the services of a developer or other individual who can assist you. ThisWebHost cannot provide investigation and diagnostic services, including performing any of the steps listed below, so please do not request this.

Wordpress Attacks:

Over the last 6 months there have been huge, widespread automated attacks against the Wordpress platform. These include "bots" attempting to brute force (repeatedly guess) usernames and passwords to the Wordpress dashboard. Because these "bots" run so quickly, and repeatedly, it is not uncommon for these login attempts (which can occur 2-3 times a second) to cause a dramatic increase in CPU usage for a hosting account. In addition to these brute force attacks, there are also many other exploits of plugins, themes, and numerous other third party components of Wordpress. The very first thing we suggest doing is investigating your site(s) to determine what the most commonly accessed page is. This can tell us if your site is being hit with a brute force attack, or is otherwise possibly being exploited. Fortunately, to find out is reiatively simple:

  • Login to cPanel
  • Under the 'Logs' section, click on 'Webalizer'.
  • At the end of the corresponding row that matches your domain name, click on the magnifying glass icon. If you have multiple sites listed (each additional one corresponds to an addon domain) then you will need to perform these steps on each listed site, one at a time.
  • Once the Webalizer section of cPanel has loaded, click on the top (and current) date. At the time of writing this is 'Jan 2014' for example.
  • Once this new monthly overview page loads, click on the 'URLs' link at the top of the page. This will take you to the section which will display the top 30 accessed URL's on the site.
At this point we recommend looking for anything that looks abnormal. Top URL's should typically be URL's to pages of your site that contain content, such as blog posts, images, or other general content.

Here is an example and screenshot of an account that shows what we consider abnormal activity:

wp-login

In the screenshot above, we can see that the top 2 frequently accessed URL's are the Wordpress wp-login.php page, and the Wordpress xmlrpc.php page. The number of 'Hits' tells us how many times these pages have been accessed in this monthly period - in this case the wp-login.php page over 150,000 times! This is clearly a brute force attack on Wordpress, and is very likely the cause of the increased CPU usage.

Note: If you are seeing different URL's to the image above, you will need to determine if these URL's are normal or abnormal. Not every website will be the same.

Solution to Wordress Attacks
There are many third party Wordpress plugins which could and may assist you in protecting your Wordpress installation, and some that even restrict the number of login attempts that can be made to your blog during a set time period. The problem with such plugins is that they only prevent unauthorised access to your Wordpress site and do not prevent the wp-login.php page from being accessed in the first place. It is this page being accessed frequently that is causing the increased CPU usage, so whilst your site may be more secure, it may not necessarily reduce resource consumption.

The best, and more final solution that we recommend is adding some content to your Wordpress' .htaccess file to restrict access to the wp-login.php page based on your current IP address. This will ensure that only you can access the page and anyone else will receive a server error, preventing the wp-login.php page from even executing. To do this you will need to use FTP to access your hosting account and look for the .htaccess file in your Wordpress folder. Typically it will contain the following content:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


We recommend adding the following code above this in your .htaccess file:

<Files wp-login.php>
order deny,allow
deny from all
Allow from xxx.xxx.xxx.xxx
</Files>


Please note that you will need to replace xxx.xxx.xxx.xxx with your current IP address. You can find your IP address by using a website such as www.whatismyip.com

When you have finished adding the code, your .htaccess file should look something like this:

<Files wp-login.php>
order deny,allow
deny from all
Allow from 123.456.789.012
</Files>


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


Additional note: If your IP address changes, or you access your Wordpress Dashboard from a different location or device after implementing the above, you may need to update the IP address in your .htaccess file. If you are receiving a 403 error message instead of your login page, this means your IP address is currently not allowed to access the page.

Conclusion:
The above steps are a great and very secure method to restrict access to your Wordpress login page/dashboard to IP addresses that only you approve. The drawback to this is that it requires the knowledge and ability to make these changes and it can sometimes be difficult to remember to update the IP address in the file, or even be in a situation where you are able to do so (if accessing remotely). Unfortunately, as long as these global widespread attacks continue, we still believe this is the best "solution" to secure your site and to prevent the increased usage caused by these attacks.
  • 49 Users Found This Useful
Was this answer helpful?

Related Articles

My site/cPanel appears down or times out after I tried to login!

What is happening? We monitor all services (E-mail, FTP, cPanel, Web, etc) on our servers for...

My website is generating an "Internal Server Error" or 500 error.

Each time an "Internal Server Error" occurs, this error is fully logged to an error_log within...

Why are my e-mails being marked as ***SPAM*** ?

Why am I seeing e-mails being marked as ***SPAM*** in the subject header? We now implement a...

I've received a warning about my reseller disk space

Due to the way cPanel and WHM works, there can be a difference of disk usage reported by our...

I'm receiving a popup login window when trying to Wordpress

UPDATE NOTE: This system is now deprecated, meaning it is no longer active and has been removed...