
CPU is 5 times higher than normal

  • CPU is 5 times higher than normal

    I’ve just been monitoring an IP address trying to log in to a WordPress install as it seemed to somehow be generating lots of CPU load for just failed logins. Then I noticed that at the same time they are also accessing

    Code:
    wp-cron.php?doing_wp_cron=blah blah
    I don't know what they are up to, but it certainly can't be good!
    Last edited by clivejo; 20-02-2013, 08:32 PM.

  • #2
    Hey clive, can you post the IP? I'd like to compare notes..



    • #3
      I'd also like the IP, I will keep a watch for it and just block it if it is going to drive up my CPU



      • #4
        It's hard to tell as I don't know when it started exactly to pinpoint the IP that triggered it. The IPs that visited over and over, hitting wp-cron were

        46.249.199.31 - UK based
        1.202.218.71 - China
        14.110.79.64 - China

        They seem to just appear to hit the /wp-comments-post.php and the wp-cron.php files. Also get a spam post on the site too.



        • #5
          To be honest I'm noticing a lot of abusive traffic from China. Being an English language site maybe I could block China IP addresses, or serve them a static page?

          Could I use GeoIP in the domain tools for this?



          • #6
            Eakkkk



            This is the shared IP address of the webserver! Shared with 296 other domains! Something weird going on here!

            ---------
            EDIT: OK, from what I read, every time a visitor accesses the site the web server itself calls the wp-cron.php script to run background tasks that WordPress needs to do to keep itself working right. So when the spam bot hits me with a comment the cron job is busy writing it to database and emailing me a notification of the new comment. But why the spike in the CPU load?

            Between 1200-1800 I used 6.16%, which then drops back to 1.17% from 1800-2400
            Last edited by clivejo; 21-02-2013, 01:31 AM.



            • #7
              Maybe you can try to point your DNS to Cloudflare DNS and use it as a DNS firewall to filter out the spammers, abusers etc.

              I'm doing it that way, and with the same amount of quality traffic (Google Analytics stat), CPU load reduced from 12-15% to 2-3%. Despite that, I still moved my site to another cPanel VPS at another host because of the higher response time and high page load time on shared hosting.



              • #8
                Originally posted by clivejo View Post
                Eakkkk



                This is the shared IP address of the webserver! Shared with 296 other domains! Something weird going on here!

                ---------
                EDIT: OK, from what I read, every time a visitor accesses the site the web server itself calls the wp-cron.php script to run background tasks that WordPress needs to do to keep itself working right. So when the spam bot hits me with a comment the cron job is busy writing it to database and emailing me a notification of the new comment. But why the spike in the CPU load?

                Between 1200-1800 I used 6.16%, which then drops back to 1.17% from 1800-2400
                Well clive, the reason your CPU load is spiking is because WP is not just sitting there static anymore. It takes CPU to do cron processes, hit the databases to serve pages and such... Any IP that I find just hitting comments I ban the IP from my control panel.

                I looked; I do not have those particular IPs hitting my site (yet), but thanks to your post I found another couple of IPs hitting just comment.post and banned the IPs.

                The logic: there is a visit to the post URL first, and then if the visitor wishes to post a comment you will see comment.post in the breadcrumb URL trail for the same IP. A plugin to block comment spam is not the answer. No, the bot cannot post comment spam because of the plugin, but.. the bot is still hammering your server to post spam and pages are being served..

                Worked for me.. And thanks for your information as well. I did not realize regular visitors caused WP to do cron jobs.. Been driving myself nuts trying to find out why I have so many cron jobs showing

                Been working for me.



                • #9
                  Originally posted by clivejo View Post
                  To be honest I'm noticing a lot of abusive traffic from China. Being an English language site maybe I could block China IP addresses, or serve them a static page?

                  Could I use GeoIP in the domain tools for this?
                  You are supposed to be able to do this clive.. I've never tried it before though



                  • #10
                    Today between 6-12 my CPU usage shot up again from an average of 1.7% to 13.7%. It was from an IP 78.46.23.245 which is repeatedly trying the login.php script.

                    Code:
                    78.46.23.245 - - [Wed Feb 27 08:02:35 2013] "POST /wp-login.php HTTP/1.1" 200 3075 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
                    78.46.23.245 - - [Wed Feb 27 08:02:36 2013] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
                    Obviously a brute force attack, and I'm getting really pi$$ed off now with them. Anyone any ideas on how to remove the login script totally or rename it to something these annoying bots can't guess?

                    Comment
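Added example, not part of any post in this thread: a small detector for the pattern in the log excerpt from post #10, run over lines in that same layout. It flags an IP when it makes repeated POSTs to wp-login.php that are answered with 200 (WordPress redirects with 302 after a successful login) or when such requests carry a search-crawler User-Agent. The function names, the threshold and window values, and the sample lines with documentation-range addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout of the log lines quoted in the thread:
# ip - - [Wed Feb 27 08:02:35 2013] "METHOD path PROTO" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
CRAWLER_RE = re.compile(r"bingbot|googlebot", re.I)

def failed_logins(lines):
    """Yield (ip, time, user_agent) for each POST to wp-login.php answered with 200.
    WordPress answers a successful login with a 302 redirect; a 200 re-displays the form."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ua"]

def brute_force_report(lines, threshold=5, window=timedelta(minutes=1)):
    """Report IPs with `threshold` failed logins inside `window` (assumed values),
    or whose login attempts carry a search-crawler User-Agent."""
    times, agents = defaultdict(list), defaultdict(set)
    for ip, ts, ua in failed_logins(lines):
        times[ip].append(ts)
        agents[ip].add(ua)
    report = {}
    for ip, seen in times.items():
        seen.sort()
        burst = any(seen[i + threshold - 1] - seen[i] <= window
                    for i in range(len(seen) - threshold + 1))
        fake_crawler = any(CRAWLER_RE.search(ua) for ua in agents[ip])
        if burst or fake_crawler:
            report[ip] = {"attempts": len(seen), "burst": burst, "fake_crawler": fake_crawler}
    return report

# Constructed sample (documentation-range addresses, not data from the thread).
BOT_UA = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
SAMPLE = [f'203.0.113.7 - - [Wed Feb 27 08:02:{35 + i} 2013] "POST /wp-login.php HTTP/1.1" '
          f'200 3075 "-" "{BOT_UA}"' for i in range(6)]
SAMPLE += [
    '203.0.113.7 - - [Wed Feb 27 08:02:41 2013] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "' + BOT_UA + '"',
    '198.51.100.20 - - [Wed Feb 27 09:15:02 2013] "POST /wp-login.php HTTP/1.1" 200 3075 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [Wed Feb 27 09:15:20 2013] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in brute_force_report(SAMPLE).items():
        print(ip, info)
```

The second sample address mistypes a password once and then logs in, so it stays out of the report; lowering the threshold trades fewer missed attackers for more flagged legitimate users.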


                    • #11
                      Originally posted by clivejo View Post
                      Today between 6-12 my CPU usage shot up again from an average of 1.7% to 13.7%. It was from an IP 78.46.23.245 which is repeatedly trying the login.php script.

                      Code:
                      78.46.23.245 - - [Wed Feb 27 08:02:35 2013] "POST /wp-login.php HTTP/1.1" 200 3075 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
                      78.46.23.245 - - [Wed Feb 27 08:02:36 2013] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
                      Obviously a brute force attack, and I'm getting really pi$$ed off now with them. Anyone any ideas on how to remove the login script totally or rename it to something these annoying bots can't guess?
                      How about using .htaccess to place password protection? This prevents them from being able to access the file, so the CPU won't run?



                      • #12
                        I was thinking that, I can easily protect the directory via the Hepsia CP.

                        Would you have instructions on how to edit the .htaccess to protect just one file?

                        I have banned the IP but it's only a matter of time before another one comes along.

                        I have also added this to my .htaccess file as a temporary measure
                        Code:
                        <Files wp-login.php>
                            order allow,deny
                            deny from all
                        </Files>
                        Last edited by clivejo; 28-02-2013, 11:41 AM.



                        • #13
                          Originally posted by clivejo View Post
                          I was thinking that, I can easily protect the directory via the Hepsia CP.

                          Would you have instructions on how to edit the .htaccess to protect just one file?

                          I have banned the IP but it's only a matter of time before another one comes along.

                          I have also added this to my .htaccess file as a temporary measure
                          Code:
                          <Files wp-login.php>
                              order allow,deny
                              deny from all
                          </Files>
                          Maybe you can refer to



                          Founded in 1997, DEVShed is the perfect place for web developers to learn, share their work, and build upon the ideas of others.


                          I have never tried to protect a file, but I did use it to protect a directory. As I mentioned previously (not the previous post, but the one before it), try the Cloudflare service, which acts as an external firewall to help filter the abusers.



                          • #14
                            Hi,
                            My site was recently hacked by some Albanian hackers. I would recommend you use WordPress security plugins and block IPs with more than 2 unsuccessful attempts; also rename your wp-admin folder.



                            • #15
                              Do you have any suggestion as to what plug-in to use?
