Muntansir
By:
Muntansir

After a while unless I restart Apache all my websites go down? (Ubuntu 14.04)

May 25, 2016 1.6k views
Apache WordPress

Hi,

I have set up a server on 1gb Ram/1 CPU and it has 4 sites, 2 of them are staging sites, one is a blog and one is a restaurant. All the sites have literally minimal traffic no more then 5 visits a day however I find that after a day or so they all become unresponsive and I have to restart apache2 in my server for them to all be back up again.

Upon further inspection I have seen in the error logs the following things:

[Wed May 25 13:58:15.412099 2016] [core:error] [pid 1335] AH00046: child process 1790 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412106 2016] [core:error] [pid 1335] AH00046: child process 1793 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412122 2016] [core:error] [pid 1335] AH00046: child process 1811 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412129 2016] [core:error] [pid 1335] AH00046: child process 1814 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412137 2016] [core:error] [pid 1335] AH00046: child process 1833 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412144 2016] [core:error] [pid 1335] AH00046: child process 1834 still did not exit, sending a SIGKILL
[Wed May 25 13:58:15.412165 2016] [core:error] [pid 1335] AH00046: child process 1835 still did not exit, sending a SIGKILL
[Wed May 25 13:58:16.594681 2016] [core:error] [pid 1335] AH00047: could not make child process 1339 exit, attempting to continue anyway
[Wed May 25 13:58:16.594730 2016] [core:error] [pid 1335] AH00047: could not make child process 1340 exit, attempting to continue anyway
[Wed May 25 13:58:16.594755 2016] [core:error] [pid 1335] AH00047: could not make child process 1341 exit, attempting to continue anyway
[Wed May 25 13:58:16.594762 2016] [core:error] [pid 1335] AH00047: could not make child process 1525 exit, attempting to continue anyway
[Wed May 25 13:58:16.594768 2016] [core:error] [pid 1335] AH00047: could not make child process 1495 exit, attempting to continue anyway
[Wed May 25 13:58:16.594774 2016] [core:error] [pid 1335] AH00047: could not make child process 1401 exit, attempting to continue anyway
[Wed May 25 13:58:16.594780 2016] [core:error] [pid 1335] AH00047: could not make child process 1402 exit, attempting to continue anyway
[Wed May 25 13:58:16.594786 2016] [core:error] [pid 1335] AH00047: could not make child process 1422 exit, attempting to continue anyway
[Wed May 25 13:58:16.594792 2016] [core:error] [pid 1335] AH00047: could not make child process 1423 exit, attempting to continue anyway
[Wed May 25 13:58:16.594798 2016] [core:error] [pid 1335] AH00047: could not make child process 1425 exit, attempting to continue anyway
[Wed May 25 13:58:16.594804 2016] [core:error] [pid 1335] AH00047: could not make child process 1611 exit, attempting to continue anyway
[Wed May 25 13:58:16.594810 2016] [core:error] [pid 1335] AH00047: could not make child process 1429 exit, attempting to continue anyway
[Wed May 25 13:58:16.594816 2016] [core:error] [pid 1335] AH00047: could not make child process 1430 exit, attempting to continue anyway
[Wed May 25 13:58:16.594822 2016] [core:error] [pid 1335] AH00047: could not make child process 1432 exit, attempting to continue anyway
[Wed May 25 13:58:16.594828 2016] [core:error] [pid 1335] AH00047: could not make child process 1433 exit, attempting to continue anyway
[Wed May 25 13:58:16.594834 2016] [core:error] [pid 1335] AH00047: could not make child process 1489 exit, attempting to continue anyway
[Wed May 25 13:58:16.594839 2016] [core:error] [pid 1335] AH00047: could not make child process 1526 exit, attempting to continue anyway
[Wed May 25 13:58:16.594845 2016] [core:error] [pid 1335] AH00047: could not make child process 1451 exit, attempting to continue anyway
[Wed May 25 13:58:16.594851 2016] [core:error] [pid 1335] AH00047: could not make child process 1506 exit, attempting to continue anyway
[Wed May 25 13:58:16.594857 2016] [core:error] [pid 1335] AH00047: could not make child process 1454 exit, attempting to continue anyway
[Wed May 25 13:58:16.594863 2016] [core:error] [pid 1335] AH00047: could not make child process 1455 exit, attempting to continue anyway
[Wed May 25 13:58:16.594869 2016] [core:error] [pid 1335] AH00047: could not make child process 1456 exit, attempting to continue anyway
[Wed May 25 13:58:16.594875 2016] [core:error] [pid 1335] AH00047: could not make child process 1457 exit, attempting to continue anyway
[Wed May 25 13:58:16.594881 2016] [core:error] [pid 1335] AH00047: could not make child process 1458 exit, attempting to continue anyway
[Wed May 25 13:58:16.594909 2016] [core:error] [pid 1335] AH00047: could not make child process 1460 exit, attempting to continue anyway
[Wed May 25 13:58:16.594918 2016] [core:error] [pid 1335] AH00047: could not make child process 1461 exit, attempting to continue anyway
[Wed May 25 13:58:16.594924 2016] [core:error] [pid 1335] AH00047: could not make child process 1463 exit, attempting to continue anyway
[Wed May 25 13:58:16.594930 2016] [core:error] [pid 1335] AH00047: could not make child process 1464 exit, attempting to continue anyway
[Wed May 25 13:58:16.594936 2016] [core:error] [pid 1335] AH00047: could not make child process 1465 exit, attempting to continue anyway
[Wed May 25 13:58:16.594950 2016] [core:error] [pid 1335] AH00047: could not make child process 1466 exit, attempting to continue anyway
[Wed May 25 13:58:16.594957 2016] [core:error] [pid 1335] AH00047: could not make child process 1494 exit, attempting to continue anyway
[Wed May 25 13:58:16.594964 2016] [core:error] [pid 1335] AH00047: could not make child process 1474 exit, attempting to continue anyway
[Wed May 25 13:58:16.594981 2016] [core:error] [pid 1335] AH00047: could not make child process 1475 exit, attempting to continue anyway
[Wed May 25 13:58:16.594987 2016] [core:error] [pid 1335] AH00047: could not make child process 1476 exit, attempting to continue anyway
[Wed May 25 13:58:16.595022 2016] [core:error] [pid 1335] AH00047: could not make child process 1478 exit, attempting to continue anyway
[Wed May 25 13:58:16.595031 2016] [core:error] [pid 1335] AH00047: could not make child process 1479 exit, attempting to continue anyway
[Wed May 25 13:58:16.595055 2016] [core:error] [pid 1335] AH00047: could not make child process 1577 exit, attempting to continue anyway
[Wed May 25 13:58:16.595062 2016] [core:error] [pid 1335] AH00047: could not make child process 1503 exit, attempting to continue anyway
[Wed May 25 13:58:16.595082 2016] [core:error] [pid 1335] AH00047: could not make child process 1504 exit, attempting to continue anyway
[Wed May 25 13:58:16.595089 2016] [core:error] [pid 1335] AH00047: could not make child process 1505 exit, attempting to continue anyway
[Wed May 25 13:58:16.595095 2016] [core:error] [pid 1335] AH00047: could not make child process 1507 exit, attempting to continue anyway
[Wed May 25 13:58:16.595110 2016] [core:error] [pid 1335] AH00047: could not make child process 1513 exit, attempting to continue anyway

I have over 40,000 rows of this and my server has been live for less than 1.5 weeks. Any help to stop this as I can't even run 1 website of this server as it stands would be hugely appreciated.

Regards,
Muna

1 Answer

This often means that apache has reached it's MaxClients value and cannot create more. The most common reason for this to occur (aside from a massive flood of incoming traffic) is that the KeepAlive and KeepAliveTimeout settings in apache are tuned in such a way that apache is leaving client connections open after a request for long enough that it runs out of available client slots. Tuning these values can help correct this issue. Setting a low timeout value or disabling keepalive are recommended.

A quick search found this guide that covers these settings and how to tune them.

  • Hi,

    I have tried to implement this and after half hour my server was down again.

    [Wed May 25 17:12:12.914119 2016] [mpm_prefork:notice] [pid 3857] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.16 configured -- resuming normal operations
    [Wed May 25 17:12:12.914203 2016] [core:notice] [pid 3857] AH00094: Command line: '/usr/sbin/apache2'
    [Wed May 25 17:21:39.913161 2016] [mpm_prefork:error] [pid 3857] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
    muna@Private-Server-Basic:~$ [Wed May 25 17:12:09.004108 2016] [mpm_prefork:notice] [pid 2554] AH00169: caught SIGTERM, shutting down
    [Wed: command not found
    muna@Private-Server-Basic:~$ [Wed May 25 17:12:12.914119 2016] [mpm_prefork:notice] [pid 3857] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.16 configured -- resuming normal operations
    -bash: syntax error near unexpected token `('
    muna@Private-Server-Basic:~$ [Wed May 25 17:12:12.914203 2016] [core:notice] [pid 3857] AH00094: Command line: '/usr/sbin/apache2'
    [Wed: command not found
    muna@Private-Server-Basic:~$ [Wed May 25 17:21:39.913161 2016] [mpm_prefork:error] [pid 3857] AH00161: server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting
    [Wed: command not found

    I have tried various settings. Apologies this is my first server and as I said I am 2 weeks in with no previous experience in developing or coding etc.

    I appreciate all the help,
    Muna

    • No worries, we're happy to help. Can you paste your configuration file here so we can take a look. It still looks like you're running out of workers (sockets to accept new requests).

      Also, did you make sure to restart apache after making your changes. It looks like you did from these logs but I wanted to make sure as a reload or restart is required to load the updated configuration settings.

      • Hi,

        Yep I did restart Apache after this process, I did some digging around too and found the following file under this location /etc/apache2/mods-enabled/mpm_prefork.conf:

        prefork MPM StartServers: number of server processes to start MinSpareServers: minimum number of server processes which are kept spare MaxSpareServers: maximum number of server processes which are kept spare MaxRequestWorkers: maximum number of server processes allowed to start MaxConnectionsPerChild: maximum number of requests a server process serves

        <IfModule mpm_prefork_module>
        StartServers 5
        MinSpareServers 5
        MaxSpareServers 10
        MaxRequestWorkers 150
        MaxConnectionsPerChild 0
        </IfModule>

        vim: syntax=apache ts=4 sw=4 sts=4 sr noet

        I assume this is where I need to change the max request worked and spare servers etc will try this now and see if it helps.

        Regarding the configuration file of apache:

        This is the main Apache server configuration file. It contains the configuration directives that give the server its instructions. See http://httpd.apache.org/docs/2.4/ for detailed information about the directives and /usr/share/doc/apache2/README.Debian about Debian specific hints. Summary of how the Apache 2 configuration works in Debian: The Apache 2 web server configuration in Debian is quite different to upstream's suggested way to configure the web server. This is because Debian's default Apache2 installation attempts to make adding and removing modules, virtual hosts, and extra configuration directives as flexible as possible, in order to make automating the changes and administering the server as easy as possible. It is split into several files forming the configuration hierarchy outlined below, all located in the /etc/apache2/ directory: /etc/apache2/ |-- apache2.conf | `-- ports.conf |-- mods-enabled | |-- *.load | `-- *.conf |-- conf-enabled | `-- *.conf `-- sites-enabled `-- *.conf * apache2.conf is the main configuration file (this file). It puts the pieces together by including all remaining configuration files when starting up the web server. * ports.conf is always included from the main configuration file. It is supposed to determine listening ports for incoming connections which can be customized anytime. * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively. They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See their respective man pages for detailed information. * The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not work with the default configuration. Global configuration ServerRoot: The top of the directory tree under which the server's configuration, error, and log files are kept. NOTE! If you intend to place this on an NFS (or otherwise network) mounted filesystem then please read the Mutex documentation (available at ); you will save yourself a lot of trouble. Do NOT add a slash at the end of the directory path. ServerRoot "/etc/apache2" The accept serialization lock file MUST BE STORED ON A LOCAL DISK.

        Mutex file:${APACHELOCKDIR} default

        PidFile: The file in which the server should record its process identification number when it starts. This needs to be set in /etc/apache2/envvars

        PidFile ${APACHEPIDFILE}

        Timeout: The number of seconds before receives and sends time out.

        Timeout 15

        KeepAlive: Whether or not to allow persistent connections (more than one request per connection). Set to "Off" to deactivate.

        KeepAlive Off

        MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount. We recommend you leave this number high, for maximum performance.

        MaxKeepAliveRequests 100

        KeepAliveTimeout: Number of seconds to wait for the next request from the same client on the same connection.

        KeepAliveTimeout 5

        These need to be set in /etc/apache2/envvars

        User ${APACHERUNUSER}
        Group ${APACHERUNGROUP}

        HostnameLookups: Log the names of clients or just their IP addresses e.g., www.apache.org (on) or 204.62.129.132 (off). The default is off because it'd be overall better for the net if people had to knowingly turn this feature on, since enabling it means that each client request will result in AT LEAST one lookup request to the nameserver.

        HostnameLookups Off

        ErrorLog: The location of the error log file. If you do not specify an ErrorLog directive within a container, error messages relating to that virtual host will be logged here. If you do define an error logfile for a container, that host's errors will be logged there and not here.

        ErrorLog ${APACHELOGDIR}/error.log

        LogLevel: Control the severity of messages logged to the error_log. Available values: trace8, ..., trace1, debug, info, notice, warn, error, crit, alert, emerg. It is also possible to configure the log level for particular modules, e.g. "LogLevel info ssl:warn"

        LogLevel warn

        Include module configuration:

        IncludeOptional mods-enabled/.load
        IncludeOptional mods-enabled/
        .conf

        Include list of ports to listen on

        Include ports.conf

        Sets the default security model of the Apache2 HTTPD server. It does not allow access to the root filesystem outside of /usr/share and /var/www. The former is used by web applications packaged in Debian, the latter may be used for local directories served by the web server. If your system is serving content from a sub-directory in /srv you must allow access here, or in any related virtual host.

        <Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
        </Directory>

        <Directory /usr/share>
        AllowOverride None
        Require all granted
        </Directory>

        <Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
        </Directory>

        Options Indexes FollowSymLinks AllowOverride None Require all granted AccessFileName: The name of the file to look for in each directory for additional configuration directives. See also the AllowOverride directive.

        AccessFileName .htaccess

        <Directory /var/www/html/>
        AllowOverride All
        </Directory>

        The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients.

        <FilesMatch "^\.ht">
        Require all denied
        </FilesMatch>

        The following directives define some format nicknames for use with a CustomLog directive. These deviate from the Common Log Format definitions in that they use %O (the actual bytes sent including headers) instead of %b (the size of the requested file), because the latter makes it impossible to detect partial requests. Note that the use of %{X-Forwarded-For}i instead of %h is not recommended. Use mod_remoteip instead.

        LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
        LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %O" common
        LogFormat "%{Referer}i -> %U" referer
        LogFormat "%{User-agent}i" agent

        Include of directories ignores editors' and dpkg's backup files, see README.Debian for details. Include generic snippets of statements

        IncludeOptional conf-enabled/*.conf

        Include the virtual host configurations:

        IncludeOptional sites-enabled/*.conf

        vim: syntax=apache ts=4 sw=4 sts=4 sr noet

        Thank you for all of your help this is becoming rather stressful.

        Regards,
        Muna

        • Muna,

          The other settings look good. For the low volume traffic you mentioned this should not be happening. You can adjust the Servers/Workers settings and it should have an effect. I am a bit concerned though. I would recommend reviewing your access log, you can view entries as they come in in realtime with the command:

          tail -f /var/log/apache2/access.log
          

          Ctrl+C will exit when you're done. I am concerned that you might be seeing some type of attack traffic against your apache server to account for the number of requests required for this to occur.

          • Considering its a low traffic site and I have not even shared any of them with anyone let alone online the amount of traffic I am getting is very high:

            188.0.236.9 - - [25/May/2016:19:34:11 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:17 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:18 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:20 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:20 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:21 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:24 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:34 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:26 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:22 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:38 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:32 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:16 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:30 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:30 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:31 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:33 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:43 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:44 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:35 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:36 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:39 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:40 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:41 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:52 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:54 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:43 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:46 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:56 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:33:57 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:48 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:48 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            191.96.249.53 - - [25/May/2016:19:34:49 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
            188.0.236.9 - - [25/May/2016:19:34:45 +0100] "POST /xmlrpc.php HTTP/1.0" 200 603 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

            I feel like this is an attack on my server what can I do?

          • Now we've got something! Yes, these are outside hosts hitting the xmlrpc.php file in WordPress as it provides a potential attack vector if your WordPress is not up to date.

            We have an article specifically on how to block this type of atttack which can be found here.

            WordPress is a popular and powerful CMS (content management system) platform. Its popularity can bring unwanted attention in the form of malicious traffic specially targeted at a WordPress site. There are many instances where a server that has not been protected or optimized could experience issues or errors after receiving a small amount of malicious traffic. This guide will show you how to protect WordPress from XML-RPC attacks on an Ubuntu 14.04 system.
Have another answer? Share your knowledge.