By Erez Hod
Hi guys!
A few weeks ago I have created a new Wordpress one-click install droplet and connected it to my domain.
In the last few days I am getting an “Error establishing database connection” error.
I logged into the console via SSH, launched htop and noticed that my CPU is running at 100%, the www-data is taking about 40-60% of CPU constantly, MySQL is killing the RAM (maxing it out) and my website is not even loading.
I tried rebooting the server, I tried restarting the apache2, tried restarting mysql, but no luck. When I stop mysql, the website becomes responsive again (although CPU still peaks at 100%).
I tried disabling my Wordpress to the minimum (no plugins, just the original theme) but nothing works.
I also thought maybe I’m getting an XMLC attack, so I tried DO’s tutorial on how to block that (all options) but nothing actually works.
Also, it might be important to say that my Wordpress installation is very minimal and barely has content in it (no one worked on it yet).
Specs (Droplet): 1 GB Memory / 25 GB Disk / FRA1 - Ubuntu WordPress on 18.04.1. PHP 7.2.17 MySQL 5.7.26
Screenshots (htop): https://imgur.com/a/JCdhjO3
Thank you very much!
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Greetings!
I’m sorry about the trouble this is causing. I appreciate your attention to detail here, you clearly know well what you are doing with this. Hopefully I can offer some helpful thoughts.
If you’ve reverted to no plugins and default theme, and this continues, my thoughts are leaning toward two possibilities:
- Unfortunate and hidden IP reputation. Something existed on that IP in the past that successfully received attacks, causing the IP to be circulated in some secret list, and now it receives more attacks than normal by default. Those could be brute force or scanning for vulnerable web applications. You might see this behavior by tailing the log like this:
tail -f /var/log/apache2/access.log
- Wordpress has been compromised. Through a theme or plugin most likely, and the impact may remain after disabling them. Often these compromises involve exploiting a PHP script that allows them to upload a script to the site, then they make POST requests to that script from the public facing web server, for whatever malicious purpose may be relevant to that case. Sometimes the file they write to will be an existing Wordpress site file, so you may not see a weird PHP file hanging out anywhere but instead have a default script with some extra goodies added to it. Should this be the case, you may see weird POST requests to an unexpected PHP file in your logs:
grep "POST" /var/log/apache2/access.log
I really like this blog article about finding compromised PHP scripts: http://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/
I can’t imagine what else it might be, but I’d love to know if you find out.
Jarland
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.