Question

WordPress One-Click CPU & Memory overloading

Hi guys!

A few weeks ago I created a new WordPress one-click install droplet and connected it to my domain. In the last few days I have been getting an “Error establishing database connection” error. I logged into the console via SSH, launched htop and noticed that my CPU is running at 100%, the www-data is taking about 40-60% of CPU constantly, MySQL is killing the RAM (maxing it out) and my website is not even loading.

I tried rebooting the server, I tried restarting the apache2, tried restarting mysql, but no luck. When I stop mysql, the website becomes responsive again (although CPU still peaks at 100%).

I tried disabling my WordPress to the minimum (no plugins, just the original theme) but nothing works.

I also thought maybe I’m getting an XMLC attack, so I tried DO’s tutorial on how to block that (all options) but nothing actually works.

Also, it might be important to say that my WordPress installation is very minimal and barely has content in it (no one worked on it yet).

Specs (Droplet): 1 GB Memory / 25 GB Disk / FRA1 - Ubuntu WordPress on 18.04.1. PHP 7.2.17 MySQL 5.7.26

Screenshots (htop): https://imgur.com/a/JCdhjO3

Thank you very much!


Greetings!

I’m sorry about the trouble this is causing. I appreciate your attention to detail here, you clearly know well what you are doing with this. Hopefully I can offer some helpful thoughts.

If you’ve reverted to no plugins and default theme, and this continues, my thoughts are leaning toward two possibilities:

  • Unfortunate and hidden IP reputation. Something existed on that IP in the past that successfully received attacks, causing the IP to be circulated in some secret list, and now it receives more attacks than normal by default. Those could be brute force or scanning for vulnerable web applications. You might see this behavior by tailing the log like this:
    tail -f /var/log/apache2/access.log
  • WordPress has been compromised. Through a theme or plugin most likely, and the impact may remain after disabling them. Often these compromises involve exploiting a PHP script that allows them to upload a script to the site, then they make POST requests to that script from the public facing web server, for whatever malicious purpose may be relevant to that case. Sometimes the file they write to will be an existing WordPress site file, so you may not see a weird PHP file hanging out anywhere but instead have a default script with some extra goodies added to it. Should this be the case, you may see weird POST requests to an unexpected PHP file in your logs:
    grep "POST" /var/log/apache2/access.log

I really like this blog article about finding compromised PHP scripts: http://www.gregfreeman.io/2013/how-to-tell-if-your-php-site-has-been-compromised/

I can’t imagine what else it might be, but I’d love to know if you find out.

Jarland
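
The two log checks suggested in the answer above can be combined into one pass. This is an added example, not part of Jarland's answer: it assumes Apache's default combined log format, and the function names, the list of "expected" WordPress POST endpoints and the sample log lines are all constructed for illustration.

```shell
#!/bin/sh
# Summarise POST requests from an Apache combined-format access log.
# Usage: post_triage /var/log/apache2/access.log   (reads stdin if no file is given)
post_triage() {
  awk '
    # Combined format fields: $1 client IP, $6 "METHOD, $7 request target, $9 status
    $6 == "\"POST" {
      path = $7
      sub(/\?.*/, "", path)                  # drop the query string
      # High POST volume here from one IP suggests login / XML-RPC brute forcing
      if (path == "/wp-login.php" || path == "/xmlrpc.php") { brute[$1]++; next }
      # Assumption: POSTs under /wp-admin/ and to these core files are normal traffic
      if (path ~ /^\/wp-admin\// || path == "/wp-cron.php" || path == "/wp-comments-post.php") next
      # Any other PHP file receiving POSTs deserves a look (e.g. under wp-content/uploads)
      if (path ~ /\.php$/) odd[path " " $9]++
    }
    END {
      for (k in odd)    print "UNEXPECTED", odd[k], k
      for (ip in brute) print "LOGIN_OR_XMLRPC", brute[ip], ip
    }' "${1:--}" | sort
}

# Constructed sample log lines (documentation IP ranges, made-up paths)
sample_log() {
cat <<'EOF'
203.0.113.7 - - [20/May/2019:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2019:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2019:10:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.23 - - [20/May/2019:10:02:10 +0000] "POST /wp-content/uploads/2019/05/cache.php?x=1 HTTP/1.1" 200 12 "-" "curl/7.58.0"
198.51.100.23 - - [20/May/2019:10:02:11 +0000] "POST /wp-content/uploads/2019/05/cache.php HTTP/1.1" 200 12 "-" "curl/7.58.0"
192.0.2.10 - - [20/May/2019:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2019:10:03:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [20/May/2019:10:04:00 +0000] "-" 408 0 "-" "-"
EOF
}

sample_log | post_triage
```

This check only surfaces POSTs to files outside the expected list; a modified core file, which the answer also mentions, still has to be found by comparing the installation against clean WordPress sources.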