Knowledge Base

WordPress site hosted in Plesk is slow. Lots of log entries: “POST /xmlrpc.php HTTP/1.0” 499

 
apachefail2banhackinghacking attackhosted

Symptoms

  • WordPress site is very slow.

  • There is a lot of entries in the log file /var/www/vhosts/example.com/logs/proxy_access_log :

    203.0.113.2 - - "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
     203.0.113.2 - - "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 
     203.0.113.2 - - "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 
     203.0.113.2 - - "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)" 
     203.0.113.2 - - "POST /xmlrpc.php HTTP/1.0" 499 0 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

  • The affected website may cause high CPU usage:

    # top -c
    1180 jdoe 20 0 20864 4280 3436 S 70.7 0.4 0:00.20 php-fpm: pool example.com
    1223 jdoe 20 0 38396 2628 2016 S 88.8 0.3 0:01.07 php-fpm: pool example.com
    1443 jdoe 20 0 29072 2404 6404 S 60.6 0.2 0:00.00 php-fpm: pool example.com

  • Many Apache processes are spawned:

    # pidof httpd
    62997 62996 62995 62994 62977 62976 62959 62710 62707 62705 62703 62702 62701 62700 62682 62681 62680 62663 62662 62645 62616 62581 62580 62579 62569 62568 62554 62520 62412 62411 62409 62408 62407 62406 62405 62381 62379 62378 62377 62359 62358 62344 62077 62075 62073 62072 62071 62067 62064 62060 62059 XXX-XXXX-XXXX-2026 62024 62023 62005 62003 61999 61987 61707 61598 61585 61547 61500 61499 61487 61486 61467 XXX-XXXX-XXXX-1372 61338 61312 61311 61310 61309 61287 61286 61273 61252 61195 61089 61088 61087 61086 61068 61067 61054 61003 60977 60946 60894 XXX-XXXX-XXXX-0890 60874 60873 60858 XXX-XXXX-XXXX-05…

  • Apache may fail with the following error in /var/log/httpd/error_log:

    server reached MaxRequestWorkers setting, consider raising the MaxRequestWorkers setting

Cause

Hacking attack via XML-RPC requests.

Resolution

Secure WordPress instance with a plugin like WordFence or JetPack; They will block malicious requests to the file xmlrpc.php. Both plugins are available for free in WordPress Plugin Catalog.

  1. Log in to Plesk.

  2. Go to WordPress > example.com > Plugins tab and click Install:
    plug.png

  3. Type in the plugin name in the search bar and install it:plug2.png

Alternatively, it is possible to configure fail2ban to block such requests.

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt