After debugging high CPU usage for a week, I’ve discovered that URLs submitted to my WordPress site that result in 404 errors cause high CPU usage. I tested my site with jmeter. When I request a file that exists at 5 requests/second, the CPU usage averages 3.7%. When I request a file that does not exist at 5 requests/second, the CPU usage averages 69%.
I’m using WAMP: Windows Server 2008 R2 Standard, sp 1, 64-bit. Apache version 2.4 MySql version 5.6.9 PHP version 5.4.13 4 GB RAM Intel Xeon CPU 2.93GHz (2 processors)
The strategy that I’ve been using to try to mitigate this problem is to configure Apache to handle requests for extensions that I know WordPress does not need to handle. Here’s the current line I’ve added to .htaccess to identify the extensions that Apache should handle:
RewriteCond %{REQUEST_URI} !(\.action|\.aro|\.ascx|\.asf|\.asp|\.aspx|\.asx|\.avi|\.bat|\.bmp|\.ca|\.cfg|\.cfm|\.cgi|\.class|\.css|\.de|\.divx|\.dk|\.dll|\.doc|\.docx|\.ee|\.el|\.eot|\.es|\.et|\.exe|\.fbcindex|\.gif|\.gz|\.gzip|\.htaccess|\.htm|\.html|\.ico|\.inc|\.ini|\.jpe|\.jpeg|\.jpg|\.js|\.log|\.m4a|\.m4v|\.mdb|\.mid|\.midi|\.mov|\.mp3|\.mp4|\.mpe|\.mpeg|\.mpg|\.mpp|\.nl|\.no|\.nsf|\.odb|\.odc|\.odf|\.odg|\.odp|\.ods|\.odt|\.ogg|\.pdf|\.php|\.phtml|\.pl|\.png|\.pot|\.pps|\.ppt|\.pptx|\.properties|\.pt-br|\.qt|\.ra|\.ram|\.rtf|\.rtx|\.sh|\.shtml|\.svg|\.svgz|\.swf|\.tar|\.tif|\.tiff|\.ttf|\.tw|\.txt|\.wav|\.wax|\.wma|\.wmv|\.wmx|\.wof|\.wri|\.wsgi|\.wwwacl|\.xla|\.xls|\.xlsx|\.xlt|\.xlw|\.xml|\.xsd|\.xsl|\.zip)$ [NC]
This solution works well for known extensions. The problem is that there are some requests, typically submitted by hackers, that look like requests that WordPress should handle. Here are some examples:
https://www.example.com/postnuke
https://www.example.com/asp
https://www.example.com/webmail
https://www.example.com/c32web.exe/CheckError?error=99
I suppose I could configure Apache to handle each specific path, but that’s a lot of maintenance and it would be impossible to enter every path that doesn’t exist. I don’t think that would be a good solution.
This is a security issue because it’s an easy attack vector for a DoS attack.
It would be helpful to know if anyone else has this issue. I wonder if I have something misconfigured or if this is just a limitation of WordPress. Any ideas on how to better handle this issue?
For anyone else having high CPU usage on WordPress, I also found that the Pagelines theme was dynamically compiling CSS which was also causing high CPU usage. I modified the theme to stop doing that which solved that problem.
