Issue with abuse of CPU resources

Several days ago I received a notice from Hostgator about abuse of resources. I've been through all of their suggested remedies and achieved a little success, but something's still happening that shouldn't. I've been watching my CPU resource chart and noticed a sharp spike around 9 this morning. That is the time I tried to log in to my multisite but was not immediately able to do so because my browser said site not available. I checked my log files and I find rows and rows that look like these starting around 9:

216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"
216.17.109.201 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"

I noticed this same pattern yesterday and the day before but did not immediately associate it with the time I logged in, so it's possible that today is just a coincidence. This is not my IP # or one of Hostgator's, so I've entered it in my IP Address Deny Manager. My question is: is it possible that my logging in is triggering some sort of loop that overloads my CPU? If so, any suggestions for solving this issue?

Thanks,
Larry Bartley

  • Adam Czajczyk

    Hey Larry,

    I hope you're well today and thanks for your question!

    It seems to me like either a crawler robot of some kind is mistakenly trying to access the login site or - which is unfortunately more likely - there's an ongoing attack on the site. These happen more and more often every day as bot networks are picking up new WordPress-based sites.

    Blacklisting the IP indicated in your error-log is a must here. This can be done for example by adding these lines to your .htaccess file:

    Order Deny,Allow
    Deny from 123.123.123.123

    Add this at the very beginning of your .htaccess file and of course replace "123...." with an actual IP number. If you wish to block more IPs, please repeat the "Deny from..." line.

    I also highly recommend the Wordfence plugin. It's a security suite and I can tell from my own experience that it's very efficient:

    https://wordpress.org/plugins/wordfence/

    I hope that helps!

    Cheers,
    Adam

  • lbartley

    Thanks for your prompt reply Adam. I've blocked this IP and many others in the past but I haven't seen this particular pattern before. I've been using WordFence on this site and I just went back and tweaked the settings a little. Also I had forgotten about the WPS Hide Login plugin which I just installed. I'd used it in the past and found it to be really effective combined with WordFence automatically blocking any IP trying to access "wp-admin". I'll keep a close watch on it with these modifications and see what happens.

    Thanks again,
    Larry

  • Adam Czajczyk

    Hey Larry,

    Thanks for this information!

    I see you've got a pretty secure setup there, that's really great :)

    I've just taken a second look at the error log and what you just wrote pretty much explains the "403" error, which is actually a "403 Forbidden" error. That means that whoever or whatever is trying to access your wp-login.php isn't able to because your server bounces these requests.

    I wouldn't worry about this particular URL then as the chance to break into your site through it is close to zero :) However, the fact that there are access attempts at all actually is a bit worrying.

    I think that once you've made adjustments to your site's security settings, it would be good to keep an eye on the logs just to see what's going on.

    In case you need any further assistance, don't hesitate to ask. I'll be glad to help!

    Cheers,
    Adam
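
One way to "keep an eye on the logs" as suggested in the thread, shown as an added example that is not part of the original posts: a small parser for the access-log format quoted above that flags IPs sending bursts of POSTs to /wp-login.php and tallies the status codes they received. The function name, the 10-second window, the threshold of 5 and the sample lines (documentation-range IPs) are assumptions made for this illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Combined Log Format, the shape of the lines quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def login_bursts(lines, window_seconds=10, threshold=5):
    """Return {ip: {"peak": n, "statuses": Counter}} for IPs whose POSTs to
    /wp-login.php reach `threshold` within any `window_seconds` span."""
    hits = defaultdict(list)              # ip -> [(timestamp, status), ...]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                      # skip unparsable lines and non-POSTs
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, m["status"]))

    window = timedelta(seconds=window_seconds)
    report = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):    # sliding window over sorted times
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            report[ip] = {"peak": peak,
                          "statuses": Counter(s for _, s in events)}
    return report

# Constructed sample: same line shape as the thread, documentation-range IPs.
SAMPLE = (
    ['203.0.113.7 - - [01/Aug/2015:09:20:03 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"'] * 13
    + ['203.0.113.7 - - [01/Aug/2015:09:20:04 -0500] "POST /wp-login.php HTTP/1.0" 403 18200 "-" "-"'] * 6
    + ['198.51.100.9 - - [01/Aug/2015:09:21:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '198.51.100.9 - - [01/Aug/2015:09:21:12 -0500] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
)

if __name__ == "__main__":
    for ip, info in login_bursts(SAMPLE).items():
        print(ip, "peak:", info["peak"], "statuses:", dict(info["statuses"]))
```

An all-403 tally matches the reading given in the thread that the server is refusing these requests; any other status on flagged POSTs deserves a closer look.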
