After running some checks on my webserver I noticed that the CPU was running at 90-100% capacity. Considering that normal usage was 2-3%, this didn't look right.

Running the top command showed that the processes hogging the CPU were all PHP-CGI processes.

Further investigation showed that the cause was a DDoS attack on one of my WordPress-based sites.

An example of the attack requests as they appear in the server access log:

[04/Apr/2019:11:22:33 +0200] "POST /xmlrpc.php HTTP/1.0" 403 - "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"

These entries recurred throughout the logs, and each one requests the same file: xmlrpc.php.

XML-RPC is a remote procedure call protocol that lets any remote client interact with your WordPress website. In effect it lets you manage your site without logging in through the normal wp-login.php page.

The problem with leaving XML-RPC enabled is that it also exposes your website to brute-force password attacks and DDoS attacks. Every request to xmlrpc.php bootstraps WordPress in a PHP-CGI process, which is why a flood of them shows up as PHP-CGI CPU load.

There are several ways to disable XML-RPC; this is the solution I used, applied through WHM as follows.

Navigate to WHM -> Apache Configuration -> Include Editor

Select "Pre VirtualHost Include"
Under "Select an Apache Version" click on the drop-down and choose "All Versions of Apache"

Add the following text:

Click on Update. Updates will be saved and Apache will be restarted.
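The include text itself did not survive on this page. As an added example, not the author's own text, this is the kind of block that belongs in that Pre VirtualHost Include: it denies every request to xmlrpc.php across all virtual hosts, using the Apache 2.4 directive and falling back to the 2.2 syntax because the include is applied to "All Versions of Apache". The hostname example.com in the comment is a placeholder.

```apache
# Added example, not the original post's include text.
# Deny all requests to xmlrpc.php server-wide. Because this lives in the
# Pre VirtualHost Include it applies to every site on the server.
<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core): returns 403 to every client
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier (mod_authz_host), same effect
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
# After Apache restarts, verify with:
#   curl -sI https://example.com/xmlrpc.php
# which should now return HTTP 403, matching the status seen in the log line above.
```

Note that the WordPress mobile apps and the Jetpack plugin communicate with the site through xmlrpc.php, so they stop working once it is blocked.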

Following this update CPU usage dropped significantly, from 95% to around 10%. It was still higher than expected, however, and I traced the remainder to several persistent connections to posts on the blog. It looked like my posts were being scraped by external sites' scripts and republished elsewhere; there are quite a few auto-blog sites that steal posts from other blogs.

So I decided to take further lockdown actions. I routed this blog's DNS through a free service called Cloudflare, which incorporates many security features including DDoS protection. Once the site was added to Cloudflare I enabled "Under Attack Mode".

Once attack mode was enabled CPU usage dropped back to 1% and the server was again running correctly. This gives you time to investigate the issue further and correct it; you can then disable attack mode later, or leave it enabled as an additional layer of security. While attack mode is on, you will notice a 5 second warning delay before your website loads. Hopefully this will help others who experience an abnormally high CPU load from PHP-CGI processes on their servers.