• Resolved edelen

    (@edelen)


    My site has been experiencing Apache server 500 errors due to too many active processes (according to my host). A quick check of what plugins might be causing this (using P3) shows WordFence regularly spiking in activity. In addition, it’s consuming nearly half of all the server resources allocated to the site. Even cutting back its memory allocation to 128MB has done nothing. I fell back from Falcon to standard caching too, and that’s not it either.

    I wiped out the entire site and reinstalled. Cut the number of plugins running in half, and have followed traditional debugging practices for wayward plugins.

    I’m at a loss to know what else to do. All signs show WordFence as the likely culprit.

    Did the latest update introduce a bug? It wasn’t until recently that any problems arose, and only WordFence and Akismet have updated recently among my plugins.

    Thanks.

    https://www.remarpro.com/plugins/wordfence/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Also getting time-outs and Rackspace said it was due to Wordfence. Deactivated and running again.

    Plugin Author WFMattR

    (@wfmattr)

    Do you know if the increased usage is during Wordfence scans? Or while a lot of IP addresses are being blocked? If there is an attack going on, then Wordfence would be doing more work, in logging the IPs to block.

    If it is during scans (or if you are not sure when it happens), can you check if you have any of these enabled on your Wordfence Options page?
    * Scan files outside your WordPress installation
    * Scan image files as if they were executable
    * Enable HIGH SENSITIVITY scanning
    * Enable debugging mode (near the bottom of the page)

    Usually you can disable these, if you’ve turned them on in the past — for most sites without a current infection, they shouldn’t be necessary.

    (If you scroll through the scan summary on the Scan page, you can see the start and end times of the last scan, to see if it is taking a very long time.)

    I don’t know of any new bugs that are causing excess CPU or memory usage. Do the “500” errors show any other text, if you’ve seen them yourself? Or if not, can you find any details in the site’s error log file? (Often error_log or error.log, but the location and name varies by host.)

    -Matt R

    Thread Starter edelen

    (@edelen)

    Matt,

    I ran P3 at different times and the results were the same, so I doubt that WordFence was in the middle of the same function every time. Not ruling that out, just less likely.

    As for scans, no, I have none of those higher intensity functions enabled.

    I have another less-trafficked site also running WordFence, and it too is consuming far more memory and CPU processes–just not enough to cause the site to shut down. Still, a concern. And again, this is an increase since the previous version.

    The error logs show only that too much memory is being consumed. Sadly, it vaguely traces this back to the index.php file in WordPress, and all that tells me is that someone tried to hit the site, it attempted to load, and it failed due to memory restrictions–which we’ve determined are due to too many background processes.

    My ISP, midphase, is saying that the site keeps spawning processes that then fail to close, eventually exceeding the server limits. The ISP raised those limits and all it did was permit more processes–which also failed to close, causing the same error. They can’t tell me exactly what those processes are linked to, but since disabling WordFence and returning to my previous firewall plugin, the site has calmed down dramatically.

    I hope that helps. Wish there were further details to provide.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for the additional details. Could you post a couple lines from the error log about the memory usage? The numbers may help, or the specific wording, in case it’s not the usual PHP memory limit.

    If you don’t mind sharing an access log file from the site, I could see if something unusual may be affecting Wordfence. Since access logs may include sensitive information like IPs of your visitors (and they’re very long), you can email it to me at mattr (at) wordfence.com

    We haven’t seen any issues like this on our servers since the latest update, but it’s possible that it’s related to having Wordfence and another plugin active at the same time — sometimes multiple plugins can interact and cause unusual issues, and an update can cause a new issue between them. I haven’t seen Wordfence cause processes to stay open like your ISP described, other than one process at a time, during scans — but the next one shouldn’t open until the last one is done. (That’s another thing I could check in the access log, as long as it covers the time period when this issue was happening.)

    -Matt R

    Hi Matt,

    I’d like to join this topic because for the past 4-5 days I’ve been trying to find what’s causing the high spikes in CPU and I/O usage on my (shared) server as well.

    I come to the same conclusion that Wordfence causes a lot of admin-ajax.php calls. Just before I stumbled on this topic I analysed two hours around a spike in CPU and, besides a small brute-force attack, 90% of the (filtered POST requests) data were admin-ajax.php calls from my own IP.

    I also noticed that under the Live Traffic tab (where I switched live traffic off) the login / logout tab is still visible. Going to that page gives me so many admin-ajax.php calls.

    I also noticed that the spikes were there at night, when there are not many visitors. The CPU spikes are also quite regular, which points me in the direction of cronjobs and/or plugins.

    I can get you all error and access log data you want, filtered the way you prefer. I can get you stats from when I open different Wordfence pages, like the Live Traffic page. Just let me know.

    Btw, leaving the Live Traffic page open for exactly a minute with Real Time disabled gave me 31 admin-ajax.php requests from my IP.

    I have also installed the Heartbeat Control plugin, but obviously Wordfence overrides it.

    Anyway, I can send you log data via email. I can be reached at okoth1 at gmail dot com

    Plugin Author WFMattR

    (@wfmattr)

    Okoth1:

    If you keep a browser open on any Wordfence admin page, it does an ajax request every 2 seconds by default. The current version of Wordfence detects if the browser window is currently active, so it should only happen if that window is in the foreground — minimizing or closing the window would stop the ajax requests. You can also decrease the number of ajax calls by setting “Update interval in seconds (2 is default)” to a higher number, on the Wordfence Options page — for example, if you set it to 10 seconds, you should only see about 6 ajax requests per minute while leaving a Wordfence admin page open.

    If you are still having trouble after changing that setting, can you create a new post describing the additional issues, and include a link to this one? www.remarpro.com’s rules ask us to keep each person’s issues in a separate post, even if they are very similar, and it helps us keep track of open issues, too. Thanks!

    -Matt R
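
Added example, not part of the original thread and not Wordfence code: a way to check from an access log whether admin-ajax.php load matches the admin-page polling described above (about 30 POSTs per minute from one IP at the 2-second default, about 6 at 10 seconds). The log lines are constructed, and the Apache common/combined log format and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the host writes Apache common/combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
AJAX_PATH = "/wp-admin/admin-ajax.php"


def ajax_polling_report(lines):
    """Per client IP: admin-ajax.php POST count, busiest minute, and the
    median gap in seconds between consecutive requests."""
    times = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != AJAX_PATH:
            continue
        times[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))
    report = {}
    for ip, stamps in times.items():
        stamps.sort()
        per_minute = defaultdict(int)
        for t in stamps:
            per_minute[t.replace(second=0)] += 1
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[ip] = {"total": len(stamps),
                      "peak_per_minute": max(per_minute.values()),
                      "median_gap_s": gaps[len(gaps) // 2] if gaps else None}
    return report


def make_sample():
    """Constructed lines: one admin browser polling every 2 s for a minute,
    plus a login POST and an ajax GET that the report must ignore."""
    start = datetime.strptime("12/Mar/2015:02:14:00 +0000", TS_FORMAT)
    def row(ip, offset, req):
        ts = (start + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "{req} HTTP/1.1" 200 58 "-" "Mozilla/5.0"'
    lines = [row("198.51.100.20", 2 * i, "POST " + AJAX_PATH) for i in range(30)]
    lines.append(row("203.0.113.9", 0, "POST /wp-login.php"))
    lines.append(row("203.0.113.9", 1, "GET " + AJAX_PATH + "?action=x"))
    return lines


if __name__ == "__main__":
    print(ajax_polling_report(make_sample()))
```

A steady median gap close to the configured update interval from a single admin IP points to an open admin page; irregular gaps or many source IPs call for a closer look at the log.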

    Sorry to tell you but I switched to Ninjafirewall after reading this article: “WordPress brute-force attack detection plugins comparison”. And man, what am I happy I did that! No more maximum usage spikes when I checked again this morning. My search is over. Wish I knew before.

    Anyway, thank you for keeping my websites safe for the past couple of years.

    Cheers!

    Thread Starter edelen

    (@edelen)

    Matt,

    Though it took almost a week, my site crashed again with WordFence disabled. While this does not clear WordFence entirely (it still is using a LOT of resources and may be exacerbating the issue), WordFence is not the primary culprit. I was finally able to isolate the plugin that IS the troublemaker.

    I will be enabling WordFence again, but I hope that future versions concentrate on tightening its use of server resources.

    Thanks.

    Plugin Author WFMattR

    (@wfmattr)

    Thanks for following up. I’ll pass this on to the dev team — we appreciate the feedback!

    -Matt R

  • The topic ‘500 Errors and memory/CPU overflow?’ is closed to new replies.