• Resolved ElviraKate

    (@elvirakate)


    I’m seeing a lot of CPU usage spikes which are causing CPU resources to be limited for my site (I’m on a shared hosting package). My site is small and not complicated, it is pages only, no posts or comments. When I look at the logs, WF is scanning too frequently – one today at 1.15pm and another apparently scheduled for 11.30pm. I have ‘use low resource scanning enabled but the file requests generated by the scan look like a bruteforce attack!
    What can I do to calm Wordfence down?

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi Kate (@elvirakate)

    Have you tried disabling some scan options? For example: Scan images, binary, and other files as if they were executable.

    Another thing you might want to try is to exclude files from the scan

    Thread Starter ElviraKate

    (@elvirakate)

    Images etc is already unchecked, I’ve excluded pdfs, but other than images I don’t have any other non-WP files. Are there any other obvious file-types or folders I can exclude? The problem is not that the scans take a long time, they don’t – they just hammer away, at intervals that are much smaller than 24 hours. Why would they do that?

    Also, I reset the firewall settings to block IPs that attempt logins more than 3 times, the program doesn’t recognise this and only stops them after 5 attempts. This isn’t really important, just a bit annoying – and goes to ramp up CPU usage as well.

    Any ideas as to what might have gone wrong and how I can fix it?

    @elvirakate,

    Another thing you might want to check is if the Live Traffic View is active.
    If so, try and disable it to reduce the load on the server.

    Regarding the maximum number of attempted logins not being recognized, if the issue persists, could you please create a new thread so we can further investigate?

    Thread Starter ElviraKate

    (@elvirakate)

    Live Traffic View is disabled and has never been activated on either site. Low resource scanning is enabled.
    I forgot to mention that I have two sites with WF installed. One seems to work less intensely than the other, but it is a bit smaller (130MB, the other is 190MB). The larger one generates a high fault count and uses a lot more CPU.
    I’m puzzled by the scan intervals and the number of files mentioned.For a start the timestamp is an hour out (still on GMT), secondly the intervals are odd – on one site the April 1st scan was at 22.09, April 2 at 18.43, April 3 at 18.14; on the other the April 1st scan was at 6.57, April 2 at 00.47, April 3 at 00.25, with two more scans apparently scheduled but not run, at 7.10 and 13.00. Is this expected bahaviour?
    And is it usual to scan up to 3900 or so files, plus hundreds of additional files? I didn’t think there were that many in the folders!
    I’m just concerned that the slightly larger site seems to hit the CPU limit consistently while scanning, while the other doesn’t.

    I’ll leave the attempted logins for another time till I’ve sorted this CPU problem out.

    Hi Kate,

    Sorry about this back and forth process but as I’m not sure what is causing the behaviour I’m going to need additional information.

    In Wordfence –> Scan –> Options, is the “Scan files outside your WordPress installation” feature disabled? This can have a significant impact on the number of files that will be included in the scan.

    Regarding the timestamp being one hour out, I believe this is due to your WordPress site timezone setting. In order to adjust it, go to Settings –> General and scroll down to the Timezone parameter.

    Regarding the intervals between scans, can you confirm that the timestamps you specified are for the Scheduled Wordfence scan time as opposed to the Scan Complete time?

    Could you paste here a screenshot of the Cron Jobs list? To view it:

    • Go to the Wordfence Tools page
    • Go to the Diagnostics tab
    • Scroll down to the Cron Jobs section

    If that’s OK with you I’d like to take a look at the activity log over a 24 hours period with the debugging mode on.

    • Go to Wordfence –> Tools –> Diagnostics
    • Scroll down to the Debugging Options section (bottom of the page)
    • Tick the Enable debugging mode checkbox and hit Save Changes

    Once this modification has been implemented, let Wordfence run as usual and after 24 hours please send an extract of the activity log covering that period to [email protected] (please include your WP forum username and this post’s title in the subject)

    Thread Starter ElviraKate

    (@elvirakate)

    OK, thanks very much for helping. I have two sites which behave slightly differently. Neither has ‘scan files outside WP’ ticked.
    I can’t paste screenshots here, there doesn’t seem to be an option to upload images. Have I missed something? I do see, though, that there are many more cronjobs than I thought there would be, and that one site has more than the other, although WF is configured the same, and the site that has more features neither posts nor comments.

    I’ve enabled debugging and will send you the scan logs tomorrow. So far, though, this is what has been happening on the first (fewer cronjobs) site in the last few days:

    [Apr 03 00:23:27:1491175407.901479:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 12:23:27 AM
    [didn’t complete]

    [Apr 03 07:10:10:1491199810.099242:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 07:10:10 AM
    [Apr 03 13:00:13:1491220813.032734:1:info] Scheduled Wordfence scan starting at Monday 3rd of April 2017 01:00:13 PM
    [Apr 04 08:08:27:1491289707.637843:1:info] Scheduled Wordfence scan starting at Tuesday 4th of April 2017 08:08:27 AM

    [Apr 04 08:11:01:1491289861.080705:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 27868 records in 2 minutes 30 seconds.
    [Apr 04 20:27:26:1491334046.650243:1:info] Scheduled Wordfence scan starting at Tuesday 4th of April 2017 08:27:26 PM
    [Apr 04 20:29:25:1491334165.205375:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 28143 records in 1 minute 55 seconds

    [Apr 05 01:45:15:1491353115.069025:1:info] Scheduled Wordfence scan starting at Wednesday 5th of April 2017 01:45:15 AM
    [Apr 05 01:47:44:1491353264.037868:1:info] Scan Complete. Scanned 2025 files, 5 plugins, 2 themes, 64 pages, 0 comments and 28357 records in 2 minutes 25 seconds.

    Am finding this all very confusing! Sorry!

    Thread Starter ElviraKate

    (@elvirakate)

    Hi, I sent in all the logs and scans to [email protected] (attn Wfyann) before the weekend. Did you get them?

    regards

    Hi @elvirakate,

    Thank you for sending the logs and screenshots.

    The number of scheduled scans displayed on the Cron Jobs list is consistent with the normal 24 hours scan frequency. However, the activity log shows many scheduled scan times for the same dates.

    As I’m not sure on which date the screenshots were taken, could you please check again the Cron Jobs list (Wordfence –> Tools –> Diagnostics) to see if some jobs have a time in the past.

    If so, the issue could be related to WP-Cron.

    Hello @elvirakate,

    Since I haven’t heard back from you I am assuming that you have managed to solve your issue so I am marking this topic as resolved.

    If however, for whatever reason, you are still experiencing this issue and it is not resolved please respond to the post, which will move it back up the queue, and mark this topic as “not resolved”.

    Thank you.

    Thread Starter ElviraKate

    (@elvirakate)

    Hi wfann – it’s not resolved, in fact, but I don’t have time to spend on it for the next few weeks. FWIW I think the CPU usage is better since the tweaks, but the number of faults is as large. It may be an optimisation question, but I can’t do that right now. As long as the sites are working!

    thanks to you and the Mountain Man for your help.

Viewing 10 replies - 1 through 10 (of 10 total)
  • The topic ‘CPU spikes, scanning too frequently’ is closed to new replies.