Excess CPU usage (Hostgator)

Sorry to hear about the trouble — sometimes this can be when a scan is running if the scan takes a long time on your site, or it can mean that there was a fast group of login attempts that Wordfence was blocking.

Past cron jobs are not logged directly, but you can see future cron jobs by clicking the link near the bottom of the Wordfence Options page that says “Click to view your systems scheduled jobs in a new window” — the times are somewhat randomized on the free version.

I think the log you are looking for is the site’s access log — that includes cron jobs and other visits, so it should help you find out what was happening at the time. They can be in different places on some hosts, but Hostgator has a guide to find them here:
Hostgator – raw access logs

If a Wordfence scan was running at the time, you should see lines in the log that include this:
GET /wp-admin/admin-ajax.php?action=wordfence_doScan

For excessive login attempts, you should see a lot of “POST /wp-login.php” attempts. If they were blocked by the Wordfence Security Network, you might not see them the same way, or if your WordPress files are in a subdirectory, they might be listed as 404’s instead of login attempts.

If this narrows down the cause of the issue, but you still need help reducing CPU usage, just reply here, and let us know what you’ve found from the logs.

-Matt R

Thanks for the timely reply! I’m heading over to check on the locations and see if I can find any helpful info.

Here’s what it is sending in the notice I received that they were temporarily suspending my account:

transitiontimecoach.com /wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&c

The account SSL cert is expired, HG didn’t update it on time. Arrgh! Just found that out too as it is noted in the email.

Could that cause a mismatch?

Ok, that definitely is the scan, then. You could try disabling some of the scan options, to make the scan take less time — of course, it would also provide less protection. The expired SSL certificate shouldn’t make a difference for this issue.

If you want to email me the scan log, I can see which options may help reduce usage for your site. On the Scan page under the Wordfence menu, click the “Email activity log” link above the second yellow box, and enter my email address: mattr (at) wordfence.com

-Matt R

I received the scan log that you sent — strangely, there is some missing time in the middle, so I can’t see if there were two separate scans or one rather long scan. If you have found the access log for the site, could you email me a copy of that as well?

Also, can you post a listing of the options you have selected under the “Scans to include” section of the Wordfence Options page?

In the meantime, you may want to disable “Enable automatic scheduled scans” on the Wordfence Options page, so the host does not complain — if we can work out better settings in the next couple of days, then you can turn it back on.

-Matt R

Thanks Matt! Super nice to get a reply so quickly!

I turned off auto scans– good idea. But I sure love how that keeps me updated.

Sent you an email with the access files attached.

Scans to include section is in the email I sent too. Didn’t allow it to copy correctly here.

Standing by for any more requests for info.

Kelly

HostGator is sending me the same emails in the past week saying I’m using excessive CPU and they will terminate my account. The logs they are sending are showing 85%+ CPU being caused by WordFence scans. Here is a sample:

PID %CPU STIME CMD
29470 28.3 16:07 /opt/php54/bin/php-cgi /home5/user/public_html/wp-admin/admin-ajax.php
32799 57.1 16:08 /opt/php54/bin/php-cgi /home5/user/public_html/wp-admin/admin-ajax.php
Total CPU usage: 85.9%

It’s coming from this per the logs they sent:

xxx.xxx.xxx.xxx mydomain.com /wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&c

They are asking to disable and delete the plugin completey. I unchecked “Enable Live Traffic View” first and I still kept getting emails from them. Now I have unchecked “Enable automatic scheduled scans” too so I guess the plugin isn’t doing much anymore. Please let me know if there is an option to limit or throttle how much CPU the scans use. I don’t mind them taking longer to run.

@lightrunner same except I’m at 84% :^)

What is amazing is that

I’m not getting any support from HG

, but MattR and Wordfence are VERY HELPFUL. Hmmmm!

I’ve run WF for a couple years and this blog has been almost static content wise for most of this year. Only changes have been WP and other plugin updates from time to time.

I’ll post anything if I get going.

Now that I have unchecked the “enable automatic scheduled scans” things stayed flat on the CPU usage. So that kinda-sorta confirms that is the problem I think. HG released me from the temp suspension from what I can tell. Very interesting that they STILL have not responded to my ticket from Sunday afternoon.

I had several plug-ins update last week. Wonder if that might be the issue.

@wfmattr should I send you my system info by email.

My thought is is @lightrunner and I both have a plugin or two in common, that might be something to disable and turn scans back on and see if we get in trouble again. ??

@kmacker: Thanks for sending the details. I can see in the scan results that there were over 22,000 additional files scanned, aside from the typical files. Given the list of scan options that you also sent, I think this is most likely from every file in the site’s cache being scanned.

You can probably get much better performance from a scan by excluding the typical cache folder from scans using the “Exclude files from scan that match these wildcard patterns” option. Some of the popular caches use:
/wp-content/cache/*

Or Wordfence’s cache folder, if you have Falcon or Basic caching enabled in Wordfence:
/wp-content/wfcache/*

If you use a caching plugin that uses a different folder, you could add that in the same way. If your WP core files are in a subdirectory, you may need to list the directory before the path (e.g., /wp/wp-content/cache/*)

After making the changes, you can try running a manual scan on the Scan page — if it seems to be taking too long, you can click the link to kill the scan. Note how many “additional” files it says it scanned in the lower yellow box. If it is still a large number, there may be additional files that need to be excluded. (Or if you ever switched caching plugins, the old cache may still exist.)

Let me know how it goes.

This exclusion will make it possible for code or bad html files to be hidden in your cache’s folder if someone manages to break into the site, but you would most likely see other files modified as well that are still being scanned. This might be the best balance to keep the host from shutting down the site, while still keeping protection for a good portion of the site.

You could still run a full scan periodically, without excluding the above folders, if needed — especially if you clear the cache first. Or, if your cache can be completely cleared so you can see just an empty folder, you could just clear it periodically to be sure it’s clean.

@lightrunner: The same steps may apply to your site if you have a caching plugin. We don’t currently have a way to throttle scans, but do have a feature request for similar cases and have some performance improvements planned. If the items above don’t help in your case, can you open a separate post, and we can walk through the specifics of your site there? Thanks!

-Matt R

OK, looks good so far! I cleared SuperCache and added the exclusion too. Did a manual scan and it went well. Monitored the CPU and Mem Usage in CPanel and it was 0.6% CPU and 0.4% Mem while it was running. I’d say that’s pretty good.

[Oct 27 14:00:37] Scan Complete. Scanned 4935 files, 22 plugins, 3 themes, 46 pages, 97 comments and 17049 records in 234 seconds.
[Oct 27 14:00:37] Wordfence used 45.53MB of memory for scan. Server peak memory usage was: 79.39MB

was the output final 2 lines. Looks like that did the trick!

Will let you know if it pops back into problem range, but this seemed to be the fix. Not sure why but I see my BackupBuddy jumped by 80MB in one week, and I didn’t do any content changes at all. Perhaps Super-Cache didn’t dump the garbage or something. Hmmm!

@wfmattr Greatly appreciate your excellent help on this! I’m going to upgrade to premium as I switch over to new host and updated site. Outstanding support!

Great, I’m glad to hear it’s working better! It should be possible to re-enable the automatic scans, but I would recommend checking on the time it takes for them to complete, at least for a while. (You can see it on the scan page, in the same place it appears for manual scans.)

This still isn’t an ideal fix since it stops scanning of cache files, but since the scan completed much more quickly, hopefully the host will be happy.

Remember also, if you ever change caching plugins, to make sure the new plugin’s cache is still excluded from scans.

I’ll mark this topic as resolved, but will still pass the details on to the dev team, to see about possible future improvements for the scans that will help prevent such long-running scans like this. Thank you for all of the detail you provided!

-Matt R