• Resolved barrelleaf

    (@barrelleaf)


    Hi,

    I found that the RAM and CPU went pretty high. Upon asking my server, I was told by them that WordFence seems to be the reason.
    https://i.imgur.com/h7PZyjF.png
    I’m wondering if there’s any setting to tweak to reduce the loading time.

    Thank you!


Viewing 15 replies - 1 through 15 (of 18 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    Whilst we are constantly working on making the plugin faster, perform better, and use less resources, there are not set amounts of RAM, CPU or database queries that we know Wordfence will definitely require in each use-case or hosting environment. This is also not a widespread problem across our sizeable customer base but does crop up from time to time with certain configurations.

    Before making an assessment from my side about what the cause might be, it’d be great if I could grab a copy of your site diagnostics which you can send to wftest @ wordfence . com. You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    Note: For the fastest response time, please make sure and add any information or questions directly to this topic and not the email address above unless asked.

    Thanks,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    Sure. I’ve sent it.
    Thank you.

    Nora

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi there,

    I’m waiting for a response from email or here, but I haven’t received any yet.
    Would like to know if there’s anything wrong.

    Thank you.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    Thank you for your diagnostic. I think that the quantity of plugins running and other memory settings for your site seem within normal operating parameters unless you’re on a very restrictive shared hosting plan, but part of the speed issues may be the fact that there is a 403 Forbidden error when requests enter your site. The 403 seems to be triggered by Cloudflare and may be blocking incoming requests. Please try the following:

    • Log in to Cloudflare
    • Go to “Firewall”
    • Click the “Firewall Rules” tab
    • Click “Create a Firewall rule”
    • Name the rule under “Rule Name”
    • Set the “Field” under “When incoming requests match…” to “IP Address”
    • Enter your site’s IP address under “Value”
    • At the bottom, under “Then…Choose an action” change “Block” to “Allow”
    • Click “Deploy”

    Once you have added your site to the Cloudflare Whitelist, head back over to your site and attempt another scan.

    Let me know if this helps and if you have any questions!

    Thanks,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter, thank you for your help.

    I’ve added my site’s IP address on Cloudflare as you instructed.

    But when I went back to the backend and clicked “Start New Scan”, it showed “Scan Failed
    The scan has failed to start. This is often because the site either cannot make outbound requests or is blocked from connecting to itself.”

    Here is the screenshot. Not sure what’s wrong.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    Thanks for your diagnostic. I believe in your other ticket we added the Wordfence IPs to the Cloudflare whitelist so if those and your site are now allowed, the scan issue shouldn’t be presenting. The actual text from your diagnostic reads:

    Bot Protection Firewall

    Blocked because of Malicious Activities

    This is a Cloudflare error page that should be suppressed with the allowing of your own site and our IPs to the whitelist. Please try the following to get me further log information:

    • Kill any existing scan if it is still running (The “Start New Scan” button turns into a “Stop” button while the scan is running)
    • Go to your Scan > Scan Options and Scheduling page and locate the “Performance Options”
      Set “Maximum execution time for each scan stage” to 20 on the options page
    • Click to “Save Changes”
    • Go to the Tools > Diagnostics page
    • In the “Debugging Options” section check the circle “Enable debugging mode”
    • Click to “Save Changes”.
    • Start a new scan
    • Copy the last 20 lines or so from the Log (click the “Show Log” link) once the scan finishes and paste them in the post.

    If your scan runs again when trying the above steps, you can leave all the settings above except for “Enable Debugging Mode”. Otherwise, drop me the log information and I’ll look further into it for you.

    Thanks,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    I’ve followed the steps and run the scan.

    The log:

    [May 28 08:01:53] Scheduled Wordfence scan starting at Friday 28th of May 2021 08:01:53 AM
    [May 31 09:07:27] Scheduled Wordfence scan starting at Monday 31st of May 2021 09:07:27 AM
    [Jun 03 17:55:30] Scheduled Wordfence scan starting at Thursday 3rd of June 2021 05:55:30 PM
    [Jun 06 07:56:59] Scheduled Wordfence scan starting at Sunday 6th of June 2021 07:56:59 AM
    [Jun 09 09:18:17] Scheduled Wordfence scan starting at Wednesday 9th of June 2021 09:18:17 AM
    [Jun 12 08:39:31] Scheduled Wordfence scan starting at Saturday 12th of June 2021 08:39:31 AM
    [Jun 15 07:33:59] Scheduled Wordfence scan starting at Tuesday 15th of June 2021 07:33:59 AM
    [Jun 16 08:56:10] Scan stop request received.
    [Jun 16 08:56:12] Scan stop request received.
    [Jun 16 08:57:20] Scan stop request received.
    [Jun 16 09:14:04] Request received via unlock email link to unblock all IPs.
    [Jun 16 09:14:53] Request received via unlock email link to unblock all IPs via disabling firewall rules.
    [Jun 16 09:22:57] Scan stop request received.
    [Jun 18 08:07:06] Scheduled Wordfence scan starting at Friday 18th of June 2021 08:07:06 AM
    [Jun 19 08:33:12] Calling Wordfence API v2.26:https://noc1.wordfence.com/v2.26/?k=9b643b508dc11f6e9c37cc1490a57760e5adfd32deb5486d0146b17eec6d73fe2ab70e690877f432a6e08ab3c3de0d13231e67076e5ff03c83fc44e0450cf7a91313311bfaa12df360650c08c6f76f6c&s=eyJ3cCI6IjUuNy4yIiwid2YiOiI3LjUuNCIsIm1zIjpmYWxzZSwiaCI6Imh0dHBzOlwvXC93d3cuYmFycmVsbGVhZi5jb20iLCJzc2x2IjoyNjk0ODQyMzksInB2IjoiNy40LjIwIiwicHQiOiJmcG0tZmNnaSIsImN2IjoiNy41Mi4xIiwiY3MiOiJPcGVuU1NMXC8xLjAuMnUiLCJzdiI6IkFwYWNoZVwvMi40LjI1IChEZWJpYW4pIiwiZHYiOiIxMC4xLjQ4LU1hcmlhREItMX5zdHJldGNoIiwibGFuZyI6IiJ9&betaFeed=0&action=timestamp
    [Jun 19 08:33:36] Scan stop request received.
    [Jun 19 08:33:48] Ajax request received to start scan.
    [Jun 19 08:33:48] Entering start scan routine
    [Jun 19 08:33:48] Got value from wf config maxExecutionTime: 20
    [Jun 19 08:33:48] getMaxExecutionTime() returning config value: 20
    [Jun 19 08:33:48] Test result of scan start URL fetch: array ( 'headers' => Requests_Utility_CaseInsensitiveDictionary::__set_state(array( 'data' => array ( 'date' => 'Sat, 19 Jun 2021 00:33:48 GMT', 'content-type' => 'text/html; charset=UTF-8', 'vary' => array ( 0 => 'Accept-Encoding', 1 => 'User-Agent', ), 'cache-control' => 'no-cache, no-store, must-revalidate', 'pragma' => 'no-cache', 'expires' => '0', 'cf-cache-status' => 'DYNAMIC', 'cf-request-id' => '0ac34939780000206106311000000001', 'expect-ct' => 'max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"', 'report-to' => '{"endpoints":[{"url":"https:\\/\\/a.nel.cloudflare.com\\/report\\/v2?s=w8qdsXLFyl3YbTmzecsql3iR7RhVZBsRyMXX7jbHT6Gr%2BDx33QFXeXnDf12lnUxBO255NSpZGH1Xn1aYyUwMSHEUV0EQmrouqiqGd%2F10jEV%2FiTJkjTJcvySqgYv1ayFZ3Lwp6F9aLIXHzufA"}],"group":"cf-nel","max_age":604800}', 'nel' => '{"report_to":"cf-
    [Jun 19 08:33:48] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/www.barrelleaf.com/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=standard&cronKey=92ccd7aac8d398db567b25ed76d96b65&k=9b643b508dc11f6e9c37cc1490a57760e5adfd32deb5486d0146b17eec6d73fe2ab70e690877f432a6e08ab3c3de0d13231e67076e5ff03c83fc44e0450cf7a91313311bfaa12df360650c08c6f76f6c&ssl=1&signature=491364bf1bc6c69215cc11b16c08cdef9473de37c5059658da458337e2d18256
    [Jun 19 08:33:49] Scan process ended after forking.

    Just want to make sure I understand it correctly. After this scan, I should undo all the steps except for the “Enable Debugging Mode”, right?

    Thank you.

    Nora
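
The debug log in the post above embeds URLs whose query strings carry values such as k, s, cronKey and signature. This is an added example (not from the thread or from Wordfence) that masks those values and any non-loopback IPv4 address before a log is pasted publicly; the function names, the REDACTED and [IP] markers and the sample lines are assumptions constructed here.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that appear in the thread's debug log with secret-looking values.
SENSITIVE_PARAMS = {"k", "s", "cronKey", "signature"}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KEEP_IPS = {"127.0.0.1"}  # loopback reveals nothing about the host


def redact_url(url):
    """Mask sensitive query values but keep host, path and harmless parameters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def redact_line(line):
    """Redact URLs first, then any remaining non-loopback IPv4 address."""
    line = URL_RE.sub(lambda m: redact_url(m.group(0)), line)
    return IPV4_RE.sub(
        lambda m: m.group(0) if m.group(0) in KEEP_IPS else "[IP]", line)


def redact_log(text):
    """Apply redact_line to every line of a pasted log."""
    return "\n".join(redact_line(line) for line in text.splitlines())


# Constructed sample in the format of the log above; every value is a placeholder.
SAMPLE = """\
[Jun 19 08:33:48] Got value from wf config maxExecutionTime: 20
[Jun 19 08:33:48] Starting cron via proxy at URL https://noc1.wordfence.com/scanp/example.test/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=0&scanMode=standard&cronKey=PLACEHOLDERCRONKEY&k=PLACEHOLDERAPIKEY&ssl=1&signature=PLACEHOLDERSIG
[Jun 19 08:33:49] IP(s) used by this server: 203.0.113.7, 127.0.0.1
[Jun 19 08:33:49] Scan process ended after forking."""

if __name__ == "__main__":
    print(redact_log(SAMPLE))
```

Timestamps and messages pass through unchanged, so the lines support needs (for example “Scan process ended after forking.”) stay readable.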

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    Only deselect “Enable Debugging Mode”, the other settings are fine to leave as they are.

    Please check the instructions under Scan process ended after forking in our documentation to ensure permissions and .htaccess blocks are not preventing access to the wp-admin folder. Memcache or object-cache may also need to be restarted twice if present on your configuration. Also ensure your own server IP has access to this folder.

    Thanks,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    I did keep all the settings but I didn’t get the “Scan process ended after forking” message. It still showed “Scan Failed”.

    I tried “Start all scans remotely” but it’s still the same.
    I’ve restarted Memcache on my server (Cloudways).
    I also checked the .htaccess file and didn’t see anything specific to block access to the wp-admin folder. (I’ve also checked it with one of the server support team.)

    Not sure what I could do.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    Have you allowed both IPs used by your server to the Cloudflare whitelist using the OR separator? I notice there are two in your original diagnostic. Ignore the 3rd listed 127.0.0.1.

    I won’t post your server IPs here for security reasons, but you can discover them yourself from the Wordfence > Tools > Diagnostics page under “IP(s) used by this server”. Also check to see whether that IP appears under Wordfence > Live Traffic or Wordfence > Firewall > Blocking. You can choose to “Unblock IP” from both of those screens.

    You are already using CF-Connecting-IP as your method of getting visitor IPs so there should be no issue there as it appears to have successfully picked up your IP when sending the report.

    Thanks again,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    Thank you for your response.
    I did add the server IPs which I found in “IP(s) used by this server” to the Cloudflare whitelist using the OR separator. (Screenshot) (I have blacked out the IP part.)

    I’ve also checked Wordfence > Live Traffic and Wordfence > Firewall > Blocking. The two IPs are not in there.

    I checked the Connectivity in Diagnostics and it still shows
    “wp_remote_post() test back to this server failed! Response was: 403 Forbidden”

    Here is the screenshot.

    Not sure why the scan doesn’t work.

    Nora

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    I consulted your other topic and had mentioned allowing (on the CF whitelist) the 6 IPs seen on: https://www.wordfence.com/help/advanced/#servers-and-ip-range

    I can’t confirm this was done though, as your next question was related to adding your 2 server IPs.

    The immediate nature of the scan stopping and 503 errors coming back sounds like an issue we’ve seen in the past where an enabled “Bot Fight” or “Bot Report” mode blocks any requests from our servers straight away.

    Thanks again,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    Sorry, maybe I misunderstood the two things. You mentioned “Enter your site’s IP address under “Value”” (that thread) so I used the ones I found in the Diagnostics. Should I replace them with your 6 IP addresses?

    Sorry if there is a misunderstanding.

    Nora

    Plugin Support wfpeter

    (@wfpeter)

    Hi @barrelleaf,

    No, don’t remove any IPs we have already added. Please just add our IPs to be allowed in Cloudflare’s firewall. You technically only need to add the ones for Wordfence Central if you use it, so could just add the top 3 if you don’t.

    Thanks,

    Peter.

    Thread Starter barrelleaf

    (@barrelleaf)

    Hi @wfpeter,

    Thank you for responding. I had added the IPs in the Firewall Rule on Cloudflare (use “or” between the rules).

    I purged all cache and tried to run the scan again, but the scan still failed to start. The log keeps showing “Scan stop request received.” Really not sure what causes this.

    I know it might be due to something that I’m not aware of but I’m really running out of ideas.

    I really really appreciate your help no matter what. Thank you.

    Nora

  • The topic ‘Loading slow and eating up RAM and CPU’ is closed to new replies.