WordPress is the most common CMS in the Russian-speaking segment on the Internet. It is easy to manage and learn, but sometimes, users of this system experience issues with CPU overload. The account may be suspended if the load coming from it threatens server operation. In case of overload, you can usually see the script it is coming from. The most frequent cases:
admin-ajax.php script
This script allows taking actions in the website’s admin panel. You can simply leave the post-editing tab open and go about your business. While this page is open, the script will save what is written in the post, thereby generating requests to the database and increasing the load on the server.
You can set save time using the heartbeat-control plugin. After installing a plugin, go to Settings -> Heartbeat Control Settings and select Modify Heartbeat in the Heartbeat Behavior dropdown. Then select Locations All and choose Frequency 60 or Higher. Find detailed instructions by following the link.
xmlrpc.php script
This script is used for the bulk upload of articles to the website. This script is also frequently used as an entry point at the time of DDoS attacks. In most cases, website owners do not know about the features of this file and don’t use it. If you don’t use it, open this file for editing and add "die();" line after the opening tag <?php. This will stop script execution in the very beginning, preventing the increased server load. If you use it, reduce the size of uploaded files and divide them into two parts. A good idea would be to restrict access to this file from certain IP.
wp-login.php script
If you see requests coming to that address, it means someone is trying to hack your website by picking up the login and password to the website’s admin panel. Install the plugin to limit the number of sign-in attempts made from one IP, or add a captcha to the sign-in form. This will be enough to protect your website from hacking.
index.php script
This may mean basically anything. But the main reasons are scanning by search bots and DDoS attacks. To find out the reasons, review access logs. Logs clearly show requests from search bots and DDoS attacks. Signs of this are sign-ins from one IP or one subnetwork. Bots are also characterized by the text *Bot in the request. You can protect your website from some bots by adding the following line to robots.txt.
crawl-delay:10
It will set a 10-second interval between scanning. Unfortunately, it may not work for some bots or in the case of DDoS attacks. In these cases, you can use a third-party security service, like Cloudflare.
If all of the above steps did not work out and the load is increased due to traffic to the website from regular visitors, optimize your website.
To optimize and reduce the load, we recommend installing the WP Super cache plugin. This plugin is the only one among other free plugins that showed actual results in reducing the load. Go to the “Advanced” tab on the plugin settings page and enable the following options:
- Caching enabled.
- Use mod-rewrite for cache servicing.
Leave the default values for the remaining options. Then press “Update mod_rewrite rules”. In the “Caching timeout” field, select 0 and press “Change copy lifetime”.