Slow Web Site vs. Insecure Web Site :(

wordpress

#1

My WordPress web site has been crawling for a while, and last week it went down all together. Dreamhost said that this tiny web site was using too many server resources. They recommended deactivating some of the plugins.

I shut down All-in-One SEO and Jetpack. That got the site back up, but it was still very slow. Dreamhost said they were still choking it for using too many server resources.

I then started shutting off parts of Better WP Security that were known resource hogs. I was reluctant to do this because the site has been hacked before (involving days for me to fix), and there was a blatant attempt last week (over 100 spam comments hit all at once on Valentines Day). There were also a lot of DDoS attacks and a large scale brute force attack specifically targeted at WordPress sites. It seems to me that fending stuff like this off could have involved an unusual amount of security resources, but all Dreamhost would say is my site, which supposedly has “unlimited bandwidth”, was using too much.

While trying to speed up the load time, I found that the caching plugin, WP Super Cache, wasn’t effective anymore. I tried to replace it with Hyper-Cache, but I couldn’t get the cron job for the cleaning process to start. Dreamhost then suggested W3 Total Cache. This involved editing htaccess, editing wp-config, deleting files and folders, changing permissions, etc. In the course of doing this, I managed to break the web site again. Removing W3 Total Cache manually from the plugins folder and reversing everything I did would not bring the site back online.

Dreamhost then suggested removing htaccess. Editing htaccess so it looked the same as my other dreamhost sites didn’t help. I ended up removing it all together. The web site is back up, but all the security measures that were in htaccess are now gone.

Now I am back at square one, with the web site loading extremely slowly (probably because Dreamhost is still choking it), with crippled security (no htaccess, half my security measures turned off) and no caching.

Dreamhost takes 1-2 days to respond to each email, so the web site has been down for a few days at a time twice, and glacial slow the rest of the time. The emails are often redundant and point me to wikis with instructions that are a bit beyond my capabilities. I managed to install PuTTY and connect to the server, but most of the commands in the wiki don’t work. When I did get a process list, the processes all looked normal to me…except one that was in a GAMES directory(!) That directory is nowhere in the web site, and if that thing is the culprit, then my web site is being penalized for something we don’t even use!

I am extremely frustrated by this situation. It’s taking way too long to resolve. The owner of the web site has tried to flag Dreamhost support on Twitter, but they just say they will get back to us ASAP while another day goes by.

This is a small, relatively simple web site. It’s mostly static. No video, standard recommended plugins. The account has “unlimited” bandwidth and storage space, so there should be no problem at all here. I could swear Dreamhost even used to guarantee 99.9% up time.

Yet, Dreamhost itself is choking the site and not being very explicit as to how I can address that. I’ve ended up without caching, which just makes the problem worse. I’ve been dismantling security measures knowing full well that if we get hacked again, I’m going to be spending days manually trying to clean the site up.

This whole situation is just not right. If Dreamhost has a legit beef with the processes the web site is using, they should be able to tell me what to do about it - in ways that don’t wreck the web site or leave it vulnerable to new hacking attempts.


#2

Unlimited space and bandwidth does not mean unlimited resource usage. There’s one more thing you’re not considering, and that’s CPU. Ever used a program that made your computer sound like a rocket was taking off and everything got really slow? That’s what’s going on.

Without knowing which domain you’re talking about, I can’t check if TS gave you any hints as to what was using so much CPU. Normally it’s a theme or a plugin, combined with traffic, so it’s not just ONE thing but a pile of everything.

As for the DDoS stuff… there’s not much more we can do that we’re not already working on (and we are!). You MAY want to try putting a front end like CloudFlare to act as a firewall between you and them.


#3

I don’t want to give the web site here, since I’ve already announced how insecure it is right now. :frowning:

I do understand the difference between CPU and bandwidth usage. However, when a customer buys an “unlimited” account, that certainly creates the impression they could run a huge site with all sorts of bells and whistles on that account. But in this case, we’re talking about a very small, practically static, account. If it’s somehow using more resources than other WordPress accounts of its size, I’d like to know what they are.

I have already added Cloudflare and the Google pagespeed beta for this site.

Here are the currently active plugins:

Akismet (all optional settings currently off)

Bad Behavior (Settings: Normal HTTP logging on, Strict Checking)

Better WP Security (At this point I don’t have permission to view the settings!! But I remember turning off file change detection, database backup, and some other settings that seemed to involve going to the server. Also htaccess, along with the WP Better Security changes made to it, is now gone. I have a red notice that my installation is not actively blocking attackers or scanning for vulnerabilities).

Exploit Scanner (runs on demand)

Fast Secure Contact Form

Official Statcounter Plugin

Optimize Database After Deleting Revisions (runs on demand)

P3 (Plugin Performance Profiler) (runs on demand)

Social Media Icons Widget (only a couple activated)

WP-Mail SMTP

Wysija Newsletters (on demand, rarely used)

So: I don’t have a crazy amount of plugins. The plugins I have are well-known and recommended, and their functions don’t overlap. Half of them relate to security and performance. Better WP Security is mostly shut off, and somehow messed up so I don’t have permission to change its settings. I have no caching at all.

Any thoughts? :frowning:

Ps. I use Atahualpa for the theme. This theme had resource-usage problems in the past, but I don’t see that as a known bug on its forum now. Some of its files did come up high in the process list, though.
/wp-content/themes/atahualpa/images/expand-down-white.gif
/wp-content/themes/atahualpa/js/DD_roundies.js

Also, there was stuff that seem like normal wordpress functions to me:
/wp-includes/js/jquery/jquery.js
/wp-comments-post.php
/wp-cron.php

The file that got comment-spammed on Valentines day was also on the high-usage process list. I couldn’t find anything hacked about it in the database, though.


#4

There were a couple of WordPress sites I manage that are on VPS. The sites started using tons of CPU. I tried disabling plugins, updating PHP version. Finally, I discovered that both sites were getting hammered with failed login attempts.

Changing the login page was the trick. From that moment on CPU dropped to manageable levels. Here is where I learned the basics of how to do this: https://managewp.com/change-your-wordpress-login-url

If you want to first find out if this is your problem, simply install the plugin Login Lockdown… wait a half hour and then check the Login Lockdown logs (or better yet, use phpMyAdmin and check the loginlockdown tables…). If you have tons of failed login attempts, then chances are this is your problem. If you have only a few (or none) failed login attempts, then this is not your issue.


#5

Thank you for the advice - I’ll check into the login attempts. At the time Dreamhost started choking the web site, we were under some sort of attack (judging from the comment spam).

It has been immensely frustrating that Dreamhost hasn’t been corresponding about the problem in those terms, rather than encouraging me to deactivate important plugins. :frowning:


#6

Update: no one is getting locked out by Login Lockdown, so that’s not the problem.

Dreamhost is still getting back to me every other day with unhelpful replies. They say they are choking the site because it uses too many resources, but all they give me is the uids. The one time they did give me processes, it made no difference. I turned off the high-impact plugins, and the rest were normal WordPress files.

I still question whether a small web site in an “unlimited” account should be choked rather than a large web site that makes full use of the resources that were supposed to be at our disposal.


#7

You’ll probably find most shared hosting providers have accounts with “unlimited” bandwidth and disk space. But they all have limits for CPU & RAM usage in their AUP.

But that being said you’re obviously trying to do everything right and aren’t a novice. So faster support response would be helpful.

I see Ipstenu & Elle help out a lot in these forums- maybe they can move this along for you.

You might try as a test (if you haven’t) turning all plugins off temporarily, and see how it affects response time. The P3 profiler you’re using is a very good test to see what the plugins are doing.

A couple plugins that may be helpful to diagnose server performance issues are:
-Benchmark
-WP System Health

Best wishes.


#8

Thank you for the suggestions - I will look into the plugins you suggested.

Disregard my comment about the ghost of WP Better Security - it’s gone now.


#9

I’ve now turned off logging and strict checking in Bad Behavior, as well as removed WP Better Security.

P3 gives plugin impact on page loads at 18.17%

Web site security has been all but demolished (hello, hackers!), and the site still loads like molasses.

Grr. :frowning:


#10

What’s your account here? At least then I can take a look (it’s not tied into the email you use on the forums, so … ) - I don’t know what TS is telling you (nor who is telling you what) so I can’t go poke them for more details.

There’s a WP codex doc on protecting from brute force: http://codex.wordpress.org/Brute_Force_Attacks

The .htaccess block is going to be the best, but if you have a lot of users, it’s a bit meh.
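The check suggested in #4 (count the failed login attempts before blaming plugins) and the .htaccess block recommended here can be done straight from the shell session the original poster already has via PuTTY, without installing another plugin that itself runs PHP on every request. The script below is an added example and not code from this thread, from Login Lockdown, or from the Codex page; the log lines are constructed, and it assumes the Apache combined log format (the per-domain log location on this host is also an assumption). A POST to wp-login.php that comes back with HTTP 200 is the login form being re-rendered after a failure; a successful login redirects with 302, so the status code separates the two without touching the database.

```shell
#!/bin/sh
# Added example: spot login brute-forcing and comment-spam bursts in an Apache
# combined access log, then emit the .htaccess fragment that keeps those
# clients from ever reaching PHP. Sample log lines below are constructed.
# The log path in the usage note is an assumption about this host's layout.

# Constructed sample: one client hammering the login form, one real login,
# two clients posting comments, and a normal wp-cron hit.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [14/Feb/2013:10:01:02 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2013:10:01:03 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2013:10:01:03 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2013:10:01:04 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2013:10:01:05 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Feb/2013:10:01:05 -0800] "POST /wp-login.php HTTP/1.1" 200 3455 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2013:10:02:11 -0800] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2013:10:02:12 -0800] "GET /wp-admin/ HTTP/1.1" 200 21873 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Feb/2013:10:03:00 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Feb/2013:10:03:00 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.23 - - [14/Feb/2013:10:03:01 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.24 - - [14/Feb/2013:10:03:01 -0800] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Feb/2013:10:03:05 -0800] "GET /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0 "-" "WordPress/3.5"
EOF
}

# Failed logins per client IP, most frequent first. In the combined format
# $1 is the client, $6 the quoted method, $7 the path, $9 the status code.
# A POST to wp-login.php answered with 200 is the form redrawn after a bad
# password; a successful login is a 302 redirect, so it is not counted.
failed_logins_per_ip() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# POSTs to an arbitrary endpoint per client IP (e.g. /wp-comments-post.php
# for the kind of comment-spam burst described in #1). Log on stdin.
posts_per_ip() {
  awk -v path="$1" '$6 == "\"POST" && $7 == path { n[$1]++ }
       END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Keep only the IPs whose count is at or above the threshold. Input is the
# "count ip" lines produced above; output is one IP per line.
over_threshold() {
  awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Apache 2.2-style .htaccess fragment (the syntax the Codex page uses) that
# denies the IPs on stdin access to wp-login.php. The request is refused by
# Apache itself, so no PHP process is started for it.
htaccess_deny() {
  printf '<Files wp-login.php>\n  Order Allow,Deny\n  Allow from all\n'
  while IFS= read -r ip; do
    printf '  Deny from %s\n' "$ip"
  done
  printf '</Files>\n'
}

# Demonstration on the constructed sample: who is hammering the login form,
# and the .htaccess fragment that would shut them out.
sample_log | failed_logins_per_ip | over_threshold 5 | htaccess_deny
```

Against the real log it would be `failed_logins_per_ip < ~/logs/example.com/http/access.log | over_threshold 5` (the path is an assumption; use whatever the host's access log is called). Two caveats: with CloudFlare in front, as #3 says is now the case, the client field holds CloudFlare's edge addresses unless the server has been configured to restore the visitor IP, so the counts must be read from CloudFlare's side instead; and the `Order`/`Deny from` directives are Apache 2.2 syntax, which is what the Codex page shows, while Apache 2.4 expresses the same rule with `Require not ip`.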


#11

Can I tell you the account via PM?

I’ve had some bad experiences in putting URLs on forums, and I’m especially nervous about this one now that half the security measures are gone.

Regarding the users: there is only one for the WP account, and - at the suggestion of Dreamhost tech support - this account also has its own FTP user.

Regarding the instructions for Brute Force attacks - I had done some of these things already. I’m wary about adding more plugins if these are what are taxing my CPU resources. The things regarding .htaccess should probably be left until after I have a working cache plugin: if the site keeps breaking, I may end up trashing .htaccess a few more times.


#12

Sure, PM or email me at mika.epstein at dreamhost :slight_smile:


#13

Thanks for offering to help. I will have to try to email you. I got this when I tried to send you a PM through the board:

You do not have permission to access this page. This could be because of one of the following reasons:

Your account has either been suspended or you have been banned from accessing this resource.
You do not have permission to access this page. Are you trying to access administrative pages or a resource that you shouldn't be? Check in the forum rules that you are allowed to perform this action.
Your account may still be awaiting activation or moderation. (Resend Activation Code)
You have accessed this page directly rather than using appropriate forms or link.


#14

Click the “Email” button under Ipstenu’s post to send her an email.