Hi,
I have a recurring issue with high PHP-FPM CPU usage. One or more of my WordPress sites suffers from some kind of intrusion attempts. Excerpt from the access log of the affected user:
x - - [25/Jun/2025:09:08:41 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:43 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:45 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:47 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:49 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:51 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:54 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:56 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:08:58 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
x - - [25/Jun/2025:09:09:00 +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
As you can see, it is not a crazy number of requests. Some other intrusion attempts (at wp-login.php) started happening once I blocked the IP address, but it’s roughly one or two requests per second, on average.
Blocking all the offending IP addresses significantly reduces system load, but I didn’t expect it to have such an impact. Is there any fine-tuning I can do in PHP-FPM in order to alleviate this? I currently have eight CPU cores, and plenty of free memory.
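
Added example, not part of the original post: a small Python script that measures, per client, how many POSTs reach xmlrpc.php and wp-login.php and at what rate, so the figures quoted above can be checked against the full access log. The log lines are constructed, the client addresses are documentation-range placeholders (the post redacts them as "x"), and the `summarize` function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from posixpath import normpath

# Combined log format: client ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WATCHED = {"/xmlrpc.php", "/wp-login.php"}  # the two endpoints named in the post

def summarize(lines):
    """Map (client, path) -> (count, span_seconds, requests_per_second) for watched POSTs."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop any query string and collapse "//xmlrpc.php" to "/xmlrpc.php".
        path = normpath("/" + m["path"].split("?", 1)[0].lstrip("/"))
        if path in WATCHED:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            seen[(m["client"], path)].append(ts)
    out = {}
    for key, stamps in seen.items():
        span = (max(stamps) - min(stamps)).total_seconds()
        # Treat bursts shorter than one second as one second to avoid dividing by zero.
        out[key] = (len(stamps), span, round(len(stamps) / max(span, 1.0), 2))
    return out

# Constructed sample lines (not taken from the poster's log).
SAMPLE = [
    f'192.0.2.10 - - [25/Jun/2025:09:08:{s} +0200] "POST //xmlrpc.php HTTP/1.0" 200 938 "-" "UA"'
    for s in (41, 43, 45, 47, 49, 51)
] + [
    '198.51.100.7 - - [25/Jun/2025:09:09:00 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "UA"',
    '198.51.100.7 - - [25/Jun/2025:09:09:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "UA"',
    '203.0.113.5 - - [25/Jun/2025:09:09:02 +0200] "GET / HTTP/1.1" 200 5120 "-" "UA"',
]

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1][0])
    for (client, path), (count, span, rate) in ranked:
        print(f"{client:15} {path:14} {count:4} requests over {span:.0f}s ({rate}/s)")
```

To run it on a real log, pass the open file object to `summarize` in place of `SAMPLE`.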