Sites giving 504 Timeout All of a sudden

Hello everyone,

I am not sure what happened, I was working on WP site and all of a sudden the site have started to give 524 gateway timeout error.

I am using Cloudflare and it is saying that the origin server has timed out. How do I go about fixing this issue?

I am noticing the apache memory usage is a lot more than other services. Is this normal?

mysqld is also using a lot of RAM and CPU

Any changes in setup / plugins or increase in traffic?

You could consider changing the template from “default” to cacheing as this will improve the caching of Nginx and decrease the load of Apache2.

If Apache2 is still running in prefork mode also consider switching over to event move.

Depending on you hard ware/server load 1 gb of memory shouldn’t be a issue. But I could have multiple root causes.

I notice when I stop the mysqld service, the cpu/ram usage drops very low. But when I start the mysqld again, it starts to rise and the sites are also not responding.

I restarted the server and now hestaicp is not opening. Do I need to run a command in SSH to start hestia?

No should start on start up.

Please run systemctl status hestia to check what is going wrong…

The hestia panel started after a few minutes automatically. But the issue is still there, Can I send you site and server details somewhere?

The limit of “Free” support end when I need to log in on a remote server that is not my own. You can send me PM if you want / need how ever if it won’t be “free”

What is the hardware config of your server… CPU cores, RAM, Storage, etc and how many sites are hosted?. This looks like typical out if memory problem

It’s a 6 core 16gb ram SSD vps from contabo.

The website is hacked by malware attack. That might be the reason why it started overloading the server all of a sudden.

I am not sure how I should go about fixing the site. :frowning:

Hi @attiqfsd,
You can replace the WP core and then scan each plugin & theme using

Is there a utility by virustotal that I can use to scan all files in Linux?

There are but those would be slow as they work on API.

How do you recommend I should scan the files?

if it is wordpress, probaly wordfence is something to start. But this isnt related to hestia, so we cant provide any tutorials here. I would suggest to suspend the hacked web domain and restart the fpm service to stop active user processes.

Yes, it is wordpress. what is qeb domain?

The SMTP usage is going up. How do I stop the mail server from restarting? I tried to stop the exim service but it starts again immediately.

a typo, fixed.

systemctl stop exim or systemctl stop exim4 should do the job, but probaly your hacked wordpress is now spaming around. Still suggest to suspend the user or web domain, restart fpm or reboot the whole server to stop the hacked processes then probaly also clear the exim queue.