What can generate so much traffic on this website?

Hedy · February 7, 2023, 10:56pm

Hi,

I’m hosting a website, particularly trivial and without anything special, but which using a HUGE bandwith by comparison of the others.
Have a look :

145Gb on seven days !

This is not a normal bandwidth usage for this website and I wonder if there is not a issue something (hack on this website?).
It’s a Wordpress website (and I’m not the webmaster)
I have check the hosted files and the more bigger are png photo file (2Mo for the largest one)

My question is the following : which tools can I use to find HOW this simple website is generating BW : which files are read thousand of times etc… ?

Or maybe have you simply an idea about the cause ?

Hedy · February 7, 2023, 11:01pm

Here the history of this site :

As I can see, the BW increased progressively from one year…
One year ago, it consume only 30Gb/month

And the website didn’t receive any big change (as I can see)

Hedy · February 7, 2023, 11:07pm

The database looks normal :

A lots of spam comments, but normal for a wordpress…

jlguerrero · February 8, 2023, 3:46am

You should read the Nginx or apache logs. You will see all the http requests and you will have your answers.

For an hestiaCP with apache and Nginx you can see the logs with this command

cat /var/log/apache2/domains/mydomain.com.log

Hedy · February 8, 2023, 10:34am

Thanks !
I will try to understand the log with https://goaccess.io/

eris · February 8, 2023, 11:11am

Number of comments are high are you sure it not something like comments spam and a page that loads by the spammers?

Hedy · February 8, 2023, 11:14am

goaccess is a amazing tool !

I found this king of requests :

 Hits       h% Vis.      v% Tx. Amount Mtd  Proto    Data
 ----- ------- ---- ------- ---------- ---- -------- ----
  2325 100.00% 1009 100.00%  17.37 GiB GET  HTTP/1.0 /?attachment_id=102
  1071  46.06%  503  49.85%  14.06 GiB GET  HTTP/1.0 /?attachment_id=111
  1044  44.90%  481  47.67%  13.08 GiB GET  HTTP/1.0 /?attachment_id=39
   468  20.13%   30   2.97%   8.84 GiB POST HTTP/1.0 /?attachment_id=185/wp-comments-post.php
   977  42.02%  289  28.64%   4.95 GiB GET  HTTP/1.0 /?attachment_id=185
   213   9.16%   30   2.97%   1.31 GiB GET  HTTP/1.0 /?attachment_id=185/wp-comments-post.php
   238  10.24%  189  18.73%   1.01 GiB GET  HTTP/1.0 /?attachment_id=184
	98   4.22%   51   5.05% 956.43 MiB GET  HTTP/1.0 /?attachment_id=276
	90   3.87%   48   4.76% 729.65 MiB GET  HTTP/1.0 /?attachment_id=181
   177   7.61%  116  11.50% 685.00 MiB GET  HTTP/1.0 /?attachment_id=339
   126   5.42%  110  10.90% 521.34 MiB GET  HTTP/1.0 /?attachment_id=180
   122   5.25%   78   7.73% 511.30 MiB GET  HTTP/1.0 /?attachment_id=340
	 9   0.39%    1   0.10% 160.51 MiB POST HTTP/1.0 /?attachment_id=339/wp-comments-post.php
	 5   0.22%    5   0.50%  86.04 MiB POST HTTP/1.0 /?attachment_id=340/wp-comments-post.php
	 2   0.09%    2   0.20%  42.66 MiB POST HTTP/1.0 /?attachment_id=181/wp-comments-post.php

The url with /?attachment_id=102 is just a standard photo of the customer…
And the main “visitor” with biggest BW is a Chrome/Windows user… maybe a bot…

I think I will ask my customer to simply maintain his website up to date because it’s probably an obsolete version of Wordpress…
And obviously delete all spams comments…

eris · February 8, 2023, 11:24am

Looks like raw photos … or at least large one

Hedy · February 8, 2023, 11:42am

yes, it looks like this… but in fact, the photo is a classical picture of 990kb…
And best : absolutely no reason than a human open it thousand times a day.
So if it’s a bot, what is it for ?
Mystery

eris · February 8, 2023, 12:20pm

Seing the number of posts requests it probably is used for comment spam on the attachment pages and then keep on loading

Why? No idea…

jlguerrero · February 8, 2023, 1:38pm

Install a temporary fail2ban rule to block some of those resources. Maybe they will stop soon. Or an nginxz template denying access to those attachments and the comments.php

Alternatively you may see the countries from which those connections come from and block them

Hedy · February 8, 2023, 3:26pm

I will do that, thanks

MAN5 · February 8, 2023, 3:37pm

This simply Competitor’s/Spammer DDoS attacks & login hack tries.

mandrael · February 14, 2023, 6:19am

And there are some tools, CleanTalk for preventing spam comments and form spam. They also have a security plugin. And you can turn off hotlinks to pictures, which is an option in several security plugins like AIO security.

Hedy · February 14, 2023, 7:24am

Thanks all for you answers.
Finally, I ask my customer to update his Wordpress and every abnormal traffic is gone !

jlguerrero · February 14, 2023, 7:41am

You can update WP, plugins and themes with a WP cli command. They have a policy to only perform minor updates if you want.

You can have a script that updates the whole server.

Hedy · February 14, 2023, 7:53am

Interesting !
However, I’m just the hoster, so I won’t touch my customer’s files…