Alves908

Number of execution and strange POST calls

@Alves908

Posted in: #Optimization #Post #Wordpress

Having a problem with a number of script execution.

Host: Siteground

Hosting package: GoGeek (declared for approximately 100,000 visitors per month)

Current status of execution in last 24h: 58678/40000

Visitors in analytics: approx. 3000 in last 24h

CMS: Wordpress multisite, Momizat Multinews theme

Cache plugin: SG SuperCacher

also using WordFence, SI CAPTCHA Anti-Spam, Heartbeat Control...

My primary domain is older but it has a lot less visitors. It is however attacked by spammers and bots. That's why I installed captcha for comments and WordFence to mitigate and block abusive bots. Second domain is a parked domain, redirected using Domain Mapping plugin in wordpress multisite subdomain configuration.

This is the Top 10 Executed Scripts from the beginning of the current month:

Executed Scripts Number of executions


/home/histor69/public_html/index.php -- 182 842
/home/histor69/public_html/wp-admin/admin-ajax.php -- 159 206
/home/histor69/public_html/wp-login.php -- 62 798
/home/histor69/public_html/wp-content/plugins/si-captcha-for-wordpress/captcha/securimage_show.php -- 38 307
/home/histor69/public_html/wp-admin/post.php -- 2 242
/home/histor69/public_html/wp-cron.php -- 2 149
/home/histor69/public_html/wp-signup.php -- 1 324
/home/histor69/public_html/wp-admin/edit.php -- 1 228
/home/histor69/public_html/xmlrpc.php -- 1 050
/home/histor69/public_html/wp-admin/async-upload.php -- 582


I used Heartbeat Control to minimize admin-ajax calls, renamed wp-login, denied xmlrpc in htaccess. I obviously can't do much for index.php, captcha (at least for now), wp-cron.php (I'm guessing that that is for scheduled posts), edit.php... I need to deal with wp-signup (we don't have any signup) and

It may seem from this that with current visitors I should have such a high amount of execution, but I had more than 40,000 executions with less than 1100 visitors. In fact, when I upgraded to the GoGeek account I had a drop in visitors but a rise in executions.

The problem is the next thing. With visitors, calls to admin-ajax also increase. I checked raw access logs and one thing really bothers me.

This is how I see a legit admin-ajax call (most of these are made on the subdomain), so this is from the subdomain raw access log:

XXX.XXX.XXX.XXX - - [14/Jan/2016:01:40:45 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 99 "http://sub.main.domain/wp-admin/post-new.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"


XXX.XXX.XXX.XXX - my company IP

But in raw access log of my main domain I see this:

YYY.YYY.YYY.YYY - - [14/Jan/2016:01:40:43 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 8 "http://parked.domain/somecategory1/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
YYY.YYY.YYY.YYY - - [14/Jan/2016:01:40:44 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory1/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
YYY.YYY.YYY.YYY - - [14/Jan/2016:01:40:44 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory1/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
YYY.YYY.YYY.YYY - - [14/Jan/2016:01:40:45 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory1/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:45 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:45 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:45 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:46 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:46 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:46 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:46 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:47 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:47 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
ZZZ.ZZZ.ZZZ.ZZZ - - [14/Jan/2016:01:40:47 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 9 "http://parked.domain/somecategory2/" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"


ZZZ.ZZZ.ZZZ.ZZZ and YYY.YYY.YYY.YYY are IPs unknown to me, and they change all the time...

The parked domain is mapped to my subdomain (the one that is in heavy use).

Questions:


1. What kind of calls are these? Is there any connection between admin-ajax.php and network mapping? Is there anything else inside WP (with this configuration) that can cause these calls?
2. In terms of script execution, what are better ways to block certain IPs: htaccess IP/page block, WordFence block, cPanel server block (IP)?
3. Best way of blocking pages like wp-signup, wp-login? Even though I renamed wp-login I still believe a 404 page is generated and a script is called.
4. Any way to block unauthorized access to wp-admin/* without script execution increase? What I want is to block all access unless you pass login at /customLoginPage. Is that possible?
5. On Siteground I have an option to use their SuperCacher or Google PageSpeed. What option is better?
6. Best way of blocking bots? Is WordFence good for that or is it better to use htaccess or some other way?
7. Anything else that could be done in terms of optimizing a site?


Currently I'm not interested in upgrading the account, only in optimization, so please don't tell me to upgrade as an answer. I had a spike in the last 24h, but my average is around 1500 visitors, that's around 50,000 per month, so my account should hold. And the other thing is that I'm really interested in those admin-ajax calls and in further learning best practices of optimization.


@Jamie184

You are way overthinking this!

Just block the IP addresses.

Here is what is happening:

You are being pinged by systems that are compromised. These systems are (possibly/sometimes) using a database of WP sites and just looking for a way in, however, since these are script-kiddie level attacks, they are not bright enough to just landscape your system and go away if they fail, they just ping your system over and over again looking for a way in.

It is that simple.

WP is the single most attacked software and the single most vulnerable software ever. The reason for this is simple. It has had many vulnerabilities over the years and even without any vulnerabilities, it opens itself up to vulnerabilities with poorly coded themes and plug-ins. It seems of late, Drupal is following suit as well.

This means that any site will be landscaped and if found to be a WP site, it will be attacked. In fact, many scripts do not care if WP is installed or not. I get these attacks all the time. It is just a part of doing business on the Internet. Get used to it.

Just block the IP address and be done with it.
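Before blocking anything, it helps to measure which clients actually produce the bursts shown in the question's main-domain log. The following is an added example, not part of the original posts: it parses Combined Log Format lines, ignores admin-ajax.php POSTs whose referer is under /wp-admin/ (the pattern the asker identifies as legitimate), and reports clients that reach a per-second threshold from front-end pages. The function name, threshold and sample addresses are assumptions; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Combined Log Format, as in the access-log excerpts quoted in the question.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def ajax_bursts(lines, threshold=3):
    """Return {ip: (peak_per_second, referers)} for clients whose POSTs to
    admin-ajax.php, sent from pages outside /wp-admin/, reach `threshold`
    requests within one log second (hypothetical helper, not a WordPress API)."""
    per_second = Counter()   # (ip, timestamp) -> request count
    referers = {}            # ip -> set of referring URLs
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php"):
            continue
        if urlparse(m["referer"]).path.startswith("/wp-admin/"):
            continue         # dashboard traffic, e.g. the post editor
        per_second[(m["ip"], m["ts"])] += 1
        referers.setdefault(m["ip"], set()).add(m["referer"])
    peaks = {}
    for (ip, _), n in per_second.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: (n, sorted(referers[ip])) for ip, n in peaks.items() if n >= threshold}

# Constructed sample modelled on the question's excerpts (RFC 5737 addresses).
UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"

def _line(ip, sec, size, ref):
    return (f'{ip} - - [14/Jan/2016:01:40:{sec:02d} -0600] '
            f'"POST /wp-admin/admin-ajax.php HTTP/1.0" 200 {size} "{ref}" "{UA}"')

SAMPLE = (
    [_line("192.0.2.10", 45, 99, "http://sub.main.domain/wp-admin/post-new.php")]
    + [_line("198.51.100.7", s, 9, "http://parked.domain/somecategory1/")
       for s in (43, 44, 44, 45)]
    + [_line("203.0.113.5", s, 9, "http://parked.domain/somecategory2/")
       for s in (45, 45, 45, 46, 46, 46, 46, 47, 47, 47)]
)

if __name__ == "__main__":
    for ip, (peak, refs) in ajax_bursts(SAMPLE).items():
        print(f"{ip}: peak {peak} req/s, referers: {', '.join(refs)}")
```

A front-end referer alone is not a sign of abuse, since themes and plugins can call admin-ajax.php from public pages; the per-second peak per client is the signal to review before adding a block rule.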
