Sometimes one of our servers will be running hot while getting high loads seemingly at random, without a clear reason.
There are a couple of things we can do to troubleshoot this, like checking the server status in WHM. To do this, search "Apache Status" in the WHM search bar.
This will show you if there is one particular site getting hammered with requests— which is often, though not always, the case with random load spikes. Here's an example of what that page would look like when a site is experience a high load (this screenshot is from an outdated version of WHM):
An instance of this would be when one WordPress blog was getting hit very hard with login attempts, often referred to as "brute force login attempts." But, rather than the wp-login.php file, it was the xmlrpc.php file which has been a vulnerability for years because it provides “a huge target for brute force login attempts because it bypasses the traditional wp-login.php and goes right for logging in via API.” This was precisely the case with the intense load on Ramones shown above.Forunately, we have a snippet of code we can just add to the .htaccess file in the affected WordPress install to block all calls to xmlrpc.php. Below is the code snippet we copied into .htaccess in this case that brought the load back down almost immediately.
1 <IfModule mod_setenvif.c>
2 <Files xmlrpc.php>
3 BrowserMatch "Poster" allowed
4 BrowserMatch "WordPress" allowed
5 BrowserMatch "Windows Live Writer" allowed
6 BrowserMatch "wp-iphone" allowed
7 BrowserMatch "wp-android" allowed
8 BrowserMatch "wp-windowsphone" allowed
9
10 Order Deny,Allow
11 Deny from All
12 Allow from env=allowed
13 </Files>
14 </IfModule>
15
16 ErrorDocument 403 "Access Denied"