So I open up my email the other day and I get a big surprise. One of my web hosting companies basically told me I was hogging resources and that it might lead to my account being suspended. Now, I know the traffic on my websites has been steadily increasing (thankfully), but I couldn’t believe it would be anything approaching a danger zone. While most web hosting plans theoretically provide unlimited storage and bandwidth, if your resource usage starts affecting other customers on the same server you’re on, then you could have your account suspended. Below is part of the actual email message I received:
We have been tracking high resource usage coming from your account with us and wanted to reach out to you before it becomes a problem affecting other customers. Resource usage when taken to an extreme can sometimes lead to a suspension of the account depending on the severity of the issue, and this is something we deeply want to avoid.
After checking my resource log in cPanel, I did indeed notice a spike in usage the past couple of days. However, it wasn’t readily apparent what the cause was. After consulting with the web hosting company’s System Administration team, I discovered that the cause of the high resource usage was a malicious attack on one of my WordPress sites that was in turn trying to attack other sites. Specifically, it appears that the XML-RPC protocol (enabled by WordPress for pinging and trackbacks) was being used for malicious purposes. My web host recommended I disable XML-RPC.
Unless you make use of the Jetpack functions or remote access from mobile apps, it’s usually better to disable XML-RPC. There are a few different ways of turning off the XML-RPC protocol. You could use your .htaccess file or you could add code to the functions.php file of your WP theme. But the easiest and probably safest way to disable XML-RPC is to use one of the plugins in the WP repository, such as the Disable XML-RPC Pingback plugin by Samuel Aguilera. And because this plugin doesn’t totally disable the protocol yet stops the pingback abuse, you should still be able to run mobile apps and Jetpack.
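One way to take the functions.php route mentioned above while leaving the rest of XML-RPC available is sketched here. This is an added example, not code from the original post or from the plugin; it relies on the WordPress core hooks `xmlrpc_methods`, `wp_headers` and `xmlrpc_enabled`.

```php
<?php
// Added example for a theme's functions.php (or a small site-specific plugin).
// It removes only the pingback methods from the XML-RPC server, so other
// XML-RPC clients such as Jetpack and the mobile apps keep working.

// Unregister the pingback methods that xmlrpc.php would otherwise serve.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the pingback endpoint in the HTTP response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Caveat: add_filter( 'xmlrpc_enabled', '__return_false' ) only switches off
// the XML-RPC methods that require authentication. pingback.ping is
// unauthenticated, so that filter on its own does not stop pingback abuse.
```

Code placed in a theme's functions.php stops applying when the theme is switched, which is one reason a plugin is the more durable place for it.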
In addition to disabling the XML-RPC protocol, the hosting company also recommended a couple of other measures which I’ve previously written about. Always make sure your software is updated (e.g. have the current release of WordPress installed and the latest versions of your plugins and themes). Also, for WordPress sites, it’s recommended that you install a caching plugin, such as W3 Total Cache, to have your website run faster.
Since disabling XML-RPC pingbacks, my resource usage is back to normal levels. So remember, if you get a notice from your web host concerning high resource usage, it very well may not be your fault but instead some malicious attack. Be sure to contact your web hosting company immediately so they can work with you to solve the problem.