50 things you can do to speed up your blog [WordPress Checklist] Shared Hosting High CPU Usage


Here is pretty much my “checklist” for when a host complains about high “resource point” or high CPU usage on a WordPress site. (You can download an Excel version of the checklist at the end of this post.)

Checklist of what I “Automatically” do now if a site is peaking:

  1. De-activate & Delete Un-used WordPress Plugins
  2. Delete Un-used WordPress Themes
  3. Install the following Site Protection plugins:
  4. Akismet
    Disable XML-RPC
    TimThumb Scanner
    Firewall 2
    Login Lockdown
    SpyderSpanker Pro
    Sabre (if it’s registration spam causing issue)
    Backup Creator
  5. Install the following Site Performance plugins:
    WP Crontrol
    WP-Cron Control
    Plugin Organizer
    Broken Link Checker
    Clean Options
    EWWW Image Optimizer
    WP Clean Up
    W3 Total Cache
  6. Before changing anything or configuring anything else – Backup Website (Backup Creator)
    (Tip: If you have a caching plugin, remove the cache-files from your backup program – this should make your backup much smaller and less-likely to have problems (time-out when backing up, etc.). It will also make it faster if you ever need to restore a backup.)
  7. Update any Out-of-date plugins, themes, or WordPress itself if required.
  8. Run TimThumb scanner & ensure up-to-date
  9. Replace Google Analyticator with Google Analytics for WordPress & Reconfigure
  10. Use WP Cleanup to Delete:
    – Revision Posts
    – Draft Posts
    – Auto Draft Posts
    – Spam Comments
    – Orphan CommentMeta
    – Orphan PostMeta
    – Orphan Relationships
    – Dashboard Transient Feed
  11. Use WP Cleanup to Optimize database
  12. Run Broken Link Checker once – fix/delete any broken links, then Disable & Delete the plugin
  13. Setup WP Firewall 2 to “Whitelist” my host’s cPanel IP address & my own, and configure the settings (everything is “checked” except “Block leading http:// and https://”). I choose to “redirect to homepage” rather than showing a potential hacker the error message.
  14. WP Crontrol
    – Check WP Crontrol for any cron-jobs that are running from plugins that have been uninstalled – and if so, delete
    – Check WP Crontrol for any cron-jobs that are running too often – and if so, adjust
  15. Disable WordPress Cron and replace with manual cronjobs
    – Disable cron in wp-config.php by adding this line:
    define('DISABLE_WP_CRON', true);
    – Configure WP-Cron Control and setup manual cronjob from within cPanel
  16. Configure Plugin Organizer so that the plugins that use the most amount of resources are only used on posts/pages that I specify (whatever is quickest/easiest). I also use Plugin Organizer to re-arrange the plugin load-order, and to disable plugins that are not needed in the backend, or front-end and basically lower my resource usage by only having things enabled where they need to be enabled.
  17. Run Clean Options and delete tables from the options table (always careful to delete only those tables of plugins that I “know” that I’ve uninstalled)
  18. Run images through the “bulk optimize” feature of EWWW Image Optimizer
  19. Ensure Akismet installed & setup – and clear any spam/stats out.
  20. Turn off any “automatic” backups if any are setup (they could be the cause of the spike – check logs against the date of last backup)
  21. Configure SpyderSpanker Pro to Throttle Good bots (55%) and Blacklist & redirect Bad bots back to themselves.
  22. Do a Google PageSpeed test to get hints on what else to optimize, such as:
    – Install & Configure W3 Total Cache
    – Setup a CDN (either on a sub-domain or, my preference: Amazon S3)
    – Minifying javascript & css files
    – Manually optimizing images that EWWW couldn’t access (like theme images, and any images that were not uploaded via the Media Library)
    – Manually re-sizing images to exact dimensions where they have been resized dynamically by a plugin/theme.
    – Find out which Javascript & CSS files are rather large – to decide whether it’s worth having that plugin/theme/widget or replace it with something less resource-heavy, or throttle it by disabling it in Plugin Organizer and only enabling that plugin on posts that need it, etc. (especially worth doing for Facebook, Twitter, and other Social Media related plugins)
    – Convert individual, repeating images into a single sprite image.
  23. Delete unnecessary log files from WordPress backend – (such as Akismet logs, Link-Tracking logs, any plugin that keeps any sort of logs that I don’t need or even look at)
  24. Install Exploit Scanner once to test for exploits, then disable & delete after use. (Usually only if I suspect site has been compromised, otherwise skip this step).
  25. Configure Login Lockdown and set the lockout length high and the retries low, and redirect them to the homepage instead of letting them know they got the wrong username/password.
  26. Go to cPanel > phpMyAdmin and do a manual repair & optimize of the database (backup first if you’ve never done this before). While there, check out the database: look for anything that shouldn’t be there, and check the file sizes of certain tables (do they look right, or out of control?). Note down anything that needs further investigation, and always backup the database before doing anything in here.

 

That is the exact step-by-step checklist that I follow now if I have no idea what is causing random Resource-Point spikes like the one in the image below:

[Image: cpu spike]

 

Checklist for trying to find the “Cause”:

  1. Install P3 Plugin Profiler to see what plugins are using the most resources, and see if there are any using a large amount of resources that I can remove or exchange for a more lightweight or better-coded plugin.
  2. Check 404 errors and see if there is anything odd in there that you need to investigate (thousands of visits to a specific page that doesn’t exist, visits to admin-like pages, visits to known exploits)
    – If they are pointing to a file that doesn’t exist that should – fix it.
    – If they are pointing to a file that doesn’t exist and never existed and you have no idea what it could be but it looks suspicious – consider 301 redirecting them some place else.
    – If they are pointing to admin-like pages – ensure you secure your site and find their IP and block them.
    – If they are pointing to known exploits (timthumb, etc.) – ensure your plugins are up-to-date, do your research on that particular exploit (google it) and see what you can do to prevent them from getting in.
  3. If you have SpyderSpanker, you can “watch traffic” live whilst cross-checking IPs and spiders in the Project HoneyPot API*, which might help you find some culprits and block them for good (or redirect them back to themselves). * Project Honey Pot is a worldwide project that tracks malicious bots, email harvesters, comment spammers, and other suspicious IP addresses.
  4. Ask your host to give you the lines of the “resource usage per script”. If you have root access to the server (not available on shared hosting accounts), then you can view these logs, otherwise – you’ll need your host to help by providing you with the statistics. (This helped me immensely in finding what was causing high cpu load on one of my websites – other times, it depends on what staff member you get as some provide useless information that doesn’t help at all because they are not switched-on)
  5. Check your AWstats from cPanel and see what IP addresses are the “Top” Visitors and “Top” Robots/Spiders
    – Block any suspicious IP addresses (do an ip-lookup on them or even better, search their IP on Project Honeypot)
    You can use either:
    1.) SpyderSpanker (my choice – it will also do the Honeypot lookup for you and automatically block bad guys), or
    2.) IP Filter plugin, or
    3.) Directly within your cPanel > IP Deny Manager, or
    4.) You can “try” to block them in your robots.txt file but that’s usually useless as ‘bad bots’ ignore it, or
    5.) You can block IP addresses directly within your .htaccess file [1]
  6. Block any countries that you are not targeting that are prone to hack attempts or spam (I use SpyderSpanker for this and then syndicate across to all of my sites in one click) [2]
  7. Turn on the RAW access logs archiving (cPanel > Raw Access Logs > Archive every 24 hours).
  8. Then download the Raw Access logs and see if there are any clues as to why your site is using too many resources (it might show a lot of cron jobs, or point to which files are being accessed the most which will clue you in on where to focus your energies)
  9. Check your cPanel error logs from your server and from cPanel > File Manager.
    The error logs in specific directories can also help find the cause:
    ./wp-admin/error_log will help you find any internal wordpress related errors
    ./wp-content/themes/your-theme-name/error_log will help you find any theme-related errors
    ./public_html/error_log is the main error log, etc.
    Check for any changed error logs in File Manager (sort by date to see when they were last modified) to find any clues (PHP warnings, database errors, etc.).
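
For the 404, “Top” visitor and raw-access-log checks in the list above, here is an added example (not part of the original checklist) that summarises a downloaded raw access log in Apache combined format: busiest IPs, repeated 404 paths, POSTs to wp-login.php per IP, and wp-cron.php hits. The function name `triage` is illustrative and the sample lines are constructed with documentation-range IP addresses.

```python
import re
from collections import Counter

# Apache "combined" log line: ip, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def triage(lines, top=3):
    """Summarise a raw access log: busiest IPs, repeated 404s, login POSTs, cron hits."""
    hits, not_found, login_posts = Counter(), Counter(), Counter()
    cron_hits = skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                          # truncated or non-HTTP line: count it, don't crash
            skipped += 1
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string when grouping
        hits[m["ip"]] += 1
        if m["status"] == "404":
            not_found[path] += 1
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            login_posts[m["ip"]] += 1
        if path.endswith("/wp-cron.php"):
            cron_hits += 1
    return {
        "top_ips": hits.most_common(top),
        "top_404": not_found.most_common(top),
        "login_posts": login_posts.most_common(top),
        "cron_hits": cron_hits,
        "skipped": skipped,
    }

# Constructed sample lines (documentation-range IPs), not taken from a real site
TS = '[14/Apr/2013:02:10:01 +0000]'
SAMPLE_LOG = (
    [f'203.0.113.7 - - {TS} "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"'] * 4
    + [f'198.51.100.23 - - {TS} "GET /wp-content/plugins/old/timthumb.php HTTP/1.1" 404 512 "-" "-"'] * 3
    + [f'192.0.2.1 - - {TS} "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.0" 200 0 "-" "WordPress"'] * 2
    + [f'192.0.2.44 - - {TS} "GET /about/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
       'garbled line with no request']
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it on a real log, pass `open("access.log")` (a hypothetical file name) to `triage` instead of `SAMPLE_LOG`.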

 

Tried everything? What about these:
  1. Change opt-in boxes to a third-party like Aweber/Mailchimp, etc. instead of using your host autoresponder or plugin.
  2. Do you have any large images on your pages/posts? Even if they are located on your server and not on posts/pages, Google Images and people can still ‘find’ them and download them/view them – using server resources. I use cPanel > File Manager or an FTP program to view files on my server and sort by “size” then I look at the larger files to see if there are any that are needed – maybe I still need them, in which case I can re-size them and optimize them with RIOT image optimizer.
  3. Make site W3C compliant
  4. Remove any social icons that are not needed/used.
  5. Host your mail elsewhere (Google Apps/Gmail) instead of using your host’s (your email counts in the resource usage)
  6. Remove any widgets that are not necessary. (Consider de-activating footer widgets altogether.)
  7. Ensure media like videos and mp3’s are hosted elsewhere (like YouTube).
  8. Change the amount of posts that are shown on the category/archive pages if you can. You might have it set to 10-20, you can change it down to 4-8 depending on what would be suitable for your site/audience.
  9. Replace any external images with internal images if possible (some plugins make this impossible)
  10. Got a slider on the homepage? Consider removing some images/videos from the slider to lighten the load on your homepage.
  11. If server resources are still being used and you’ve tried everything above, then consider optimizing site with CloudFlare which helps block malicious traffic if it exists.
  12. Do you have any big files on your server? Things you’ve offered to others to download, etc. ? If so, consider moving those files to Amazon S3 or a file-sharing website instead of having them download it directly from your site.
  13. In cPanel > File Manager, I usually check for any directories that may no longer be needed. (I would’ve put them there to begin with, but do I still use them? Was it an old Facebook page? Was it something I was testing? Did I install something that I no longer use? Old caching plugin data? Old plugin files? Old database backups, etc.? Be careful with this one, I don’t think I need to tell you.)

[1] Blocking IP Addresses via .htaccess

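# BAN USER BY IP
# Apache 2.2 access-control syntax (Apache 2.4 needs mod_access_compat for it).
# With "allow,deny", a matching deny line overrides "allow from all".
order allow,deny
allow from all
deny from 38.99.82.238
deny from 38.99.82.243
deny from 38.99.82.203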

[2] Block Countries via SpyderSpanker

*.bg # Bulgaria
*.by # Belarus
*.cn # China
*.cz # Czech Republic
*.ee # Estonia
*.hu # Hungary
*.kp # North Korea
*.kz # Kazakhstan
*.lv # Latvia
*.pl # Poland
*.ro # Romania
*.rs # Serbia
*.ru # Russia
*.sk # Slovakia
*.si # Slovenia
*.tr # Turkey
*.ua # Ukraine

[3] Block POST requests from bots

Protect WordPress by only allowing login requests that come directly from your own domain. The latest brute-force attack (currently taking place, April 2013) relies on sending direct POST requests right to your wp-login.php script, so requiring that a POST request come from your domain name ensures a normal human login attempt instead of an automated bot.[1]

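# Return 403 for POSTs to wp-login.php / wp-admin whose Referer is not this site
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
# Replace example.com with your own domain; https? also accepts HTTPS referers
RewriteCond %{HTTP_REFERER} !^https?://(.*)?example\.com [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]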
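
Before deploying the rule above, it helps to see which requests it would answer with 403. This added example (not from the original post or its source) is a small Python model of the rule's conditions, not Apache itself, and compares a Referer pattern limited to `^http://` with an `^https?://` variant. The request cases are constructed, and `is_forbidden` and `outcomes` are illustrative names.

```python
import re

HTTP_ONLY = r"^http://(.*)?example\.com"        # Referer pattern limited to http://
HTTP_OR_HTTPS = r"^https?://(.*)?example\.com"  # variant that also accepts https://

def is_forbidden(method, uri, referer, referer_re):
    """Model of the rule: POST AND Referer-not-ours AND (login URI OR admin URI)."""
    is_post = re.search(r"POST", method) is not None
    # The '!' prefix negates the match; [NC] makes it case-insensitive
    foreign = re.search(referer_re, referer or "", re.I) is None
    # The two REQUEST_URI conditions are joined by [OR]
    target = (re.search(r"^(.*)?wp-login\.php(.*)$", uri) is not None
              or re.search(r"^(.*)?wp-admin$", uri) is not None)
    return is_post and foreign and target

# Constructed requests: (label, method, URI, Referer header or "" when absent)
CASES = [
    ("bot POST without Referer", "POST", "/wp-login.php", ""),
    ("login form, http site", "POST", "/wp-login.php", "http://www.example.com/wp-login.php"),
    ("login form, https site", "POST", "/wp-login.php", "https://example.com/wp-login.php"),
    # A browser set to withhold Referer looks the same to the rule as the bot
    ("user whose browser omits Referer", "POST", "/wp-login.php", ""),
    ("viewing the login page", "GET", "/wp-login.php", ""),
    ("POST to another URL", "POST", "/contact/", ""),
]

def outcomes(referer_re):
    """Return {label: "403" or "pass"} for every constructed case."""
    return {label: ("403" if is_forbidden(m, u, r, referer_re) else "pass")
            for label, m, u, r in CASES}

if __name__ == "__main__":
    for name, pattern in (("http only", HTTP_ONLY), ("http or https", HTTP_OR_HTTPS)):
        print(name)
        for label, result in outcomes(pattern).items():
            print(f"  {result:4}  {label}")
```

With the http-only pattern, a genuine login from an HTTPS site is refused, and with either pattern a visitor whose browser sends no Referer is refused as well, so test a real login after adding the rule.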

Want an Excel Spreadsheet version of this page that you can use as a checklist?

Download my “Quick n Dirty” Checklist that I created in Excel (.xls) tonight:
[Download Checklist] (right-click link, save target/link as)

Sources/References:
  1. InMotionHosting – Lock Down WordPress

Penny (PennyButler.com)

One Comment

  1. Doug says:

    Thanks on your marvelous posting! I really enjoyed reading it, you could be a great author. I will remember to bookmark your blog and will often come back from now on. I want to encourage you to continue your great posts, have a nice afternoon!
