IMPORTANT: Projected Overage Charges – GPU

In the last few days and weeks we have had a lot of our clients who run WordPress saying they’ve received warnings and additional bills from their web hosting providers for excessive GPU usage. This article will explain what’s going on, how we sorted it out and how you can too.

Here is an extract from an example email from Media Temple …

IMPORTANT: Projected Overage Charges – GPU

This is a notice to inform you that your Grid-Service GPU (Grid Performance Unit) usage for the current billing cycle is projected to exceed the amount included with your purchased plan. Please review the information below as your account will be charged if you exceed the GPUs included with your Grid-Service.

Please note that this is only a projection, as determined by an automated analysis of your Grid-Service. It is entirely possible that, if this pattern of high resource usage continues, you may be liable for substantially higher overages than those currently anticipated by this projection.

Whilst this notification is quite worrying to say the least, let’s break it down. What they are saying is that your website or websites are using more than your allotted GPUs and that it’s likely that if this continues you will be charged for the overage.

So, what is a GPU?

Well, it’s not bandwidth (data your server uploads and downloads) or your storage limit, both measured in GB (gigabytes). A GPU is a measurement of processor (CPU) use on your web server. Every time a page on your WordPress website is accessed, the page has to be created by the web server and this puts load on your web server’s processor.

So, what’s going on?

We had a look at the stats on the server for the websites in question and saw that a pattern quickly formed showing the following scripts that were being run hundreds (and in some cases thousands) of times …

  • /wp-login.php
    This is the login page for WordPress; hundreds or thousands of hits to this page are not normal and are almost certainly a brute force attempt to hack the admin password. We needed to find a way to completely block this page without denying legitimate access to the WordPress control panel.
  • /wp-admin/admin-ajax.php
    This is a WordPress core feature which is used to provide functionality to the control panel when things happen without you going to another page. Features include (but are not limited to) automatic saving of posts, updating of plugins on the plugin page and viewing of the media library when adding media to a page. In theory this script can be blocked when the WordPress control panel is not in use but some WordPress Themes and Plugins also make use of this file.
  • /wp-cron.php
    This is a WordPress core feature which is used to perform scheduled tasks in the background. Tasks include (but are not limited to) scheduling of posts to go live in the future and automatic updates of the WordPress core. If you’re not too bothered about scheduled posts and you manually keep your WordPress core up-to-date, you can probably block this script; however, popular plugins like Wordfence make use of it to keep an eye on your website and inform you when things need attention.
  • /xmlrpc.php
    This is a WordPress core feature which allows users to publish to their WordPress website remotely. This feature has been abused in the past and has been used to brute force admin passwords. If you don’t use another program to publish content to your WordPress website then we believe you should block this script.
  • /robots.txt
    This file tells search engines what can and can’t be crawled and indexed from your website. So excessive hits to this file are quite normal but can be very detrimental to the load on your server if the file doesn’t exist. Why? Because WordPress will create an automatic version of this file which fires up the entire WordPress core to in turn serve a very small file. So, if you don’t have a robots.txt file, you may as well block access to it.
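
The log review described above can be reproduced with a short script. This is an added example, not the authors' tooling: it assumes an Apache/nginx "combined" format access log, the threshold of 100 hits is an arbitrary assumption, and the sample lines are constructed (documentation-range IP addresses).

```python
import re
from collections import Counter, defaultdict

# The five scripts the article found being hit hundreds or thousands of times.
WATCHED = {"/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-cron.php",
           "/xmlrpc.php", "/robots.txt"}

# "combined" log format: client IP first, then the quoted request line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3} ')

def summarize(lines, threshold=100):
    """Return {path: {"hits", "clients", "posts", "flagged"}} for watched paths."""
    hits, posts, clients = Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than crash
        # Drop the query string and collapse duplicate slashes so that
        # "//wp-login.php?action=x" is counted as "/wp-login.php".
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0])
        if path not in WATCHED:
            continue
        hits[path] += 1
        clients[path].add(m["ip"])  # many distinct clients = distributed attempt
        if m["method"] == "POST":
            posts[path] += 1        # POSTs to wp-login.php are login submissions
    return {p: {"hits": hits[p], "clients": len(clients[p]), "posts": posts[p],
                "flagged": hits[p] >= threshold} for p in hits}

def sample_log():
    """Constructed sample: 120 login POSTs from 40 addresses plus normal traffic."""
    fmt = '{ip} - - [10/Jan/2024:10:00:{s:02d} +0000] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip=f"203.0.113.{i % 40 + 1}", s=i % 60,
                        req="POST /wp-login.php") for i in range(120)]
    lines += [fmt.format(ip="198.51.100.7", s=i, req="GET /robots.txt")
              for i in range(3)]
    lines.append(fmt.format(ip="192.0.2.10", s=5,
                            req="GET //wp-login.php?action=lostpassword"))
    lines.append(fmt.format(ip="192.0.2.10", s=6, req="GET /about/"))
    lines.append("garbage line that is not in combined format")
    return lines

if __name__ == "__main__":
    report = summarize(sample_log())
    for path, s in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        mark = "  <-- investigate" if s["flagged"] else ""
        print(f'{s["hits"]:6d} hits {s["clients"]:4d} clients '
              f'{s["posts"]:5d} POSTs  {path}{mark}')
```

A high hit count on wp-login.php spread across many client addresses, almost all of it POSTs, is the pattern the article describes; a high count on robots.txt with few clients is more likely ordinary crawler traffic.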

So, how did we fix it?

Well, the most important thing to do was to prevent wp-login.php from being accessed. And we don’t mean limiting the number of times this file can be viewed before the system locks a hacker out (which other popular security plugins do) but actually stopping WordPress from showing the page at all when the default login page is accessed. This is because when hackers use multiple IP addresses to perform a brute force attack on a WordPress website, this has the same effect as a DDoS attack, and so to prevent the server being overloaded the WordPress site has to completely ignore these requests.

We decided to develop a plugin (which you can download here) which would do exactly that. We did look at existing plugins but none did the job we required. Some would limit the number of login attempts, some would redirect the login page to the home page.

Our plugin, Block wp-login, completely prevents WordPress from seeing any attempts to access wp-login.php by telling the server to put a “403 Forbidden” response on any requests to this page. The plugin then creates a completely new and “secret” login page and lets the WordPress administrators know what the new login is.

Installing and configuring this plugin immediately solves the problem of load on the server caused by multiple hits to the wp-login.php page and in turn helps to limit the hits on wp-cron.php.

The plugin also optionally lets you block access to admin-ajax.php, wp-cron.php, xmlrpc.php and robots.txt.

Feel free to use our plugin and to contact us if you run into problems, find a bug or want to suggest a new feature.

… and don’t forget to leave us a review if you like it!