CPU spikes and wp-admin/plugin-install.php?

[Rami M]

Hi,

I am seeing these CPU spikes (shared hosting) and I don’t have any of those plugins installed. Could it be somebody is scanning site for known vulnerabilities? And how can I block those requests using BPS pro?

Thanks.

PID CMD CPU MEM
8745 lsphp 0% 7
8747 lsphp:.../public_html/wp-admin/plugin-install.php 18% 43
8749 lsphp:.../public_html/wp-admin/plugin-install.php 8% 43
8750 lsphp:.../public_html/wp-admin/plugin-install.php 11% 45
8751 lsphp:.../public_html/wp-admin/plugin-install.php 11% 43
8752 lsphp:.../public_html/wp-admin/plugin-install.php 10% 43
8753 lsphp:.../public_html/wp-admin/plugin-install.php 9% 43
8761 lsphp:.../public_html/wp-admin/plugin-install.php 9% 41
8763 lsphp:.../public_html/wp-admin/plugin-install.php 17% 43
8764 lsphp:.../public_html/wp-admin/plugin-install.php 13% 43
8774 lsphp:.../public_html/wp-admin/plugin-install.php 23% 43
Database Queries Snapshot
CMD Duration SQL-query
No data
HTTP Queries Snapshot
Method Duration URL
GET 22.2s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=process-steps-template-designer&TB_iframe=true&width=600&height=550
GET 21.8s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=shortcodes-elements&TB_iframe=true&width=600&height=550
GET 21.8s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=post-link-shortcodes&TB_iframe=true&width=600&height=550
GET 21.8s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=display-during-conditional-shortcode&TB_iframe=true&width=600&height=550
GET 21.6s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=dobsondev-shortcodes&TB_iframe=true&width=600&height=550
GET 21.6s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=intelliwidget-elements&TB_iframe=true&width=600&height=550
GET 21.6s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=black-studio-tinymce-widget&TB_iframe=true&width=600&height=550
GET 21.5s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=acf-repeater-flexible-content-collapser&TB_iframe=true&width=600&height=550
GET 21s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=wp-testing&TB_iframe=true&width=600&height=550
GET 21s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=mp-timetable&TB_iframe=true&width=600&height=550
GET 21s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=luckywp-table-of-contents&TB_iframe=true&width=600&height=550
GET 20.9s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=post-my-contact-form-7&TB_iframe=true&width=600&height=550
GET 20.9s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=intelliwidget-per-page-featured-posts-and-menus&TB_iframe=true&width=600&height=550
GET 20.7s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=art-decoration-shortcode&TB_iframe=true&width=772&height=574
GET 19.6s http://....com/wp-admin/plugin-install.php?tab=plugin-information&plugin=custom-content-shortcode&TB_iframe=true&width=772&height=574
GET 17.5s http://....com/wp-login.php?redirect_to=https%3A%2F%2F....com%2Fwp-admin%2Fplugin-install.php%3Ftab%3Dplugin-information%26plugin%3Demail-subscribers%26TB_iframe%3Dtrue%26width%3D600%26height%3D550&reauth=1

[AITpro Admin]

This is something you are going to need to ask your web host about, but take into consideration that applications/tools/utilities that monitor and report resource usage spikes tend to make things appear to be a problem when in fact a problem does not actually exist.  I have found in my experience that these types of resource usage applications are not accurate whatsoever and portray an exaggerated picture of resource usage “spikes”.  Also it is very common for hosts to try and upsell you to a higher costing hosting package based on the results of these types of resource usage monitoring applications/tools/utilities.  So when you ask your host about what you are seeing what you really want to know is if your website performance is actually really affected negatively.  You can check your own website performance using online website speed testing websites such as Google PageSpeed Insights, Pingdom or GTmetrix.

These do not appear to be malicious or suspicious requests to the /wp-admin/plugin-install.php WordPress file.  What I suspect is being inaccurately seen by your resource usage monitoring application is that the /wp-admin/plugin-install.php WordPress file makes a connection to the WordPress API server to check things like plugin versions.  ie if plugin updates are available for a particular plugin, etc.  And is counting the API connection process to wordpress.org inaccurately.

[Rami M]

Many thanks for your reply. Hosting confirmed those are soft limits not to worry about as long as I don’t see processes being killed.

I am more concerned about all these calls. They include names of plugins not present (only one plugin from the list was there. My previous cloud firewall reported that plugin having malicious code, but I removed the install and did a clean WP install).

Are these calls still not worrying?

Thanks.

[AITpro Admin]

Yep, the plugins would not need to be present.  These are internal requests from your website (not external requests to your websites) to the WordPress API server.  Technically there is not really an official “request” going on here.  I assume you went to the WordPress Plugins Add New page where plugins are listed that are in the WordPress Plugin Repository on the wordpress.org site that can be installed from your website.  In order to list available plugins your website makes a request to the WordPress API server for plugins stored in the WordPress Plugin Repository.  I am keeping the explanation very dumbed down since going into technical details is not really necessary to do.  Bottom line these “requests” are completely normal and nothing to worry about.

[Rami M]

Many thanks for your help and for the simple explanation.

[Author]

Posts