-1

recently we moved to a new host (DO) for one of my client after being on a shared account .

I was monitoring the cpu and it was always at 100% , knowing that the site dosnt get a lot of traffic , decided to check the access log and i saw the following (1-5 queries / second) NO STOP .

I removed my domain and added example.com

10.17.0.2 - - [19/Nov/2016:09:41:15 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47448 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:21 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:22 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:16 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47445 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:16 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47472 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:22 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:23 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:17 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47412 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:17 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47438 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:24 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:24 +0000] "GET /http://example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 301 550 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:18 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47426 "-" "WordPress/4.3.6; http://example.com"
10.17.0.2 - - [19/Nov/2016:09:41:18 +0000] "GET /http:/example.com/wp-content/themes/jupiter/assets/stylesheet/min/critical-path.css HTTP/1.0" 404 47446 "-" "WordPress/4.3.6; http://example.com"

And whenever i restart apache it goes back to normal for few minutes then the flood starts again .

I remarked the followings :

IPS that request this are (10.17.0.2 , 127.0.0.1 , server ip , 37.1.213.192)

The files does exist and when try to access it i only see GET /wp-content/...

Sometime the request is http:/example (1 slash) and sometime its http://example

How can i stop this mess ?

enter image description here

Frederik
  • 3,359
  • 3
  • 32
  • 46
Tarek
  • 101
  • 5
  • 1
    In nginx I'd create a location block and return 404 directly, so it didn't hit PHP. There will be a way to do this in Apache but I don't know what it is - htaccess perhaps. I'd then try changing the Wordpress theme and see if it stops, if not I'd try disabling plugins. Basically it's a process of elimination. – Tim Nov 22 '16 at 19:42

1 Answers1

0

As far as I know, wordpress catches 404 errors via PHP, which is very expensive. In order to prevent this request hitting your PHP you have following options:

  • Create file, which returns 404 so apache returns empty file
  • Block this request via .htaccess
Yarik Dot
  • 1,583
  • 12
  • 26
  • what i wanted to know is how this is being called and from internal ip's + for some reason it's being called from : GET /http:/domain.com/ while real request do not add the "domain.com" – Tarek Nov 19 '16 at 11:15