WordPress hosting done right. done fast. done secure


How to solve high load on VPS for whm/cpanel and WordPress

This is one of the real problem areas of VPS hosting. You’re given certain resources on your VPS plan to manage (CPU, RAM, disk) – managed or unmanaged – in the end it’s up to you to solve if things start to crumble performance wise.

server is busy
You’ll probably notice slow sites first, then uptime robot or similar will tell you sites are intermittently offline, followed by large periods of offline.

High Load

First thing to look at is your ‘load average’ top right of when you log into whm.
loads of less than your CPU cores – is generally OK. Loads of 20-50 trouble, loads over 100 – defcon 1.
high load is either:

– disk is pegged (performance is maxed out) (see my link above)
– cpu is pegged
– ram is pegged – and your swapping , which just leads to disk being pegged.


You can attack this problem in a few ways:
1. get more analysis
2. or start trying random things (throw stuff at the wall, and see what sticks).

More analysis

– I really like newrelic. It will graph your web hits, CPU usage, Disk performance, RAM usage. There is a good chance that you’ll spot what is wrong fairly quickly. The free plan is fine for this. There is 2 component to install, the server and php agent. If you just install the server part (which is easier), you get a good amount of graphs anyway.
– run some disk performance checks.
– run ‘iostat 2’ from ssh, and see your swapping rate, disk read and write IO/second.
– have a look at this in WHM “Home »Server Status »Daily Process Log” – it might give you an idea of the account stealing CPU

Understanding hits

Hits can come from various sources :

  • real users
  • good crawlers/bots like google and bing
  • bad bots – like bauduspider – a search engine from China that doesn’t spread requests
  • hackers
  • DDoS attack

rate limiting requests

Given there are good/bad requests, and limited server resources, we need to curtail the bad requests in some way, otherwise the bad requests will eventually swamp the server.

– mod_security with owasp is a great start, and for general security of WordPress
– ban repeated wp-login requests
– ban repeated xmlrpc requests
– ban repeated 404 requests
– then rate limit tcp connection, and http requests, on the loadbalancer (haproxy). but if you don’t have this. you can do this in apache with a few different tools (apache_qos, mod_ratelimit, can also be done in mod_security)
the ‘ban repeated’ I have custom scripts, but fail2ban might be able to achieve the same result. A real hardware firewall can be of help here also.
– it can be backup plugins in WordPress competing for resources on your server
– it can be wordfence (or similar) doing daily scans in WordPress, competing for resources on your server
– it can be a noisy neighbour (some other VPS on your same server) – slightly harder to diagnose, but not impossible.

Of course, we do all of this, and more for all our customer – so you’d never need worry about it.

By on May 18th, 2016

Email or call, and we can arrange a time to chat call 0412927156 or CONTACT US TODAY!