I host(ed) several WordPress sites on Siteground. All of them are low-traffic sites and use between 40 and 1000 CPU seconds per day — nothing to brag about. So I was surprised the other day when I got an email from Siteground saying they were taking all of the sites offline because I had gone over my monthly quota for CPU seconds. I had to pay money to upgrade my account to keep the sites online.
I looked at the logs, and I did see that one of the sites was using around 100,000 CPU seconds per day. It’s not a well-known site, and it is a contest website that isn’t even running the contest right now. My first thought was that it must be the website’s podcast that I started recently, and that it was so popular that thousands of people were streaming my mp3 files which were hosted on the site. So I offloaded the media files to a proxied Amazon S3 bucket, and hoped that would solve the problem. It did not.
The MailPoet Cron Job Was the Problem
So I combed through the access logs, and I found that the problem was the MailPoet cron job. Mailpoet is an email newsletter system for WordPress that integrates very well with WooCommerce and the WordPress system as a whole.
There is a recommended setting in MailPoet to run their PHP cron job every time there is a visitor to the site.
I use this setting on another website too, and I haven’t ever had any problems with this.
Google Bot Caused the Cron Job Attack
The log files looked something like:
220.127.116.11 mywebsite.com - [31/Mar/2022:22:29:48 +0000] "POST /?mailpoet_router&endpoint=cron_daemon&... "MailPoet Cron" ...
The IP address every time was 18.104.22.168. I did a lookup, and this is a Google IP address. I wonder why Google was doing this to the site.
The first thing I did was to change that cron job setting to make it run server side.
I copied and pasted the code starting with
php into the Siteground section in Site Tools called Dev >> Cron Jobs
At a very infrequent interval. Like I said, the site isn’t really being used a lot right now.
I also blocked that Google IP address in my Wordfence settings.
I did the work around 6pm, and you can see by 9pm how drastically the CPU seconds dropped off.
I’d like to report that Siteground was compassionate, and after understanding that I had quickly solved the issue, they refunded me the cost to upgrade my account and let me downgrade to where I was before.
I still don’t know why Google was doing this to this one site.