A few months ago I bought the mabboud.net domain so my Java library’s package names wouldn’t have a tacky looking ‘sourceforge’ or ‘github’ in them (since Maven Central required you to prove you own the domain). So since I had the domain I decided to setup this site WordPress even though I wasn’t actually intending on blogging yet.
Just a bit after that I posted some images from here on a message board and that small load started causing errors that turned out to be memory issues. So I followed this wonderful guide on making WordPress stable on a micro instance here. Which helped a lot but I ran into a couple extra things it’s didn’t mention.
XML-RPC attacks cause DoS attack like effects
Since micro instances have CPU credits that run away if there’s a sustained greater than 10% CPU load on your instance you’re going to deplete your CPU credit and the server will be extremely slow. A few weeks before launching my blog I ran into this problem with my CPU credits depleting, initially I reasoned maybe my images I posted to the online message board were getting more traffic than before. So I deleted the images and rebooted and the problem briefly went away but came back soon. Of course I initially thought maybe it was a DOS attack but my server didn’t really have any content and there was no way anyone already held a grudge against it so I partially ruled a DOS attack out. But then I did what I should have done from the start and just looked at the apache access logs.
Turns out a single script kiddie/attacker from a single IP address who was only trying to break into my server with a XML-RPC attack was causing a constant 15% load on the server which drained CPU credits making it unresponsive and effectively taking down the server.
So add blocking XML-RPC access to your list of mandatory things you need to do to run WordPress on a EC2 micro server.
Unless you need JetPack You can block completely by adding the following to the end of your .htaccess file (usually at /var/www/html/.htaccess)
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 220.127.116.11 </Files>
CloudFront config issue
The guide linked above skipped setting up cross origin stuff for CloudFront. So if you do the CloudFront config as stated you’re going to get origin access errors for at least fonts. Making your site slightly less pretty or even causing missing icons since many themes use font awesome.
To fix, in the CloudFront’s distro behaviors and add origin to whitelist headers and select the ‘GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE’ radio option
Header set Access-Control-Allow-Origin "*"
Max daily active users
Yesterday and today my post on Things I Learned About Fonts which I thought wouldn’t get that much traffic ended up getting 3500 users today(and still rising), mostly from reddit /r/programming. I think the above making wordpress stable link says that the micro instances would likely not work if you had 1000+ daily active users. However your micro instance can definitely handle more than that for just a day, the CPU load never went above 30% for me and judging by the 30 credits lost over the first 24 hours with the 100 remaining CPU credits it could last 3 more days of that load if for some bizarre reason that post remained popular.
Initially when the load started I noticed it was being a little sluggish occasionally so I bumped my max apache workers up a little from that guides recommended 10 to 25 which stabilized things.
<IfModule prefork.c> ... MaxSpareServers 15 MaxClients 25 ... </IfModule>
Regret for not just using DigitalOcean
I went with AWS since I’m silly and Amazon is shiney making me want to use it and I already use it for CodeCommit. My last short lived blog was on DigitalOcean so I was already aware of it and it’s similar prices. I was also aware of the whole CPU credit thing but I really didn’t think I’d get that much traffic anytime soon, reddit proved me wrong. Before I write more posts that maybe might get more traffic like that I’m planning on moving to DigitalOcean where a $10 droplet has the same specs but no frustrating CPU credit limiting stuff.
Thank you for reading!