CPU spikes on Ubuntu using RunCloud / AWS Lightsail

I am regularly getting alerts from my AWS Lightspeed server for high CPU usage. The configuration is 2vpu, 4gb ram, 80gb ssd. I use RunCloud for server management and have around 10 very low traffic WordPress sites.

I am running WordFence on all sites with the same settings, which I have dialed in as much as possible to lower resource use and harden security. Things like locking out after 3 attempts for 2 months, setting rate limiting for crawlers and humans, low resource scanning, traffic logging in security only mode.

I am also using RunCloud's plugin which provides NGINX cache, as well as Redis object cache, and CloudFlare enabled for all sites.

Occasionally MariaDB will crash, taking down all my sites. It hasn't done this since the latest tweaks to WordFence, but I can't be sure it won't happen.

When I run 'top' I can see occasional processes running anything up to 99% from php-fpm. Some of the usage is from WordFence, but I also see a lot of the following:

Most of the time when I run (within a couple of seconds) s-trace p xxxxx I will get strace: attach: ptrace(PTRACE_SEIZE, xxxxx): No such process

When I do get a result I am seeing a lot of things like: gettimeofday({tv_sec=1691575885, tv_usec=447551}, NULL) = 0 (many results)

accept(25, 0x7ffe63704c60, [112]) = ? ERESTARTSYS (To be restarted if SA_RESTART is set) --- SIGQUIT {si_signo=SIGQUIT, si_code=SI_USER, si_pid=502, si_uid=0} --- close(25) = 0 socket(AF_UNIX, SOCK_STREAM, 0) = 4 rt_sigreturn({mask=[]}) = -1 EINTR (Interrupted system call) munmap(0x7f0b4d8ca000, 65536) = 0 ....

I also see a lot of these type of messages: newfstatat(AT_FDCWD, "/home/runcloud/webapps/xxxx/wp-content/plugins/wordfence/vendor/composer/jetpack_autoload_classmap.php", 0x7ffe636fdc20, AT_SYMLINK_NOFOLLOW) = -1 ENOENT (No such file or directory) readlink("/home/runcloud/webapps/xxxxx/wp-content/plugins/wordfence/vendor/composer/jetpack_autoload_classmap.php", 0x7ffe63702de0, 4095) = -1 ENOENT (No such file or directory)

Jetpack has been deactivated and deleted on this and all other apps, but WordFence seems to be constantly searching for it.

These processes are consuming a lot of resource and sending the server out of burstable zone very often.

Can anyone shed any light on what these mean and how to configure the server?

Since I am not a sysadmin at all, and merely trying to host some WordPress sites, I do ot know what any of this means, or what to look for. If someone can suggest whether I need to post the full output I can do so.

When I do get a result I am seeing a lot of things like: gettimeofday({tv_sec=1691575885, tv_usec=447551}, NULL) = 0 (many results)

Most likely this is being caused by an error detected in PHP. The default behaviour in Wordpress is to suppress reporting of errors - but on a typical Wordpress installation with plugins, each request can generate a LOT of errors. Note that PHP still handles the error - it just does not appear in any logs.

Wordpress describes logging as "DEBUG mode".

Jetpack has been deactivated and deleted on this and all other apps, but WordFence seems to be constantly searching for it.

Are you sure it has been removed? Via the API? Including the directory? If you don't have wpcli - get it and check.

Occasionally MariaDB will crash

hmmmm. I've run several Wordpress installations (20-40) with moderate traffic volumes and never had mysql nor mariadb crash.

If you can't get an explanation from your logs after enabling them, you might want to take a look at xhprof or excimer.