Symptoms
The server accumulates long-running WP Toolkit processes, similar to the following, that cause a high server load.
/opt/cpanel/ea-php74/root/usr/bin/php -r require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'; -d safe_mode=off -d display_errors=on -d opcache.enable_cli=off -d open_basedir= -d error_reporting=341 -d max_execution_time=60 --no-header -- --no-color --path=/home/cpusername/public_html instance info --format=json --check-updates=true
Description
WP Toolkit uses wp-cli to perform tasks, which runs the website's core WordPress files (i.e. index.php, settings.php, and wp-config.php). If these files are infected with malware, the malware will run, which can interrupt this process.
Workaround
- Access the server's command line as the 'root' user via SSH or "Terminal" in WHM.
- Run the following command to locate the WordPress installations with infected installations.
[root@server ~]cPs# ps aux|grep safe_mode=off|grep wp-toolkit|cut -f8 -d '='|cut -f1 -d ' '|sort|uniq
/home/cpusername/public_html - Take note of the accounts with infected WordPress installations.
- Run the following command to locate the running WP Toolkit processes.
ps aux | grep safe_mode | grep -v grep|awk {'print $2'}Use the kill command to terminate each Process ID found with the above command.
kill -13 $pid
Please note that "$pid" must be replaced with the Process ID to terminate.
- Restore the infected accounts from known clean backups.