Master Terminal Guide to Optimize and Secure 100+ WordPress Sites on WHM/cPanel (Fix High CPU & PHP-FPM Load)


Below is a Master Terminal Guide to reduce CPU load across ~100 WordPress sites under /home on WHM/cPanel.

Based on your process output, the main issue is many PHP-FPM WordPress pools consuming CPU at once, especially pools like gurukulgalaxy_com, theaiops_com, meraapnabihar_com, surgeryplanet_com, and others.


Master Guide: Fix 100 WordPress Sites Under /home

0. Become root

sudo -i
cd /home

1. Create working folder

mkdir -p /root/wp-bulk-fix
cd /root/wp-bulk-fix

2. Find all WordPress installs

find /home -type f -name wp-config.php > wp-config-list.txt
find /home -type f -name wp-cron.php > wp-cron-list.txt

wc -l wp-config-list.txt
wc -l wp-cron-list.txt

The two counts should match (one wp-config.php and one wp-cron.php per install). View the list and take out anything that is not a live site before going on, because every later step loops over these files: old copies in backup folders, staging clones, and any wp-config.php that sits outside a served document root.

View list:

cat wp-config-list.txt

3. Backup all wp-config.php

Keep the copies outside the document roots. A file named wp-config.php.bak.2025-01-01 left next to the original is not matched by the PHP handler (which only matches names ending in .php), so Apache serves it as plain text and the database credentials are one GET request away. The loop below mirrors each file's path under /root/wp-bulk-fix/backups instead:

mkdir -p /root/wp-bulk-fix/backups
while read -r file; do
  dest="/root/wp-bulk-fix/backups${file}.bak.$(date +%F-%H%M%S)"
  mkdir -p "$(dirname "$dest")"
  cp -p "$file" "$dest"
  echo "Backed up: $file -> $dest"
done < wp-config-list.txt

4. Disable WP-Cron safely

This adds:

define('DISABLE_WP_CRON', true);

before the line that requires wp-settings.php. The position matters: the cron spawn is triggered while wp-settings.php loads, so a define placed after that require is read too late and changes nothing.

while read -r file; do
  if grep -q "DISABLE_WP_CRON" "$file"; then
    echo "Already exists: $file"
  elif grep -q "require.*wp-settings\.php" "$file"; then
    sed -i "/require.*wp-settings\.php/i define('DISABLE_WP_CRON', true);" "$file"
    echo "Updated: $file"
  else
    echo "Skipped, no wp-settings.php found: $file"
  fi
done < wp-config-list.txt

The "Already exists" branch only checks that the string is present: a site that already carries define('DISABLE_WP_CRON', false), or a commented-out define, is reported as done. Look at those files by hand.

Verify. Check only the listed config files; a recursive grep over /home is slow on 100 sites and also counts plugin code that merely mentions the constant:

xargs grep -l "DISABLE_WP_CRON" < wp-config-list.txt | wc -l

5. Create real server cron for all WordPress sites

Two things matter here. First, do not run the sites' PHP as root: a root crontab line that runs /usr/local/bin/php /home/user/public_html/wp-cron.php executes every plugin on the box with root privileges every ten minutes, and any cache files PHP writes end up owned by root. Run each job as the file's owner instead. Second, do not give all 100 sites the same schedule, or they all fire in the same second and recreate the CPU spike you are trying to remove; spread them across the ten-minute window.

Generate cron file (run this once; running it again appends duplicate lines):

cat > /root/wp-bulk-fix/wp-cron-jobs.txt <<'EOF'
# WordPress real cron jobs (one per site, run as the site owner, staggered by minute)
EOF

i=0
while read -r file; do
  user=$(stat -c %U "$file")
  minute=$(( i % 10 ))
  echo "$minute-59/10 * * * * /usr/sbin/runuser -u $user -- /usr/local/bin/php $file >/dev/null 2>&1" >> /root/wp-bulk-fix/wp-cron-jobs.txt
  i=$(( i + 1 ))
done < wp-cron-list.txt

/usr/local/bin/php is the server default PHP binary. If a domain is pinned to another version in MultiPHP Manager, point its line at that version's CLI binary (for example /opt/cpanel/ea-php82/root/usr/bin/php) so cron runs the same PHP as the web requests. Multisite installs need the site URL to select the right blog; for those, request https://<domain>/wp-cron.php?doing_wp_cron with curl or wget instead of invoking the file directly.

Review:

cat /root/wp-bulk-fix/wp-cron-jobs.txt

Install into root crontab:

crontab -l > /root/wp-bulk-fix/root-cron-backup.txt 2>/dev/null

cat /root/wp-bulk-fix/root-cron-backup.txt /root/wp-bulk-fix/wp-cron-jobs.txt | crontab -

Verify:

crontab -l | grep -c wp-cron.php
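The ordering rule in step 4 is easy to get wrong by hand, and a define that lands after the require fails silently. The helpers below are an added example, not code from the original guide: wp_cron_define_ok rejects a wp-config.php unless it has exactly one active define('DISABLE_WP_CRON', true) above the wp-settings.php require, and cron_line_for builds the staggered, run-as-owner cron line from step 5. The sample configs are constructed inline; the user name, paths and the runuser invocation are assumptions.

```bash
#!/bin/bash
# Added example (not from the original guide): audit helpers for the WP-Cron change.

# Returns 0 when FILE contains exactly one active define('DISABLE_WP_CRON', true)
# and it appears before the wp-settings.php require. Prints the reason otherwise.
wp_cron_define_ok() {
  local file="$1" defines require_line count
  # Line numbers of uncommented defines that set the constant to true.
  defines=$(grep -nE "^[[:space:]]*define\([[:space:]]*['\"]DISABLE_WP_CRON['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$file" | cut -d: -f1)
  # First uncommented require of wp-settings.php (WordPress boots, and spawns cron, from there).
  require_line=$(grep -nE "^[[:space:]]*require(_once)?.*wp-settings\.php" "$file" | head -n1 | cut -d: -f1)
  if [ -z "$require_line" ]; then
    echo "no wp-settings.php require: $file"; return 1
  fi
  count=$(printf '%s\n' "$defines" | grep -c .)
  if [ "$count" -ne 1 ]; then
    echo "expected one active define, found $count: $file"; return 1
  fi
  if [ "$defines" -ge "$require_line" ]; then
    echo "define comes after the wp-settings.php require, so it has no effect: $file"; return 1
  fi
  return 0
}

# Cron line for the INDEX-th site, run as USER (assumed to own the install) via runuser.
# Minute offset is INDEX mod 10, so ten sites share each slot instead of all firing together.
cron_line_for() {
  local index="$1" user="$2" file="$3"
  printf '%s-59/10 * * * * /usr/sbin/runuser -u %s -- /usr/local/bin/php %s >/dev/null 2>&1\n' \
    "$(( index % 10 ))" "$user" "$file"
}

# Constructed sample configs (not real sites) showing both outcomes.
demo() {
  local tmp; tmp=$(mktemp -d)
  printf '%s\n' '<?php' "define('DB_NAME', 'example');" "define('DISABLE_WP_CRON', true);" \
    "require_once ABSPATH . 'wp-settings.php';" > "$tmp/good.php"
  printf '%s\n' '<?php' "require_once ABSPATH . 'wp-settings.php';" \
    "define('DISABLE_WP_CRON', true);" > "$tmp/late.php"
  wp_cron_define_ok "$tmp/good.php" && echo "good.php: OK"
  wp_cron_define_ok "$tmp/late.php" || echo "late.php: rejected"
  cron_line_for 13 alice /home/alice/public_html/wp-cron.php
  rm -rf "$tmp"
}

demo
```

Run wp_cron_define_ok over wp-config-list.txt after step 4 and fix any file it rejects before installing the cron lines; a site that fails the check still spawns WP-Cron on every page view and will now also run the server cron, doubling the work rather than halving it.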

6. Block xmlrpc.php globally using Apache include

This is safer than editing 100 .htaccess files. A <Files> block in server context applies to every virtual host, which is the point, so first check whether any site actually needs XML-RPC: Jetpack, the WordPress mobile apps and some remote-publishing tools talk to a site only through xmlrpc.php. A site that needs it can re-enable it in its own .htaccess with a matching <Files "xmlrpc.php"> block containing Require all granted.

Create Apache security include:

cat > /etc/apache2/conf.d/wp-xmlrpc-block.conf <<'EOF'
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF

Test Apache config:

apachectl configtest

Restart Apache:

/scripts/restartsrv_httpd

Then request /xmlrpc.php on any of the sites; it should now answer 403.

7. Protect WordPress login from brute force

Rate limiting belongs in a layer that can count failures per source address (CSF/LFD, Imunify360, or Cloudflare), not in a static Apache rule. Leave a note in the include directory so the next admin knows where that protection lives; the file contains only comments and changes nothing in Apache:

cat > /etc/apache2/conf.d/wp-login-rate-limit-note.conf <<'EOF'
# WordPress login protection should be handled with CSF/LFD, Imunify360, or Cloudflare.
# Avoid blocking wp-login.php globally unless you whitelist your own IP,
# because it can lock out real site admins.
EOF
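For the case the note allows, a global rule that only admits known admin networks, here is an added example of how to generate that include; it is not from the original guide. The output path and the addresses are placeholders (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and it assumes you, not 100 separate customers, administer every site on the box. If customers log in from their own addresses, place the same block in a single domain's include under /etc/apache2/conf.d/userdata/ instead of the global directory.

```bash
#!/bin/bash
# Added example (not from the original guide): write an Apache include that limits
# wp-login.php to listed admin networks. Path and IPs are placeholders.
write_wp_login_allowlist() {
  local out="$1"; shift
  if [ "$#" -eq 0 ]; then
    # A block with no Require lines would be the fastest way to publish a file
    # that admits nobody, so refuse to write anything rather than an empty list.
    echo "refusing to write $out: no admin IPs given" >&2
    return 1
  fi
  {
    echo '# wp-login.php is only reachable from the admin networks listed below.'
    echo '# Behind Cloudflare or another proxy, Apache sees the proxy address unless'
    echo '# mod_remoteip is configured, and this block would then lock out everyone.'
    echo '<Files "wp-login.php">'
    echo '    <RequireAny>'
    for net in "$@"; do
      echo "        Require ip $net"
    done
    echo '    </RequireAny>'
    echo '</Files>'
  } > "$out"
}

# Usage on the server, followed by: apachectl configtest && /scripts/restartsrv_httpd
# write_wp_login_allowlist /etc/apache2/conf.d/wp-login-allowlist.conf 203.0.113.10 198.51.100.0/24
```

Require ip accepts single addresses and CIDR ranges, and <RequireAny> makes any listed network sufficient. Test from an address outside the list before you walk away from the console, and keep the configtest step: a typo in this file takes every site down at the next restart.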

8. Find most CPU-heavy PHP-FPM pools

Run anytime. The [p] in the pattern stops grep from matching its own command line, which otherwise shows up in the output as a bogus php-fpm row:

ps -eo pid,user,%cpu,%mem,args --sort=-%cpu | grep "[p]hp-fpm" | head -50

Also summarize pool names. Note that this counts processes per pool, not CPU; a pool with many idle children ranks above a pool with one child pegged at 100%:

ps -eo args --sort=-%cpu | grep "[p]hp-fpm: pool" | awk -F'pool ' '{print $2}' | sort | uniq -c | sort -nr | head -30
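Since the summary above ranks pools by process count, here is an added example (not from the original guide) that sums %cpu per pool instead, which is what you actually want to know before tuning step 9. It reads the two-column output of ps -eo %cpu,args; the sample rows in the block are constructed, not captured from a real server, and the pool names are taken from the page.

```bash
#!/bin/bash
# Added example (not from the original guide): rank PHP-FPM pools by total CPU,
# not by process count. Input is the output of: ps -eo %cpu,args --no-headers

cpu_by_pool() {
  # $1 is %cpu; the pool name is whatever follows "pool " in the process title.
  # Master processes and non-php-fpm rows carry no "php-fpm: pool " and are skipped.
  awk '
    /php-fpm: pool / {
      split($0, parts, "pool ")
      pool = parts[2]
      sub(/[[:space:]]+$/, "", pool)
      cpu[pool]   += $1
      procs[pool] += 1
    }
    END {
      for (p in cpu) printf "%6.1f %3d %s\n", cpu[p], procs[p], p
    }' | sort -rn
}

# Constructed ps output (not captured from a real server) for the demonstration.
sample_ps_output() {
  printf '%s\n' \
    ' 1.5 php-fpm: master process (/opt/cpanel/ea-php82/root/etc/php-fpm.conf)' \
    '12.0 php-fpm: pool gurukulgalaxy_com' \
    ' 8.5 php-fpm: pool gurukulgalaxy_com' \
    ' 3.0 php-fpm: pool theaiops_com' \
    ' 0.0 /usr/sbin/httpd -k start'
}

# Columns: total %cpu, process count, pool. Live use on the server:
#   ps -eo %cpu,args --no-headers | cpu_by_pool | head -20
sample_ps_output | cpu_by_pool
```

One ps snapshot is noisy. Run it a few times a minute apart (or wrap it in watch) and tune the pools that stay at the top, not the one that happened to be serving a request when you looked.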

9. Tune PHP-FPM from WHM, not directly

Do not edit generated PHP-FPM files manually; cPanel regenerates them and your edit disappears.

Use:

WHM → MultiPHP Manager → User Domain Settings → PHP-FPM Settings

cPanel pools already run with pm = ondemand, so the three settings exposed there are the ones that matter. For heavy sites set:

pm = ondemand
pm.max_children = 2
pm.max_requests = 50
pm.process_idle_timeout = 10

For normal sites:

pm = ondemand
pm.max_children = 5
pm.max_requests = 100
pm.process_idle_timeout = 10

max_children is a hard cap on concurrent requests for that site. With 2, a third simultaneous request waits in the listen backlog, and on a busy site that shows up as slow pages, 503s or timeouts in its error log. Treat these numbers as starting points: watch the per-pool CPU and the site's error log afterwards and raise max_children for any site that throttles. If you need to script the change for many domains, the supported per-domain file is /var/cpanel/userdata/<user>/<domain>.php-fpm.yaml, applied with /scripts/php_fpm_config --rebuild.

Restart:

/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

10. Find suspicious WordPress files

Recent PHP changes:

find /home -type f -name "*.php" -mtime -7 -ls | head -200

Attackers routinely reset mtime with touch, so repeat the search with -ctime -7: ctime changes on every inode update and cannot be set with touch.

Known bad names:

find /home -type f \( \
-name "wp-vcd.php" -o \
-name "wso.php" -o \
-name "r57.php" -o \
-name "c99.php" -o \
-name "alfanew.php" -o \
-name ".xtmp_*.php" \
\) -ls

Do not delete blindly. First move to quarantine, and write down where each file came from, because moving everything into one flat folder loses the path you need to restore a false positive or to work out which site was hit:

mkdir -p /root/wp-bulk-fix/quarantine

Example:

mv /path/to/suspicious.php /root/wp-bulk-fix/quarantine/
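The name list only catches shells that keep their stock file names. Below, as an added example that is not part of the original guide, are two checks that do not depend on names, plus a quarantine step that keeps the original path and records a hash. The marker regex, the directory layout and the manifest format are my choices; the files in the demonstration are constructed, not taken from a real site.

```bash
#!/bin/bash
# Added example (not from the original guide): name-independent triage for step 10.

# 1. PHP under wp-content/uploads. WordPress only writes media there, so any PHP
#    file in that tree was put there by something else.
php_in_uploads() {
  find "$1" -type f -path '*/wp-content/uploads/*' \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. eval() fed straight from a decoder: the shape of most dropped shells.
#    Legitimate code can match too, so this is a review list, not a delete list.
webshell_candidates() {
  grep -rlE --include='*.php' \
    'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes)' \
    "$1" 2>/dev/null
}

# 3. Quarantine preserving the original path (so it can be restored) and recording
#    sha256 and mtime in a manifest (so the hash can be shared or looked up later).
quarantine() {
  local file="$1" qdir="$2" dest
  dest="$qdir$file"
  mkdir -p "$(dirname "$dest")"
  printf '%s %s %s\n' "$(sha256sum "$file" | cut -d' ' -f1)" "$(stat -c %Y "$file")" "$file" \
    >> "$qdir/manifest.txt"
  mv "$file" "$dest"
}

# Demonstration on constructed files (not a real site), then cleanup.
demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/home/alice/public_html/wp-content/uploads/2024" "$tmp/home/alice/public_html/wp-includes"
  printf '%s\n' '<?php eval(base64_decode($_POST["x"]));' > "$tmp/home/alice/public_html/wp-content/uploads/2024/img.php"
  printf '%s\n' '<?php echo "hello";' > "$tmp/home/alice/public_html/wp-includes/ok.php"
  echo "PHP in uploads:";   php_in_uploads "$tmp/home"
  echo "Decoder-fed eval:"; webshell_candidates "$tmp/home"
  quarantine "$tmp/home/alice/public_html/wp-content/uploads/2024/img.php" "$tmp/quarantine"
  cat "$tmp/quarantine/manifest.txt"
  rm -rf "$tmp"
}

demo
```

On the real server call php_in_uploads /home and webshell_candidates /home, read the hits, and pass only the ones you are sure about to quarantine with /root/wp-bulk-fix/quarantine as the second argument. A quarantined file that turns out to be legitimate goes back with a single mv using the path in manifest.txt.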

11. Remove exposed PHPUnit from public sites

PHPUnit is a development dependency; it only ends up on a production site when a plugin or theme was deployed with its vendor/ tree intact. Old releases ship src/Util/PHP/eval-stdin.php, which executes the body of a POST request as PHP, so a copy reachable over HTTP is a remote shell for anyone who scans for it.

First list:

find /home -type d -path "*/vendor/phpunit" -ls

Backup list:

find /home -type d -path "*/vendor/phpunit" > /root/wp-bulk-fix/phpunit-dirs.txt

Remove only after review. The case guard refuses anything that is not a /home/.../vendor/phpunit path, so a stray or edited line in the list cannot turn rm -rf loose on something else:

while read -r dir; do
  case "$dir" in
    /home/*/vendor/phpunit)
      rm -rf "$dir"
      echo "Removed: $dir" ;;
    *)
      echo "Skipped (unexpected path): $dir" ;;
  esac
done < /root/wp-bulk-fix/phpunit-dirs.txt

If a plugin really does load PHPUnit at runtime (it should not), the removal shows up as a fatal error in that site's error log, and the fix is to restore it from the site's backup and deny HTTP access to its vendor/ directory instead.

12. Restart services

/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

Nothing above changes the database server, so do not restart MariaDB as part of this routine: on a shared host it drops every site's connections at once. If you ever do need it, use cPanel's wrapper, /scripts/restartsrv_mysql, rather than calling systemctl directly, so the restart goes through cPanel's service handling.

13. Monitor after changes

watch -n 5 'ps -eo user,pid,%cpu,%mem,args --sort=-%cpu | head -30'

Check load:

uptime
free -h

Check Apache/PHP errors. PHP-FPM keeps its own log per PHP version under /opt/cpanel/ea-php*/root/usr/var/log/php-fpm/error.log; that is where max_children warnings and pool failures from step 9 appear:

tail -f /usr/local/apache/logs/error_log

14. Rollback WP-Cron change if needed

To remove the line (the list from step 2 is reused so only the files you changed are touched):

while read -r file; do
  sed -i "/DISABLE_WP_CRON/d" "$file"
  echo "Rolled back: $file"
done < /root/wp-bulk-fix/wp-config-list.txt

This deletes every line that mentions DISABLE_WP_CRON, including one a site owner had added themselves. If that matters, restore the step 3 backup copies instead.

Restore old root crontab (this also drops the wp-cron.php lines from step 5, so WP-Cron is back to being spawned by page views):

crontab /root/wp-bulk-fix/root-cron-backup.txt

Best execution order

Do this order:

1. Find all wp-config.php
2. Backup wp-config.php
3. Disable WP-Cron
4. Add real cron jobs
5. Block xmlrpc.php globally
6. Tune PHP-FPM for top CPU pools
7. Scan suspicious PHP files
8. Remove exposed PHPUnit
9. Restart services
10. Monitor CPU

Biggest impact will come from:

WP-Cron disable + real cron
xmlrpc.php block
PHP-FPM max_children reduction
WordPress caching
bot protection

For your server, start with the top CPU pools first: gurukulgalaxy_com, theaiops_com, meraapnabihar_com, surgeryplanet_com, and bhaso_com.