Master Terminal Guide to Optimize and Secure 100+ WordPress Sites on WHM/cPanel (Fix High CPU & PHP-FPM Load)


Below is a Master Terminal Guide to reduce CPU load across ~100 WordPress sites under /home on WHM/cPanel.

Based on your process output, the main issue is many PHP-FPM WordPress pools consuming CPU at once, especially pools like gurukulgalaxy_com, theaiops_com, meraapnabihar_com, surgeryplanet_com, and others.


Master Guide: Fix 100 WordPress Sites Under /home

0. Become root

sudo -i
cd /home

1. Create working folder

mkdir -p /root/wp-bulk-fix
cd /root/wp-bulk-fix

2. Find all WordPress installs

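# Skip /home/virtfs: cPanel bind-mounts user homes there, so every site would be listed twice
find /home -path /home/virtfs -prune -o -type f -name wp-config.php -print > wp-config-list.txt
find /home -path /home/virtfs -prune -o -type f -name wp-cron.php -print > wp-cron-list.txt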

wc -l wp-config-list.txt
wc -l wp-cron-list.txt

View list:

cat wp-config-list.txt

3. Backup all wp-config.php

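# Store the copies under /root, not beside the original: a wp-config.php.bak.* file
# in a document root can be served as plain text, database credentials included.
backup_dir="/root/wp-bulk-fix/config-backups/$(date +%F-%H%M%S)"
mkdir -p -m 700 "$backup_dir"
while read -r file; do
  cp -p --parents "$file" "$backup_dir/"
  echo "Backed up: $file"
done < wp-config-list.txt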

4. Disable WP-Cron safely

This adds:

define('DISABLE_WP_CRON', true);

before wp-settings.php.

while read -r file; do
  if grep -q "DISABLE_WP_CRON" "$file"; then
    echo "Already exists: $file"
  elif grep -q "wp-settings.php" "$file"; then
    sed -i "/wp-settings.php/i define('DISABLE_WP_CRON', true);" "$file"
    echo "Updated: $file"
  else
    echo "Skipped, no wp-settings.php found: $file"
  fi
done < wp-config-list.txt

Verify:

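# Count only the listed wp-config.php files; a recursive grep of /home also matches WordPress core files that mention the constant
xargs -d '\n' grep -l "DISABLE_WP_CRON" < /root/wp-bulk-fix/wp-config-list.txt | wc -l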
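
A count only shows that the string is present. The check below is an added example, not part of the original guide: it classifies each wp-config.php by whether an active define set to true sits before the wp-settings.php include. The function names and sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify a wp-config.php after the bulk edit in step 4.
# Prints: disabled | late | not-true | missing
cron_status() {
  file=$1
  # First active (not //- or #-commented) define of the constant, as "LINE:text".
  def=$(grep -n "^[[:space:]]*define([[:space:]]*['\"]DISABLE_WP_CRON['\"]" "$file" | head -n 1)
  # Line number of the include that boots WordPress.
  req=$(grep -n "^[[:space:]]*require.*wp-settings\.php" "$file" | head -n 1 | cut -d: -f1)
  [ -n "$def" ] || { echo missing; return 0; }
  case ${def#*:} in
    *[Tt][Rr][Uu][Ee]*) ;;
    *) echo not-true; return 0 ;;
  esac
  # A define placed after the include is read too late to take effect.
  if [ -n "$req" ] && [ "${def%%:*}" -gt "$req" ]; then
    echo late
    return 0
  fi
  echo disabled
}

# Summarise a list file (one wp-config.php path per line) as "count status".
cron_report() {
  while IFS= read -r f; do
    [ -f "$f" ] && cron_status "$f"
  done < "$1" | sort | uniq -c | sort -nr
}

# Constructed sample files, so the example runs without touching /home.
demo=$(mktemp -d)
printf "<?php\ndefine('DISABLE_WP_CRON', true);\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo/ok.php"
printf "<?php\nrequire_once ABSPATH . 'wp-settings.php';\ndefine('DISABLE_WP_CRON', true);\n" > "$demo/late.php"
printf "<?php\ndefine('DISABLE_WP_CRON', false);\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo/off.php"
printf "<?php\n// define('DISABLE_WP_CRON', true);\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo/none.php"
for f in ok late off none; do
  printf '%s: %s\n' "$f.php" "$(cron_status "$demo/$f.php")"
done
```

On the server, `cron_report /root/wp-bulk-fix/wp-config-list.txt` gives the totals; anything other than "disabled" needs a manual look. Defines inside /* ... */ block comments are not detected.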

5. Create real server cron for all WordPress sites

Generate cron file:

cat > /root/wp-bulk-fix/wp-cron-jobs.txt <<'EOF'
# WordPress real cron jobs
EOF

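while read -r file; do
  # Run as the site's owner, not root: a root job would execute site-writable PHP with full privileges.
  # runuser is part of util-linux; the /usr/sbin path is an assumption (check: command -v runuser).
  owner=$(stat -c %U "$file")
  echo "*/10 * * * * /usr/sbin/runuser -u $owner -- /usr/local/bin/php $file >/dev/null 2>&1" >> /root/wp-bulk-fix/wp-cron-jobs.txt
done < wp-cron-list.txt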

Review:

cat /root/wp-bulk-fix/wp-cron-jobs.txt

Install into root crontab:

crontab -l > /root/wp-bulk-fix/root-cron-backup.txt 2>/dev/null

cat /root/wp-bulk-fix/root-cron-backup.txt /root/wp-bulk-fix/wp-cron-jobs.txt | crontab -

Verify:

crontab -l | grep wp-cron.php | wc -l
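
Added example, not from the original guide: it goes one step further than the generation loop above by spreading the jobs across the 10-minute window, so 100 sites do not all start in the same minute, and by running each job as the file's owner. The runuser path, the function names and the sample account are assumptions.

```bash
#!/bin/sh
# Added example: one crontab line per wp-cron.php, staggered over the
# 10-minute window and run as the file's owner instead of root.
PHP_BIN=/usr/local/bin/php    # interpreter path used in the guide's cron lines
RUNUSER=/usr/sbin/runuser     # assumption: util-linux runuser lives here

# Owner lookup kept separate so it can be swapped out (GNU stat).
owner_of() { stat -c %U "$1"; }

# cron_line INDEX OWNER FILE -> prints one crontab line; returns 1 if unsafe.
cron_line() {
  idx=$1; owner=$2; file=$3
  # Never schedule site PHP as root or for an unresolved owner.
  case $owner in root|UNKNOWN|'') return 1 ;; esac
  # Reject paths with spaces, '%' or shell metacharacters: cron and the
  # shell would misparse them.
  case $file in *[!A-Za-z0-9_./-]*) return 1 ;; esac
  offset=$((idx % 10))    # minute offset 0..9 inside the window
  printf '%s-59/10 * * * * %s -u %s -- %s %s >/dev/null 2>&1\n' \
    "$offset" "$RUNUSER" "$owner" "$PHP_BIN" "$file"
}

# build_cron LISTFILE -> crontab lines on stdout, skipped paths on stderr.
build_cron() {
  i=0
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    if cron_line "$i" "$(owner_of "$f")" "$f"; then
      i=$((i + 1))
    else
      echo "skipped: $f" >&2
    fi
  done < "$1"
}

# Constructed demo values (hypothetical account and path).
cron_line 13 siteuser /home/siteuser/public_html/wp-cron.php
```

`build_cron /root/wp-bulk-fix/wp-cron-list.txt` writes the lines to stdout; review the skipped paths on stderr before installing anything.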

6. Block xmlrpc.php globally using Apache include

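This is safer than editing 100 .htaccess files. It also disables anything that depends on XML-RPC, such as Jetpack and the WordPress mobile apps, on every site on the server.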

Create Apache security include:

cat > /etc/apache2/conf.d/wp-xmlrpc-block.conf <<'EOF'
<Files "xmlrpc.php">
    Require all denied
</Files>
EOF

Test Apache config:

apachectl configtest

Restart Apache:

/scripts/restartsrv_httpd

7. Protect WordPress login from brute force

Create a placeholder Apache include that records the policy. It contains comments only and adds no active rule:

cat > /etc/apache2/conf.d/wp-login-rate-limit-note.conf <<'EOF'
# WordPress login protection should be handled with CSF/LFD, Imunify360, or Cloudflare.
# Avoid blocking wp-login.php globally unless you whitelist your own IP,
# because it can lock out real site admins.
EOF

8. Find most CPU-heavy PHP-FPM pools

Run anytime:

# [p]hp-fpm keeps the grep process itself out of the results
ps -eo pid,user,%cpu,%mem,args --sort=-%cpu | grep '[p]hp-fpm' | head -50

Also count running processes per pool:

ps -eo args --sort=-%cpu | grep "[p]hp-fpm: pool" | awk -F'pool ' '{print $2}' | sort | uniq -c | sort -nr | head -30

9. Tune PHP-FPM from WHM, not directly

Do not edit generated PHP-FPM files manually.

Use:

WHM → MultiPHP Manager → User Domain Settings → PHP-FPM Settings

For heavy sites set:

pm = ondemand
pm.max_children = 2
pm.max_requests = 50
pm.process_idle_timeout = 10

For normal sites:

pm = ondemand
pm.max_children = 5
pm.max_requests = 100
pm.process_idle_timeout = 10

Restart:

/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd

10. Find suspicious WordPress files

Recent PHP changes:

find /home -type f -name "*.php" -mtime -7 -ls | head -200

Known bad names:

find /home -type f \( \
-name "wp-vcd.php" -o \
-name "wso.php" -o \
-name "r57.php" -o \
-name "c99.php" -o \
-name "alfanew.php" -o \
-name ".xtmp_*.php" \
\) -ls

Do not delete blindly. First move to quarantine:

mkdir -p /root/wp-bulk-fix/quarantine

Example:

mv /path/to/suspicious.php /root/wp-bulk-fix/quarantine/

11. Remove exposed PHPUnit from public sites

First list:

find /home -type d -path "*/vendor/phpunit" -ls

Backup list:

find /home -type d -path "*/vendor/phpunit" > /root/wp-bulk-fix/phpunit-dirs.txt

Remove only after review:

while read -r dir; do
  rm -rf "$dir"
  echo "Removed: $dir"
done < /root/wp-bulk-fix/phpunit-dirs.txt

12. Restart services

/scripts/restartsrv_apache_php_fpm
/scripts/restartsrv_httpd
systemctl restart mariadb

13. Monitor after changes

watch -n 5 'ps -eo user,pid,%cpu,%mem,args --sort=-%cpu | head -30'

Check load:

uptime
free -h

Check Apache/PHP errors:

tail -f /usr/local/apache/logs/error_log

14. Rollback WP-Cron change if needed

To remove the line:

find /home -type f -name wp-config.php | while read -r file; do
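  # Delete only the exact line step 4 inserted, not other lines that mention the constant
  sed -i "/^define('DISABLE_WP_CRON', true);\$/d" "$file"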
  echo "Rolled back: $file"
done

Restore old root crontab:

crontab /root/wp-bulk-fix/root-cron-backup.txt

Best execution order

Follow this order:

1. Find all wp-config.php
2. Backup wp-config.php
3. Disable WP-Cron
4. Add real cron jobs
5. Block xmlrpc.php globally
6. Tune PHP-FPM for top CPU pools
7. Scan suspicious PHP files
8. Remove exposed PHPUnit
9. Restart services
10. Monitor CPU

Biggest impact will come from:

WP-Cron disable + real cron
xmlrpc.php block
PHP-FPM max_children reduction
WordPress caching
bot protection

For your server, start with the top CPU pools first: gurukulgalaxy_com, theaiops_com, meraapnabihar_com, surgeryplanet_com, and bhaso_com.

Aiko Suzuki
13 days ago

This guide is incredibly helpful for managing high traffic sites while keeping the server performance stable and secure.
