Cloudways is looking like a scam site

I moved several small sites plus one large site to Cloudways back in December. Then, on February 15, 2020 the CPU of the small server spiked to 100% and has stayed at 100% ever since.

This makes no sense for several reasons. 1) The sites were moved exactly as they were at WPEngine where they had no such issues. 2) Cloudways continues to send me alerts “suggesting” that I upgrade my server even though I have turned OFF “Server upgrade suggestions” under CloudwaysBot>Notifications>Settings. 3) I saw that a couple of the sites were getting hit by brute force attacks so I reported the IPs to their hosts, added security plugins to block IPs based on failed logins, changed the name of the wp-admin pages and even turned off xmlrpc to stop these attacks. 4) Although the server shows 100% CPU usage, the details for the apps only show 2.38% CPU usage - how can that be?

Even though they claim to have things in place to mitigate brute force attacks (https://www.cloudways.com/blog/what-is-brute-force-attack/) they certainly are not helping on my little sites.

The whole thing just seems like a scam to get people to buy larger servers and pay Cloudways more money.

Have you tried raising a support ticket? Personally, over the last 1.5 years I’ve had 1 or 2 instances of servers being overly busy, and ticket support was able to put some custom firewall options (and some general server tweaks) in for me which fixed things up straight away.

Overall I’m really happy - I suggest you see what a ticket agent has to say. Be polite and provide as much info as possible in a concise fashion.

1 Like

Go to Applications, Monitoring, Analytics, and Bot Traffic. All the bots you see need to be blocked. But not with a wordpress plugin. Those plugins require the wordpress environment to fire up and consume resources in order to function. That’s what you want to stop. The way to do this is to kill the request before it even gets to the wordpress initialization. Your former host must have been doing this. But now you have to do it yourself.

What I did is put any bot (except google) in the file “robots.txt” in the root directory. The format is as follows:

User-agent: serpstatbot
Disallow: /
User-agent: zoominfobot
Disallow: /
User-agent: BLEXBot
Disallow: /
User-agent: webmeup-crawler
Disallow: /
User-agent: SiteExplorer
Disallow: /
User-agent: Dotbot
Disallow: /
etc.etc. etc…

1 Like

@john.chandler the robots.txt file is only a suggestion for bots to follow. It won’t stop the malicious ones. That’s why you would also want a security plugin. Preferably a security plugin that bans IP addresses using the .htaccess file which is run before the WordPress environment is loaded.

@ljhubbardjr There are a number of things that could have happened. If you haven’t been keeping your plugins and theme up to date, or are using less popular plugins, perhaps a hacker was able to exploit a vulnerability in one of the plugins and install a crypto mining bot on the server. When you say the apps only reported 2.38% CPU usage, that’s only a single moment in time. Did you check the CPU usage of all of the apps more than once? You can find out what process is taking up all of the CPU usage if you SSH in and run the top command. I would ask a Cloudways support representative to help you out. They’ll be able to get to the bottom of what is going on.

2 Likes
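The check suggested in the post above (SSH in and see which process is using the CPU), as an added example that is not part of the original thread: it takes two snapshots of /proc, as top does, and ranks processes by CPU used in between, with the owning account shown so load outside the web applications stands out. The function names and the 3-second interval are assumptions made for this sketch.

```python
import os
import pwd
import time

def read_proc_ticks(proc="/proc"):
    """Map pid -> (owner, command, utime+stime clock ticks) for each visible process."""
    snapshot = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc}/{entry}/stat") as fh:
                stat = fh.read()
            uid = os.stat(f"{proc}/{entry}").st_uid
        except OSError:              # process exited while we were reading it
            continue
        # The command name is in parentheses and may contain spaces or ')',
        # so cut at the first '(' and the last ')'.
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        fields = stat[stat.rindex(")") + 2:].split()
        ticks = int(fields[11]) + int(fields[12])   # utime + stime (fields 14, 15)
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:             # uid without a passwd entry
            owner = str(uid)
        snapshot[int(entry)] = (owner, comm, ticks)
    return snapshot

def top_consumers(before, after, interval, hz, n=5):
    """Return [(percent of one core, owner, pid, command)], busiest first."""
    rows = []
    for pid, (owner, comm, ticks) in after.items():
        # A pid missing from the first snapshot started during the interval.
        delta = max(0, ticks - before[pid][2]) if pid in before else ticks
        rows.append((round(100.0 * delta / (hz * interval), 1), owner, pid, comm))
    return sorted(rows, key=lambda row: row[0], reverse=True)[:n]

if __name__ == "__main__":
    interval = 3                     # seconds between snapshots (assumed value)
    hz = os.sysconf("SC_CLK_TCK")    # clock ticks per second
    first = read_proc_ticks()
    time.sleep(interval)
    for pct, owner, pid, comm in top_consumers(first, read_proc_ticks(), interval, hz):
        print(f"{pct:6.1f}%  {owner:<12} {pid:>7}  {comm}")
```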

I opened a chat session and the person was less than helpful. They started rattling off all types of files or cron jobs or something with names like “rnrdwrfdesd” that mean less than nothing to me.

I don’t run websites for a living (or even a profit). After this debacle, I advised the 3 people that I have been keeping sites online for that they needed to move them to the WordPress host of their choice. I’ll be doing the same thing with my WP site - moving it to a managed hosting account.

Unless the server has been hacked, I really don’t see how all of a sudden on February 15 or 16 the server suddenly went to 100% CPU and has never (not even once) dipped below that.

It definitely isn’t because of traffic. While I did find 2 of the sites being hit by brute force hacking attempts, I immediately changed the name of the login page, disabled xmlrpc, implemented IP ban plugins and that took care of the brute force hacking attempts as far as the activity monitoring shows.

The reason I think Cloudways is a scam is mainly because their constant badgering to scale up the server doesn’t stop even when I have unchecked that alert.

I don’t like web design or web hosting. People see GoDaddy offering WordPress sites for $3.95 a month (or whatever) and they are shocked when I tell them that I will not design any site for less than $5k and that it will take 30 days to complete.

I am a perfectionist and, to be frank, that does not seem to blend well with web design.

I am simply done with it all. I am moving my site to a host and shedding all of the sites that I have been hosting for others. I have too much to do with my main business of managed services for small businesses and the fact that my mother was diagnosed with cancer less than 2 weeks ago and I am helping her with her doctors visits etc, to worry about hosting WordPress sites.

Scam? seriously? As much as I don’t really use Cloudways anymore, you might be the wrong sort of customer for them. WP Engine manages your WP security for you at both server and site level - Cloudways only manages it at server level for you (mod-sec etc.).

Why in the world would you turn off notifications from your server? They are there for your benefit. Coming to Cloudways means you want to learn how to manage your own servers. If not, then I’d suggest you take your little sites back to a WP managed hosting outfit.

You have already provided the info for the most likely answer to your problem:
“a couple of the sites were getting hit by brute force attacks”

If before this your CPU usage was fairly low, and then after this your CPU usage jumped to 100% then isn’t that a pretty conclusive indication that your server has already been compromised?

and…
“I reported the IPs to their hosts, added security plugins to block IPs based on failed logins, changed the name of the wp-admin pages and even turned off xmlrpc to stop these attacks.”
these things do nothing to stop what has already happened to you (and apart from installing a security plugin, do nothing to stop people hacking your site once they know about it - you need to learn how to secure your WP sites). You’ve most likely joined the millions of other WP sites that are being used as a part of someone’s botnet.

Use a good security tool and scan your websites (Wordfence scan is good), clean them up and install some good security software (better things than Wordfence) - and learn how to properly lock down your sites.

WP Engine and other WP managed servers tend to provide security setup, but Cloudways is a cloud hosting aggregator - it allows you more freedom to set things up the way that you want and reduce costs/site, without having to be a proper server admin yourself while holding your hand and providing support for you. It’s a half-way house to using the actual cloud-hosting providers directly.

Maybe it would be better for you to take your sites back to WP Engine.

@russell Plugins and themes are all up to date. I haven’t done anything on the actual server side (the VPS) to make sure that it has not been compromised, but I am not even sure what those things would be.

As for the 2.38%, I do understand that that is a single point in time. But at that same point in time, the CPU is at 100% – and the CPU never gets lower. Look at this screenshot…

CPU is at 100% and the total CPU %s for ALL applications is only 0.56%. Something is definitely wrong here and I don’t think it is DigitalOcean. I have hosted sites at DigitalOcean before and I NEVER had anything like this happen. I just spun up a WordPress instance at DO and rocked on.

I thought that Cloudways might make things a little easier to manage. Guess I was wrong there.

While I am certain that Cloudways is making a profit, without some very basic means of protecting their clients from brute force attacks (as they claim to have) and without a way to look into what is running on the server from the Cloudways dashboard (to aid in diagnosing these runaway CPUs) I think their flag will not be raised nearly as high as it could have been.

I, for one, am moving on.

@russell Then there is this… This is the image of the amount of CPU available since I started this server at Cloudways. It had some spikes near 100%, then it looked like CPU calmed down, then another spate of CPU spikes and on or about February 15, 2020 it spiked at 100% and has never recovered - according to their dashboard.

Unless the server has been hacked, I don’t know what could account for this report of 100% CPU all the time for DAYS without any visible slow-down in the sites hosted on that server. If the CPU was really at 100%, you’d think there would be some kind of slowness when testing the sites, but there isn’t.

While I am certain that Cloudways is making a profit, without some very basic means of protecting their clients from brute force attacks (as they claim to have) and without a way to look into what is running on the server from the Cloudways dashboard (to aid in diagnosing these runaway CPUs) I think their flag will not be raised nearly as high as it could have been.

Before I move on, I will ssh into the server, load a few testing tools and try and verify if the CPU is really at 100% all of the time or if Cloudways is doing something that might not be so above board…

@Russell I agree. I made it sound like the plugins aren’t needed. I should have worded it so to indicate that you still have them operating but do more to try and avoid it getting that far so as to invoke them.

I am having the same issue. When I was on Plesk + Linode I did not have such an issue; immediately after the sites moved to Cloudways I started having BOT attacks, lots of traffic in my login form.

I changed the login URL and installed a plugin to keep anyone not from my country out, but yet whenever I open the admin area and load multiple pages the CPU goes up and then begins to reduce.

First I feel they are overcharging us (I don’t know much about their setup though) and then there is no PROTECTION at server and app level.

1 Like

Goes up and down

@garth I think a better solution is to get out of hosting sites for other people altogether. I hate doing it. It is a thankless job that I hate.

I just got off a chat session with Cloudways support and the tech could not log into my server. He said he was restarting it and then, several minutes later, said that he could not fix the problem with the server and he opened a ticket for me with a higher level support team. So I will wait to see what happens there.

One thing that is disturbing is that I was able to ssh into the server before the chat and it looks like DigitalOcean/Cloudways is using debian 4.9.189-3+deb9u1 which (according to https://www.debian.org/releases/) is an obsolete version.

According to https://www.debian.org/releases/, anything older than version 8 is obsolete, so why is DigitalOcean/Cloudways using it?

According to https://www.debian.org/releases/etch/ security updates for debian 4.x were discontinued in 2010.

@kingsleyfelix9 Yes, but mine has been pegged at 100% for 10 days now. And this is on a server hosting sites that haven’t had a new post posted in 8 months. These are not high volume sites.

Even after taking care of the brute force attacks, the CPU is still spiked at 100%.

It’s everywhere; you can use Plesk and maybe Linode/Vultr as they have better quality machines than DO. I have heard of closte.com as well but it’s PAY AS YOU GO on Google Cloud.

If Cloudways is not going to try and keep us safe from bots and hackers, I don’t see the purpose of hosting on Cloudways.

Cloudways says that they do have these things in place. Take a look at this…

That’s almost 67,000 attempts to log in to wp-admin in 24 hours! If Cloudways has any controls in place to help stop this, the hackers haven’t noticed.

This is just before I renamed the login page, turned off xmlrpc and loaded WordFence and enabled banning IP addresses that fail to enter the right login credentials 5 times in 15 minutes. Now the most hits from an outside IP is only 21 on that application.

2 Likes
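The lockout rule described in the post above (ban an IP after 5 failed logins in 15 minutes), combined with the earlier suggestion to ban in .htaccess so the request is rejected before WordPress loads, as an added example that is not part of the original thread. It assumes a combined-format access log and treats a POST to wp-login.php answered with status 200 as a failed login (a successful login redirects with 302); the log lines and function names are constructed for this sketch, and the output uses Apache 2.4 syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def sample_line(ip, hms, method, path, status):
    return (f'{ip} - - [25/Feb/2020:{hms} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = "\n".join(
    # six failed logins in five minutes
    [sample_line("203.0.113.7", f"10:0{i}:00", "POST", "/wp-login.php", 200) for i in range(6)]
    # five failed logins, one per hour: never five inside one window
    + [sample_line("198.51.100.20", f"1{i}:00:00", "POST", "/wp-login.php", 200) for i in range(5)]
    # a successful login followed by normal admin traffic
    + [sample_line("192.0.2.10", "10:30:00", "POST", "/wp-login.php", 302),
       sample_line("192.0.2.10", "10:30:01", "GET", "/wp-admin/", 200)])

def find_offenders(log_text, max_failures=5, window=timedelta(minutes=15)):
    """Return {ip: time at which it reached max_failures inside one window}."""
    recent = defaultdict(deque)      # ip -> timestamps of failures still in the window
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        failures = recent[m["ip"]]
        failures.append(ts)
        while ts - failures[0] > window:     # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            offenders.setdefault(m["ip"], ts)
    return offenders

def htaccess_rules(ips):
    """Apache 2.4 block that refuses the listed IPs before PHP is started."""
    body = [f"    Require not ip {ip}" for ip in sorted(ips)]
    return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])

if __name__ == "__main__":
    print(htaccess_rules(find_offenders(SAMPLE_LOG)))
```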

I meant wp-login.php - but I cannot even edit my posts here without an error from Cloudways…

@garth @ljhubbardjr Wait, what? Debian 4 in 2020? You’ve got to be kidding me. How did you check, so I can confirm mine?

That is a lot of requests

I made a mistake. The debian version of my server is actually 9.11. This is how you check it for yourself… You can ssh into your server using the instructions here --> https://support.cloudways.com/how-to-launch-an-ssh-terminal-from-the-console/

When you get logged in, look at the top of the login box and you should see something like this…