Hi,
I’ve set up [ourdomainname] years ago. I’m not the owner, just keeping it up to date, making backups, etc. When the site suffered from ddos-attacks, I set up a cloudflare account and obviously that worked great, until now. Also, the hosting was upgraded to a vps.
Since this weekend, I found out the site is extremely slow and most of the time my browser isn’t even loading a page at all and shows a 522 error:
(cloudflare time out message pointing to original server screendump was here)
Steps you’ve take to fix it. What CommunityTips, ExpertTips, videos, directions, instructions, and advice you’ve followed to try & fix the issue?
I checked the Wordpress app > Statistics to see how many visitors there were. There were only 50 visitors per day and about 175 page views. These are very low numbers for this site and I think for any hosting. These numbers can’t be the problem.
So I asked the hosting service if there was a problem with the server, showed them the error 522 info, and they said the original server was running fine.
There were many xmlrpc calls though:
108.162.215.161 - - [04/Oct/2021:16:53:05 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:06 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 0.312 - [04/Oct/2021:16:53:06 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:07 +0200] [www.[ourdomainname][ourdomainname]](http://[ourdomainname]strong text/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:07 +0200] [www.[ourdomainname][ourdomainname]](http://www.[ourdomainname][ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:09 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 0.288 - [04/Oct/2021:16:53:10 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:11 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:11 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:11 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:13 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:13 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:13 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 0.356 - [04/Oct/2021:16:53:16 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:16 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:17 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 0.340 - [04/Oct/2021:16:53:18 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:19 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:19 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:20 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:21 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:21 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:22 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 0.308 - [04/Oct/2021:16:53:22 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 301 5 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:23 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:24 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
108.162.215.161 - - [04/Oct/2021:16:53:24 +0200] [www.[ourdomainname]](http://www.[ourdomainname]/) "POST /xmlrpc.php HTTP/1.1" 403 162 "-" "Apache-HttpClient/4.5.2 (Java/1.8.0_161)"
[etc]
But since I’ve set the .htaccess to deny those years ago, I assume these can’t do much harm.
So I pinged [ourdomainname]. The numbers were fine:
64 bytes from 172.67.176.127: icmp_seq=72 ttl=55 time=13.533 ms
64 bytes from 172.67.176.127: icmp_seq=73 ttl=55 time=11.318 ms
64 bytes from 172.67.176.127: icmp_seq=74 ttl=55 time=11.632 ms
64 bytes from 172.67.176.127: icmp_seq=75 ttl=55 time=20.778 ms
64 bytes from 172.67.176.127: icmp_seq=76 ttl=55 time=11.707 ms
64 bytes from 172.67.176.127: icmp_seq=77 ttl=55 time=13.613 ms
64 bytes from 172.67.176.127: icmp_seq=78 ttl=55 time=11.225 ms
Then again, I’m not sure if this is the original server pinging back or just the cloudflare server?
So I logged into our CloudFlare account and read up about 522, but the points mentioned seemed less likely (cloudflare IP adresses blocked etc) unless the host has changed these recently.
So I tried the ‘Under attack mode’, but this didn’t fix it, for me at least.
Purged the cache, just to be sure. Didn’t make a difference.
Disabled the dns A record proxy → then everything worked fine!
However, this exposes the original IP, so I switched it back on. However, I still don’t understand what is going wrong and how to analyse this the right way.