I’m trying to cut down on the unnecessary bloat in the WordPress head section, so I’m experimenting by removing feeds, blocking access to xmlrpc, and similar tweaks. One of the side effects is that I’m getting massive spikes of around 14,000 requests for the various WordPress feeds (listed below). I don’t know why. I thought I fixed it yesterday, but I just noticed another wave a few hours ago.
The biggest clue that may be able to help someone understand what’s happening: The number of feed requests is almost exactly the same as the number of records in my wp_postmeta table. This can’t be a coincidence… but I don’t know how it relates.
All of these requests are from the United States (Cloudflare IP).
All requests have a cache status of “none” and a content type of “empty”.
All requests are served by Cloudflare and receive 301 (Moved Permanently) status code.
The number of redirected requests for the base / domain name suggests that these are http requests getting redirected to https. Most of the requested paths do actually exist in https (and the redirect from http is working), but some like the author feed are disabled. I did just recently switch this domain to https when I started using Cloudflare and APO. (~7 days ago)
I’m using flexible SSL mode. Caching level: standard. ‘Always use HTTPS’ + HTTPS rewrites + HSTS + TLS 1.3 enabled in Cloudflare. Opportunistic encryption disabled.
None of the requests trigger any firewall activity (but I’m sure Cloudflare whitelists its own IPs).
The top paths requested (path - requests):
/ - 2.82k
/author/admin/feed/ - 1.03k
/author/admin/ - 890
/feed/atom/ - 870
/comments/feed/ - 870
/feed/rdf/ - 860
/feed/ - 790
/feed/rss/ - 780
Cloudflare Diagnostic Center shows no related problems (I think), just these 3:
no_dnssec_found - The site does not have any DNSSEC records.
not_found_ds_record - The hostname has no DS records.
mx_does_not_exist - The domain doesn’t have an MX record.