[wp-trac] [WordPress Trac] #37763: Target server overload due to invalid RSS feed URL in RSS widget

WordPress Trac noreply at wordpress.org
Mon Aug 22 11:09:01 UTC 2016 

#37763: Target server overload due to invalid RSS feed URL in RSS widget
--------------------------+-----------------------------
 Reporter:  bstovall      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Widgets       |    Version:  4.6
 Severity:  normal        |   Keywords:
  Focuses:  performance   |
--------------------------+-----------------------------
 Was roped into helping a friend figure out why a Wordpress site he managed
 was constantly registering 100% CPU usage. Turns out that they used the
 RSS widget and had it pointed to an RSS feed for their site. At some point
 the RSS feed had been deactivated and began generating a 404, and the
 server began getting four or five calls ''per second'' to the feed URL,
 effectively DoSing their own server. Although the widget was displayed on
 every page, they only average a few hundred unique visitors a day, so the
 number of requests from the widget far exceeded the number of page views.

 I took some time trying to figure out why it might be doing this, but
 decided to stop looking through the trash WordPress code when I got to the
 fetch_feed() function. I just don't care enough. But I do care if there is
 a bug that causes that many requests when the feed URL returns a 404. I
 don't know how often feed names are changed or removed, but this could
 cause a huge number of unwanted requests.

 My initial guess is that the SimplePie class is like "oh hey a 404 how
 about I try again. oh hey a 404 how about I try again. oh hey a 404 how
 about I try again. oh hey a 404 how about I try again." until it tires
 itself out. But like I said, too much trash code to care since I'm not
 getting paid to fix it.

 Summary:

 1. RSS Widget on page.
 2. Invalid RSS feed URL, pointed to same server as page, returned a 404.
 3. Generated a number of requests for the RSS feed that was substantially
 higher than the number of page views.
 4. Caused 100% CPU usage on server.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37763>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list