One of my website clients has a whole lot of WordPress sites hosted on Site5. One day she got an email from Site5 support which put her on notice for a big traffic spike, which, if not controlled, would put her in danger of being over her allotted bandwidth quota. She’s a designer, not a coder like me, so she had me check into it.
AWStats confirmed that one day that month had far more traffic than any other. But here’s the weird part – her site is a one-pager, nothing but some photos and links. In essence, it’s an “under construction” page. This isn’t the type of site that usually gets slashdotted. It is listed in Google, but not too prominently yet.
So I became suspicious, and looked further into the site logs. Nothing too scary, although I did see a fair amount of traffic from the Baidu bot, which crawls for the Chinese search engine, and also some from Yandex, the Russian search engine. So I wrote code to block those bots. The next couple of days showed no significant traffic, so I figured that I’d either solved the problem, or it had just gone away by itself. Besides, she won’t be selling to anyone in those regions anyway, so I assumed I was done.
But then another one of her sites triggered the same warning email. Again, a site that’s nominally in Google, but is clearly not finished. Looking at the logs there, the big traffic wasn’t coming from the search engines (unlike the other site), and although some regions looked a little high, it was mostly coming from United States machines. I did a few IP range blocks, but couldn’t really pinpoint anything. The next day everything was fine again.
It is true that WordPress is a big target for phishing and other types of attacks due to its popularity. But these two sites had all the current security updates, which do a pretty good job of fending off the non-specific attacks that sites get all the time. I began to wonder if Site5 itself was being scanned by a sort of drive-by phishing script. It’s obviously not a certainty, but based on my observations, it seemed worth investigating.
A couple days later Site5 emailed saying that the traffic had settled down so they were closing the issue. I wrote back describing all the steps I had taken, and how it didn’t really make much sense that those specific sites would get lots of traffic for just one day. Because they were both on Site5, I suggested that he might want to ask around and see if some questionable scanning was being done to the whole Site5 system. If that were the case, obviously it’s not fair to blame the site owner for that. Besides, if a non-geek person were to get one of those mildly threatening emails, he/she would not know about the steps I took, or even what to look for. They could simply get their site banned without being able to do anything about it.
He didn’t take what I said very seriously, and just reiterated that the site wasn’t in violation anymore. So I will ask here. Site5, please have a look at your system and see if your whole system is being targeted. It probably wouldn’t be that difficult for a sysadmin to check, and it would be a big help to your clients to solve it at a systemwide level if it is happening.
All that being said, it IS possible that Site5 has already quietly looked into this and fixed it. Issues like this aren’t the type that a business wants to publicize too much. Or maybe they just need to refine some automated process that generates advisory emails, just making it trigger on more than one day’s worth of high traffic!
Possible Happy Ending
I have a history with Site5. Some years ago my own site was hosted there – I had problems, and their responses to my tech support pleas were just “we killed the process that made your site go down, it’s fine now”. But it happened again and again, and finally I ditched them as a host. Since then, they were bought out by new owners, which, unlike most takeovers, resulted in much better service and uptime! I have since developed and deployed lots of sites there smoothly and easily, so I’ve rarely had any recent trouble, I’m happy to say. I recommend them to clients all the time now, even though I have no affiliate relationship.
Update as of May ’13: I was speaking with the techs of another quality host after they admonished all their clients to update WordPress. They were having unusual traffic on their sites, too. I described the situation above, and their opinion was that my appraisal above was most likely accurate.
Update as of December ’13: This thing just ain’t going away!! Another client of mine got the threatening automated message from Site5. Again, I checked things out and did the same steps as above. A couple new additions: I blocked known malware servers, and wrote a specific command to deflect any traffic coming from a particular source that almost slashdotted their site. Traffic is reasonable again. Just as before, I told tech support what I was up to, while adding that I could probably work for them. 🙂 They were pleasant and cooperative, and apparently mentioned my concerns/suggestions to their overlords, although I doubt they took them too seriously.
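For readers who want to reproduce the log work described above (ranking the traffic, blocking the self-identified Baidu and Yandex crawlers, and denying the address ranges that nearly slashdotted the December site), here is an added example. It is not the author's script and not anything from Site5; it assumes Apache's default "combined" access-log format, an Apache 2.2-style .htaccess (Order/Allow/Deny; Apache 2.4 would use Require instead), and a constructed handful of log lines using documentation-range addresses. The crawler tokens and the 1 MB threshold are illustrative choices.

```python
"""Rank access-log traffic by bytes, attribute it to crawlers and address
ranges, and emit .htaccess rules for the offenders.

Added example, not the post author's code. Assumes Apache "combined" log
format and Apache 2.2 Order/Allow/Deny syntax for the address block.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation-range IPs, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 -0500] "GET / HTTP/1.1" 200 51200 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
203.0.113.7 - - [12/Mar/2013:10:01:03 -0500] "GET /wp-content/uploads/photo1.jpg HTTP/1.1" 200 2048000 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
198.51.100.21 - - [12/Mar/2013:10:02:10 -0500] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
198.51.100.22 - - [12/Mar/2013:10:02:11 -0500] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
198.51.100.23 - - [12/Mar/2013:10:02:12 -0500] "POST /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
192.0.2.5 - - [12/Mar/2013:10:03:00 -0500] "GET / HTTP/1.1" 200 51200 "http://www.google.com/" "Mozilla/5.0 (Macintosh) Safari/536.26"
203.0.113.9 - - [12/Mar/2013:10:04:00 -0500] "GET /wp-content/uploads/photo2.jpg HTTP/1.1" 200 1536000 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-Agent tokens of crawlers that identify themselves (illustrative list).
CRAWLER_TOKENS = ("Baiduspider", "YandexBot")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # Apache logs "-" when no body was sent; count that as zero bytes.
        e["bytes"] = int(e["bytes"]) if e["bytes"].isdigit() else 0
        entries.append(e)
    return entries


def bytes_by_network(entries, prefix=24):
    """Sum response bytes per /prefix network; a bandwidth quota is bytes, not hits."""
    totals = defaultdict(int)
    for e in entries:
        net = ipaddress.ip_network(f"{e['ip']}/{prefix}", strict=False)
        totals[str(net)] += e["bytes"]
    return dict(totals)


def bytes_by_crawler(entries, tokens=CRAWLER_TOKENS):
    """Sum response bytes per self-identified crawler token (case-insensitive)."""
    totals = defaultdict(int)
    for e in entries:
        for tok in tokens:
            if tok.lower() in e["ua"].lower():
                totals[tok] += e["bytes"]
                break
    return dict(totals)


def networks_over(totals, threshold):
    """Networks whose byte total exceeds threshold, largest first."""
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [net for net, total in ranked if total > threshold]


def htaccess_rules(crawler_tokens, networks):
    """Build .htaccess text: 403 for listed crawlers, deny for listed networks."""
    lines = []
    if crawler_tokens:
        lines.append("RewriteEngine On")
        for i, tok in enumerate(crawler_tokens):
            # Every condition but the last is OR-ed; all are case-insensitive.
            flags = "[NC,OR]" if i < len(crawler_tokens) - 1 else "[NC]"
            lines.append(f"RewriteCond %{{HTTP_USER_AGENT}} {re.escape(tok)} {flags}")
        lines.append("RewriteRule .* - [F,L]")
    if networks:
        lines += ["Order Allow,Deny", "Allow from all"]
        lines += [f"Deny from {net}" for net in networks]
    return "\n".join(lines) + "\n"


def main():
    entries = parse_log(SAMPLE_LOG)
    nets = bytes_by_network(entries)
    crawlers = bytes_by_crawler(entries)
    for net, total in sorted(nets.items(), key=lambda kv: -kv[1]):
        print(f"{net:20} {total:>10} bytes")
    for tok, total in crawlers.items():
        print(f"{tok:20} {total:>10} bytes")
    print(htaccess_rules(tuple(crawlers), networks_over(nets, 1_000_000)))


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would add to the post's steps. First, a User-Agent block only stops crawlers that announce themselves; both Baidu and Yandex honour robots.txt, so a `Disallow` there is the gentler fix, and anything spoofing a browser UA sails past the rewrite rule. Second, rank by bytes rather than hits, since the quota warning is about bandwidth: in the sample above the three wp-login.php hits from one /24 are a different kind of signal (worth watching) but contribute almost nothing to the transfer total, while two image fetches by crawlers account for nearly all of it.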