⚠️ Long-running WP-Toolkit Processes Causing High Load

By /

🧪 Symptoms

On cPanel servers using WP Toolkit, you may observe long-running processes that contribute to high server load. These may look like:

/opt/cpanel/ea-php74/root/usr/bin/php -r require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'; -d safe_mode=off -d display_errors=on -d opcache.enable_cli=off -d open_basedir= -d error_reporting=341 -d max_execution_time=60 --no-header -- --no-color --path=/home/cpusername/public_html instance info --format=json --check-updates=true

These processes use wp-cli to perform WordPress operations. If a WordPress installation is infected with malware, these processes can hang or run indefinitely, increasing server load.

🔎 Description

WP Toolkit leverages wp-cli to interact with WordPress sites. It loads core WordPress files like:

  • index.php
  • wp-settings.php
  • wp-config.php

If any of these are infected (e.g., via obfuscated code, crypto miners, backdoors), the CLI task can become stuck, increasing CPU usage or running indefinitely.

📌 Reference: This issue has been reported to Plesk, tracked internally as EXTWPTOOLK-10647.

🛠️ Workaround

Step 1: Identify Affected WordPress Installations

Log in via SSH as root or use WHM’s “Terminal” feature, and run:

ps aux | grep safe_mode=off | grep wp-toolkit | cut -f8 -d '=' | cut -f1 -d ' ' | sort | uniq

This returns paths of WordPress sites involved in long-running processes, e.g.:

/home/cpusername/public_html

Step 2: List and Kill WP Toolkit Processes

Run the following to list relevant process IDs (PIDs):

ps aux | grep safe_mode | grep -v grep | awk '{print $2}'

Then kill each process using:

kill -13 PID

⚠️ Replace PID with the actual process ID.

Repeat for all running processes.

Step 3: Investigate and Restore Infected WordPress Installations

  • Scan affected sites using Imunify360, Wordfence, or MalCare.
  • Look for common infection patterns like:
    • Obfuscated eval/gzinflate code
    • Strange admin users
    • Unexpected plugin modifications

Best Practice: Restore sites from known clean backups.

🧼 Optional: Mitigation Steps

  • Consider temporarily disabling WP Toolkit automatic updates if infections are persistent.
  • Use cldetect (if available on CloudLinux) or ImunifyAV/Imunify360 to scan user accounts in bulk.
  • Lock down file permissions: find /home/cpusername/public_html -type f -exec chmod 644 {} \; find /home/cpusername/public_html -type d -exec chmod 755 {} \;

📚 Additional Resources

Scroll to Top