My joomla website has very high CPU every day. I found out that there are a lot of visits, more than 3000 visits every day. Something is wrong here because site should not have more than 0-20 visits per day.
I found this in awstats log:
# Date - Pages - Hits - Bandwidth - Visits
BEGIN_DAY 14
20151201 15852 17029 197633349 3527
20151202 15879 16628 189354910 3741
20151203 15854 16728 190080460 3837
20151204 15073 16174 186079195 3455
20151205 13963 14918 175485372 3465
20151206 13200 13817 159671819 3249
20151207 17705 19013 222024412 3309
20151208 13377 14236 168566817 3435
20151209 11851 13306 171561768 3186
20151210 11395 12301 153213055 3248
20151211 14036 15024 182711032 3669
20151212 11846 12394 149109648 3309
20151213 13309 14113 174190207 3365
20151214 9275 9904 125783186 2221
END_DAY
So, what is going here ?
How to solve this problem of so many unwanted visits ?
Edit:
Now I also checked access_log and most of the requests are "GET /login?view=registration&layout=complete HTTP/1.1"
Also when I login as aministrator, I get 404 Component not found.
Edit2:
Now I finally could login to joomla and I saw that there are about 30000 created users, a lot of them have "xxx" in name.
If I look at those numbers they don't indicate legitimate traffic. For example take the rounded daily figures of
16,000 pages
17,000 hits
3,500 visits
Since every image, css file and JS file on a given page will count as a hit, there's no way that you could have 16,000 pages with only 17,000 hits. Ball park figures for this would be that one page might have 20+ hits.
perhaps AWStats is wonky, have you compared your stats against Google Analytics
perhaps your site is being attacked or someone else is hot linking to assets on your site. visitor IP might give you some leads here.
you mention that CPU is high, and this could be related to an attack. Are you able to SSH to your site? Using top or htop could show if some scripts or database calls are being abused
perhaps your site is infected (hopefully not though!)
But how could I protect or defense against it ?
Without knowing more it would be just guesswork and speculation on my part. See what you can find out by examining your site logs. SSH to your site then run HTOP and sort by CPU and identify what's using your resources. Another possibility is https://watchful.li . Get a trial account and run a free site audit and malware scan.
If you can get a handle on the source of the problem it will be easier to figure out how to proceed. Maybe you will have identified file perission problems, a database issue, or infected files, maybe the problem is coming from a specific IP and you could block them with htaccess or Akeeba Admin Tools. I've had good success using the built in security features of CloudFlare as well.
Hope this is helpful!