cPanel CLI

If you are ever using a cPanel server, here are some one-liners for the Command Line Interface.

Over Use of CPUs

Too many php-fpm requests

sudo netstat -an|grep :443|cut -d":" -f2|sort|uniq -c
sudo netstat -an|grep :80|cut -d":" -f2|sort|uniq -c

This has a look at all the connections running on https, parses the external IP address, sorts them then counts them. The result may look like this.

1 443 
2 443 
29 443 
60 443

A quick check of finds that this address has been reported for abuse in the past.


Ban the IP addresses & at the firewall level.

WordPress Attacks

Attacking xmlrpc.php

grep -d skip -e "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/*|cut -d/ -f6|cut -d":" -f1|sort|uniq -c

This gives an output of:


In the case of epiphany, I dug a bit deeper and found:

grep "POST /xmlrpc.php HTTP/1.1" /usr/local/apache/domlogs/|cut -d"-" -f1|sort|uniq -c

152 (Amazon)
1295 (Amazon)

There is no reason for an Amazon IP do be doing this unless it is a compromised website at this address.
Ban the IP addresses & at the firewall level.

Email Server under Attack

Sent today

grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep 2020-11-17 | wc -l


You only have a few days worth of records, so I do this hourly and have an extended script that ends me an email if more than 400 emails are sent in a day.
If you end up with a large number you can run a script like this:

today=date +%Y-%m-%d
echo $today
echo $today > /home/strider/scripts/emails.txt
for i in grep "R=send_via_sendgrid" /var/log/exim_mainlog | grep "$today" |cut -c21-36
     cat /var/log/exim_mainlog|grep $i|grep "=>"|cut -d">" -f2|cut -d" " -f2>>/home/strider/scripts/emails.txt
cat /home/strider/scripts/emails.txt |sort|uniq -c
echo cat /var/log/exim_mainlog|grep $i|grep "=>"|cut -d">" -f2|cut -d" " -f2>>/home/strider/scripts/emails.txt

MYSQL Commands

If you are using phpmyadmin, or have access to bash, here are some useful commands.
Remember always do a mysqldump first so you have a back up of your database.


When you have access to your database it is always a good ide to have a current backup before you do any work.
In bash you can run

mysqldump -uuser dbname -ppassword >todaysdate.sql

Now you can play and even make mistakes. But until you have done this some and feel confident only work on your own databases, not a production database.


Had an issue, I had just updated a website to my server, set up security and was moving them to https. Only to find out that the theme they were using was rather out of date and the ssl plugin could not edit the ‘meta_value’ in real time and replace http with https. This mean that the site was seen as insecure.

select * from tinkerwp_postmeta where meta_value like "%http:%";

Gave me a list of all the IDs with http: in the meta_value field, about 15 of them, so instead of indifivuallt going to each record and manually replacing http with https, I ran this command.

UPDATE tinkerwp_postmeta SET meta_value = REPLACE(meta_value, 'http:', 'https:');
Query OK, 15 rows affected (0.012 sec)
Rows matched: 3390 Changed: 8 Warnings: 0


Working with WordPress and MySQL

select option_id,option_name from wp_options where option_value like "%";

This gives us all the lines that use

select option_id,option_name from wp_options where option_value like "%";
select * from wp_options where option_id = 1;
| option_id | option_name | option_value           | autoload |
|         1 | siteurl     | | yes      |

This is what may look like.
Now we want to replace with

UPDATE wp_options SET option_value = REPLACE(option_value, '', '');

Useful Commands

show tables;

Let’s you see all the tables in the current database.

describe tablename;

This gives a description of all the fields and their type from the table selected.