Anyone, please help
hello,
It’s weird but it seems that this user has code injection, can you cat index.php please
You can also track the process with the following command cat /proc/$proid/environ or cmdline you can see more documentation on how to track it here
If you give me more information I can help you
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
the index.php file looks healthy, check the other files associated with wordpress, this is to rule out vulnerability, another option is that you have a bottleneck and you must adjust variables to generate cache… you can use mysqltunner for this, however first that nothing is to see the content of the entire installation, please send a capture of the ls -lha in the path /home/user/
I think I misexplained the ls -lha send it to the root of the user that has the bit of threads index.php I want to see what you have here /home/dainikbabomb.com/ and in /home/dainikbabomb.com/public_html
what you sent me is the content of the root, so that you are in context in the htop that you passed you can see that the user with problems that the daini8801 reflects you if we know that it is running there we can decipher what happens
I recommend you deactivate the waf plugin that plugin consumes a lot it is only activated in case of emergency if you need security you can use wpcore or wpscan or sucurisitecheck it is possible that the failure is mostly due to poor performance, it would be a question of seeing more thoroughly but no looks like something from cyberpanel
what do you have in the .htaccess??
order deny,allow
deny from all
allow from 162.158.162.56
allow from 134.209.153.180
Require ip 162.158.162.56 134.209.153.180
# END GOTMLS Patch to Block XMLRPC Access
BEGIN WordPress
The directives (lines) between “BEGIN WordPress” and “END WordPress” are
dynamically generated, and should only be modified via WordPress filters.
Any changes to the directives between these markers will be overwritten.
RewriteEngine On RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L]END WordPress
Wordfence WAF
php_value auto_prepend_file '/home/dainikbombabomb.com/public_html/wordfence-waf.php' php_value auto_prepend_file '/home/dainikbombabomb.com/public_html/wordfence-waf.php' Require all denied Order deny,allow Deny from allEND Wordfence WAF
How strange but I don’t see this directive in the .htaccess of your domain, to be honest I would have to see more in depth or in detail the behavior of the system.
You see something of sysadmin at the backend performance level, it doesn’t look ugly but I can’t guarantee anything. I would like more information
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you are using wordfence, please disable it. Wordfence consumes hell lot of server resources making the server always busy.
can you paste here what is your plugin 
the active one
i use tagdiv newspaper too…