Title: Rest API request cause over CPU usage
Last modified: October 30, 2021

---

# Rest API request cause over CPU usage

 *  Resolved [manukkd](https://wordpress.org/support/users/manukkd/)
 * (@manukkd)
 * [4 years, 7 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/)
 * Hi,
 * My hosting provider warn me about over CPU usage and they have shared a Get request
   hitting to my server, I will share the request here hitting to my server. Is 
   there any relation to wordfence?. currently, I have disabled all Rest API requests
   by using a plugins. but still hitting the request and currently it’s accessible
   to public
 * some requests are as follows, it is hitting more than 300 requests per 15 minute
 * “GET /wp-json/wp/v2/posts?_embed&per_page=10 H TTP/1.0” 401 935 “-” “Mozilla/
   5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/
   89.0.4389.114 Safari/537.36”
 * “GET /wp-json/wp/v2/posts?_embed&per_page=10 HT TP/1.0” 401 935 “-” “okhttp/4.9.2”
 * Any Solution on this?
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Frest-api-request-cause-over-cpu-usage%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [4 years, 7 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15024942)
 * Hi [@manukkd](https://wordpress.org/support/users/manukkd/), thanks for reaching
   out to us.
 * For the benefits of anybody referencing this topic, these requests look like 
   the WordPress post embed system, introduced back in WordPress 4.4. This was introduced
   so that posts could be embedded into other WordPress sites: [https://wordpress.org/news/2015/12/clifford/](https://wordpress.org/news/2015/12/clifford/)
 * It is quite plausible that a site or bot is attempting to utilize this feature
   in some way, but despite the block put in place with your other plugins, they
   are still making the requests to your site. I tried manually and saw that this
   action was not permitted now without authentication.
 * Wordfence, as an endpoint firewall cannot stop a bot or human (as shown in my
   test) from _trying_ to make these requests altogether, but rather deal with the
   requests appropriately according to your settings when they happen. However, 
   if the quantity of requests are actually causing limits to be hit on your server
   this can be another issue as you mention.
 * Whilst manual blocking strategies are generally not recommended as they take 
   up your time, if these requests _are_ coming from a consistent IP or URL, you
   could block these before they reach your site (and therefore Wordfence) by using
   any server-side firewall or loadbalancer available on your hosting plan. This
   may ease the load as they are no longer allowed to load any content from your
   site at all.
 * Let me know how you get on,
 * Peter.
 *  Thread Starter [manukkd](https://wordpress.org/support/users/manukkd/)
 * (@manukkd)
 * [4 years, 7 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15027897)
 * thank you for your help,
 * currently, the request from the unauthenticated users is protected with the help
   of Disable REST API Plugin and the request gets 401 for unauthenticated users.
   Now the server consuming fair resources. I think someone embeds my site to another
   WordPress website is the main cause of the issue.
 * I have bypassed the wordfence from the list Disable REST API Plugin
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [4 years, 7 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15029010)
 * Hi [@manukkd](https://wordpress.org/support/users/manukkd/),
 * Ultimately I think despite the REST API plugin dealing with the requests rather
   than Wordfence, the requests are still hitting your site and resulting in some
   data being transferred, even if it’s just a 401 message. They could still show
   in Live Traffic if you have reporting set to “ALL TRAFFIC” rather than “SECURITY
   ONLY”.
 * Hopefully this will reduce load on your server because a smaller amount of data
   is being sent back with the request, but utilizing any server-side firewall you
   may have could stop limits set by your host being hit altogether.
 * Thanks again,
 * Peter.
 *  Thread Starter [manukkd](https://wordpress.org/support/users/manukkd/)
 * (@manukkd)
 * [4 years, 7 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15035435)
 * Finally, I have applied this code on function.php
    The hosting provider share
   this link to follow and apply to block unauthorized accces
 * [https://stackoverflow.com/questions/41191655/safely-disable-wp-rest-api](https://stackoverflow.com/questions/41191655/safely-disable-wp-rest-api)
 *     ```
       add_filter( 'rest_authentication_errors', function( $result ) {
           // If a previous authentication check was applied,
           // pass that result along without modification.
           if ( true === $result || is_wp_error( $result ) ) {
               return $result;
           }
   
           // No authentication has been performed yet.
           // Return an error if user is not logged in.
           if ( ! is_user_logged_in() ) {
               return new WP_Error(
                   'rest_not_logged_in',
                   __( 'You are not currently logged in.' ),
                   array( 'status' => 401 )
               );
           }
   
           // Our custom authentication check should have no effect
           // on logged-in requests
           return $result;
       });
       ```
   
 *  Plugin Support [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * (@wfpeter)
 * [4 years, 6 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15077214)
 * Hi [@manukkd](https://wordpress.org/support/users/manukkd/),
 * I’m glad you were able to implement that code with the help of your hosting provider
   to hopefully achieve what you want. Provided you’re no longer hitting limits 
   on your hosting plan unintentionally due to the actions of bots/humans, that’s
   the main goal.
 * If you have further Wordfence questions in future by all means start up a new
   topic and we’ll always be glad to help out.
 * Peter.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Rest API request cause over CPU usage’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

 * 5 replies
 * 2 participants
 * Last reply from: [wfpeter](https://wordpress.org/support/users/wfpeter/)
 * Last activity: [4 years, 6 months ago](https://wordpress.org/support/topic/rest-api-request-cause-over-cpu-usage/#post-15077214)
 * Status: resolved