It would be helpful if I could get a suggestion for real world resource limits that are sufficient for most use cases. I am mainly referring to cgroup such as cpu time, io and in addition apache evasive. I’d be interested in the various limits you and others set for different plans.
Those defaults are designed to be a sufficient baseline. What issues are you experiencing that prompted this question?
I was having issues with a plugin called “Support Candy”, it was causing one of my sites to hit the evasive limits. I had to change the page-count to 150 to fix it. I have since discontinued using it as it seemed to be coded poorly.
Some of my sites the cpu time uses close to half the allotted of 2000. Just curious what you recommend for this setting. Haven’t had issues with io yet.
I did run across false malware detection for some plugins though. I tried to whitelist it but didn’t seem to work.
cpcmd scope:set virus-scanner.signature-whitelist ‘Sanesecurity.Foxhole.JS_Zip_4.UNOFFICIAL(1829b7dc5d10c1b499908ba612be78f5:1605286)’
I ended up just uploading the files thru sftp, would be curious of a workaround for when false detection occur. I tried following your docs and it didn’t seem to work.
signature-whitelist shows these:
{HEX}Sanesecurity.Foxhole.JS_Zip_16
{HEX}Sanesecurity.Foxhole.JS_Zip_13
{HEX}Sanesecurity.Foxhole.JS_Zip_4
Sanesecurity.Foxhole.JS_Zip_16
Sanesecurity.Foxhole.JS_Zip_13
Sanesecurity.Foxhole.JS_Zip_4
Sanesecurity.Foxhole.JS_Zip_12
Anything standing out to you?
Ideally, a plugin should minimize requests so as to minimize the resource burden a page request produces. Each separate request has to boot up WordPress core, initialize plugins, etc before fulfilling the request, so yep - bad programmers beget bad code.
CPU time is relative to processor performance. A quiesced Threadripper will result in lower CPU seconds consumed for the same parcel of work than a noisy Core i5 processor that is heavily subscribed with competing work. If your CPU time is ~50% then your typical worst case is median usage, which makes it easier to discover outliers.
Be careful with the timestamp from the logfile. It’s possible for a specimen to match multiple signatures, so further whitelisting may be necessary.
Default whitelist includes additional signatures that are always listed without the hex nor status.