Andreas Grabner About the Author

Andreas Grabner has been helping companies improve their application performance for 15+ years. He is a regular contributor within Web Performance and DevOps communities and a prolific speaker at user groups and conferences around the world. Reach him at @grabnerandi

Make PHP requests “Sleep” to stop bad behavior. Smart or not?

In our previous post where we showed how we hooked up our blog’s WordPress application with the new Compuware APMaaS offering. Since WordPress is a PHP application we use PurePath for PHP to monitor it. We highlighted that we got an alert about a response time violation on some of our blog posts – which is shown on the following screenshot.

Dynamic Baselining detect a significant violation of the baseline during a 4.5 hour period last night

Dynamic Baselining detect a significant violation of the baseline during a 4.5 hour period last night

In this follow-up post I want to show you how we get to the root cause of this problem which turns out to be a 3rd-party WordPress PHP plugin that detects Bad Requests including requests from Bots that try to put spam messages in blog comments.

Step 1: See PHP Performance Hotspots

For the selected timeframe, we open the Response Time Hotspot dashboard. This shows which layer of the PHP Application has the highest performance contribution.

The high-level performance hotspot shows that most of the time is spent in core PHP functionality.

The high-level performance hotspot shows that most of the time is spent in core PHP functionality.

Step 2: Pinpoint the problematic method

A click on the PHP layer shows us that the Sleep function is the biggest contributor to this performance hotspot:

Turns out it is the Sleep function that gets called from one of the plugins we use to identify Bad Requests.

Turns out it is the Sleep function that gets called from one of the plugins we use to identify Bad Requests.

Step 3: Identify the actual request

Let’s have a look at one of the transactions where we get to see where the sleep method is actually called:

We see where the plugin detects the bad behavior and also the log message it writes to MySQL.

We see where the plugin detects the bad behavior and also the log message it writes to MySQL.

We also get access to the web request details such as IP Address, User Agent or actual URL and Query String:

The details show origin information about this bad request, e.g: IP, User Agent, URL and Query String

The details show origin information about this bad request, e.g: IP, User Agent, URL and Query String

Analysis: Lots of Bad Requests reduces WordPress performance

The Bad Behavior Plugin does a good job in preventing these bots to post spam messages. What’s interesting though is their approach of putting the request to sleep for 2 seconds. If we have a lot of parallel bad requests we have a lot of threads that are blocked in wait. This will impact “real” users that want to access the blog as the web server might not have any available active threads.  A different approach would help. If you have a suggestion for a better way to handle bad requests to avoid the blocked threads issue, let us know in the comments.

If you want to know more about performance management for PHP check out the blog from Klaus on Exploring the PHP World with PurePath Technology. If you are an existing Compuware APM Customer check out our dynaLearn Webinar on First Steps with PurePath for PHP.

Comments

*


nine − = 8