• I often use the iOS app to update my WP sites. This usually works quite well. I recently moved one site from my own NAS to a webhost (because of the certificate hassle) … and it also looked like it was working well. But now I noticed that my website became unresponsive when I used the iOS WordPress app. (unresponsive only in my LAN/WiFi) I checked it again with no WiFi. Page was available. But once I again started the WordPress app without WiFi it became unresponsive on the phone again. (still fine on other phones via cellular)

    The webhost found that my IP was blocked on their firewall because it had been identified as a DOS attack. They told me that 10 requests within 2 seconds is too much and will lead to blocking. I shall disable RPC (now a blocker plugin is installed and active)

    Question: is there something in the app that I could set to only do 1 request per second, or another general fix?

    This is from the webhost log:

    "my.ip.address" - - [29/Dec/2024:09:27:10 +0100] "POST /xmlrpc.php HTTP/1.0" 200 1242 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 wp-iphone/25.5"

    There were +10 of these in one second, so my IP got blocked.
    Now I fear to try the app again, because the IP always is dropped for one day.

    How to address this?
    If I cannot, I would need to always carry a tablet or laptop with me and use the WebGUI, since it is not so comfy on a phone.


Viewing 9 replies - 1 through 9 (of 9 total)
  • Moderator t-p

    (@t-p)

    Are you referring to WPMobile.App — Android and iOS Mobile Application? If yes, I recommend asking at its dedicated support.

    If not, where did you acquire this iOS app?

    As Christopher2wp mentioned above, the iOS WordPress app generates enough traffic to trigger a DoS attack alarm. My web hosting company, WEBGO, based in Hamburg (Germany), automatically blocks the IP address associated with such incoming URL requests to prevent potential DoS attacks.
    This effectively makes the iOS WordPress app unusable for me. I’m curious—has no one else encountered this issue?
    Is there a reasonable explanation for this app behavior?

    Thread Starter christopher2wp

    (@christopher2wp)

    Exactly like @testwart states. It is the official app from the iOS store. I have several sites, and only one fails. The issue is with the site hosted by SelfHost.de

    One page I host myself behind a sharp setup Ubiquiti DreamMachine with IDPS turned on fully, no issues.

    There is a third page hosted with a different company, need to check which it is. Also there no issues.
    And it recently also worked with SelfHost. I think there is a situation that I can cause, and the app goes crazy? Eventually the app tries to re-do something repetitive? So if anybody tells me how to get on debug logs I think I can reproduce the situation

    Hi there! Thanks for the data here – I lead the WP apps team, and we’re aware of this issue.

    First off – to see the logs, you can go to Me > Help & Support > Logs, so hopefully that’s helpful.

    In terms of requests to your site, that’s a tricky thing – we don’t want to overwhelm your site, but when the app is opened we want to make sure your data is up-to-date. For instance, we want to answer questions like:

    • Are there new posts you wrote on the web that the app doesn’t know about?
    • Are there any new comments?
    • Can we still reach the site?

    We use this information to update the UI, and that requires sending a few requests.

    We’re working to migrate away from XMLRPC to the WordPress.org REST API – this should reduce the number of requests we need to send, but it won’t solve the issue entirely. I’m surprised that your host would see 5 requests per second as a DOS attack – that’s a very sensitive trigger (without any other traffic it would be 0.6 requests per second in a one-minute timeframe). Can you ask your host if they send HTTP 429 responses? The app should respect those (and if not that’s a bug we’ll try to address) and send requests more slowly.

    We can probably add a bit more logging to our HTTP requests, making it easier to see exactly when the app is sending data to the server – we’ll look into that soon.

    Thread Starter christopher2wp

    (@christopher2wp)

    To not get in the danger of blocking my IP again and again we installed an XMLRPC plugin, which disables it. But the website still is reachable. Mine is https://tierwohl-an-der-unstrut.de

    I asked my hosting provider for the HTTP 429 replies, will inform you once they answer.

    Regarding the posts, yes it might be that there were different updates open, because when the provider blacklists me, the app can no longer reach the site. And if I switch to GSM it just tries to catch up. For now I deleted the site from the app. Will try again once I know more from my webhost.

    Also I hope my webhost is a little impressed by other webhosts where the issue never came up.

    I use the web app since years and it never failed in this way on another host.

    What would you say is a „normal“ frequency of these XMLRPC calls?

    What would you say is a „normal“ frequency of these XMLRPC calls?

    I wish there were a simple answer to this question – it really depends what the user is doing!

    When the app first starts up (or when you navigate to your site root – the area that lists comments, pages, posts, etc) we’ll fetch the latest comments, posts, pages, etc. These are usually 1 call each.

    Then if you were reviewing comments, we’d re-fetch the state of each comment as you navigate to it (maybe someone else approved it before you pulled it up – we want to make sure you have the latest data). That’s 1 call per comment.

    If you’re writing a post, you might want to insert an image – at that point, we’d do another call to fetch your media library (if you have a large library it’d be 1 call per ~10-25 images, depending on a few factors). When you save the post we’ll have 1 call per new media item, then one to save the text of the post.

    So there isn’t really a clear-cut answer for this – we try to find the right balance between keeping the data on your device fresh as you browse while minimizing traffic to your server (the fewer requests we make, the better for your device’s battery too).

    Hopefully this gives you a better idea what’s happening under the hood though – please let us know if you have any other questions!

    Thread Starter christopher2wp

    (@christopher2wp)

    I checked with our webhost, and they confirmed that there is HTTP 429 sent. Eventually there are situations in the app that make it attempt multiple different updates at once, so getting above the very small amount of allowed connects? I will try to set up the app on the iPhone fresh again. See what happens if I just connect the page fresh. Let’s see if that already creates too many connects and the IP gets blocked. Unfortunately the webhost blocks for 1 day, … so that is really bad to check without them, I always need to inform them, that they unblock my IP :-/

    Thread Starter christopher2wp

    (@christopher2wp)

    I reproduced the issue today. I uninstalled the WordPress app from iOS, also the Jetpack app, just to be sure. I uninstalled the Jetpack plugin from my webpage. I disabled the XML blocker plugin. I reinstalled WordPress after an iOS reboot. The page could not be added, it already got blocked during this attempt. To get hands on the logs, I added another page, so I now can access the logs. Where should I send the log? And what especially can I ask my webhost?

    Hey @christopher2wp – could you first send us the logs at mobile-support+jetpackapp@automattic.com? Please also include a link to this thread. Once we receive the logs, we’ll review them and get back to you.
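
The blocking rule reported in this thread (10 requests within 2 seconds) can be replayed against an access log to see which clients it would flag. The following is an added example, not code from the app, the host or any participant; it assumes a per-IP sliding window over `POST /xmlrpc.php` lines in the log format quoted above, and the IP addresses and log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format, matching the shape of the line quoted in the thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_bursts(lines, limit=10, window_s=2, path="/xmlrpc.php"):
    """Return {ip: time at which `limit` POSTs to `path` fell inside window_s}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    window = timedelta(seconds=window_s)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] >= window:    # drop requests older than the window
            q.popleft()
        if len(q) >= limit and m["ip"] not in flagged:
            flagged[m["ip"]] = ts     # first moment the rule would trip
    return flagged

# Constructed sample data (documentation IP ranges, shortened user agent).
UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 18_2 like Mac OS X) wp-iphone/25.5"

def make_line(ip, second, method="POST", path="/xmlrpc.php"):
    return (f'{ip} - - [29/Dec/2024:09:27:{second:02d} +0100] '
            f'"{method} {path} HTTP/1.0" 200 1242 "-" "{UA}"')

SAMPLE = (
    [make_line("203.0.113.7", 10) for _ in range(6)]      # app start-up burst
    + [make_line("203.0.113.7", 11) for _ in range(5)]
    + [make_line("198.51.100.20", s) for s in range(0, 36, 3)]  # slow client
    + [make_line("198.51.100.20", 40, "GET", "/")]        # not an XML-RPC POST
)

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE).items():
        print(f"{ip} would be blocked at {when.isoformat()}")
```

Running the same function with different `limit` and `window_s` values over a real log shows how often legitimate clients such as the mobile app would cross a proposed threshold before it is enforced.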
