Active requests are increase drastically on Nginx with php-fpm

Question

Suddenly, today around 10 am, The number of active client requests of Nginx are increase drastically.

http://gyazo.com/a34263e00065b2c52d03b0c295b5cfa3

As increase of active requests, cpu usage of the server increases and returns bad response.

http://gyazo.com/28ff3e4cfe73ebbc76eb74f225d91d3d

Please teach me what's happen in my environment.

My environment is blelow:

Amazon ELB <-> Nginx(ver.1.4.3) <-> php-fpm(ver.5.4.23) <-> WordPress(ver.3.9.2) <-> MySQL(ver.5.5.31)

/etc/nginx/conf.d/default.conf:

server {
    listen      80 default;
    server_name example.com;
    root        /var/www/vhosts/example;
    index       index.html index.htm;
    charset     utf-8;

    access_log  /var/log/nginx/access.log  main;
    error_log   /var/log/nginx/error.log;

    include     /etc/nginx/drop;

    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    set $mobile '';

    location ~* ^/wp-(content|admin|includes) {
        index   index.php index.html index.htm;
        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;
    }

    location / {
        if ($request_filename ~ .*\.php) {
            break;
            proxy_pass http://backend;
        }
        include /etc/nginx/expires;

        set $do_not_cache 0;
        if ($http_cookie ~* "comment_author_|wordpress_(?!test_cookie)|wp-postpass_" ) {
            set $do_not_cache 1;
        }
        if ($request_method = POST) {
            set $do_not_cache 1;
        }
        proxy_no_cache     $do_not_cache;
        proxy_cache_bypass $do_not_cache;

        proxy_redirect     off;
        proxy_cache        czone;
        proxy_cache_key    "$scheme://$host$request_uri$mobile";
        proxy_cache_valid  200 0m;
        proxy_pass http://backend;
    }
}

server {
    listen      unix:/var/run/nginx-backend.sock default;
    server_name _;
    root        /var/www/vhosts/example;
    index       index.php index.html index.htm;

    access_log  /var/log/nginx/backend.access.log backend;

    keepalive_timeout 25;
    port_in_redirect  off;

    gzip              off;
    gzip_vary         off;

    include /etc/nginx/wp-multisite-subdir;
}

/etc/php-fpm.d/www.conf:

[www]
listen = /var/run/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0666

user = nginx
group = nginx

pm = dynamic
pm.max_children = 15
pm.start_servers = 1
pm.min_spare_servers = 1
pm.max_spare_servers = 4
pm.max_requests = 200

rlimit_files = 131072
rlimit_core = unlimited

request_terminate_timeout = 90
request_slowlog_timeout = 60

slowlog = /var/log/php-fpm/www-slow.log

php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_admin_value[upload_max_filesize] = 64M
php_admin_value[post_max_size] = 64M
php_admin_value[max_execution_time] = 60

Server spec:

$ uname -a
Linux ip-172-31-1-34 3.4.82-69.112.amzn1.x86_64 #1 SMP Mon Feb 24 16:31:21 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/system-release
Amazon Linux AMI release 2013.09

Answer 1

It looks like it's getting a lot more hits, this could be caused by something like a search engine crawling your site(s) or potentially an attack. It would be worth checking out the log files to see if there's been a drastic increase in access and which files are being accessed.

If it is an attack it could be worth looking into something like fail2ban to automatically block any dodgy connections You should also make sure that WordPress and plugins is kept up to date for security patches (you say you're using v3.9.2 when v4 is available)