
server maintenance

logging activity

apache error log

tail /var/log/apache2/error.log

mysql error log

tail /var/log/mysql/error.log

user authentications, including possible attacks

tail /var/log/auth.log

look up where an IP address is coming from

geoiplookup THE.IP.ADD.RE.SS

IP filtering

check existing iptables filters

iptables -L

use iptables to filter IP addresses

iptables -A INPUT -s THE.IP.ADD.RE.SS -j DROP

mysql

remove unapproved (pending) comments from a WordPress site

mysql> USE database;
mysql> DELETE FROM wp_comments WHERE comment_approved = '0';

mysql running out of memory within minutes; see http://brunzino.github.io/blog/2016/05/21/solution-how-to-debug-intermittent-error-establishing-database-connection/ and https://www.linode.com/docs/websites/apache-tips-and-tricks/tuning-your-apache-server

added the following lines

# trying to fix the mysql memory leak, which is possibly linked to an attack?
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress site, to block a possible xmlrpc attack. To confirm the attack, grep /etc/apache2/access.log for this:

POST /xmlrpc.php HTTP/1.1

installed lynx and added the following lines:

<Location /server-status>
  SetHandler server-status
  Order Deny,Allow
  Deny from all
  Allow from localhost
</Location>

to all /etc/apache2/sites-available/domain.com configuration files which host a WordPress site, to enable the mod_status report (viewed with lynx), which clearly showed many xmlrpc requests within seconds.

run

lynx http://localhost/server-status

to see statistics

Solved the memory issue by blocking the IP that was sending the xmlrpc requests (iptables DROP) after geoiplookup located it in Lithuania.
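The steps above (grep the access log for POST /xmlrpc.php, find the source IP, then geoiplookup and iptables) can be turned into a small script. The following is an added example, not part of the original wiki page: it counts xmlrpc POSTs per client IP in an Apache combined-format access log. The log lines are constructed sample data using documentation IP ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the wiki page): count POST /xmlrpc.php requests
# per client IP in an Apache combined-format access log, so the heaviest
# source can be checked with geoiplookup and, if warranted, dropped with
# iptables. The log below is constructed sample data (documentation IPs).

SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [19/Jun/2016:12:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:12:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2016:12:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2016:12:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Jun/2016:12:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Jun/2016:12:01:04 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.47"
EOF

# xmlrpc_top_ips LOGFILE [MIN_COUNT]
# Prints "count ip" lines, highest count first, for IPs that POSTed to
# /xmlrpc.php at least MIN_COUNT times (default 1). Only the request
# method and path fields are matched, so a User-Agent or referrer that
# happens to contain "xmlrpc.php" is not counted.
xmlrpc_top_ips() {
    logfile=$1
    min=${2:-1}
    awk -v min="$min" '
        $6 == "\"POST" && $7 == "/xmlrpc.php" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$logfile" | sort -rn
}

# top_xmlrpc_ip LOGFILE
# The single heaviest source: the address to pass to geoiplookup next.
top_xmlrpc_ip() {
    xmlrpc_top_ips "$1" | head -n 1 | awk '{ print $2 }'
}

xmlrpc_top_ips "$SAMPLE_LOG"
# prints:
# 3 203.0.113.7
# 1 198.51.100.4
```

On a live server, run it against /var/log/apache2/access.log with a MIN_COUNT that reflects normal traffic, and verify the address with geoiplookup before adding the iptables rule.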

see also: http://www.blogtips.org/block-wordpress-brute-force-attacks-via-xmlrpc-php/

also, the dataclub.biz domain appears in other brute-force attacks

server_maintenance.txt · Last modified: 2016/06/19 12:13 by zoza