Excessive resource usage: wp-toolkit

Operating System & Version
Centos 7
cPanel & WHM Version


Well-Known Member
Aug 3, 2016
cPanel Access Level
Root Administrator
Hello team

I am using CSF and WP Toolkit - recently getting a lot of the following emails for one specific user.

After looking into that user, it appeared they had been hacked. The WordPress site was deleted 100% and then rebuilt from scratch with new WP installation and replaced plugins etc. After various scans and checks, the site is 100% clean now and using Cloudflare with various WAF lockdowns in place.

However, I am still getting the following email notification every hour - can you help me identify what is happening? There are multiple accounts on the server - only getting notifications for this one user.

lfd on root@example: Excessive resource usage: wp-toolkit

Time: Sun Jul 9 19:01:06
Account: wp-toolkit
Resource: Process Time
Exceeded: 178799 > 15600 (seconds)

Executable: /usr/bin/timeout
Command Line: timeout 60 /usr/local/cpanel/3rdparty/wp-toolkit//bin/wpt-panopticon -user example123 -operation run-wp-cli -work-dir /home/example123/public_html -php-max-execution-time 60 -- instance info --format=json --check-updates=true
PID: 6766 (Parent PID:6048)
Killed: No

I am also getting this every hour:

Email Subject: lfd on root@example: Excessive resource usage: example123 (6711 (Parent PID:67113))
Time: Sun Jul 9 19:01:06
Account: example123
Resource: Process Time
Exceeded: 178798 > 15600 (seconds)
Executable: /opt/cpanel/ea-php80/root/usr/bin/php
Command Line: /opt/cpanel/ea-php80/root/usr/bin/php -r require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'; -d safe_mode=off -d display_errors=on -d opcache.enable_cli=off -d open_basedir= -d error_reporting=341 -d max_execution_time=60 --no-header -- --no-color --path=/home/example123/public_html instance info --format=json --check-updates=true
PID: 6774 (Parent PID:6767)
Killed: No

Is there any chance it is related to this thread?
Last edited:


Staff member
Mar 13, 2018
cPanel Access Level
Root Administrator

Is there any chance it is related to this thread?

Yes, the panopticon process is the one mentioned in that thread. You can take the same steps mentioned in the thread to disable the process if it's causing CPU problems on your server. That said, the CSF alerts you provided are triggered because the processes have been running for a long time. We've found that when malicious code is injected into a WordPress installation, it can cause issues similar to the one you reported:

WP Toolkit processes are not timing out and resulting in server load

Part of the issue appears to be that CentOS 7 cannot kill off these processes properly, and moving to a newer Operating System could help. If you're still experiencing these issues and are confident the site is clean, I recommend opening a ticket with our team so we can take a closer look.