Huge load with wpt-wp-cli.php for specific users

Operating System & Version
Ubuntu v20.04.5
cPanel & WHM Version
112.0.5

Intekhab

Member
Apr 22, 2007
22
1
153
For 2 specific users I am seeing a huge load with multiple processes as:

Code:
/opt/cpanel/ea-php74/root/usr/bin/php -r require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'; -d safe_mode=off -d display_errors=on -d opcache.enable_cli=off -d open_basedir= -d error_reporting=341 -d max_execution_time=60 --no-header -- --no-color --path=/home/user/public_html instance info --format=json --check-updates=true
Even if I kill the processes, they keep coming back.

Note that for both users, the wp installations repeatedly appear to get compromised. (Integrity fails)
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,558
2,610
363
cPanel Access Level
Root Administrator
Hey there! Since you mentioned the users are being frequently compromised, that is almost certainly the root cause of the issue. Can you tell where specifically the compromise is happening - as in, are the same files being changed repeatedly on the account? If not, it would be best for anyone with access to the account to perform a malware scan of their local computers to ensure those are not infected as well, since keylogging tools are a common way to steal passwords.
 

Intekhab

I was not actually looking for a solution for malware here. I'll look into that. But as I see
Code:
require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php';
I assume it's related to wp-toolkit?

What is wp-toolkit doing here? Auto Malware/Integrity scan?
And how can I prevent it from doing that?
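Added example, not part of the thread and not cPanel or WP Toolkit code: a way to group the running `wpt-wp-cli.php` processes by owner, `--path` and wp-cli subcommand, so it is clear which installation and which operation (here `instance info` with `--check-updates=true`) accounts for the load. The function names, the users `usera`/`userb` and the sample lines are constructed; the input format assumed is that of `ps -eo user=,args=`.

```shell
#!/usr/bin/env bash
# Summarise wpt-wp-cli.php invocations per user, WordPress path and subcommand.
# Input on stdin: "<user> <command line>" per line, as printed by `ps -eo user=,args=`.
summarise_wpt() {
  awk '
    /wpt-wp-cli\.php/ {
      path = "(no --path)"; sub_cmd = ""
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^--path=/) {
          path = substr($i, 8)
          # words after --path= up to the next option form the wp-cli subcommand
          for (j = i + 1; j <= NF && $j !~ /^--/; j++)
            sub_cmd = sub_cmd (sub_cmd == "" ? "" : " ") $j
        }
      }
      count[$1 "\t" path "\t" sub_cmd]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | sort -k1,1nr
}

# Constructed sample input modelled on the command line quoted in the first post.
WPT_PREFIX="/opt/cpanel/ea-php74/root/usr/bin/php -r require '/usr/local/cpanel/3rdparty/wp-toolkit/plib/vendor/wp-cli/wpt-wp-cli.php'; -d max_execution_time=60 --no-header -- --no-color"
WPT_ARGS="instance info --format=json --check-updates=true"

sample_lines() {
  printf 'usera %s --path=/home/usera/public_html %s\n' "$WPT_PREFIX" "$WPT_ARGS"
  printf 'usera %s --path=/home/usera/public_html %s\n' "$WPT_PREFIX" "$WPT_ARGS"
  printf 'usera %s --path=/home/usera/public_html %s\n' "$WPT_PREFIX" "$WPT_ARGS"
  printf 'userb %s --path=/home/userb/public_html %s\n' "$WPT_PREFIX" "$WPT_ARGS"
  printf 'root /usr/sbin/sshd -D\n'
}

# Columns printed: count, user, path, subcommand (tab-separated, busiest first).
sample_lines | summarise_wpt
```

On a live server the same function reads real data with `ps -eo user=,args= | summarise_wpt`.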