Unoptimized; DoS risk.

  • allocatedspace

    (@allocatedspace)


    1 year, 11 months ago

    This plugin struggles with scalability issues, particularly noticeable when managing a sizable number of events. Its performance suffers due to inefficient database queries, largely stemming from the lack of proper indexing and the storage of date fields as strings instead of numbers.

    Without indexes on date fields, the DATETIME typecasting, and with every date-related query requiring the database to scan through all records, even basic operations can take several seconds. For instance, rendering event views can be sluggish, sometimes taking up to 8 seconds on a site with very many events.

    Examining the database structure reveals the absence of indexes for efficient lookups, amplifying the performance problems. Queries like event views further exacerbate the issue by lacking optimization, often necessitating the conversion of VARCHAR strings to DATETIME (integers) types in real-time for each record, because they are used in the query where clause.

    This plugin isn’t suitable for sites expecting significant event traffic. Even a modest number of events can strain server resources. To mitigate these issues, the plugin should ideally store date fields as DATETIME types, utilize appropriate indexing, and optimize queries accordingly—a practice notably absent in its current implementation.

    The lack of optimization and potential for creating a Denial of Service (DoS) risk is very concerning. The more events you have, the slower each event query will take, consuming a high amount of CPU time in the database server, making CPU time less available for other operations.

    You likely won’t notice a load increase in your database server if you don’t have many events. But if you have many events, even with relatively low traffic, if your calendar pages get that traffic, like from search engine bots, your database server will require disproportionally high resources (CPU). If to bots aggressively crawl these URIs, while you have many events, you will likely experience noticable CPU load in your DB server: ^/(all-events|events-all|events|calendar)/

    1. Event View Query:

    SELECT wp_posts.ID
    FROM wp_posts JOIN wp_tec_occurrences
    ON wp_posts.ID = wp_tec_occurrences.post_id
    WHERE 1=1
    AND wp_posts.post_type = 'tribe_events'
    AND ((wp_posts.post_status = 'publish'
    OR wp_posts.post_status = 'acf-disabled'
    OR wp_posts.post_status = 'tribe-ea-success'
    OR wp_posts.post_status = 'tribe-ea-failed'
    OR wp_posts.post_status = 'tribe-ea-schedule'
    OR wp_posts.post_status = 'tribe-ea-pending'
    OR wp_posts.post_status = 'tribe-ea-draft'
    OR wp_posts.post_status = 'private')))
    ORDER BY wp_posts.post_date DESC
    LIMIT 0, 15

    There is no index on wp_tec_occurrences.post_id, so this JOIN is not efficient. To satisify this join, every record in the wp_tec_occurrences table must be read by the databserver to determine selection candidacy.

    1. Date-related Query:

    SELECT wp_posts.ID, CAST( wp_tec_occurrences.start_date AS DATETIME ) AS event_date, CAST( wp_tec_occurrences.duration AS DECIMAL ) AS event_duration
    FROM wp_posts JOIN wp_tec_occurrences
    ON wp_posts.ID = wp_tec_occurrences.post_id
    WHERE 1=1
    AND wp_posts.post_type = 'tribe_events'
    AND ((wp_posts.post_status = 'publish'
    OR wp_posts.post_status = 'private'))
    AND (( TIMESTAMPDIFF ( SECOND, wp_tec_occurrences.start_date, '2024-05-06 23:59:59' ) >= 2
    AND TIMESTAMPDIFF ( SECOND, '2024-04-01 00:00:00', wp_tec_occurrences.end_date ) >= 2 ))
    GROUP BY wp_tec_occurrences.occurrence_id
    ORDER BY wp_tec_occurrences.start_date ASC, wp_tec_occurrences.duration ASC, wp_posts.menu_order ASC

    There is no index on wp_tec_occurrences.post_id, so this JOIN is not efficient. Additionally, to satisify the criteria, every record in the wp_tec_occurrences table must be read because of the type casting of wp_tec_occurrences.start_date, which is a VARCHAR (string), to a DATETIME, which is an integer. This latter operation also requires CPU cycles. The complexity of this query scales up with the number of events.

    1. Another Query:
      SELECT wp_posts.ID, CAST( wp_tec_occurrences.start_date AS DATETIME ) AS event_date
      FROM wp_posts JOIN wp_tec_occurrences
      ON wp_posts.ID = wp_tec_occurrences.post_id
      WHERE 1=1
      AND wp_posts.post_password != ''
      AND wp_posts.post_type = 'tribe_events'
      AND ((wp_posts.post_status <> 'trash'
      AND wp_posts.post_status <> 'auto-draft'))
      GROUP BY wp_tec_occurrences.occurrence_id
      ORDER BY wp_tec_occurrences.start_date ASC, wp_posts.post_date ASC
      LIMIT 0, 15
    1. Another:

    SELECT SQL_CALC_FOUND_ROWS wp_posts.ID, CAST( wp_tec_occurrences.start_date AS DATETIME ) AS event_date
    FROM wp_posts JOIN wp_tec_occurrences
    ON wp_posts.ID = wp_tec_occurrences.post_id
    WHERE 1=1
    AND ( CAST(wp_tec_occurrences.start_date_utc AS DATETIME) > '2024-04-25 00:00:00' )
    AND wp_posts.post_type = 'tribe_events'
    AND ((wp_posts.post_status = 'publish'
    OR wp_posts.post_status = 'private'))
    GROUP BY wp_tec_occurrences.occurrence_id
    ORDER BY wp_tec_occurrences.start_date ASC, wp_posts.post_date ASC
    LIMIT 0, 15

    Structures, as the plugin creates them:

    CREATE TABLE wp_tec_events (
    event_id bigint(20) UNSIGNED NOT NULL,
    post_id bigint(20) UNSIGNED NOT NULL,
    start_date varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    end_date varchar(19) COLLATE utf8mb4_unicode_520_ci DEFAULT NULL,
    timezone varchar(30) COLLATE utf8mb4_unicode_520_ci NOT NULL DEFAULT 'UTC',
    start_date_utc varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    end_date_utc varchar(19) COLLATE utf8mb4_unicode_520_ci DEFAULT NULL,
    duration mediumint(30) DEFAULT '7200',
    updated_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    hash varchar(40) COLLATE utf8mb4_unicode_520_ci NOT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;

    ALTER TABLE wp_tec_events
    ADD PRIMARY KEY (event_id),
    ADD UNIQUE KEY post_id (post_id);

    CREATE TABLE     wp_tec_occurrences (
    occurrence_id bigint(20) UNSIGNED NOT NULL,
    event_id bigint(20) UNSIGNED NOT NULL,
    post_id bigint(20) UNSIGNED NOT NULL,
    start_date varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    start_date_utc varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    end_date varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    end_date_utc varchar(19) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    duration mediumint(30) DEFAULT '7200',
    hash varchar(40) COLLATE utf8mb4_unicode_520_ci NOT NULL,
    updated_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;

    ALTER TABLE wp_tec_occurrences
    ADD PRIMARY KEY (occurrence_id),
    ADD UNIQUE KEY hash (hash),
    ADD KEY event_id (event_id);
Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Gustavo Bordoni

    (@bordoni)

    1 year, 11 months ago

    Hi @allocatedspace,

    Thank you for the detailed report you provided us here, some of these issues we were fully aware just didn’t prioritize the work correctly, one of the hardest problems to solve when dealing with a lot of different types of customers is that certain decisions to tackle Problem A or B end up being that we don’t to all the important problems like this one.

    We have improved scalability of certain things but 100% in agreement here with you that the issues you are pointing out need to addressed as a priority, and our team has looked at what you have posted and a couple of other changes that will improve the Scalability and Performance of the plugin.

    We have an outlined internal plan to tackle the problem you have reported.

    I also can see that you have spent a significant amount of time on your discovery and we would love to see if the changes we will make do actually create significant improvements for your usage, let me know if you are up to that and we can talk more about how we can do that.

    Thank you,

    Thread Starter allocatedspace

    (@allocatedspace)

    1 year, 11 months ago

    Hi Gustavo Bordoni (@bordoni),

    Nice, that sounds great.

    Sure, just let me know when you’ve made any changes, and I’ll update and note the update time accordingly. I’ll keep an eye on CPU usage for multiple sites by monitoring a database CPU utilization histogram to determine if there is a noticeable difference. Each site has a few thousand tribe_event records.

    If your update adds an index to the joining columns (wp_tec_occurrences.post_id) and handles dates and times as DATETIME types rather than VARCHAR, it should improve performance because of fewer table scans for joins and less effort (CPU time) in queries that were type casting VARCHAR to DATETIME, especially where the type casting of VARCHAR to DATETIME was occurring in the WHERE clause (which also causes another table scan, since that column as a VARCHAR cannot benefit from an index in the way it’s being used, whereas DATETIME data is stored as 8 bytes, with the first four representing the date, and the last four representing the time, and this format can benefit from a B-Tree index, allowing efficient lookups based on datetime using MySQL’s date and time functions (or LT and GT operators). It’s likely to make a noticeable difference. Looking forward to it.

    Plugin Author Gustavo Bordoni

    (@bordoni)

    1 year, 11 months ago

    For sure, @allocatedspace someone from our team will ping you once we got some that done, we need to make sure the changes don’t break for any customers before we push it to production.

    Most likely the first few changes will be the table structure updates to include indexes, set types and some smaller query changes.

    If you come back here and this thread is closed, feel free to reach out to me on the WordPress.org Slack and I will be more than glad to share updates.

    Best Regards,

    Thread Starter allocatedspace

    (@allocatedspace)

    1 year, 9 months ago

    Hi,

    Any updates?

    It’s causing CPU issues. The WordPress database shown below has 2,128 tec_occurences records.

    The issue was resolved by disabling The Events Calendar plugin and terminating the two persistent tec_occurences MySQL queries, as shown below:

    While server-side full-page caching dos help, it only does so conditionally, and so it’s not a final solution in reducing the high CPU usage caused by inefficient The Events Calendar table scans.

    • This reply was modified 1 year, 9 months ago by allocatedspace.
    • This reply was modified 1 year, 9 months ago by allocatedspace. Reason: formatting
    wort

    (@wort)

    1 year, 6 months ago

    I also would like to know if there is any new status on this. I’m seeing 6 to 10 second queries – some reading 50000 rows and returning 1. Once we get a bunch of bots looking at calendar events, the db is hard pressed to keep up – load average on the server goes from around 2 to over 170. Every entry in the mariadb.slow.log file is related to a tec table. Yep, I have caching on. Thanks for any info!

    ehehronn

    (@ehehronn)

    1 year, 6 months ago

    I concur. This plugin is a resource hog with any significant amount of events.

    The plugin implements multiple worst-case bad database practices that severely affect performance. When server-side caching isn’t properly throttling access to it, its impact on our otherwise stable systems is comparable to a worm infection or persistent DoS attack. These pages, including those with TEC calendar widgets, cause an excessive load on our databases due to inefficient table structures, missing indexes (causing table scans), and incorrectly chosen data types (VARCHAR[] rather than DATETIME). Query complexity increases proportionally to the size of the table (the total number of Event occurrences) due to VARCHAR-to-DATETIME typecasting in WHERE and table JOIN clause statements (each of which trigger additional full table scans to determine candidacy) and missing indexes on fields that are used as lookups (each of which trigger an additional full table scan, again, to determine selection candidacy).

    The plugin is demonstrably inefficient and any requests for improvement to the plugin developers, inevitably results in a loose promise to fix it with no action.

    huubl

    (@huubl)

    1 year, 4 months ago

    Any updates?

    dorgs04

    (@dorgs04)

    1 year, 4 months ago

    Hi,

    We are having the exact same issues with our server. Raised several tickets over several months and still no fix.

    Any help to resolve ASAP appreciated.

    Lee

    Benedikt Ledl

    (@benniledl)

    1 year, 4 months ago

    The company obviously does not monitor this old topic, so it won’t be helpful to continue posting here. You can contact them by starting a new thread or reaching out through their internal support channel. Alternatively, someone can implement a fix and submit a pull request on their GitHub: https://github.com/the-events-calendar/the-events-calendar/pulls.

    Feel free to reference this ticket, as it contains detailed technical analysis that could be valuable for the developers when addressing the issue.

    cc: @dorgs04 @huubl @ehehronn @wort @allocatedspace

    @bordoni should anyone start a new topic or reach you via other channels so can you pick this topic up again?

    Edit: by the way does this plugin help? https://wordpress.org/plugins/index-wp-mysql-for-speed/

    Plugin Author Gustavo Bordoni

    (@bordoni)

    1 year, 4 months ago

    @benniledl @dorgs04
    I get all notifications from this Topic, my bad on the delayed response.

    If anyone wants to do a Pull Request on this it would be amazing, it is always helpful and I will personally make sure someone on our Engineering team gets it to QA in the next Maintenance Release cycle.

    We have a couple of massive projects ending now before Black Friday, which will free up engineering to start looking at theses problems, we are hopeful to get at least a couple of Pull Requests to improve performance before the end of the year, but we need to make sure we properly QA before it goes out to users.

    Best Regards,

    dustycat

    (@dustycat)

    1 year, 2 months ago

    I am adding my urgent voice to the demand for this fundamental issue to be resolved.

    A website I run for a client which has a very complex structure with lots of different functionality, hence a huge database, has TEC installed. We have had huge issues over the last few days with TEC running extraordinarily long and complex queries that have completely used up all resources pushing the site into non-responsiveness.

    My client has spent a small fortune over the weekend on auto-scaling of their RAM and CPU trying to keep the site available. I am now having to deactivate the plugin to prevent further unnecessary expense.

    Clearly this issue has been around for some time, has been extensively documented and reported by numerous people.

    To find that months later, the developers are trying to get the fix done on “mates rates” rather than investing their own resources in getting their plugin properly coded is truly shocking, especially considering the licence fees charged for all addons and the pro version.

    If the basic, free code isn’t up to scratch then it should be fixed, otherwise every installation of TEC, whether free or pro and/or extended is having a detrimental impact and people who have purchased licences are not getting a fit for purpose plugin for their money.

    I will open a separate ticket to record the issues on my client’s website but wanted to ensure this ticket with so much valuable information in it remains top of mind with the developers.

Viewing 11 replies - 1 through 11 (of 11 total)

The topic ‘Unoptimized; DoS risk.’ is closed to new replies.