meditatingsurgeon Yes, IOPS, it's butter smooth no nasty spikes now.
Like @twest says, do try and catch what's going on so you can be sure what's causing it, for me it was package restriction with some mysql calls on a not so well optimised database. Removing IOPS restrictions seemed to clear my issue, but I knew it was PHP processes for certain websites causing the spikes (using netdata, before the change). In fact PHP memory was ballooning and then hitting swap, causing more IO issues. The only system restrictions I have per package now, are Memory and Harddisk Quota.
Wordfence is a great little tool, you could try RKHunter or something besides ClaimAV to check the server, but honestly a modern rootkit could install itself and not be easily found. True server checks come down to tight use of AIDE or Tripwire to hash all files from the start and check for changes, that said it's a lot more work to manage and check, every update gives false positives and you need to rehash all files again.
I don't know if netdata has stoped it's community edition, have a look you might be able to still selfhost a control panel. Else Muin was useful within cpanel, maybe you can selfhost that?
