scanning for Wordpress?
Every now and then I remember to look at my web site's traffic. Every month my site produces a few hundred "URL not found" errors, and almost all of them are related to Wordpress -- wp-login.php, xmlrpc.php, and wlwmanifest.xml (tried at a bunch of entry points, each exactly 30 times in the last 30 days, presumably a daily probe).
I don't run Wordpress -- never have. But I guess it's popular enough, and has bugs or security holes, that people find it worthwhile to send their bots to look for it on every web site they can find?
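As an added example (not part of the original post), this Python script does the tally the post describes: it pulls the 404s for the three WordPress filenames out of an access log, groups them by entry point, and flags paths hit exactly once per day. It assumes the Apache/nginx combined log format; the sample lines, addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Filenames named in the post; matched on the last path segment only.
WP_PROBES = ("wp-login.php", "xmlrpc.php", "wlwmanifest.xml")

# Combined log format: host ident user [day:time zone] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two entry points probed once a day for three days,
# a double hit on xmlrpc.php on a single day, and unrelated traffic.
SAMPLE_LOG = [
    f'192.0.2.{d} - - [0{d}/Jan/2022:03:14:07 +0000] "GET {p} HTTP/1.1" 404 196 "-" "-"'
    for d in (1, 2, 3)
    for p in ("/wp-login.php", "/blog/wp-includes/wlwmanifest.xml")
] + [
    '198.51.100.7 - - [02/Jan/2022:09:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.7 - - [02/Jan/2022:09:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.5 - - [02/Jan/2022:10:00:00 +0000] "GET /old-page.html HTTP/1.1" 404 196 "-" "-"',
    '203.0.113.5 - - [02/Jan/2022:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
]

def summarize_wp_probes(lines):
    """Map each probed entry point to its 404 hit count, distinct days and clients."""
    stats = defaultdict(lambda: {"hits": 0, "days": set(), "clients": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]        # ignore any query string
        if path.rsplit("/", 1)[-1].lower() in WP_PROBES:
            entry = stats[path]
            entry["hits"] += 1
            entry["days"].add(m["day"])
            entry["clients"].add(m["ip"])
    return dict(stats)

def daily_probes(stats, min_days=3):
    """Entry points hit exactly once per day on at least min_days distinct days."""
    return sorted(p for p, s in stats.items()
                  if s["hits"] == len(s["days"]) >= min_days)

if __name__ == "__main__":
    summary = summarize_wp_probes(SAMPLE_LOG)
    for path, s in sorted(summary.items()):
        print(f'{path}: {s["hits"]} hits on {len(s["days"])} days from {len(s["clients"])} clients')
    print("daily cadence:", daily_probes(summary))
```

Against a real log, pass the open file object to `summarize_wp_probes` and raise `min_days` to match the window you are looking at (30 for the month described in the post).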
no subject
WordPress, like any software, has bugs, though the developers are good at finding and fixing them. The attackers are going after a few different things, including:
Most of these sites have little valuable content, but they can be hacked into for botnets, cryptomining, etc.
no subject
Good points, thanks. And I hadn't thought about the "hack it for botnets/mining, not anything about the site itself" angle.
no subject
(Anonymous) 2022-01-06 09:42 am (UTC)
Yes. Actually, an up to date installation of Wordpress (as in, the core application itself and nothing more) is fairly secure (certainly no worse than any other extremely widely used, relatively complex piece of software sitting out in the open on the unprotected Internet, although it can be configured in more or less secure ways), but there's a cottage industry of security vulnerabilities in the form of third-party plugins and themes.
Unfortunately, since core Wordpress is fairly bland, people tend to look for third-party plugins and themes; and especially when you go with just the free stuff, odds are stacked against you that you'll end up with something that still is and remains reasonably secure and you need to be really vigilant in what you choose to install. Now add to this that people don't always update those third-party add-ons promptly when new versions are released even with security fixes and, well, there's a problem in the making...
/The Dog
no subject
Thanks. This makes sense -- that the plugins are a weak link even if Wordpress itself is solid (and even if people actually keep it up to date).
no subject
I think another thing WordPress has "going for it" (from the point of view of people looking to exploit security holes) is that it is also something commonly installed by people with little/no experience in server administration and may often be left running for years with few (if any) upgrades applied.
no subject
Oh, good point. Now that you mention it, I wonder -- if I were using Wordpress, which I'm not -- what I'd be responsible for myself versus what my hosting platform would do for me. My hosting CPanel has a "Wordpress" link that I've never clicked; I assumed that means Wordpress is installed on the server and that's for me to turn it on, but do they keep it up to date if so? Or do I? (Idle question, since I'm not going to use it; if I were, I'd ask them that question.)
no subject
Glad to help!