scanning for Wordpress?

[cellio]

Every now and then I remember to look at my web site's traffic. Every month my site produces a few hundred "URL not found" errors, and almost all of them are related to Wordpress -- wp-login.php, xmlrpc.php, and wlwmanifest.xml (tried at a bunch of entry points, each exactly 30 times in the last 30 days, presumably a daily probe).

I don't run Wordpress -- never have. But I guess it's popular enough, and has bugs or security holes, that people find it worthwhile to send their bots to look for it on every web site they can find?

Comments

[(Anonymous)]

Yes. Actually, an up to date installation of Wordpress (as in, the core application itself and nothing more) is fairly secure (certainly no worse than any other extremely widely used, relatively complex piece of software sitting out in the open on the unprotected Internet, although it can be configured in more or less secure ways), but there's a cottage industry of security vulnerabilities in the form of third-party plugins and themes.

Unfortunately, since core Wordpress is fairly bland, people tend to look for third-party plugins and themes; and especially when you go with just the free stuff, odds are stacked against you that you'll end up with something that still is and remains reasonably secure and you need to be really vigilant in what you choose to install. Now add to this that people don't always update those third-party add-ons promptly when new versions are released even with security fixes and, well, there's a problem in the making...

/The Dog

[cellio]

Thanks. This makes sense -- that the plugins are a weak link even if Wordpress itself is solid (and even if people actually keep it up to date).