cellio: (Default)
Monica ([personal profile] cellio) wrote2022-01-05 11:30 pm
  • Add Memory
  • Share This Entry
Entry tags:

scanning for Wordpress?

Every now and then I remember to look at my web site's traffic. Every month my site produces a few hundred "URL not found" errors, and almost all of them are related to Wordpress -- wp-login.php, xmlrpc.php, and wlwmanifest.xml (tried at a bunch of entry points, each exactly 30 times in the last 30 days, presumably a daily probe).

I don't run Wordpress -- never have. But I guess it's popular enough, and has bugs or security holes, that people find it worthwhile to send their bots to look for it on every web site they can find?

Threaded | Flat
madfilkentist: (Default)

[personal profile] madfilkentist 2022-01-06 09:29 am (UTC)(link)
WordPress is by far the most popular platform for websites, and especially for self-hosted sites, which often have miserable security. It's even used for sites that could be served as plain HTML, which is vastly more secure.

WordPress, like any software, has bugs, though the developers are good at finding and fixing them. The attackers are going after a few different things, including:

  • Sites running outdated versions with known bugs.
  • Plugins with security holes of their own (and outdated versions of them).
  • Admin accounts with weak passwords.
  • Sites with publicly readable configuration files (the equivalent of leaving the key under the doormat).


Most of these sites have little valuable content, but they can be hacked into for botnets, cryptomining, etc.

(Anonymous) 2022-01-06 09:42 am (UTC)(link)

Yes. Actually, an up to date installation of Wordpress (as in, the core application itself and nothing more) is fairly secure (certainly no worse than any other extremely widely used, relatively complex piece of software sitting out in the open on the unprotected Internet, although it can be configured in more or less secure ways), but there's a cottage industry of security vulnerabilities in the form of third-party plugins and themes.

Unfortunately, since core Wordpress is fairly bland, people tend to look for third-party plugins and themes; and especially when you go with just the free stuff, odds are stacked against you that you'll end up with something that still is and remains reasonably secure and you need to be really vigilant in what you choose to install. Now add to this that people don't always update those third-party add-ons promptly when new versions are released even with security fixes and, well, there's a problem in the making...

/The Dog

outofwater: Me outside St John's before my confirmation at the Easter Vigil 2016 (Default)

[personal profile] outofwater 2022-01-06 11:28 am (UTC)(link)

I think another thing WordPress has "going for it" (from the point of view of people looking to exploit security holes) is that it is also something commonly installed by people with little/no experience in server administration and may often be left running for years with few (if any) upgrades applied.

richardf8: (Default)

[personal profile] richardf8 2022-01-07 04:09 am (UTC)(link)
Thanks. I just dumped a wordpress installation that I had mostly forgotten about because of your post.
Threaded | Flat