I'm Glad I Don't Run Wordpress
Last week I spent some time monitoring my apache error logs to try to get rid of warnings from my website and see if there are any errors I need to fix. (Answer: yes, there were a few things I needed to fix, mostly due to changes in libraries since I wrote the pages in question.)

The vast majority of lines in my error log, however, are requests for /wp-login.php or /xmlrpc.php. There are so many of them that they drown out any actual errors on the website. wp-login.php is obviously a Wordpress thing; not surprisingly, xmlrpc.php also is, and it's apparently something Wordpress users are advised to disable.
The attacks always come in double pairs and always for both files at more or less the same time: a given IP will try /wp-login, then /xmlrpc.php, then /wp-login again, then /xmlrpc.php again. I can't find any differences between the requests that might explain why each host makes two tries for each file; if there's a difference, it's at a level that doesn't show up in apache logs.
The IP addresses are all over the map, so I'm guessing they're mostly Windows zombies with malware.
Anyway, I got curious and wrote a little Python program to analyze the current error log and tell me about the requests for these two files. Here are the results from my own little website:
Apache log entries trying to get /wp-login.php or y/xmlrpc.php:
Total tries: 574 in 18 hours 12 minutes
Average time between tries: 113.7 seconds or 1.9 minutes
Total number of unique IPs: 151
Wow. I'm glad I'm not a Wordpress user. With this many attacks, I'd be constantly paranoid about keeping up to date on security fixes, and worried about missing a zero-day exploit. In my case, they're all just 404 errors because I don't have those files.
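A log analysis of the kind described above, as an added example (this is not the author's program). The sample lines are constructed in the Apache 2.4 error-log layout with documentation IP addresses, the function names are hypothetical, and the average gap is assumed to be the time span divided by tries minus one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Apache 2.4 error-log layout (not the author's data).
SAMPLE_LOG = """\
[Thu Apr 13 08:00:00.000000 2023] [php7:error] [pid 811] [client 203.0.113.5:40112] script '/var/www/wp-login.php' not found or unable to stat
[Thu Apr 13 08:00:01.000000 2023] [php7:error] [pid 811] [client 203.0.113.5:40114] script '/var/www/xmlrpc.php' not found or unable to stat
[Thu Apr 13 08:00:02.000000 2023] [php7:error] [pid 812] [client 203.0.113.5:40116] script '/var/www/wp-login.php' not found or unable to stat
[Thu Apr 13 08:00:03.000000 2023] [php7:error] [pid 812] [client 203.0.113.5:40118] script '/var/www/xmlrpc.php' not found or unable to stat
[Thu Apr 13 08:01:00.000000 2023] [core:info] [pid 813] [client 198.51.100.7:51000] AH00128: File does not exist: /var/www/favicon.ico
[Thu Apr 13 08:02:00.000000 2023] [php7:error] [pid 813] [client 198.51.100.7:51002] script '/var/www/wp-login.php' not found or unable to stat
[Thu Apr 13 08:02:03.000000 2023] [php7:error] [pid 813] [client 198.51.100.7:51004] script '/var/www/xmlrpc.php' not found or unable to stat
"""
TARGETS = ("/wp-login.php", "/xmlrpc.php")
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>[^\]]+)\]")

def parse_probes(text):
    """Return sorted (time, ip, target) tuples for lines naming a target file."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        target = next((t for t in TARGETS if t in line), None)
        if not m or target is None:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        except ValueError:
            continue  # unexpected timestamp layout: skip the line
        probes.append((ts, m["ip"].rsplit(":", 1)[0], target))  # drop client port
    return sorted(probes)

def summarize(probes):
    """Totals in the style of the post's report; average gap is span / (tries - 1)."""
    times = [ts for ts, _, _ in probes]
    span = (times[-1] - times[0]).total_seconds() if times else 0.0
    return {"tries": len(probes), "unique_ips": len({ip for _, ip, _ in probes}),
            "span_seconds": span,
            "avg_gap_seconds": span / (len(times) - 1) if len(times) > 1 else None}

def sequence_by_ip(probes):
    """Per-IP order of requested files, to expose the repeated-pair pattern."""
    seq = defaultdict(list)
    for _, ip, target in probes:
        seq[ip].append(target)
    return dict(seq)

if __name__ == "__main__":
    print(summarize(parse_probes(SAMPLE_LOG)))
```

Filtering these lines out before reading the log, or counting them per IP as above, keeps real application errors visible.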
[ 10:28 Apr 13, 2023 ]