You would need to find out what they are posting to your index.php, and one possible solution for that is to enable logging in index.php, that there's a posted content, save it into a file, with the browser agent and the referrer included. An another way would be ton run a packet monitor and keep it running until such a request comes up, and examine the data.

It could be because of numerous reasons, someone is doing brute-force attack on a login system (if there's any), or you get hits from an another website, or the competitor tries to break down your webserver (joking), and there can be many other explanations, without examining the post data you will not be able to figure it out.

Hi,

Thanks for your reply. After a bit of trial and error I'm managing to send a 403 to these requests, and the server has quietened down significantly.

I have a copy of the site on a local server which got hit the same way, so I'll get that online and redirect to it for a while. Would Wireshark or similar give me the info I'm after, or do I need something more specific?

Final question for now - is it better to send 403 or 404? Is there a 'best practice' for this?

Thanks again,

Martin.

403 Access Denied is the proper response, because this is what you are doing, denying access to those bots.

Thanks for that - 403 it is!

Martin.

Wireshark, or anything similar will do it indeed. If you happen to know the originating ip address, then make it filtered on that, so you don't get all requests, only the relevant ones.