The IP is a MSFT server that is one I block with 52.160.0.0/11

They may have set up a series of security probes that are scripted to default redirect (302/temporary) to a list of sites they are trying to explore for WP vulnerabilities. (?) I can't guess how else you would see a 302, but I do not know this for a fact. A 404 would be more useful.

You could add a 302 error document to htaccess that sends a 403 (or a 404 error page if you prefer) unless you are using 302s for temporary changes.

Thank you for the hint - this makes sense. Especially because it comes (seemingly) from Microsofts IP range - I knew that..

I do not use 302 (temporary redirection) for anything, AFAIK. Will double check it.

Another idea: Since I they nearly always try to exploit WordPress (the main reason I decided not tu use it) I also could create a fail2ban filter triggering on the string 'wp-content'. Nearly all attacks I see try to exploit this...

The fail2ban using 'wp-content' sounds like the simplest response and it would handle any other similar snooping around. Sounds good.

I've been feeding 404 to all wp (and other assorted word fragments) for years. Keeps things nice and quiet (other than the horrific number of 404s in my logs. :(

Easy to filter out, of course.

BTW, Peregrinus, Welcome to Webmasterworld!

They may have set up a series of security probes that are scripted to default redirect (302/temporary) to a list of sites they are trying to explore for WP vulnerabilities. (?) I can't guess how else you would see a 302, but I do not know this for a fact. A 404 would be more useful.

You could add a 302 error document to htaccess that sends a 403 (or a 404 error page if you prefer) unless you are using 302s for temporary changes.

I don’t understand this. How can a 302 originate anywhere but the host site (the site receiving the request)? In any case you can’t send an error document with a 300-class response; they’re for 400- and 500-class errors.

:: detour to Apache docs [httpd.apache.org] (fragment link to #errordocument may get eaten) to make sure I’m not talking out of my hat ::

Peregrinus, are you on shared hosting? It’s also possible that your host has set up something creative in the config file. But where are they being 302 redirected to? Presumably not somewhere else on your site, or you’d be seeing a second request. Not all malign robots follow redirects, but some do.

Matter of fact, you could be sending a 302 by mistake. If an ErrorDocument directive contains a full URL, like

ErrorDocument 403 https://www.example.com/forbidden.html

then it turns into a redirect, whether you want it to or not. And I'm pretty sure it would be a 302, not a 301, though docs don't spell it out.

If you don't have any files or directories in the requested format, you could choose to return a manual 404. (For example, mod_rewrite flag [R=404].) This is less work for the server than letting it happen naturally, because it doesn't have to go look for the file. And it conveys no information to the unwanted visitor, while a 403 tends to say “I’m onto you, you thieving scum.”