
Bots in Space


SumGuy

10:33 am on May 15, 2023 (gmt 0)

5+ Year Member Top Contributors Of The Month



Nice. Real nice.

129.222.136.140, 5/14/23, 2:13:58, GET, /wp-login.php
129.222.136.140, 5/14/23, 2:13:58, GET, /xmlrpc.php

To be fair, I have been seeing a huge uptick in requests for those two files in recent months from first-world (residential) IPs that I wouldn't normally block (and that I still won't block because of the impracticability of it).

User-agent in this case was

Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

I am curious though, as to what sort of malware / trojan / botnet is inhabiting the devices behind these IPs. I don't think this is infected modems or routers.

tangor

6:42 pm on May 15, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you are not using wp, then just block the request and don't worry about the ips. These are test probes to see what the domain is powered by...

lucy24

2:12 am on May 16, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



... and if you don't have URLs--that is, visible URLs, not under-the-hood physical files--in .php, you can globally block all requests for .php, using {THE_REQUEST} or equivalent.

Many requests for wp files can safely be blocked even if you do use WP; just poke a hole for your own IP address. In this situation you may prefer to return a manual 404 so you're not giving the visitor any information.
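As an added example (not code from the thread or from any of its posters), here is a small Python log sweep over constructed lines in the five-field format SumGuy quoted (ip, date, time, method, path). It flags the wp-login.php / xmlrpc.php pair, optionally treats any other .php request as a probe for a site that publishes no .php URLs (lucy24's rule), skips an operator allowlist (the "poke a hole for your own IP address" point), and ranks the remaining IPs as candidates for a router blocklist. The sample log lines other than the two quoted in the thread, the allowlisted address and all function names are constructed for this example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample log in the format quoted in the thread:
# ip, date, time, method, path. The first two lines are the ones from the post;
# the rest are made-up filler (documentation ranges 203.0.113.0/24 etc.).
SAMPLE_LOG = """\
129.222.136.140, 5/14/23, 2:13:58, GET, /wp-login.php
129.222.136.140, 5/14/23, 2:13:58, GET, /xmlrpc.php
203.0.113.7, 5/14/23, 3:01:10, GET, /index.html
203.0.113.7, 5/14/23, 3:01:11, GET, /images/logo.png
198.51.100.9, 5/14/23, 4:22:05, GET, /admin.php
192.0.2.1, 5/14/23, 5:00:00, GET, /wp-login.php
"""

# The two WordPress probe files the thread is about.
WP_PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Addresses that must never be flagged, e.g. the operator's own IP.
# Constructed example value; replace with your own address.
ALLOWLIST = {"192.0.2.1"}


def parse_log(text):
    """Yield (ip, date, time, method, path) tuples from the comma-separated format."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        if len(row) != 5:
            continue  # skip blank or malformed lines instead of aborting the sweep
        yield tuple(field.strip() for field in row)


def classify(path, site_serves_php=False):
    """Label one request path.

    'wp-probe'  - one of the two WordPress probe files
    'php-probe' - any other .php request, only when the site publishes no .php URLs
    'normal'    - everything else
    """
    if path in WP_PROBE_PATHS:
        return "wp-probe"
    if not site_serves_php and path.lower().endswith(".php"):
        return "php-probe"
    return "normal"


def probe_report(text, site_serves_php=False, allowlist=ALLOWLIST):
    """Map each non-allowlisted IP to the probe paths it requested, with counts."""
    hits = defaultdict(Counter)
    for ip, _date, _time, _method, path in parse_log(text):
        if ip in allowlist:
            continue
        if classify(path, site_serves_php) != "normal":
            hits[ip][path] += 1
    return {ip: dict(counter) for ip, counter in hits.items()}


def block_candidates(report):
    """Return flagged IPs, with those that hit the full wp-login + xmlrpc pair first.

    Any probe hit makes an IP a candidate; the pair is the pattern quoted in the
    thread, so it sorts ahead of single stray .php requests.
    """
    def rank(ip):
        requested = set(report[ip])
        return (0 if WP_PROBE_PATHS <= requested else 1, ip)

    return sorted(report, key=rank)


if __name__ == "__main__":
    report = probe_report(SAMPLE_LOG)
    for ip in block_candidates(report):
        print(ip, report[ip])
```

Run it with `site_serves_php=True` for a site that really does serve .php pages; then only the two WordPress probe files count, and stray requests such as `/admin.php` are left alone. As SumGuy notes later in the thread, a list like this can only be built after the first probe has already reached the web server, so it feeds the router blocklist for the next visit rather than preventing the first one.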

SumGuy

12:47 am on May 17, 2023 (gmt 0)

5+ Year Member Top Contributors Of The Month



The point of my post was not really about blocking, it was about the source of that particular bot-request (in this case, a SpaceX / Starlink IP).

I really would like to know why "they" (whoever "they" are) are using a botnet to check for the existence of those particular files. I'd also like to know what botnet is doing this, and how they got installed on the hardware behind the IPs I'm seeing making these requests.

It's like one day a few weeks ago they just started. It's been a while since I've seen requests for the pair wp-login.php + xmlrpc.php. For a long time I haven't seen junk requests like this from first-world residential ISP IPs - usually those IPs are pretty clean. But now I'm seeing more junk coming from them, the vast majority being requests for those 2 files. I like to have clean log files, and I hate to see that junk turn up there, which is why my router's IP blocking list is huge.

And - what's the point of blocking access to a file that you don't have? Technically that can't even be done. You want to block the requesting IP before it hits your web server, and you can't know that you want to block it until it makes a request for the file(s) in question. It's a circular argument.

tangor

1:22 am on May 17, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



These things come in cycles, shifting IPs all over the place. Since the files don't exist on my system I don't worry about it as it becomes a 404, though I routinely nuke the wp stuff with a 403 simply because that file is a whole lot smaller than my more informative 404. Saving bandwidth.

Reading my log files with the 403s filtered out makes it easier to identify other attack vectors that keep showing up. :)

Do the same with the other often requested intrusion requests, such as .php (don't use it) and get down to the real hits and then fine tune the bot activity.

As to why they do it, why not? Costs them "nothing", it is "automated" and if they can find a weak link out of 10,000 domains, gravy on their end.

Jonesy

1:26 pm on May 21, 2023 (gmt 0)

10+ Year Member Top Contributors Of The Month



I'm thinkin' cracker-owned routers.

Kendo

9:29 pm on May 21, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Probing for wp-login.php and xmlrpc.php tells their script what to look for next. For example if wp-login.php exists it will then start probing for the existence of plugins that have known weaknesses to either retrieve user details, write to tables to add spam to web pages, or upload scripts that can be run for full control of the website.

WordPress is a prime target for exploit and the rules for writing plugins are now more strict than ever before. We currently have a new plugin in for review. First we submitted it based on procedures that we use in our other plugins, only to be knocked back on almost everything with a list of recommended changes. We updated to those rules and then got knocked back again with a new list of changes. They cannot be too careful, and what brings it all undone is the plugins that are available elsewhere that have not been secured.

How the hackers know what to target is easy to find, because muppets promoting themselves as security experts publish those weaknesses to big-note themselves.

tangor

1:13 am on May 22, 2023 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Anything popular, or "mainstream", is going to get hacked. WP is more profitable because of the many plugins that inadvertently weaken the overall security. That said, WP ain't bad, just keep it right-and-tight!

not2easy

4:01 pm on May 22, 2023 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Maybe some of those botnets are coming from the malware laden TV boxes out there: [webmasterworld.com...]