
Forum Moderators: rogerd & travelin cat


wp-login.php

     
9:05 pm on Jan 13, 2019 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:15804
votes: 845


Quick question for anyone who speaks WordPress:

:: ostentatiously not looking at not2easy::

Are there any circumstances where a request for
wp-login.php?action=register
on a non-WP site could be legitimate? I've always associated it with malign robots, but recently found it accompanying a to-all-appearances-legitimate human visit.

9:28 pm on Jan 13, 2019 (gmt 0)

Moderator from US

martinibuster

joined:Apr 13, 2002
posts:14922
votes: 491


That sounds like someone manually adding that string to test your security.

A regular user won't know to use that for registering on your site.

The only reasons a regular user would register on a site would be to comment on an article, which only happens if there is a permission role set up for that.

If the site doesn't have comments or articles, then that's even more evidence that someone was manually testing your security.

1. Could be someone who is bored.
2. Could be a competitor.
3. Could be someone with malicious intent.

It's unlikely to be a regular user with innocent intentions.

10:00 pm on Jan 13, 2019 (gmt 0)

Senior Member from US

lucy24


I was wondering if maybe there's some obscure browser addon that purports to save commenters one step, on the blithe assumption that all websites use WP. But on further investigation I found the same behavior a few times last summer, following up on the same legitimate page (one that has a LOT of images, which exasperates me), from the identical UA (FF/52, which is a bit retro but still used by humans) and IP. And the IP is Portlane, which is probably dispositive.

So it's a robot allaying suspicion by requesting supporting files, acting on scripts and even sending cookies, just like a human. (Was the preceding page request precisely so they could pick up a legitimate cookie? Huh.)

10:49 pm on Jan 13, 2019 (gmt 0)

Junior Member

joined:Sept 26, 2018
posts:76
votes: 20


I don't run any WP sites and I block all requests for any WP related URIs.

I get a lot of requests for wp-login.php from IPs all over the world, mainly tier 3 countries. I believe these requests come from infected personal hardware.

All requests have exactly the same FF40 based UA. The bot requests the homepage, then requests wp-login.php.

Easy to block because the FF version in the UA is not legitimate.

11:17 pm on Jan 13, 2019 (gmt 0)

Senior Member from US

lucy24


> The bot requests the homepage, then requests wp-login.php.
Yeah, I found a lot of those while looking up this particular request in logs.

I used to return a manual 404 on any request in .php, but with header-based access controls, non-blocked requests are so rare it's not worth the bother. (Because the server has to backtrack and evaluate conditions to eliminate a few URLs that really do end in php.) Matter of fact I still do this for requests beginning in wp; I'd forgotten until I checked. That means the server doesn't have to go looking for the file, but can say upfront “sorry, can’t find it” like a good butler telling unwanted callers you’re not home.

> the FF version in the UA is not legitimate.
Huh. I never realized that; I thought it was just archaic.
:: repeat visit to logs ::
Oh, right. This is the one that gets a 418 (mod_security) response:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
--where the overwhelming majority of requests are the root-plus-wp-login duo. Guess that means it's unambiguously bogus, or they wouldn't block it at the server level.

2:09 am on Jan 14, 2019 (gmt 0)

Administrator from US

not2easy

joined:Dec 27, 2006
posts:4454
votes: 330


Looks like a common string of bot requests, a script of try this, try that if:then stuff. Look for a "POST" effort in there. I use wp-login.php on non-wp sites to catch those bots.

4:20 am on Jan 14, 2019 (gmt 0)

Senior Member from US

lucy24


> Look for a "POST" effort in there.
I found a few while scanning logs, but overall they're surprisingly rare. I get more requests for POST to my contact form, for all the good it does them. As ClosedForLunch described, the normal pattern is just root + wp-login.php. The particular request that triggered my original question was different. (Brr. I really don't like intelligent robots. Fortunately they are vanishingly rare.)

12:27 pm on Jan 14, 2019 (gmt 0)

Preferred Member from CA

joined:Feb 7, 2017
posts:570
votes: 56


wp-login.php?action=register is specifically only for WP sites. I've never seen this for any other piece of software. This is the string to ask the webmaster for increased privilege. In WP you could, ill advised, allow people to auto-register and automatically grant them some level of authentication access other than the standard anonymous. WP also has the feature to allow people to register, after which the owner can grant access. Frankly I would not trust WP with this.

Once registered, a user can use this account as a vector to hack the site. It would be much easier if you are authenticated, as you've passed at least the server and initial WP security.
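
The request patterns discussed in this thread (the root-plus-wp-login.php duo, the Firefox/40.1 user agent, POST attempts and the action=register probe) can be tagged in an Apache combined-format access log as follows. This is an added example, not part of any poster's message; the sample log lines, IP addresses, tag names and the rv:/Firefox version comparison are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2019:21:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
203.0.113.7 - - [13/Jan/2019:21:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
198.51.100.9 - - [13/Jan/2019:21:03:10 +0000] "GET /gallery.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.9 - - [13/Jan/2019:21:03:11 +0000] "GET /images/a.jpg HTTP/1.1" 200 40000 "http://example.com/gallery.html" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.9 - - [13/Jan/2019:21:03:40 +0000] "GET /wp-login.php?action=register HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.0.2.44 - - [13/Jan/2019:21:05:00 +0000] "POST /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
192.0.2.80 - - [13/Jan/2019:21:06:00 +0000] "GET /about.html HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Heuristic (assumption): desktop Firefox normally reports the same number
# in the rv: token and the Firefox/ token, so rv:40.0 with Firefox/40.1 stands out.
FF = re.compile(r'rv:(\d+(?:\.\d+)*)\).*Firefox/(\d+(?:\.\d+)*)')


def classify(log_text):
    """Return {ip: sorted reason tags} for clients that requested wp-login.php."""
    seen = defaultdict(list)   # ip -> paths requested so far, in order
    flags = defaultdict(set)   # ip -> reason tags
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, path, ua = m["ip"], m["method"], m["path"], m["ua"]
        if path.split("?")[0].endswith("/wp-login.php"):
            flags[ip].add("wp-login")
            if method == "POST":
                flags[ip].add("post-attempt")
            if "action=register" in path:
                flags[ip].add("register-probe")
            if seen[ip] == ["/"]:
                # the "root, then wp-login.php" duo: nothing else was fetched
                flags[ip].add("root-then-login")
            ff = FF.search(ua)
            if ff and ff.group(1) != ff.group(2):
                flags[ip].add("ua-version-mismatch")
        seen[ip].append(path)
    return {ip: sorted(tags) for ip, tags in flags.items()}


if __name__ == "__main__":
    for ip, tags in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(tags))
```

The second client in the sample is the case from the original question: it fetches a page and its image first, so only the register-probe tag separates it from an ordinary visit.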
 
