Forum Moderators: rogerd & travelin cat


wp-login.php

         

lucy24

9:05 pm on Jan 13, 2019 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Quick question for anyone who speaks WordPress:

:: ostentatiously not looking at not2easy::

Are there any circumstances where a request for
wp-login.php?action=register
on a non-WP site could be legitimate? I've always associated it with malign robots, but recently found it accompanying a to-all-appearances-legitimate human visit.

martinibuster

9:28 pm on Jan 13, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



That sounds like someone manually adding that string to test your security.

A regular user won't know to use that for registering on your site.

The only reasons a regular user would register on a site would be to comment on an article, which only happens if there is a permission role set up for that.

If the site doesn't have comments or articles, then that's even more evidence that someone was manually testing your security.

1. Could be someone who is bored.
2. Could be a competitor.
3. Could be someone with malicious intent.

It's unlikely to be a regular user with innocent intentions.

lucy24

10:00 pm on Jan 13, 2019 (gmt 0)




I was wondering if maybe there's some obscure browser addon that purports to save commenters one step, on the blithe assumption that all websites use WP. But on further investigation I found the same behavior a few times last summer, following-up on the same legitimate page (one that has a LOT of images, which exasperates me), from the identical UA (FF/52, which is a bit retro but still used by humans) and IP. And the IP is Portlane, which is probably dispositive.

So it's a robot allaying suspicion by requesting supporting files, acting on scripts and even sending cookies, just like a human. (Was the preceding page request precisely so they could pick up a legitimate cookie? Huh.)

ClosedForLunch

10:49 pm on Jan 13, 2019 (gmt 0)

5+ Year Member Top Contributors Of The Month



I don't run any WP sites and I block all requests for any WP related URIs.

I get a lot of requests for wp-login.php from IPs all over the world, mainly tier 3 countries. I believe these requests come from infected personal hardware.

All requests have exactly the same FF40 based UA. The bot requests the homepage, then requests wp-login.php.

Easy to block because the FF version in the UA is not legitimate.

lucy24

11:17 pm on Jan 13, 2019 (gmt 0)




"The bot requests the homepage, then requests wp-login.php."
Yeah, I found a lot of those while looking up this particular request in logs.

I used to return a manual 404 on any request in .php, but with header-based access controls, non-blocked requests are so rare it's not worth the bother. (Because the server has to backtrack and evaluate conditions to eliminate a few URLs that really do end in php.) Matter of fact I still do this for requests beginning in wp; I'd forgotten until I checked. That means the server doesn't have to go looking for the file, but can say upfront “sorry, can’t find it” like a good butler telling unwanted callers you’re not home.

"the FF version in the UA is not legitimate."
Huh. I never realized that; I thought it was just archaic.
:: repeat visit to logs ::
Oh, right. This is the one that gets a 418 (mod_security) response:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
--where the overwhelming majority of requests are the root-plus-wp-login duo. Guess that means it's unambiguously bogus, or they wouldn't block it at the server level.

not2easy

2:09 am on Jan 14, 2019 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Looks like a common string of bot requests, a script of try this, try that if:then stuff. Look for a "POST" effort in there. I use wp-login.php on non-wp sites to catch those bots.

lucy24

4:20 am on Jan 14, 2019 (gmt 0)




"Look for a "POST" effort in there."
I found a few while scanning logs, but overall they're surprisingly rare. I get more requests for POST to my contact form, for all the good it does them. As ClosedForLunch described, the normal pattern is just root + wp-login.php. The particular request that triggered my original question was different. (Brr. I really don't like intelligent robots. Fortunately they are vanishingly rare.)
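
The log patterns discussed in the posts above (homepage followed by wp-login.php, the Firefox/40.1 user agent, POST attempts, and the `action=register` request), as an added example that is not part of the original thread. It assumes Apache "combined" log format; the tag names, the rv:/Firefox version-mismatch heuristic and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields used below are captured.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                  r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
FIREFOX = re.compile(r'rv:([\d.]+)\).*Firefox/([\d.]+)')

def firefox_version_mismatch(ua):
    """Assumed heuristic: a genuine Firefox UA carries the same version in rv: and Firefox/."""
    m = FIREFOX.search(ua)
    return bool(m) and m.group(1) != m.group(2)

def classify(log_lines):
    """Return {ip: sorted tags} for clients whose wp-login.php requests match a known pattern."""
    by_ip = defaultdict(list)
    for line in log_lines:
        m = LINE.match(line)
        if m:
            by_ip[m.group("ip")].append(m.groupdict())
    report = {}
    for ip, reqs in by_ip.items():
        tags = set()
        # Pair each request with the one the same client sent just before it.
        for prev, cur in zip([None] + reqs, reqs):
            path, _, query = cur["path"].partition("?")
            if not path.endswith("/wp-login.php"):
                continue
            if prev and prev["path"] == "/":
                tags.add("root-then-wp-login")   # the homepage + wp-login duo
            if cur["method"] == "POST":
                tags.add("post-attempt")
            if "action=register" in query.split("&"):
                tags.add("register-probe")
            if firefox_version_mismatch(cur["ua"]):
                tags.add("forged-firefox-ua")
        if tags:
            report[ip] = sorted(tags)
    return report

# Constructed sample lines (documentation IP ranges), not taken from real logs.
FF40 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"  # UA quoted in the thread
FF52 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"  # constructed
FMT = '{} - - [13/Jan/2019:21:05:00 +0000] "{} {} HTTP/1.1" {} 512 "-" "{}"'
SAMPLE = [FMT.format(*row) for row in [
    ("203.0.113.7", "GET", "/", 200, FF40), ("203.0.113.7", "GET", "/wp-login.php", 418, FF40),
    ("198.51.100.23", "GET", "/gallery/", 200, FF52), ("198.51.100.23", "GET", "/wp-login.php?action=register", 404, FF52),
    ("192.0.2.50", "GET", "/", 200, FF40), ("192.0.2.50", "POST", "/wp-login.php", 418, FF40),
    ("192.0.2.99", "GET", "/", 200, FF52), ("192.0.2.99", "GET", "/about.html", 200, FF52),
]]
```

Calling `classify(SAMPLE)` returns one entry per flagged client; the client that only fetched ordinary pages does not appear in the result.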

TorontoBoy

12:27 pm on Jan 14, 2019 (gmt 0)

5+ Year Member Top Contributors Of The Month



wp-login.php?action=register is specifically only for WP sites. I've never seen this for any other piece of software. This is the string to ask the webmaster for increased privilege. In WP you could, ill advised, allow people to auto-register and automatically grant them some level of authentication access other than the standard anonymous. WP also has the feature to allow people to register, after which the owner can grant access. Frankly I would not trust WP with this.

Once registered a user can use this account as a vector to hack the site. It would be much easier if you are authenticated, as you've passed at least the server and initial WP security.