I don’t run any client-side analytics on my site. Google doesn’t need my visitors’ data. All I can look at is server logs, as in which URLs have been requested.

So I set up a dashboard with Elasticsearch and Kibana and started poking around a few access logs.

🧵
According to my logs, people tried to navigate to /wp-login.php on my server several times. That URL leads to the admin login on a standard WordPress installation.

I have never run WordPress on this server. This looks like one of those attempts to find a vulnerable installation.
Weirdly, they tried to access /wp-content/plugins/wp-file-manager/readme.txt in particular. My best guess is that this plugin has a known vulnerability. Scanning for its README would tell them if I have that plugin installed.

Looking for a single file to learn that is WILD.
They also scanned for /actuator/health, which would tell them if I’m running Spring Boot.

Other requests would reveal Laravel, MySQL, Hudson, phpMyAdmin, or many others. It’s spread very far. Learning about my stack like that could tell them if I’m vulnerable to anything.
Of course, nobody is targeting my site specifically. This is an automated script that runs against all sites it can find and broadly scans for everything. This is much more interesting than it is threatening. I cannot wait to dig deeper into what is going on here.
If you’re running a WordPress installation, rename wp-login.php just in case. Don’t call it something obvious like “/admin.php”, because those scripts scan for those as well. Give it a name like “/pumpernickel.php”. The login will still work, but the scripts won’t find it.
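As an added example (not part of the thread or the author's setup), here is a small Python script that does in code what the thread does by eye in Kibana: it parses combined-format access log lines, maps the reconnaissance paths mentioned above (`/wp-login.php`, the wp-file-manager README, `/actuator/health`, phpMyAdmin) to the technology each one fingerprints, and flags client IPs that probe for several unrelated stacks in one session. The log lines are constructed for the example, and the `PROBE_SIGNATURES` table and the `min_stacks` threshold are assumptions you would tune to your own logs.

```python
import re
from collections import defaultdict

# Probe paths named in the thread, mapped to the stack each one would reveal.
# Assumed/constructed table; extend it with whatever your own logs show.
PROBE_SIGNATURES = {
    "/wp-login.php": "WordPress",
    "/wp-content/plugins/wp-file-manager/readme.txt": "WordPress (wp-file-manager plugin)",
    "/actuator/health": "Spring Boot",
    "/phpmyadmin/": "phpMyAdmin",
}

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one scanner sweeping four stacks, one normal visitor,
# one host that only tried the WordPress login once.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /actuator/health HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "GET /phpMyAdmin/index.php?lang=en HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "GET /blog/first-post HTTP/1.1" 200 8832 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"',
]


def parse_line(line):
    """Return a dict with ip/path/status for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"])}


def classify_path(path):
    """Map a request path to the stack it fingerprints, or None if it is not a known probe.

    The query string is dropped and the comparison is case-insensitive, because
    scanners vary both ("/phpMyAdmin/index.php?lang=en" still counts as phpMyAdmin).
    """
    clean = path.split("?", 1)[0].lower()
    for probe, stack in PROBE_SIGNATURES.items():
        if clean == probe or clean.startswith(probe.rstrip("/") + "/"):
            return stack
    return None


def summarize(lines):
    """Group requests by client IP and record which stacks each IP probed for."""
    per_ip = defaultdict(lambda: {"requests": 0, "stacks": set(), "probe_paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        stack = classify_path(rec["path"])
        if stack is not None:
            entry["stacks"].add(stack)
            entry["probe_paths"].append((rec["path"], rec["status"]))
    return dict(per_ip)


def flag_scanners(summary, min_stacks=2):
    """Return IPs that probed for at least `min_stacks` distinct technologies.

    A visitor fingerprinting WordPress *and* Spring Boot *and* phpMyAdmin is not
    looking for a site, it is enumerating one, which is the pattern the thread describes.
    """
    return sorted(ip for ip, e in summary.items() if len(e["stacks"]) >= min_stacks)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in flag_scanners(summary):
        print(ip, "probed for:", ", ".join(sorted(summary[ip]["stacks"])))
        for path, status in summary[ip]["probe_paths"]:
            print("   ", status, path)
```

On a server that runs none of those stacks, every signature path returns 404, so the combination of "known probe path" plus "404" is a cheap, low-noise signal to chart in Kibana or to feed a blocklist. The threshold matters: a single hit on `/wp-login.php` (the `192.0.2.5` host above) is too common to act on, whereas one IP sweeping several unrelated stacks within seconds is almost certainly the kind of broad automated scan the thread talks about.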
You can follow @domhabersack.