Analyzing real WordPress hacking attempts

In my last few posts I’ve pondered the issue of how insecure WordPress installations have become. Here’s an interesting thing to try if you run a WordPress site; install the 404 to 301 plugin and in its settings check the “Email notifications” option and enter an email address in the “Email address” field. Now, whenever a nonexistent URL is requested, you’ll get notified and, at least for me, it’s been pretty interesting to see how hackers attempt to enter my WordPress installations. 

I installed this plugin on one of my projects, vaporregistry.org (it’s due for a major architectural refresh in the next few weeks), and I’ve been collecting these 404s, the majority of which are obvious hack attempts because they’re requests for resources that don’t exist on my site.

Now, this site is in startup mode; it’s a specialized product registry and doesn’t get a huge amount of traffic yet, but in addition to the thousands of normal requests there were 2,250 failed requests in the 90 days between January 22 and April 18. Each of these events were recorded in an email with a date and time stamp, an IP address, and the requested resource. 

I’d set up a Gmail filter to label these messages so I used Google’s Takeout service to download them in mbox format. Mbox is a  simple text only format so I opened the file in MS Excel and sorted the entire file alphabetically. I then found the block of content I wanted, which looked like this:

Related Posts