{"id":2393,"date":"2015-05-22T09:40:00","date_gmt":"2015-05-22T06:40:00","guid":{"rendered":"http:\/\/dima.fi\/blog\/?p=2393"},"modified":"2026-01-10T22:57:42","modified_gmt":"2026-01-10T20:57:42","slug":"confused-wp-login-hackers","status":"publish","type":"post","link":"https:\/\/dima.fi\/blog\/confused-wp-login-hackers\/","title":{"rendered":"Confused wp-login.php hackers"},"content":{"rendered":"\n<p>A few days ago I created a&nbsp;<a href=\"http:\/\/dima.fi\/blog\/web-devs\/wordpress-brute-force-attack\/\">solution to block&nbsp;<em>wp-login.php<\/em>&nbsp;brute-force attacks<\/a>. After implementing it on several sites, the logs are now filled with a new phenomenon.<\/p>\n\n\n\n<p>Confused hackers, knowing that the site is on the WordPress platform, try to find out whether this&nbsp;wp-login.php&nbsp;file has been moved somewhere. They actually scan all possible combinations of paths on the site. Luckily, this doesn&#8217;t hit the server&#8217;s resources as hard as a brute-force attack. 
It&#8217;s much easier to return 404 than to process erroneous credentials, which requires touching the database server.<\/p>\n\n\n\n<p>Here is a snippet from the log:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"apacheconf\" class=\"language-apacheconf\">50.63.54.154 - - [22\/May\/2015:09:22:10 +0300] \"GET \/tag\/therm-a-rest\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:11 +0300] \"GET \/tag\/therm-a-rest\/administrator\/index.php HTTP\/1.0\" 301 532 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:12 +0300] \"GET \/2015\/02\/winter-night-virginity\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:13 +0300] \"GET \/2015\/02\/winter-night-virginity\/feed\/administrator\/index.php HTTP\/1.0\" 301 551 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:14 +0300] \"GET \/2015\/02\/two-nights\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:15 +0300] \"GET \/2015\/02\/two-nights\/feed\/administrator\/index.php HTTP\/1.0\" 301 539 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:16 +0300] \"GET \/2015\/01\/no-ceiling\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:17 +0300] \"GET \/2015\/01\/no-ceiling\/administrator\/index.php HTTP\/1.0\" 301 534 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:18 +0300] \"GET \/category\/preparation\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:19 +0300] \"GET \/category\/preparation\/feed\/administrator\/index.php HTTP\/1.0\" 301 541 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:19 +0300] \"GET \/tag\/two-nights\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:20 +0300] \"GET \/tag\/two-nights\/feed\/administrator\/index.php HTTP\/1.0\" 301 535 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:21 +0300] \"GET \/tag\/kuopio\/feed\/wp-login.php HTTP\/1.0\" 404 
24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:22 +0300] \"GET \/tag\/kuopio\/feed\/administrator\/index.php HTTP\/1.0\" 301 531 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:23 +0300] \"GET \/tag\/nilsia\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:24 +0300] \"GET \/tag\/nilsia\/feed\/administrator\/index.php HTTP\/1.0\" 301 531 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:25 +0300] \"GET \/tag\/mikkeli\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:25 +0300] \"GET \/tag\/mikkeli\/feed\/administrator\/index.php HTTP\/1.0\" 301 532 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:26 +0300] \"GET \/tag\/jetboil\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:27 +0300] \"GET \/tag\/jetboil\/feed\/administrator\/index.php HTTP\/1.0\" 301 532 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:28 +0300] \"GET \/tag\/stove\/feed\/wp-login.php HTTP\/1.0\" 404 24068 \"-\" \"-\"\n50.63.54.154 - - [22\/May\/2015:09:22:29 +0300] \"GET \/tag\/stove\/feed\/administrator\/index.php HTTP\/1.0\" 301 530 \"-\" \"-\"<\/code><\/pre>\n\n\n\n<p>This doesn&#8217;t have a strong effect on the server&#8217;s memory usage; under heavy attacks the server swaps many times. Disk usage is still the same because of logging. But I want to believe that hackers, after their unsuccessful search, will remove my server from their lists to stop wasting their resources. Then these logs will also come to an end.<\/p>\n\n\n\n<p>The hackers seem to have a script that also checks for Joomla Administrator logins. 
The solution I wrote about in a&nbsp;<a href=\"http:\/\/dima.fi\/blog\/web-devs\/wordpress-brute-force-attack\/\">previous post<\/a>&nbsp;will also work for Joomla and other platforms that have widely known login paths.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A few days ago I created a&nbsp;solution to block&nbsp;wp-login.php&nbsp;brute-force attacks. After implementing it on several sites, the logs are now filled with a new phenomenon. Confused hackers, knowing that the site is on the WordPress platform, try to find out whether this&nbsp;wp-login.php&nbsp;file has been moved somewhere. They actually scan all possible combinations of paths on the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.unsplash.com\/photo-1519241047957-be31d7379a5d?ixlib=rb-1.2.1&q=80&fm=jpg&crop=entropy&cs=tinysrgb&w=1080&fit=max&ixid=eyJhcHBfaWQiOjF9","fifu_image_alt":"Confused wp-login.php 
hackers","footnotes":""},"categories":[133],"tags":[162,139,163,134,161],"class_list":["post-2393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-web-devs","tag-brute-force","tag-dev","tag-joomla","tag-web","tag-wordpress","has-thumbnail"],"_links":{"self":[{"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/posts\/2393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/comments?post=2393"}],"version-history":[{"count":3,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/posts\/2393\/revisions"}],"predecessor-version":[{"id":2429,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/posts\/2393\/revisions\/2429"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/media\/2430"}],"wp:attachment":[{"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/media?parent=2393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/categories?post=2393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dima.fi\/blog\/wp-json\/wp\/v2\/tags?post=2393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}