Let us follow up on my decision to eschew Wordpress this time around by looking at a number of the most requested URLs on this site.

Hundreds of Requests

• /wp-admin/index.php
• /wp-login.php
• /wp-admin/plugins.php
• /wp-admin/edit.php
• /wp-admin/profile.php
• /.git/config

From this class, only /.git/config is not a Wordpress target.

Tens of Requests, but more than 50

• /info.php
• /wp-content/plugins/hellopress/wp_filemanager.php
• /admin.php
• /simple.php
• /file.php
• /wp-login.php
• /as.php
• /radio.php
• /alfa.php
• /chosen.php
• /edit.php
• /wp.php
• /wp-content/index.php
• /goods.php
• /wp-content/about.php
• /1.php
• /css.php
• /atomlib.php
• /wp-admin/
• /api/.env
• /index/function.php
• /dropdown.php
• /system_log.php
• /classwithtostring.php
• /wp-includes/about.php
• /wp-includes/blocks/about.php
• /403.php
• /k.php
• /f35.php
• /file2.php
• /install.php
• /lock360.php
• /autoload_classmap.php
• /wp-admin/admin.php but POST instead of GET
• /flower.php
• /makeasmtp.php
• /filemanager.php
• /g.php
• /404.php
• /mar.php
• /about/function.php
• /.git/HEAD
• /cgi-bin/../../../../../../../../../../bin/sh

Observations

• Far more bots try to access Wordpress administrative URLs than anything else.
• /alfa.php and some other paths seem to be attempts to probe if someone compromised the server.
• A very small portion of bots are trying to get a shell by exploiting a lack of URL sanitation, but they are out there. 51 attempts to POST to /cgi-bin/../../../../../../../../../../bin/sh is not nothing.