[wp-trac] [WordPress Trac] #47945: http status 500 returned when hacker accesses /wp-includes/session.php directly

WordPress Trac noreply at wordpress.org
Wed Aug 28 14:07:10 UTC 2019


#47945: http status 500 returned when hacker accesses /wp-includes/session.php
directly
-------------------------+-----------------------------
 Reporter:  flymike      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:  5.2.2
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
 Some hacker has discovered many of the WordPress files containing calls to
 _deprecated_file() and is inundating my server with direct GET requests to
 them.
 Because that function is not defined in WordPress, Apache returns status
 500 and - because, as an administrator, I want to be informed of status
 500 - my inbox is deluged with alerts.
 I would block the originating IPs but they're all different, so coming from
 spambots. And the advantage to the hacker eludes me completely - but it is
 what it is, and I have to deal with it.
 Couldn't WordPress handle calls to deprecated files/functions a little
 more elegantly? Like it does with direct calls to other files which should
 not be accessed directly - with status 200 and zero bytes?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47945>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
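
Added example (not part of the ticket or of WordPress): a log triage sketch for the situation the reporter describes, separating HTTP 500 responses caused by direct requests to PHP files under /wp-includes/ from other 500s so that only the latter raise an alert. The Apache "combined" log format, the sample lines and the rule that every such direct request is probe noise are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumption: a direct request for a PHP file under /wp-includes/ is probe noise.
DIRECT_INCLUDE_RE = re.compile(r'^/wp-includes/[^?#]*\.php(?:[?#]|$)', re.I)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Aug/2019:13:58:01 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 0 "-" "bot"
198.51.100.7 - - [28/Aug/2019:13:58:03 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 0 "-" "bot"
203.0.113.44 - - [28/Aug/2019:13:58:09 +0000] "GET /wp-includes/session.php?x=1 HTTP/1.1" 500 0 "-" "bot"
192.0.2.55 - - [28/Aug/2019:13:59:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.0.2.80 - - [28/Aug/2019:14:00:00 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 96873 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

def triage(lines):
    """Split HTTP 500 entries into direct-include probe noise and other errors."""
    probes = defaultdict(set)   # path (query string stripped) -> distinct client IPs
    real_errors = []            # (ip, method, path) tuples that still deserve an alert
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "500":
            continue            # unparseable line or not a 500: nothing to triage
        path = m["path"]
        if DIRECT_INCLUDE_RE.match(path):
            probes[path.split("?", 1)[0]].add(m["ip"])
        else:
            real_errors.append((m["ip"], m["method"], path))
    return {p: len(ips) for p, ips in probes.items()}, real_errors

if __name__ == "__main__":
    noise, alerts = triage(SAMPLE_LOG.splitlines())
    for path, n in sorted(noise.items()):
        print(f"suppressed: {path} hit by {n} distinct IPs")
    for ip, method, path in alerts:
        print(f"ALERT 500: {method} {path} from {ip}")
```

Counting distinct IPs per path keeps the probing visible in a periodic summary instead of one alert per request.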