[wp-trac] [WordPress Trac] #47945: http status 500 returned when hacker accesses /wp-includes/session.php directly
WordPress Trac
noreply at wordpress.org
Wed Aug 28 14:07:10 UTC 2019
#47945: http status 500 returned when hacker accesses /wp-includes/session.php
directly
-------------------------+-----------------------------
 Reporter:  flymike      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:  5.2.2
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
Some hacker has discovered many of the WordPress files containing calls to
_deprecated_file() and is inundating my server with direct GET requests to
them.
Because that function is not defined in WordPress, Apache returns status
500 and - because, as an administrator, I want to be informed of status
500 - my inbox is deluged with alerts.
I would block the originating IPs but they're all different, so coming from
spambots. And the advantage to the hacker eludes me completely - but it is
what it is, and I have to deal with it.
Couldn't WordPress handle calls to deprecated files/functions a little
more elegantly? Like it does with direct calls to other files which should
not be accessed directly - with status 200 and zero bytes?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/47945>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
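
A log-triage sketch for the situation the ticket describes, added here as an example and not part of the original ticket or of WordPress: it collapses status 500 responses on direct requests to PHP files under /wp-includes/ into one summary per path, and passes every other 500 through for normal alerting. The Apache combined log format is assumed, the log lines are constructed, and the name `triage_500s` is hypothetical.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, identity, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A PHP file anywhere under /wp-includes/, requested directly (query string removed first).
DIRECT_INCLUDE_RE = re.compile(r'^/wp-includes/(?:[^/]+/)*[^/]+\.php$', re.IGNORECASE)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Aug/2019:13:01:02 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 - "-" "-"',
    '198.51.100.7 - - [28/Aug/2019:13:01:09 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 - "-" "-"',
    '203.0.113.5 - - [28/Aug/2019:13:02:41 +0000] "GET /wp-includes/session.php?x=1 HTTP/1.1" 500 - "-" "-"',
    '203.0.113.5 - - [28/Aug/2019:13:03:00 +0000] "GET /index.php HTTP/1.1" 500 512 "-" "-"',
    '192.0.2.10 - - [28/Aug/2019:13:03:10 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 9000 "-" "-"',
]

def triage_500s(lines):
    """Split 500 responses into a per-path summary of direct wp-includes
    requests and a list of all other 500 lines that still deserve an alert."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    remaining = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "500":
            continue
        path = m["target"].split("?", 1)[0]
        if DIRECT_INCLUDE_RE.match(path):
            hits[path] += 1
            clients[path].add(m["ip"])  # distinct sources show why IP blocking does not help
        else:
            remaining.append(line)
    summary = {p: {"hits": hits[p], "clients": len(clients[p])} for p in hits}
    return summary, remaining

if __name__ == "__main__":
    summary, remaining = triage_500s(SAMPLE_LOG)
    for path, stats in summary.items():
        print(f"{path}: {stats['hits']} x 500 from {stats['clients']} distinct clients")
    print(f"{len(remaining)} other 500 response(s) left for normal alerting")
```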