[wp-trac] [WordPress Trac] #47945: http status 500 returned when hacker accesses /wp-includes/session.php directly

WordPress Trac noreply at wordpress.org
Thu Aug 29 02:21:13 UTC 2019


#47945: http status 500 returned when hacker accesses /wp-includes/session.php
directly
-------------------------+------------------------
 Reporter:  flymike      |       Owner:  (none)
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  General      |     Version:  5.2.2
 Severity:  normal       |  Resolution:  duplicate
 Keywords:               |     Focuses:
-------------------------+------------------------
Changes (by SergeyBiryukov):

 * status:  new => closed
 * resolution:   => duplicate
 * milestone:  Awaiting Review =>


Old description:

> Some hacker has discovered many of the WordPress files containing calls
> to _deprecated_file() and is inundating my server with direct GET
> requests to them.
> Because that function is not defined in Wordpress, Apache returns status
> 500 and - because, as an administrator, I want to be informed of status
> 500 - my inbox is deluged with alerts.
> I would block the originating IPs but they're all different, so coming
> from spambots. And the advantage to the hacker eludes me completely - but
> it is what it is, and I have to deal with it.
> Couldn't WordPress handle calls to deprecated files/functions a little
> more elegantly? Like it does with direct calls to other files which
> should not be accessed directly - with status 200 and zero bytes?

New description:

 Some hacker has discovered many of the WordPress files containing calls to
 _deprecated_file() and is inundating my server with direct GET requests to
 them.
 Because that function is not defined in WordPress, Apache returns status
 500 and - because, as an administrator, I want to be informed of status
 500 - my inbox is deluged with alerts.
 I would block the originating IPs but they're all different, so coming from
 spambots. And the advantage to the hacker eludes me completely - but it is
 what it is, and I have to deal with it.
 Couldn't WordPress handle calls to deprecated files/functions a little
 more elegantly? Like it does with direct calls to other files which should
 not be accessed directly - with status 200 and zero bytes?
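
A defender-side way to stop these scanner-driven 500s from flooding the inbox, as an added example that is not part of the ticket or of WordPress: the script classifies HTTP 500 responses in an Apache access log so that direct hits on /wp-includes/*.php are summarised (request count, distinct source addresses, paths) rather than alerted on one by one, while any other 500 still raises an alert. The log lines are constructed; registration.php and rss.php are assumed file names standing in for the other deprecated files the reporter mentions.

```python
import re
from collections import defaultdict

# Apache combined-log line prefix (host, ident, user, time, request, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A PHP file requested directly under /wp-includes/ (no subdirectory, no query string).
DIRECT_INCLUDE = re.compile(r'^/wp-includes/[^/?]+\.php$')

# Constructed sample log: scanner hits on deprecated include files from several
# unrelated addresses, plus one genuine 500 on the front page that should alert.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Aug/2019:02:01:10 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 273
203.0.113.11 - - [29/Aug/2019:02:01:12 +0000] "GET /wp-includes/registration.php HTTP/1.1" 500 273
198.51.100.7 - - [29/Aug/2019:02:01:15 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 273
198.51.100.8 - - [29/Aug/2019:02:01:20 +0000] "GET /wp-includes/rss.php HTTP/1.1" 500 273
192.0.2.5 - - [29/Aug/2019:02:02:00 +0000] "GET /index.php HTTP/1.1" 500 512
192.0.2.5 - - [29/Aug/2019:02:02:03 +0000] "GET /index.php HTTP/1.1" 200 5123
"""

def parse(log_text):
    """Yield one dict per parsable access-log line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def triage_500s(log_text):
    """Separate 500s caused by direct requests to wp-includes/*.php from all other 500s.

    Returns {'scanner': summary, 'alert': [(ip, path), ...]}: the scanner bucket is
    meant to be reported once per interval, the alert list paged on immediately.
    """
    ips = set()
    paths = defaultdict(int)
    alerts = []
    for rec in parse(log_text):
        if rec['status'] != '500':
            continue
        if DIRECT_INCLUDE.match(rec['path']):
            ips.add(rec['ip'])
            paths[rec['path']] += 1
        else:
            alerts.append((rec['ip'], rec['path']))
    return {'scanner': {'requests': sum(paths.values()),
                        'distinct_ips': len(ips),
                        'paths': dict(paths)},
            'alert': alerts}

if __name__ == '__main__':
    print(triage_500s(SAMPLE_LOG))
```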

--

Comment:

 Hi @flymike, welcome to WordPress Trac! Thanks for the ticket.

 As #35835 is essentially the same issue and already has some comments,
 it's better to keep the discussion in one place.

 If there's consensus that it should be reconsidered, the ticket can be
 reopened and marked as an enhancement. Let's continue there?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47945#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform