Make WordPress Core

Opened 3 months ago

Closed 3 months ago

#47945 closed enhancement (duplicate)

http status 500 returned when hacker accesses /wp-includes/session.php directly

Reported by: flymike
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.2.2
Component: General
Keywords:
Focuses:
Cc:
PR Number:

Description (last modified by SergeyBiryukov)

Some hacker has discovered many of the WordPress files containing calls to _deprecated_file() and is inundating my server with direct GET requests to them.
Because that function is not defined in WordPress, Apache returns status 500 and - because, as an administrator, I want to be informed of status 500 - my inbox is deluged with alerts.
I would block the originating IPs but they're all different, so coming from spambots. And the advantage to the hacker eludes me completely - but it is what it is, and I have to deal with it.
Couldn't WordPress handle calls to deprecated files/functions a little more elegantly? Like it does with direct calls to other files which should not be accessed directly - with status 200 and zero bytes?
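
An added example (not part of the ticket and not WordPress code): a log triage sketch that separates the 500s described above, direct GET requests to PHP files under /wp-includes/, from other 500s that still merit an alert. It assumes Apache's combined log format; the function name `triage_500s` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache combined log format: client, identity, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Direct request to a PHP file under wp-includes (query string stripped first).
DIRECT_INCLUDE_RE = re.compile(r'^/wp-includes/(?:[^/]+/)*[^/]+\.php$', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not taken from the ticket.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2019:10:00:01 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 0 "-" "bot"
198.51.100.7 - - [12/Aug/2019:10:00:03 +0000] "GET /wp-includes/session.php?x=1 HTTP/1.1" 500 0 "-" "bot"
203.0.113.5 - - [12/Aug/2019:10:00:09 +0000] "GET /index.php HTTP/1.1" 500 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Aug/2019:10:00:11 +0000] "GET /wp-includes/js/jquery/jquery.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Aug/2019:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
not a log line
"""

def triage_500s(log_text):
    """Split 500 responses into direct wp-includes probes and everything else."""
    probes = defaultdict(set)   # path -> distinct client IPs
    other = []                  # (ip, path) pairs that still deserve an alert
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "500":
            continue            # unparsable lines and non-500s are out of scope
        path = m["target"].split("?", 1)[0]
        if m["method"] == "GET" and DIRECT_INCLUDE_RE.match(path):
            probes[path].add(m["ip"])
        else:
            other.append((m["ip"], path))
    return dict(probes), other

if __name__ == "__main__":
    probes, other = triage_500s(SAMPLE_LOG)
    for path, ips in sorted(probes.items()):
        print(f"probe noise: {path} from {len(ips)} distinct IPs")
    for ip, path in other:
        print(f"alert: 500 on {path} from {ip}")
```

Counting distinct client IPs per path shows why per-IP blocking does not help here, while keeping the non-probe 500s on a separate list preserves the alerts an administrator still wants.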

Change History (3)

#1 @henry.wright
3 months ago

This has been discussed previously in #35835

#2 @flymike
3 months ago

It was discussed previously as a bug. This is an enhancement request, and I would like to see it discussed as such.

#3 @SergeyBiryukov
3 months ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi @flymike, welcome to WordPress Trac! Thanks for the ticket.

As #35835 is essentially the same issue and already has some comments, it's better to keep the discussion in one place.

If there's consensus that it should be reconsidered, the ticket can be reopened and marked as an enhancement. Let's continue there?
