Opened 5 years ago
Closed 5 years ago
#47945 closed enhancement (duplicate)
http status 500 returned when hacker accesses /wp-includes/session.php directly
| Reported by: | flymike | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 5.2.2 |
| Component: | General | Keywords: | |
| Focuses: | | Cc: | |
Description (last modified by )
Some hacker has discovered many of the WordPress files containing calls to _deprecated_file() and is inundating my server with direct GET requests to them.
Because that function is not defined in WordPress, Apache returns status 500 and - because, as an administrator, I want to be informed of status 500 - my inbox is deluged with alerts.
I would block the originating IPs but they're all different, so coming from spambots. And the advantage to the hacker eludes me completely - but it is what it is, and I have to deal with it.
Couldn't WordPress handle calls to deprecated files/functions a little more elegantly? Like it does with direct calls to other files which should not be accessed directly - with status 200 and zero bytes?
Change History (3)
#1
@
5 years ago
#2
@
5 years ago
It was discussed previously as a bug. This is an enhancement request, and I would like to see it discussed as such.
#3
@
5 years ago
- Description modified (diff)
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
Hi @flymike, welcome to WordPress Trac! Thanks for the ticket.
As #35835 is essentially the same issue and already has some comments, it's better to keep the discussion in one place.
If there's consensus that it should be reconsidered, the ticket can be reopened and marked as an enhancement. Let's continue there?
This has been discussed previously in 35835
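
For administrators facing the alert volume described in this ticket, the following is an added example (not part of the ticket and not WordPress code) that separates status 500 responses caused by direct GET requests to `/wp-includes/*.php` from other 500s in an access log. It assumes Apache's "combined" log format; the function name `triage` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Direct hits on PHP files under wp-includes (query string stripped first).
DIRECT_RE = re.compile(r'^/wp-includes/[\w./-]+\.php$')

def triage(lines):
    """Split 500s into direct wp-includes probes and everything else."""
    probes = defaultdict(set)   # path -> set of client IPs seen probing it
    other_500 = []              # 500s that still deserve an alert
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "500":
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "GET" and DIRECT_RE.match(path):
            probes[path].add(m["ip"])
        else:
            other_500.append(line)
    return dict(probes), other_500

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Sep/2019:06:12:01 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 0 "-" "-"',
    '198.51.100.23 - - [10/Sep/2019:06:12:09 +0000] "GET /wp-includes/session.php HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.44 - - [10/Sep/2019:06:13:30 +0000] "GET /wp-includes/registration.php?x=1 HTTP/1.1" 500 0 "-" "-"',
    '192.0.2.44 - - [10/Sep/2019:06:14:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 500 0 "-" "-"',
    '203.0.113.7 - - [10/Sep/2019:06:15:11 +0000] "GET /wp-includes/version.php HTTP/1.1" 200 0 "-" "-"',
]

if __name__ == "__main__":
    probes, other = triage(SAMPLE)
    for path, ips in sorted(probes.items()):
        print(f"{path}: {len(ips)} distinct client(s), direct-access probe")
    print(f"{len(other)} other 500 response(s) still need attention")
```
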