Exploring the goal of common WordPress and PHP attack paths.

After checking the access logs for any suspicious activity on the server, I noticed some common paths that seemed to come up a lot.
Checking about them through Gemini AI and online searches provided the following information:


Here’s a breakdown of the listed paths and why some are likely attacks:

Likely Attacks:

  • /wp-content/uploads/wp-casper.php: This file is not a standard WordPress file and likely a malicious script for uploading malware or exploiting vulnerabilities.
  • /wp-content/uploads/uploads.php: Uploading functionality is typically handled by WordPress core, not a separate script in the uploads folder. This suggests a potential attempt to bypass security measures.
  • /wp-content/uploads/wso112233.php: This filename format (wsoXXXX) is commonly associated with webshell tools used for gaining unauthorized access.
  • /wp-content/uploads/2023/wp-signup.php: While a legitimate signup script could exist in this location for some plugins, it’s uncommon. The presence of a year in the path makes it more suspicious.
  • /wp-includes/css/wp-config.php: This is a highly critical configuration file storing database credentials. Accessing it via a HTTP request is a clear attack attempt.

Suspicious but require further investigation:

  • /vendor/phpunit: PHPUnit is a legitimate testing framework used by developers. However, if you are not actively running tests or expecting PHPUnit usage, unknown access to this folder could be suspicious.
  • /vendor/bin/test.php: Similar to the above, this could be a legitimate testing script but requires verification of its purpose.
  • /wp-content/uploads/2022/themes.php”: Themes are usually stored in the /wp-content/themes folder. Having a themes.php script in the uploads folder is suspicious, especially with a year in the path.
  • /wp-content/uploads/2020/09/themes.php: Similar to the above, the presence of a themes.php script in the uploads folder with a date path is suspicious.

After searching online further, I found a long list of paths that shows common paths that are attacked:

https://www.luszcz.de/widwsisw/i/i0004en.php

WordPress paths and .env paths come up a lot!

Also, the reasoning for searching for phpunit, might be answered by the following article: https://thephp.cc/articles/phpunit-a-security-risk

It seems there has been a file included in it that can be exploited.
As usual, it is best to be careful to not include development code in production and also not expose dependency areas such as vendor publicly.

WordPress public routes, both API and standard routes

I wanted a list of public WordPress routes for quickly finding routes to test and check security issues, so I generated a list using Bard AI.

My first attempt only provided the API routes. They can be seen below:

===

The following is a list of all routes a site on WordPress can be publicly accessed from by default:

  • /wp-json/ – The root of the WordPress REST API.
  • /wp-json/wp/v2/ – The namespace for the WordPress core REST API.
  • /wp-json/wp/v2/posts/ – A route for managing posts.
  • /wp-json/wp/v2/posts/{id}/ – A route for managing a specific post, where {id} is the post ID.
  • /wp-json/wp/v2/pages/ – A route for managing pages.
  • /wp-json/wp/v2/pages/{id}/ – A route for managing a specific page, where {id} is the page ID.
  • /wp-json/wp/v2/categories/ – A route for managing categories.
  • /wp-json/wp/v2/categories/{id}/ – A route for managing a specific category, where {id} is the category ID.
  • /wp-json/wp/v2/tags/ – A route for managing tags.
  • /wp-json/wp/v2/tags/{id}/ – A route for managing a specific tag, where {id} is the tag ID.
  • /wp-json/wp/v2/users/ – A route for managing users.
  • /wp-json/wp/v2/users/{id}/ – A route for managing a specific user, where {id} is the user ID.
  • /wp-json/wp/v2/media/ – A route for managing media.
  • /wp-json/wp/v2/media/{id}/ – A route for managing a specific media item, where {id} is the media item ID.
  • /wp-json/wp/v2/comments/ – A route for managing comments.
  • /wp-json/wp/v2/comments/{id}/ – A route for managing a specific comment, where {id} is the comment ID.
  • /wp-json/wp/v2/settings/ – A route for managing settings.
  • /wp-json/wp/v2/search/ – A route for searching.

In addition to these default routes, WordPress also allows plugins and themes to register their own custom routes.

It is important to note that the WordPress REST API is exposed by default, but it can be disabled in the WordPress admin settings.

===

I tried again asking for non-API routes, and got a list of important standard routes:

===

The following is a list of all non-API routes a site on WordPress can be publicly accessed from by default:

  • / – The home page of the site.
  • /about/ – The about page of the site.
  • /contact/ – The contact page of the site.
  • /blog/ – The blog page of the site.
  • /category/{slug}/ – A page for displaying all posts in a specific category, where {slug} is the category slug.
  • /tag/{slug}/ – A page for displaying all posts in a specific tag, where {slug} is the tag slug.
  • /archives/{year}/{month}/ – A page for displaying all posts published in a specific year and month.
  • /author/{author_name}/ – A page for displaying all posts published by a specific author, where {author_name} is the author’s name.
  • /wp-login.php – The WordPress login page.
  • /wp-register.php – The WordPress registration page.
  • /wp-admin/ – The WordPress admin dashboard.

In addition to these default routes, WordPress also allows plugins and themes to register their own custom routes.

It is important to note that the WordPress admin dashboard is not publicly accessible by default, but it can be made publicly accessible by changing the WordPress admin settings.

===

This is sufficient for me now, but please note, this is probably not an extensive list.
For an extensive list, please check the official WordPress documentation.