Wp-* jail break

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.5
Usermin version: 2.400
Virtualmin version: 7.40.0
Theme version: 25.01
Nginx version: 1.18.0
Package updates: All installed packages are up to date

I do not think this has anything to do with recent upgrades and could be just coincidental.

As many (some) may be aware, I detest everything WP, and on every Webmin I have a jail specifically to trap any IP attempting to look for anything wp-* like. This has been running quite happily now for months (through numerous reboots and upgrades), with the occasional check on the jail to see them trapped.

Today, nothing, and the attack has gone mad!

from yesterday:

to:

It only came to my notice after adding a new VS to the VM, but I cannot understand why that should have made any difference.

Can the domain name you added be popular and just drive a lot of traffic?

It could be :worried: though the TLD is a bit less popular (.help), and I do not think these are just random pings; they all seem to be wp-include, wp-login, wp-content, xmlrpc, etc.

I don't really understand what you mean by "trap" and "jail IP". (?)
Are you not blocking those immediately (on the 1st try) on firewall/web server/fail2ban/other?

Yes, the jail was set up months ago under Webmin → Networking → Fail2ban.

This used to show quite a long list of banned IPs in the wordpress jail :tada:

But now it shows only a meagre 50 under "total failed".

So either the jail has become broken, or perhaps it requires changing?

They are still appearing in the access logs, when they used to not do so :frowning:

Those attempted connections are returning a 404 Not Found error. A quick search on Google shows the regex for most wp jails looks for a 200 code, as a legitimate login to WordPress returns 302. If you want to ban on a 404 code, add a secondary regex to cover 404 codes as well.
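A worked illustration of the point in the reply above, added here as an example (it is not code from the thread, from Virtualmin, or from fail2ban itself): a 200-only failregex set beside a secondary 404 rule, both run over constructed nginx access-log lines. The IPs, log lines and regexes are made up for the example, and the FAILREGEX_200 rules are an assumption about what a typical downloaded wordpress filter looks like, not the poster's exact jail configuration. The HOST_GROUP substitution only mimics what fail2ban does with the `<HOST>` placeholder so the rules can be tested offline.

```python
import re
from collections import Counter

# Constructed nginx access-log lines in the combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2025:10:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2025:10:02:05 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.44 - - [12/Mar/2025:10:03:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "curl/8.0"
"""

# Assumed "200-only" rules, representative of many wordpress filters found
# online: they match only when the server actually answered the WP path with 200.
FAILREGEX_200 = [
    r'^<HOST> .* "(?:GET|POST) /wp-login\.php[^"]*" 200 ',
    r'^<HOST> .* "POST /xmlrpc\.php[^"]*" 200 ',
]

# Secondary rule for the case in the thread: the host does not run WordPress,
# so every wp-* or xmlrpc.php probe is answered with 404 and the 200 rules
# never fire.  This catches those probes.
FAILREGEX_404 = [
    r'^<HOST> .* "(?:GET|POST) /(?:wp-[a-z]+[^" ]*|xmlrpc\.php)[^"]*" 404 ',
]

# In a real filter.d file the same lines would sit under [Definition] as
# failregex = ...; fail2ban replaces <HOST> with its own IP/hostname pattern.
# Here we substitute a simple named group so the rules can be run offline.
HOST_GROUP = r"(?P<host>\S+)"


def compile_failregex(patterns):
    """Turn fail2ban-style patterns (with <HOST>) into compiled Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def count_failures(patterns, log_text):
    """Count matching lines per source host, one failure per log line at most."""
    compiled = compile_failregex(patterns)
    hits = Counter()
    for line in log_text.splitlines():
        for rx in compiled:
            m = rx.match(line)
            if m:
                hits[m.group("host")] += 1
                break  # a line counts once even if several rules match it
    return dict(hits)


def banned_hosts(patterns, log_text, maxretry):
    """Hosts that would reach the jail's maxretry threshold on this log."""
    return {h for h, n in count_failures(patterns, log_text).items() if n >= maxretry}


if __name__ == "__main__":
    print("200-only rules:", count_failures(FAILREGEX_200, SAMPLE_LOG))
    print("404 rule:      ", count_failures(FAILREGEX_404, SAMPLE_LOG))
    print("both, maxretry=2:", banned_hosts(FAILREGEX_200 + FAILREGEX_404, SAMPLE_LOG, 2))
```

Against the sample log the 200-only rules see just one failure (the POST to /wp-login.php that was answered 200), while the 404 rule is what picks up the scanner hitting wp-login.php, xmlrpc.php and wp-admin/ on a host that has no WordPress at all. Before reloading a changed filter on the real system, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/wordpress.conf` shows which lines each failregex matches. One caveat: a 404 rule is safe on a server that does not host WordPress, where nobody legitimate requests those paths, but on a host that does run WordPress it can ban visitors following broken links, so keep maxretry above 1 there.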
