I seem to get a continual stream of sites trying to send an HTTP POST to a particular admin file for WordPress. I have locked down the wp-admin area on my WordPress sites to stop hackers trying to brute-force guess passwords to the admin area, so anyone trying to access my admin pages gets an HTTP error 403 - Denied.
What is interesting is how many people are trying to access with an HTTP POST. Even Googlebot has a good try at getting something useful from the URL.
I have checked Webmaster console and my site crawl looks OK, so the Googlebot entries have me confused. The rest are just hackers, I think.
Here are some examples:
88-106-75-24.dynamic.dsl.as9105.com - - [01/Mar/2016:07:18:59 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/articles/cleansers" "Mozilla/5.0 (iPad; CPU OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1"
cpe185933f89386-cm185933f89383.cpe.net.cable.rogers.com - - [01/Mar/2016:07:19:02 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/favourite-over-the-counter-treatments.html" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
194-83-93-28.qmu.ac.uk - - [01/Mar/2016:07:19:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/eucerin-redness-relief-licochalcone.html" "Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13D15 Safari/601.1"
crawl-66-249-75-233.googlebot.com - - [01/Mar/2016:07:22:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 "https://rosacea-support.org/soolantra-before-and-after-pictures.html?relatedposts_hit=1&relatedposts_origin=5174&relatedposts_position=0" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
It seems that this script is used for heartbeat polling by wp-admin scripts to lock pages being edited, synchronise draft saving etc. So I need it when I am logged in, but why are all those sites trying to heartbeat poll me?
[update] From Brute Force Attacks
If your theme or plugins use AJAX, you will most likely need to add an additional group of settings to your .htaccess so that functionality continues to work:

# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Save the file and upload it to your wp-admin folder.
So something in my theme or plugins needs an AJAX call to the admin area, it seems. If I could easily change my IP address I could use Chrome's console to see who is asking for the POST request, but at the moment I have no idea. The log file is nice and green now though, so that bit is fixed.
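One way to answer "who is asking for the POST" from the access log instead of a browser console, as an added example that is not part of the original post: the Referer on each admin-ajax.php POST names the page on your own site whose theme or plugin script fired it, while referer-less POSTs are the ones worth keeping blocked. The IPs, hostnames and sample lines below are constructed, and the regex assumes Apache's combined log format, which the excerpt above uses.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed lines in the same format as the post's excerpt (not its entries)
    '203.0.113.5 - - [01/Mar/2016:07:18:59 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 '
    '"https://rosacea-support.org/articles/cleansers" "Mozilla/5.0 (iPad; CPU OS 9_2_1 like Mac OS X)"',
    '198.51.100.7 - - [01/Mar/2016:07:19:02 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 '
    '"-" "Mozilla/5.0"',
    '198.51.100.8 - - [01/Mar/2016:07:19:09 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.0" 403 48 '
    '"http://example.net/some-page" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2016:07:20:00 -0600] "GET /articles/cleansers HTTP/1.1" 200 1234 '
    '"-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_ajax_post(rec, own_host):
    """Classify a POST to admin-ajax.php by its Referer. 'frontend': referer is one of our own
    pages, so a theme/plugin script in the visitor's browser made the call (the traffic the
    <Files admin-ajax.php> exception must allow); 'no_referer': blind POST, typical of scripted
    probing, keep it blocked; 'foreign': referer on another host, worth a closer look."""
    if rec["method"] != "POST" or not rec["path"].startswith("/wp-admin/admin-ajax.php"):
        return None  # not an admin-ajax.php POST at all
    ref = rec["referer"]
    if ref in ("", "-"):
        return "no_referer"
    return "frontend" if urlparse(ref).hostname == own_host else "foreign"

def summarize(lines, own_host):
    """Count admin-ajax.php POSTs per class and tally which own-site pages triggered them."""
    counts, pages = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        cls = classify_ajax_post(rec, own_host)
        if cls is None:
            continue
        counts[cls] += 1
        if cls == "frontend":
            pages[urlparse(rec["referer"]).path] += 1
    return counts, pages
```

Running summarize over a day's access log with your own hostname lists the pages whose scripts call admin-ajax.php, which is the list of theme or plugin features that depend on the .htaccess exception.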