List of URLs targeted in attacks on WordPress sites
Because WordPress has such a large share, there are also many unauthorized access attempts aimed at it.
Here is a compilation of the URLs that were requested on this site with malicious intent.
Plugins
A
/wp-content/plugins/accessally/resource/backend/css/accessally-manage.css
/wp-content/plugins/akismet/akismet.js
B
/wp-content/plugins/batchmove/js/batch.js
/wp-content/plugins/blnmrpb/log.txt
C
/wp-content/plugins/cardoza-facebook-like-box/cardoza_facebook_like_box.php
/wp-content/plugins/codecanyon-157782-video-gallery-wordpress-plugin-w-youtube-vimeo-/upload.php
/wp-content/plugins/contus-hd-flv-player/uploadVideo.php
D
/wp-content/plugins/delucks-seo/modules/professional/breadcrumbs/assets/css/frontend.css
/wp-content/plugins/dzs-portfolio/upload.php
E
/wp-content/plugins/easy2map/scripts/jquery.xml2json.js
/wp-content/plugins/easy-wp-smtp/js/script.js
F
/wp-content/plugins/font-uploader/font-upload.php
/wp-content/plugins/formcraft/file-upload/server/content/upload.php
/wp-content/plugins/formidable/css/frm_fonts.css
G
/wp-content/plugins/google-maps-by-daniel-martyn/inuse.php
/wp-content/plugins/google-maps-builder/README.txt
H
/wp-content/plugins/hybrid-composer/style.css
I
/wp-content/plugins/insert-php/admin/assets/js/tag-it.js
/wp-content/plugins/ithemes-sync/js/settings-page.js
M
/wp-content/plugins/mm-forms-community/includes/doajaxfileupload.php
P
/wp-content/plugins/page-google-maps/pr.php
/wp-content/plugins/php-event-calendar/server/file-uploader/
R
/wp-content/plugins/responsive-coming-soon/templates/template1/assets/css/style.css
/wp-content/plugins/revslider
/wp-content/plugins/rich-reviews/css/rich-reviews.css
S
/wp-content/plugins/sharexy/ajaxresponder.php
/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php
/wp-content/plugins/simple-dropbox-upload-form/dragup/
/wp-content/plugins/simple-fields/js/chosen/chosen.css
/wp-content/plugins/strong-testimonials/templates/modern/content.css
T
/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
U
/wp-content/plugins/uploader/uploadify/uploadify.php
V
/wp-content/plugins/visualizer/js/media.js
W
/wp-content/plugins/wordpress-database-reset/assets/css/bsmselect.css
/wp-content/plugins/wp-db-ajax-made/wp-ajax.php
/wp-content/plugins/wp-handy-lightbox/begin.php
/wp-content/plugins/wp-inventory-manager/themes/css/default-theme.css
/wp-content/plugins/wp-live-chat-software-for-wordpress/plugin_files/js/livechat.js
/wp-content/plugins/wp-property/third-party/uploadify/uploadify.php
/wp-content/plugins/wpstorecart/php/upload.php
/wp-content/plugins/wpematico/app/js/wpe_hooks.js
X
/wp-content/plugins/xcalendar/data/
Themes
/wp-content/themes/classic/rtl.css
/wp-content/themes/Divi
/wp-content/themes/headway-163/style.css
/wp-content/themes/twentyeleven/readme.txt
/wp-content/themes/twentyten/images/wordpress.png
/wp-content/themes/twentyten/style.css
wp-config.php
/wp-config.original
/wp-config.orig
/wp-config.old
/wp-config.save
/wp-config.bak
/wp-config-backup.txt
/wp-config.txt
uploads folder
/wp-content/uploads/assignments/ch.php
/wp-content/uploads/assignments/ch.php.
/wp-content/uploads/file-manager/log.txt
wp-includes
/wp-includes/js/scriptaculous/wp-scriptaculous.js
/wp-includes/js/tinymce/query.js.php
wp-content folder
/wp-content/uploader.php
/wp-content/uploader.php.suspected
Countermeasures
As a countermeasure, writing something like the following in .htaccess does the job.
# RewriteEngine On is needed once per .htaccess; the standard WordPress permalink block usually already has it
RewriteEngine On
RewriteRule ^wp-content/plugins/dzs-portfolio/upload.php - [F]
The [F] flag makes the request return a 403 error.
If they also come at other files in the same directory, do something like the following.
RewriteEngine On
RewriteRule ^wp-content/plugins/dzs-portfolio/(.*) - [F]
If blocking a single file is enough, do something like the following.
<Files "license.php">
order deny,allow
deny from all
</Files>
If you want to group similar file names together, do something like the following.
<FilesMatch "^(htdocs\.zip|htdocs\.tar\.gz|htdocs\.sql)">
order allow,deny
deny from all
</FilesMatch>
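As an added example that is not part of the original post: a Python script that scans Apache access-log lines for the kinds of paths listed above (wp-config backup copies, upload scripts inside plugin directories, PHP under uploads/, *.suspected files) and emits a RewriteRule for each hit in the same form as the countermeasures. The log lines are constructed, and the pattern list is a hypothetical generalisation of the page's list rather than a complete one.

```python
import re
# Constructed sample Apache combined-log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0900] "GET /wp-config.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0900] "GET /wp-content/plugins/dzs-portfolio/upload.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0900] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0900] "POST /wp-content/uploads/assignments/ch.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0900] "GET /index.php?p=1 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

# Hypothetical probe patterns generalised from the list above: wp-config backup copies,
# upload scripts inside any plugin directory, PHP under uploads/, and *.suspected leftovers.
PROBE_PATTERNS = [
    re.compile(r"^/wp-config(\.original|\.orig|\.old|\.save|\.bak|\.txt|-backup\.txt)$"),
    re.compile(r"^/wp-content/plugins/[^/]+/.*upload[^/]*\.php$", re.IGNORECASE),
    re.compile(r"^/wp-content/uploads/.*\.php\.?$", re.IGNORECASE),
    re.compile(r"\.suspected$"),
]

# Client IP, request method, request target and status code of a combined-log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, method, path, status), or None for a line that is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path = target.split("?", 1)[0]  # match on the path only; the query string is ignored
    return ip, method, path, int(status)

def find_probes(log_text):
    """Return every parsed request whose path matches one of the probe patterns."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and any(p.search(rec[2]) for p in PROBE_PATTERNS):
            hits.append(rec)
    return hits

def rewrite_rules(paths):
    """One RewriteRule per probed path, in the form used in the countermeasures above.
    The leading slash is dropped (mod_rewrite strips it in .htaccess context) and regex
    metacharacters such as the dot in .php are escaped so the path is matched literally."""
    return ["RewriteRule ^%s$ - [F]" % re.escape(p.lstrip("/")) for p in sorted(set(paths))]

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    print("\n".join(rewrite_rules(h[2] for h in hits)))
```

Feed it a real access log (one line per request) instead of SAMPLE_LOG to see which paths from the list are being probed against your own site, and paste the emitted rules into .htaccess after a RewriteEngine On line.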
Notes
The attacks most often seen target known vulnerabilities in plugins under the wp-content directory.
So it may also be a good idea to move the wp-content directory away from its default location.
[Tip] How to move the wp-content directory away from its default location