Our site runs on WordPress, which isn’t a huge mystery to anyone who’s even slightly savvy with the ol’ computer. When we recently changed our domain name from mediumrarenyc.com to mediumrareinc.com, I installed the 404 Redirected plugin to manage redirects from the old site to the new, and also to capture any missed URLs from when we launched the new site. An interesting side effect has been that I can now see all of the 404 errors (that’s the “page not found” error for all you non-techie folks) that are generated when someone tries to access a nonexistent page on the site.
What I found was very interesting: almost all of the errors we’ve had have been from automated crawlers looking for insecure software installations. phpmyadmin, sqlmanager, cpanel and other software were all targeted by the automated scripts. They were looking for screwups like leaving the “install” file in place after installation was complete, a common error when setting up software on a server.
While I’ve long known that hackers use automated scripts to fish for vulnerabilities on servers, I’d never seen one in action before. I regularly harp on the subject of maintaining basic security practices to our clients, so this should serve as additional reinforcement that security needs to be a constant. There were 23 pages of errors – at 25 listings per page. That’s over 550 ways that bad people are probing your site via automated scripts, without even lifting a finger.
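To separate the scanner noise described above from the genuinely missed URLs that still need a redirect, the same triage can be run against the web server's access log. This is an added example, not part of the original post or the 404 Redirected plugin; the log lines are constructed, and the pattern list and function names are assumptions that cover only the software named in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in "combined" log format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2000:04:11:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [01/Jan/2000:04:11:03 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [01/Jan/2000:04:11:03 +0000] "GET /sqlmanager/ HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [01/Jan/2000:06:40:19 +0000] "GET /cpanel HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [01/Jan/2000:06:40:20 +0000] "GET /blog/install.php HTTP/1.1" 404 512 "-" "-"
192.0.2.50 - - [01/Jan/2000:09:02:44 +0000] "GET /about-us-old/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.50 - - [01/Jan/2000:09:02:50 +0000] "GET /contact/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
# Hypothetical signature list built from the software the post names.
PROBE_PATTERNS = {
    "phpmyadmin": re.compile(r"/phpmyadmin(/|$)", re.I),
    "sqlmanager": re.compile(r"/sqlmanager(/|$)", re.I),
    "cpanel": re.compile(r"/cpanel(/|$)", re.I),
    "leftover installer": re.compile(r"/install(\.php)?(/|$)", re.I),
}
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def classify(path):
    """Return the probe label for a requested path, or None for an ordinary URL."""
    path = path.split("?", 1)[0]  # ignore the query string
    for label, rx in PROBE_PATTERNS.items():
        if rx.search(path):
            return label
    return None

def triage(log_text):
    """Split 404s into scanner probes (per client IP) and real missed URLs."""
    probes = defaultdict(Counter)   # ip -> Counter of probe labels
    missed = Counter()              # path -> hits; candidates for a redirect
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue                # unparseable line or not a 404
        label = classify(m["path"])
        if label:
            probes[m["ip"]][label] += 1
        else:
            missed[m["path"]] += 1
    return dict(probes), missed

if __name__ == "__main__":
    probes, missed = triage(SAMPLE_LOG)
    for ip, hits in probes.items():
        print(ip, dict(hits))
    print("needs a redirect:", dict(missed))
```

A client that trips several different labels within seconds is a scanner rather than a visitor with a stale bookmark, which makes it a reasonable candidate for rate limiting or blocking at the server or firewall.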