• There’s a bot (or maybe several) that have been accessing the same URL on my site over and over. It’s https://mysite.com/mynewestpost/?share=email&nb=1

    I had Wordfence run a Whois and it’s from Krypt Technologies, also known as VPLS, and Google says it’s a shady ISP that tends to allow or cooperate with spammers and malware and hackers.

    Of course I manually blocked the 8 IP addresses in use, but the bots are still attempting to access that one URL anywhere from every 3-7 seconds. Each one has 2000-3000 hits in total.

    My question is what are these bots trying to do by accessing the email share feature over and over? Are they spamming, trying to DoS me, probing for a vulnerability in the share feature? I guess I just am not sure why it’s only accessing that single URL and not attempting to access any other pages.

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • It’s probably looking for a vulnerability or way of doing email spam. Waste of time to try and figure out why you get attacked, frequently you’re just crawled because you are a website, along with thousands or millions of others. If you don’t like bots hitting that URL, put it in your Wordfence “Immediately block IP’s that access these URLs” and use it as a honey trap. Fun to watch over coffee as the bots get blocked (though it’ll make you wonder how they get to you in the first place, as such bots should be blocked as part of the Wordfence network). Am pretty sure you’d put it in to the “Immediately block…” as /*/?share=email&nb=1

    MTN

    Thread Starter KatGamer

    (@katgamer)

    Thanks. I don’t even care why, I just was curious as to what it was doing or if it was a specific known attack. It’s been about 12 hours and it’s still at it. Blocked but still trying.

    There are thousands and thousands of attack vectors that bots test, most are “known,” that’s often why they are attacking that specific URL. In fact, if you see a weird bot attack you can pretty much figure what you are looking at is a known vulnerability. I’ve found it’s worth the time to check server logs nearly every day and do “whack a mole” individual blocks, but one has to depend on plugins like Wordfence to do most of the work, as well as having WordPress and server as hardened as possible. After that, just do good backups. I do 6 different types of backups since an aggressive criminal can compromise backups as well, and some types of backups can just end up backing up what’s been destroyed and thus be useless, for example the “daily” backups stored on a server and touted by various hosting companies. Those are somewhat of a joke.

    Wordfence appears to have gotten better at blocking attacks by virtue of the Wordfence “Real-Time WordPress Security Network.” This wasn’t all that good for a while, but in my case a lot less is slipping through than used to.

    The goal here is “set and forget.” The day when those of us with high traffic websites and a fixed budget for bandwidth can actually go for several days in a row without looking at or tweaking anything to do with security. That day is not here, sadly, the criminals are ruling and everyone is just reacting to a seemingly endless series of threats.

    MTN

    Thread Starter KatGamer

    (@katgamer)

    Thanks. It’s been more than 2 days and they’re still going strong. They’re blocked but I still see the blocked hits every few seconds in Live Traffic. Also some bots from all over the world are now hitting my XML-RPC but I’m not too worried about that, since I have Wordfence and a plugin that disables the XML-RPC pingbacks. I wonder why they’re leaving my other WordPress blog alone so far. It’s on the same server and same shared hosting account but a separate domain name.

    If you’re concerned about bandwidth due to being hit every few seconds, go one level higher with your blocking and do some IP blocks in your .htaccess file, or do them in your server firewall. As for why they hit one website and not another, you’ll have to visit Ukraine and meet up with the head hacker in a coffee shop and quiz him about why (smile). MTN
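    Added example (not part of the original thread and not Wordfence's code): a small script for the log checking and .htaccess blocking suggested in the replies above. It finds IPs that keep requesting the `share=email` URL every few seconds and prints deny rules for them. The log lines are constructed samples in Apache combined log format, the thresholds are hypothetical, and the output assumes Apache 2.4 `Require` syntax.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (documentation IP ranges, made-up times).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2016:10:00:01 +0000] "GET /mynewestpost/?share=email&nb=1 HTTP/1.1" 403 512 "-" "bot"
198.51.100.7 - - [12/Mar/2016:10:00:03 +0000] "GET /mynewestpost/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:10:00:05 +0000] "GET /mynewestpost/?share=email&nb=1 HTTP/1.1" 403 512 "-" "bot"
203.0.113.10 - - [12/Mar/2016:10:00:11 +0000] "GET /mynewestpost/?share=email&nb=1 HTTP/1.1" 403 512 "-" "bot"
203.0.113.10 - - [12/Mar/2016:10:00:15 +0000] "GET /mynewestpost/?share=email&nb=1 HTTP/1.1" 403 512 "-" "bot"
198.51.100.23 - - [12/Mar/2016:10:00:20 +0000] "GET /otherpost/?share=email&nb=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:10:20:00 +0000] "GET /otherpost/?share=email&nb=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2016:10:45:00 +0000] "GET /otherpost/?share=email&nb=1 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def share_email_hits(log_text):
    """Map client IP -> timestamps of requests whose query string has share=email."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target = m.groups()
        query = target.partition("?")[2]
        if "share=email" in query.split("&"):
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return hits

def repeat_offenders(hits, min_hits=3, max_gap_seconds=10):
    """IPs with enough share=email hits whose median spacing is a few seconds."""
    flagged = []
    for ip, times in hits.items():
        ordered = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
        if len(ordered) >= max(min_hits, 2) and statistics.median(gaps) <= max_gap_seconds:
            flagged.append(ip)
    return sorted(flagged)

def htaccess_rules(ips):
    """Render Apache 2.4 deny rules (assumed syntax; 2.2 uses 'Deny from')."""
    body = [f"    Require not ip {ip}" for ip in ips]
    return "\n".join(["<RequireAll>", "    Require all granted", *body, "</RequireAll>"])

if __name__ == "__main__":
    print(htaccess_rules(repeat_offenders(share_email_hits(SAMPLE_LOG))))
```

    Only the rapid repeater is flagged; the visitor who used the share link three times over 45 minutes is left alone.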

  • The topic ‘What is this bot doing?’ is closed to new replies.