Fake UserAgent visitor attack?

Every computer with a public IP gets this kind of attention permanently. There's nothing you can do to stop it (I once tried to complain to the provider owning the offender's IP, never got a reply and gave up). What you can do is to make sure you're well protected against a possible attack (this bot seemed to look for WordPress, but there are others looking for Apache, SSH, you name it). A few rules:

  • Expose as few services as possible. If you don't need SSH, FTP, etc., disable it.
  • For the services you expose (the web server in your case) make sure you install security patches regularly.
  • If your service has some form of authentication (like the WordPress admin page), be sure to pick a strong random password. Online bots usually check for default passwords and extremely weak combinations like root/r00t, but I wouldn't risk using any dictionary word, or anything shorter than 12-16 characters.
  • If you want to stop wasting resources on people who try to guess your password (assuming you have a good password) you can install Fail2Ban which bans an IP address for 10 minutes after 6 failed login attempts, rendering password guessing scripts impractically slow. Of course, you can configure the ban delay and the number of attempts to your liking.
  • For services which are intended for a specific group of users (you, your company, etc.), you can also use other techniques like port knocking and limiting access to IP ranges you are likely to use to access your services (your country only, your ISP, your work ISP, etc.).
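
The Fail2Ban behaviour described in the answer above (a ban after 6 failed logins, lasting 10 minutes), sketched in Python as an added example that is not part of the original answers and is not Fail2Ban's own code. It assumes combined-format access log lines, treats a POST to /wp-login.php answered with 200 as a failed login, and uses a 10-minute counting window; the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 6                       # failed attempts before a ban (from the answer)
BAN_TIME = timedelta(minutes=10)    # ban length (from the answer)
FIND_TIME = timedelta(minutes=10)   # counting window (assumption, not from the page)

# Combined-log-format line. Assumption: a POST to /wp-login.php answered
# with 200 is a failed login (a successful one is redirected with 302).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" 200 ')

def find_bans(lines):
    """Return a list of (ip, ban_start, ban_end) tuples in log order."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                # not a failed WordPress login
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already banned: a firewall would drop this
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > FIND_TIME:
            window.popleft()        # forget failures older than the window
        if len(window) >= MAX_RETRY:
            banned_until[ip] = ts + BAN_TIME
            bans.append((ip, ts, ts + BAN_TIME))
            window.clear()          # start counting afresh after the ban
    return bans

def sample_log():
    """Constructed sample: one noisy address, one user with a single typo."""
    fmt = ('{ip} - - [12/Mar/2024:10:{m:02d}:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} 512 "-" "Mozilla/5.0"')
    lines = [fmt.format(ip="203.0.113.7", m=0, s=i * 5, st=200) for i in range(8)]
    lines.append(fmt.format(ip="198.51.100.20", m=1, s=0, st=200))  # one typo
    lines.append(fmt.format(ip="198.51.100.20", m=1, s=9, st=302))  # then success
    return lines

if __name__ == "__main__":
    for ip, start, end in find_bans(sample_log()):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The user who mistypes once and then logs in is never banned, while the address that keeps guessing is cut off at its sixth failure.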

As @william said, there is nothing to worry about if it's a bot (which it most probably is). If you also logged other traffic, you would see many more bots trying to scan your server, connect via SSH, RDP... I am logging traffic on my SSH server, and each day I have hundreds of failed connection attempts from bots.

But if you also notice other suspicious activity that does not look that automated, you should look into the details.


It's just an automated bot trying to exploit vulnerable servers that run WordPress. There's nothing to worry about and nothing to do about it; just make sure you're not running outdated services or one of them might find it like that.