Vulnerability Scanner Logs: WPScan
May 30, 2025
trunc_team

There are multiple web application security scanning tools (vulnerability scanners) available, and each leaves a trail in your logs. Knowing what they are doing is critical because these tools are available to both good and bad actors. This means that what might seem to be a benign scan could be a bad actor looking for a vulnerability to exploit.

We recommend blocking this type of activity unless you have an internal team performing these scans; in that case, whitelist their environment to perform the scan and block the rest of the world.

In this article, we will dive into what the WPScan scanner is doing and provide a series of logs that you can use to update your defense posture.

This test used the WPScan tool in its default configuration, run against one of our honeypot domains. Note that vulnerability scanners can be very noisy: against a vanilla WordPress instance with a default theme, it generated over 10,000 requests (10,000 logs).



192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.php.swp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config HTTP/1.1" 404 162 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /backup.wp-config.php HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.swp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.php.swo HTTP/1.1" 404 660 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /%23wp-config.php%23 HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config_backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config%20-%20Copy.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config%20copy.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config_good HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup.txt HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup1.txt HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php.bak HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php~ HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config.backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-good HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.save HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.tar HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.prod.php.txt HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.temp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.txt HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-config.zip HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-configbak HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-config~ HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)" ...


As shown in the logs above, WPScan aggressively probes for variations of the wp-config.php file — the core configuration file in WordPress that contains sensitive database credentials and other critical settings. While none of these attempts succeeded (as indicated by the 404 responses), the sheer volume and variety of the requests highlight a key risk: even small misconfigurations or forgotten backup files can expose a site to compromise.

What These Logs Tell You

Each log entry gives us insight into what WPScan (or a malicious user mimicking WPScan) is searching for:
  • Files with common backup extensions like .bak, .swp, .txt, or .zip
  • Improperly named or duplicated config files such as wp-config-good, wp-config_backup, or wp-config~
  • Misconfigured access to system-generated files that should never be web-accessible


How to Use This Information Defensively

Here are some concrete steps you can take to harden your environment:
1. Monitor for Similar Patterns: Set up detection rules to alert and/or block when these types of requests are made.
2. Block and Rate-Limit Known Scanners: If you’re not actively using WPScan or other scanners, consider blocking their user agents, IPs, or even entire ASN ranges.
3. Harden Your WordPress Installation:
  • Never leave backup files in the web root
  • Restrict access to sensitive files via .htaccess or NGINX rules
  • Use strong file permissions (e.g., 600 for wp-config.php)
  • Keep your WordPress core, themes, and plugins updated

4. Whitelist Your Internal Scans: If you conduct internal scans, whitelist your scanner IPs and label them clearly in logs.
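
One way to implement the detection rule from step 1, as an added example (not code from Trunc or WPScan). It keys on the requested file name rather than the user agent, so a client sending the same probes with a browser user agent is still caught, and any 2xx response to a wp-config variant is flagged as an exposed file. The function names, verdict labels, threshold and sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

LINE_RE = re.compile(  # combined log format, as in the log lines above
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def config_probe(path):
    """Return the decoded file name if it is a wp-config variant, else None."""
    name = unquote(path.split("?", 1)[0]).rsplit("/", 1)[-1]
    # Exact wp-config.php is skipped: PHP normally executes it, not serves it.
    is_variant = "wp-config" in name.lower() and name.lower() != "wp-config.php"
    return name if is_variant else None

def detect(lines, threshold=3):
    """Group wp-config variant probes by client IP and attach a verdict."""
    hits = defaultdict(lambda: {"probes": 0, "wpscan_ua": False, "exposed": []})
    for line in lines:
        m = LINE_RE.match(line)
        name = config_probe(m["path"]) if m else None
        if name is None:
            continue
        entry = hits[m["ip"]]
        entry["probes"] += 1
        entry["wpscan_ua"] |= "wpscan" in m["ua"].lower()
        if m["status"].startswith("2"):  # a variant was actually served
            entry["exposed"].append(name)
    for e in hits.values():
        scanner = e["wpscan_ua"] or e["probes"] >= threshold
        e["verdict"] = "exposed-file" if e["exposed"] else "scanner" if scanner else "watch"
    return dict(hits)

def sample_line(ip, path, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [14/Sep/2022:18:18:39 +0000] "HEAD {path} HTTP/1.1" '
            f'{status} 321 "http://example.com" "{ua}"')

# Constructed sample traffic (documentation IP ranges), not real log data.
WPSCAN_UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
SAMPLE = [
    sample_line("203.0.113.10", "/.wp-config.php.swp", 404, WPSCAN_UA),
    sample_line("198.51.100.7", "/wp-config.bak", 404),   # browser UA, same probes
    sample_line("198.51.100.7", "/wp-config%20copy.php", 404),
    sample_line("198.51.100.7", "/wp-config.txt", 404),
    sample_line("192.0.2.55", "/wp-config.zip", 200),     # backup left in web root
    sample_line("192.0.2.99", "/wp-config.php", 200),     # not a variant: ignored
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

An `exposed-file` verdict means a backup or copy of the configuration was served and should be treated as a credential exposure, not just a scan.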

Pro Tip: Threat Intel Integration

If your web logs are piped into a SIEM like Trunc (good one I heard), Splunk, ELK, or Wazuh, enrich these logs with threat intel data (e.g., AbuseIPDB, ThreatFox) to quickly identify if the scanning IP is associated with malicious behavior.



The presence of WPScan logs in your web server access logs isn't inherently bad — it's a reminder that your public-facing application is always under scrutiny. While WPScan is a legitimate tool, it's freely available and often used by attackers looking for low-hanging fruit.

Use logs like these not only to detect suspicious activity but to improve your site's overall security posture. Knowing what attackers look for helps you build smarter defenses and reduce your attack surface.
