Multiple web application security scanning tools (vulnerability scanners) are available, and each leaves a trail in your logs.
Knowing what they are doing is critical because these tools are available to both good and bad actors. What might seem like a benign scan could be a bad actor looking for a vulnerability to exploit.
We recommend blocking this type of activity unless you have an internal team performing these scans; in that case, whitelist their environment so it can run the scan, and block the rest of the world.
In this article, we will dive into what the WPScan scanner is doing and provide a series of logs that you can use to update your defense posture.
This test uses the WPScan tool in its default configuration. We use it to scan one of our honeypot domains. Note that vulnerability scanners can be very noisy. Against a vanilla WordPress instance, with a default theme, it generated over 10,000 requests (10,000 logs).
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.php.swp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config HTTP/1.1" 404 162 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /backup.wp-config.php HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.swp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.php.swo HTTP/1.1" 404 660 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:39 +0000] "HEAD /%23wp-config.php%23 HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config_backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config%20-%20Copy.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config%20copy.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config_good HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup.txt HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-backup1.txt HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php.bak HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php~ HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config.backup HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-sample.php HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config-good HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.save HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.tar HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.prod.php.txt HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.temp HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:02 +0000] "HEAD /wp-config.txt HTTP/1.1" 404 5076 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-config.zip HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-configbak HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
192.46.219.xx - - [14/Sep/2022:18:30:03 +0000] "HEAD /wp-config~ HTTP/1.1" 404 321 "http://example.com" "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
...
As shown in the logs above, WPScan aggressively probes for variations of the wp-config.php file, the core WordPress configuration file that contains sensitive database credentials and other critical settings. While none of these attempts succeeded (as indicated by the 404 responses), the sheer volume and variety of the requests highlight a key risk: even small misconfigurations or forgotten backup files can expose a site to compromise.
.bak, .swp, .txt, or .zip
wp-config-good, wp-config_backup, or wp-config~
.htaccess or NGINX rules
600 for wp-config.php)
The presence of WPScan logs in your web server access logs isn't inherently bad — it's a reminder that your public-facing application is always under scrutiny. While WPScan is a legitimate tool, it's freely available and often used by attackers looking for low-hanging fruit.
Use logs like these not only to detect suspicious activity but to improve your site's overall security posture. Knowing what attackers look for helps you build smarter defenses and reduce your attack surface.
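One way to turn these logs into a detection, as an added example that is not part of the original article: the script below parses combined-format access log lines, counts requests for wp-config variants per client IP whether or not the User-Agent says WPScan, and lists any variant that returned a 2xx response. The function name, the sample lines and the 203.0.113.x / 198.51.100.x documentation addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyze(lines):
    """Return {ip: {"probes": int, "wpscan_ua": bool, "exposed": [paths]}}."""
    report = defaultdict(lambda: {"probes": 0, "wpscan_ua": False, "exposed": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format access log line
        # Drop the query string, then decode %20, %23, ... before matching.
        path = unquote(m["path"].split("?", 1)[0])
        name = path.rsplit("/", 1)[-1].lower()
        # A wp-config variant is any file name containing "wp-config"
        # other than the real configuration file itself.
        is_probe = "wp-config" in name and name != "wp-config.php"
        # The User-Agent is client-controlled: a useful hint, never the only signal.
        is_wpscan = "wpscan" in m["ua"].lower()
        if not (is_probe or is_wpscan):
            continue
        entry = report[m["ip"]]
        entry["wpscan_ua"] = entry["wpscan_ua"] or is_wpscan
        if is_probe:
            entry["probes"] += 1
            if m["status"].startswith("2"):
                # The server answered 2xx: a backup copy is being served.
                entry["exposed"].append(path)
    return dict(report)

# Constructed sample input modelled on the log excerpt above (documentation IPs).
UA = "WPScan v3.8.22 (https://wpscan.com/wordpress-security-scanner)"
SAMPLE = [
    f'203.0.113.10 - - [14/Sep/2022:18:18:39 +0000] "HEAD /.wp-config.php.swp HTTP/1.1" 404 5076 "http://example.com" "{UA}"',
    f'203.0.113.10 - - [14/Sep/2022:18:18:39 +0000] "HEAD /%23wp-config.php%23 HTTP/1.1" 404 5076 "http://example.com" "{UA}"',
    f'203.0.113.10 - - [14/Sep/2022:18:18:40 +0000] "HEAD /wp-config%20copy.php HTTP/1.1" 404 321 "http://example.com" "{UA}"',
    '198.51.100.7 - - [14/Sep/2022:19:02:11 +0000] "GET /wp-config.php.bak HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Sep/2022:19:02:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE).items():
        print(ip, entry)
```

Any path in an "exposed" list deserves immediate attention: it means a wp-config copy was actually served, regardless of which tool asked for it.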