What is WordPress user agent?

Showing up in visitor logs

         

MichaelBluejay

9:44 am on Apr 28, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't use WordPress. The visitor logs for my website are filled with user agents that identify as some flavor of WordPress, e.g.,

WordPress/6.7.1; https://c51dev.wpengine.com
WordPress/6.8; https://food.zvendo.com
WordPress/6.6.2; https://try.wpliveforms.com

WordPress is not a web browser, so how is it showing up as a user agent?

I realize that this could be log file spam, but if so, then why are the spammers identifying as WordPress?

not2easy

11:11 am on Apr 28, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



why are the spammers identifying as WordPress?
Maybe just to bypass unwanted UA blocks? Anyone can make up a UA and dump log spam. Do they all share an IP?

MichaelBluejay

12:24 pm on Apr 28, 2025 (gmt 0)


They all have unique IPs. There are dozens of them.

I stumbled across something else: None of them have JavaScript enabled. I'm currently capturing the screen size of all my mobile visitors with JS/Ajax (so I can decide what font size to use on a map I'm drawing), and *none* of the WordPress visitors are getting recorded in the database.

not2easy

1:09 pm on Apr 28, 2025 (gmt 0)


I'd use a UA block for any WordPress UA; it won't block any legitimate visitors, but deliver a 403 (or a 404 - your choice) to all of them. There is an old template that might help if you're unfamiliar with the "how": [webmasterworld.com...]

MichaelBluejay

1:26 pm on Apr 28, 2025 (gmt 0)


I know how to block, the question is, what the heck is a WordPress user agent? I know that anyone can define a user agent string as anything, but why are so many of them choosing WordPress?

not2easy

1:36 pm on Apr 28, 2025 (gmt 0)


It looks like they are interested in spamming for WP related sites/services, so maybe that suggested the UAs? When the WP UA hits a brick wall, they'll maybe try something different. I have no other theory, sorry.

lucy24

4:41 pm on Apr 28, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I can't help thinking this must be something created by WP as a misguided service to users. But still, block away! I'm assuming they request only pages, not supporting files; that's the pattern for the ones I’ve seen.

not2easy

5:52 pm on Apr 28, 2025 (gmt 0)


WordPress does not have a crawler; there is some built-in access for updates which is controlled by the user. Since the site in question is not using WP, the UAs are way off base.

lucy24

7:49 pm on Apr 28, 2025 (gmt 0)


:: repeat visit to logs ::

Oh, gosh, that takes me back further than I thought. I haven’t seen them since 2019, but it’s always the pattern in OP:
WordPress/{number in form 1.2.3}; http://example.com/
where “example.com” means some other site, not mine.

Now, 19 times out of 20 it could be dismissed as a variation on referer spam--but way back in 2016 I do see one naming a legit site that has actually sent me the occasional visitor. And, crucially, they requested the specific page that the site in question links to. I don’t know if that site used WP in 2016; quick look into their page source tells me they’re currently using Adobe PageMill. (Could be worse.)

Does WP have a link-checking plugin maybe?

not2easy

8:07 pm on Apr 28, 2025 (gmt 0)


WP doesn't do plugins per se; they curate an assortment of plugins that people can install, but they don't offer a WP branded plugin. There is a link in the WP forum Charter [webmasterworld.com] here to search for a link checker, that's about it.

MichaelBluejay

11:02 pm on Apr 28, 2025 (gmt 0)


Thanks for the ideas. Normally I don't bother blocking but this looks to be about 43% of my (7400) daily page requests.

lucy24

12:29 am on Apr 29, 2025 (gmt 0)


Did you say forty-three percent?! That's a serious invasion, and definitely worth blocking. Thoughtful of the robot to come in with a consistent, readily identifiable UA, I must say :)

Incidentally, I was mistaken in thinking I hadn't seen the UA since 2019. I checked a different way, and found scads of them--all blocked*, hence out of sight out of mind. But almost all of the recent ones name a site that, again, has sent the occasional human to the specific page they requested; I remember looking it up the first time I found it as a referer. All (the robots, not the humans) from the same IP--in India, which I very much doubt is where the linking site is hosted. But, as a further bit of plot-thickening, the site in question does use WP's nameservers and is in fact a WP site, if I’m parsing the html correctly.

Hmmmmmm.

* Embarrassingly, I’d simply forgotten that somewhere along the line I set WordPress as bad_agent. But there’s also another header deficit.

MichaelBluejay

1:29 am on Apr 29, 2025 (gmt 0)


Yep, "grep WordPress access.log" returned 2500 results when I ran it, and the day wasn't even over.

I guess it doesn't matter much what these requests are, since they're certainly not legitimate (again, they're certainly automated because they don't support JavaScript), but I'm just really curious as to what they are.

I checked the database at UserAgents.io but it says only "This user agent belongs to WordPress. wordpress.org developed this Bot," without any more detail. The answer seems like it's AI that's just guessing.
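
Added example, not code from any poster in this thread: a Python tally of requests whose user agent has the exact `WordPress/<version>; <URL>` shape quoted above, reporting their share of traffic, distinct source IPs, which sites they claim to be, and whether any fetched supporting files. It assumes Apache/nginx Combined Log Format; the log lines, hostnames and the `summarize` name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shape quoted in the thread: WordPress/<version>; <URL of the site it claims to be>
WP_UA_RE = re.compile(r'^WordPress/\d+(?:\.\d+){1,2}; (?P<site>https?://\S+)$')
# Supporting files a real browser fetches alongside a page
ASSET_RE = re.compile(r'\.(?:css|js|png|jpe?g|gif|svg|ico|woff2?)(?:\?|$)', re.I)

# Constructed sample lines (documentation IP ranges, .example hosts), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Apr/2025:09:40:01 +0000] "GET /maps.html HTTP/1.1" 200 5120 "-" "WordPress/6.7.1; https://blog-a.example"
203.0.113.11 - - [28/Apr/2025:09:40:07 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "WordPress/6.8; https://blog-b.example"
198.51.100.7 - - [28/Apr/2025:09:41:12 +0000] "GET /maps.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/137.0"
198.51.100.7 - - [28/Apr/2025:09:41:13 +0000] "GET /style.css HTTP/1.1" 200 900 "https://mysite.example/maps.html" "Mozilla/5.0 (X11; Linux x86_64) Firefox/137.0"
203.0.113.12 - - [28/Apr/2025:09:42:30 +0000] "GET /maps.html HTTP/1.1" 200 5120 "-" "WordPress/6.6.2; https://blog-a.example"
192.0.2.44 - - [28/Apr/2025:09:43:02 +0000] "GET /feed HTTP/1.1" 200 700 "-" "ExampleFeedReader/1.0 (WordPress compatible)"
"""

def summarize(log_text):
    """Tally requests whose UA matches the WordPress/<ver>; <url> shape."""
    total, wp_hits, asset_hits = 0, 0, 0
    claimed_sites, ips = Counter(), set()
    for line in log_text.splitlines():
        entry = LOG_RE.match(line)
        if entry is None:
            continue  # skip lines that are not Combined Log Format
        total += 1
        ua = WP_UA_RE.match(entry["ua"])
        if ua is None:
            continue  # e.g. the last sample line: contains "WordPress" but not this shape
        wp_hits += 1
        ips.add(entry["ip"])
        claimed_sites[urlsplit(ua["site"]).hostname] += 1
        asset_hits += bool(ASSET_RE.search(entry["path"]))
    return {
        "total": total, "wp_hits": wp_hits,
        "wp_share": wp_hits / total if total else 0.0,
        "unique_ips": len(ips), "asset_hits": asset_hits,
        "claimed_sites": claimed_sites.most_common(),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
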

Kendo

1:56 am on Apr 29, 2025 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Maybe just to bypass unwanted UA blocks?

Most use a generic user-agent anyway. I was surprised to see so many hits using a common user-agent that were not web browsers at all. My fingerprinting strings look like w10D1250161-ogdbzhuHUhuq09p-FB64Mo01250W64001111011000000003W0DmG1250 so when I see a long string of 00000000000000s I know it is suspect. For example a Curl request will look like CurS77618-odgbp-cB0000000000000000000010000000000

I have always blocked requests for SEO spy-ders because my traffic is not the business of competitors. But there is nothing to stop their spy-ders from using a common user-agent after failed requests.

brightbill

7:22 pm on Jul 7, 2025 (gmt 0)



WordPress has a feature (Pingbacks or Trackbacks) that notifies other blogs when you link to them, which can trigger HTTP requests.

Brett_Tabke

7:09 pm on Aug 11, 2025 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Ya, the pingback and trackback stuff will be in your wp_comments table. Check under Settings > Discussion for the option to allow link notifications from other blogs to see them.

btw: Akismet can help filter out spammy pingbacks and trackbacks so you won't see them but in logs.


When WordPress performs a pingback XML-RPC request to another site, it will set the User-Agent field by combining the default HTTP client’s user agent with the site’s WordPress version, formatted like this:

WordPress/6.5 -- WordPress/6.5


[developer.wordpress.org...]

Kendo

5:08 am on Aug 12, 2025 (gmt 0)


I wouldn't be surprised if some of that activity is from a WordPress plugin. It may not have been published but could have been developed for private use.

WP plugins are easy to create. Most cannibalise other plugins or hire a freelancer.

I can see how a plugin that scrapes articles from a target site and then posts them on their own site could be useful to some.