Title: Probing for vulnerable PHP code
Last modified: January 23, 2018

---

# Probing for vulnerable PHP code

 *  [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/)
 * I’m seeing quite a few of those in Activity dashboard.
    What’s weird, it’s locking
   out the server IP and the URL says “mydomain.com/wp-cron.php” Can you briefly
   explain how exactly the “Probing for vulnerable PHP code” functionality works?

Viewing 15 replies - 1 through 15 (of 18 total)

1 [2](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/page/2/?output_format=md)

 *  [frnkoc](https://wordpress.org/support/users/frnkoc/)
 * (@frnkoc)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9894751)
 * I’m having a similar issue. I use a php page to unsubscribe from our email.
    
   I’ve been getting this pages blocked for probing for vulnerable php code. How
   can i override or whitelist some pages?
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9901853)
 * More info on this.
 * Today I’m seeing a client’s IP being blocked for “Probing for vulnerable PHP 
   code”.
    URLs are domain.com/wp-admin/admin-ajax.php and domain.com/wp-admin/async-
   upload.php – so both legit. This client has Editor role, his IP didn’t change.
 * At the same time I do see malicious requests from other IPs (e.g. domain.com/
   wp-content/plugins/ubh/up.php and so on) that are being blocked. But why does
   it block the legit ones?
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9901880)
 * Also, I see broken images in Media Library, obviously resulting from the above.
 * The client was uploading an image with a strange name though – k0skf79wrp-1.jpg
   
   Maybe that’s the reason of traffic inspector triggering a block?
 *  Plugin Author [gioni](https://wordpress.org/support/users/gioni/)
 * (@gioni)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9901906)
 * That’s weird. Requests to wp-cron.php are not inspected on a normal WordPress
   installation. Traffic inspector blocks a request to a PHP script if the script
   doesn’t exist (physically on disk). Is your site on Windows/IIS hosting (server)?
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9901976)
 * No, it’s CloudLinux with cPanel, CageFS enabled. The website in question runs
   under PHP 7.2
    Cloudflare is being used too.
    -  This reply was modified 8 years, 3 months ago by [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/).
    -  This reply was modified 8 years, 3 months ago by [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/).
 *  Plugin Author [gioni](https://wordpress.org/support/users/gioni/)
 * (@gioni)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9902342)
 * Could you test out the development version: [https://my.wpcerber.com/downloads/wp-cerber.zip](https://my.wpcerber.com/downloads/wp-cerber.zip)
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9902720)
 * Installed 6.0.5 will keep an eye on it.
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9905129)
 * Same thing with 6.0.5 today.
    It keeps blocking the client’s IP for “Probing 
   for vulnerable PHP code”, URLs are: /wp-admin/admin-ajax.php /wp-admin/async-
   upload.php /wp-admin/media-new.php I think I’ll have to disable Traffic Inspector
   on that particular website because clients are complaining. Is there anything
   I can do to help troubleshoot this behavior while TI is still enabled?
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9905615)
 * Also, 6.0.5 is throwing the following error from time to time:
 *     ```
       [26-Jan-2018 12:34:42 UTC] PHP Fatal error:  Uncaught Error: Call to a member function fill_query_vars() on null in .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php:4769
       Stack trace:
       #0 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4663): cerber_get_non_wp_fields()
       #1 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4424): cerber_to_log(700, 302, 0)
       #2 .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php(4346): cerber_traffic_log()
       #3 .../public_html/wp-includes/class-wp-hook.php(286): {closure}('')
       #4 .../public_html/wp-includes/class-wp-hook.php(310): WP_Hook->apply_filters(NULL, Array)
       #5 .../public_html/wp-includes/plugin.php(453): WP_Hook->do_action(Array)
       #6 .../public_html/wp-includes/load.php(679): do_action('shutdown')
       #7 [internal function]: shutdown_action_hook()
       #8 {main}
         thrown in .../public_html/wp-content/plugins/wp-cerber/wp-cerber.php on line 4769
       ```
   
 *  Plugin Author [gioni](https://wordpress.org/support/users/gioni/)
 * (@gioni)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9906216)
 * Could you send me a content of the Server info section which is located on the
   Diagnostic page? Via [https://wpcerber.com/support/](https://wpcerber.com/support/)
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9908397)
 * Sent.
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9913126)
 * Just to note, 6.1 keeps blocking legit URLs for “Probing for vulnerable PHP code”.
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9917145)
 * Another update.
    On one of the sites Traffic Inspector keeps blocking the hosting
   server IP for “Probing for vulnerable PHP code” and URL is /wp-cron.php I examined
   the request and it’s a GET request like this: `.../wp-cron.php?_nonce=1cf7b0da30&
   doing_wp_cron=1516711060.2889339923858642578125&backwpup_run=runnow&jobid=1` 
   It’s coming from BackWPup plugin.
 *  Plugin Author [gioni](https://wordpress.org/support/users/gioni/)
 * (@gioni)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9917264)
 * Please check the .htaccess file in the root folder on your site for non-standard
   rewrite rules (other than added by WordPress).
 *  Thread Starter [Nazar Hotsa](https://wordpress.org/support/users/bugnumber9/)
 * (@bugnumber9)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/#post-9917364)
 * I have the following before standard WP rules:
 *     ```
       # Disable directory browsing
       Options -Indexes
   
       # Redirect http to https
       RewriteEngine On
       RewriteCond %{HTTPS} !=on
       RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R=301,L]
       ```
   
 * Do you think the http>https one can cause these issues?

Viewing 15 replies - 1 through 15 (of 18 total)

1 [2](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/page/2/?output_format=md)

The topic ‘Probing for vulnerable PHP code’ is closed to new replies.

 * ![](https://s.w.org/plugins/geopattern-icon/wp-cerber_77a9bf.svg)
 * [WP Cerber Security, Anti-spam & Malware Scan](https://wordpress.org/plugins/wp-cerber/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wp-cerber/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wp-cerber/)
 * [Active Topics](https://wordpress.org/support/plugin/wp-cerber/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wp-cerber/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wp-cerber/reviews/)

 * 18 replies
 * 4 participants
 * Last reply from: [gioni](https://wordpress.org/support/users/gioni/)
 * Last activity: [7 years, 10 months ago](https://wordpress.org/support/topic/probing-for-vulnerable-php-code/page/2/#post-10493263)
 * Status: not resolved