PHP Files Appearing in Next.js 14 App Logs

I found some PHP files listed in the logs of my Next.js 14 app. Has anyone encountered something like this before? I’m wondering what these files are, as the project has never used PHP.

Nov 30 03:22:19.23  GET  200  www.site.name  /xmlrpc.php
Nov 30 03:22:17.83  GET  200  www.site.name  /wp-login.php
Nov 30 03:22:16.88  GET  200  www.site.name  /xmlrpc.php
Nov 30 03:22:15.64  GET  200  www.site.name  /wp-login.php
Nov 30 03:03:11.00  GET  200  www.site.name  /xmlrpc.php
Nov 30 03:03:09.91  GET  200  www.site.name  /wp-login.php
Nov 30 03:03:08.71  GET  200  www.site.name  /xmlrpc.php
Nov 30 03:03:05.06  GET  200  www.site.name  /wp-login.php

Hi,

It sounds like malicious traffic or a bot attack. You could try using Vercel WAF, specifically setting up:

Hi, @dmproj!

The resources @swarnava shared are great. :smile:

I also recommend checking out this post shared by @earlrobb; it may be helpful for you!

Hi there, I would like to mention that the posting stripped out the escape character in the regular expression. So you need to backslash the periods in the expression.

Here is some feedback on what I have been seeing.

requestPath --> matchesPath --> .php$|.php7$|.php8$|.aspx$|.ini$|.exe$

-- Blocks approximately 1,000 to 2,000 malicious requests a day.

(wp-admin|wp-login|wp-includes|wp-content|wp-trackback|search|chosen|wp_admin|wp_login|wp_includes|wp-feed|cgi-bin|wordpress|old$|backup|home$|home/|new$|new/|main$|main/|.env$|.git|.vscode)

-- Blocks about 100 requests a day.

(/wp$|/wp/|uploads|jquery|vendor|login|assets|includes|templates|gallery|blog|admin|/bk$|/bk/|/bc$|/bc/|.ascx$|.asmx$|.ashx$|.suspected$|test|.well-known/$|.well-known$|.well-known/setup|.well-known/about|.well-known/init)

-- Blocks about 50 requests a day.

I don’t know if these long regular expressions have any sort of performance impact on the website. I am thinking I am going to consolidate the 3 Rule Slots into 1 Rule Slot regular expression and eliminate some parts of the expression that don’t seem to block very much. /gallery, for example, is not getting attacked but maybe 4 times a day, so it’s only denying 100 requests a month. I’m not sure it’s worth the overhead to block it as opposed to serving a 404. If I find that long expressions in the WAF don’t affect performance, I will probably just keep them all. I just haven’t had the chance to test if there are any performance impacts using such long expressions. I have not noticed any performance impact just casually browsing the site.

Thanks,
Earl
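
The effect of the stripped backslashes mentioned in the post above, shown as an added example that is not part of the thread: it dry-runs the first rule in both forms against sample paths before the rule goes live. The path lists are constructed, the app routes are hypothetical, and JavaScript `RegExp` is assumed to behave like the WAF's matcher for patterns this simple.

```javascript
// Added example, not code from the thread. All path lists below are constructed.
// Assumption: for these simple patterns, JavaScript RegExp matches the same
// way as the WAF's regular-expression matcher.

// First rule exactly as it appears in the post (escape characters stripped).
const asPosted = '.php$|.php7$|.php8$|.aspx$|.ini$|.exe$';

// Same rule with the periods backslashed, as the post says is required.
const escaped = String.raw`\.php$|\.php7$|\.php8$|\.aspx$|\.ini$|\.exe$`;

// Probe paths of the kind shown in the logs at the top of the thread.
const probePaths = ['/xmlrpc.php', '/wp-login.php', '/old/index.php7', '/config.ini'];

// Hypothetical legitimate routes of a Next.js app.
const appRoutes = [
  '/',
  '/recipes/panini',
  '/guides/learn-php',
  '/downloads/setup-exe',
  '/_next/static/chunks/main.js',
];

// Return the subset of paths that a deny rule with this pattern would block.
function denied(pattern, paths) {
  const re = new RegExp(pattern);
  return paths.filter((p) => re.test(p));
}

// Dry-run a rule: which probes slip through and which real routes get blocked.
function dryRun(pattern) {
  const blockedProbes = denied(pattern, probePaths);
  return {
    missedProbes: probePaths.filter((p) => !blockedProbes.includes(p)),
    blockedRoutes: denied(pattern, appRoutes),
  };
}

console.log('as posted:', dryRun(asPosted));
console.log('escaped:  ', dryRun(escaped));
```

With the unescaped form, `.` matches any character, so routes that merely end in `php`, `ini` or `exe` are denied along with the probes; the escaped form blocks the same probes and none of the sample routes.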
