• Resolved bri23ghts091unnyd23ay10

    (@bri23ghts091unnyd23ay10)


    Hi, I am a new Wordfence user. I activated Wordfence 2 days ago and I have witnessed some strange behavior in my Wordfence Live Traffic.

    Links like /?up_auto_log=true, /?3x=3x, /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php were all getting a 200 response.

    (+ Links like /index.php?3x=3x, //?up_auto_log=true were also getting a 301 response.)

    I am really concerned about this behavior and I would like to check if my website is safe and secure.

    Is it ok to just leave it like this or should I add some more code into my .conf file or so? (I am using nginx.)

    I am getting all sorts of attacks from hackers but I think my website is managing it quite well by giving them 404 errors, but just these 200, 301 responses make me concerned.

    Thanks

Viewing 2 replies - 1 through 2 (of 2 total)
  • No one else has answered yet. While waiting on my own post to get answered, I figured I’d share my 2 cents.

    What you are seeing is bots trying well-known exploits on your site to see if your site is vulnerable. So those URLs you see in the log entries might have worked on a vulnerable website, but hopefully not on your site (most likely not, since Wordfence caught it). Revolution Slider, for example, is/was a plugin that has/had tons of security holes in it. Hence bots like to check whether you happen to have it (the revslider_show_image part in your logs).

    It is just an attempt; it does not say anything about your site itself. Those AJAX calls responding with a 200 are pretty normal (the bot probably only gets a “0” as response, most of the time) and the 301s are probably just WordPress redirecting the user to another page (in some cases, if you make a typo in your URL, WordPress won’t give you a 404, but redirects you to the URL closest to a working URL instead), usually the homepage.

    Thus far I don’t see anything to be concerned about. Just a bunch of bots feeling around blindfolded (obviously this was already happening without Wordfence) and getting kicked out by Wordfence and reported.

    Hope this was helpful!

    Plugin Support wfpeter

    (@wfpeter)

    Hi @bri23ghts091unnyd23ay10, thanks for your message.

    It can be frustrating after installing Wordfence to realize how many login or strange access attempts are happening to your site, especially if there seems to be no logical reason, but this is actually quite a normal occurrence.

    You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

    Wordfence, as an endpoint firewall, cannot stop a bot or human from trying to visit your website altogether, but rather deals with the visits appropriately when they happen. Some of the query strings you see may be used by some of your installed plugins legitimately, but something like admin-ajax.php?action=revslider_show_image&img=../wp-config.php looks like an attempt to test if there’s a vulnerability to serve an important PHP file by an image slider plugin. Usually attacks such as this are done with no prior knowledge of the plugins or platform you’re running and are done in a hit-and-hope manner. However, always making sure your plugins, themes, and WordPress itself are the latest version should limit the chance of one of these succeeding.

    It is also common, when one of these query strings does nothing, to serve the normal content of your site, or a home/search page if your site redirects 404s – so these will appear to come across as successful 200 requests. Make sure to set IP block times in your Rate Limiting or Brute Force settings temporarily to 5 minutes if you decide to follow any of these links to test the outcome yourself, in case Wordfence is blocking any of them. Once the time has elapsed, you should be able to access your site again.

    I hope that helps you out!
    Peter.
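
The triage both replies describe can be run over an nginx access log. The following is an added example, not part of any reply in this thread or of Wordfence: it flags the probe query strings quoted above and separates the harmless outcomes (a tiny "0" body, a redirect, the normal page) from a traversal request that returned a real body. The `TINY_BODY` threshold, the verdict names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Request line, status and body bytes as they appear in nginx's "combined" log format.
LINE_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
PROBE_PARAMS = {"up_auto_log": "true", "3x": "3x"}  # query strings quoted in the thread
TINY_BODY = 2  # assumption: an admin-ajax.php reply of "0" is a 1-2 byte body

def classify(line):
    """Return (verdict, target) for a probe request, or None for other traffic."""
    m = LINE_RE.search(line)
    if not m:
        return None
    target, status, size = m["target"], int(m["status"]), int(m["size"])
    query = parse_qs(target.partition("?")[2], keep_blank_values=True)
    traversal = (query.get("action") == ["revslider_show_image"]
                 and any(".." in v for v in query.get("img", [])))
    generic = any(query.get(k) == [v] for k, v in PROBE_PARAMS.items())
    if not (traversal or generic):
        return None
    if traversal and status == 200 and size > TINY_BODY:
        return ("review", target)         # a real body came back: inspect what was served
    if status in (301, 302):
        return ("redirect", target)       # WordPress sending the client to another URL
    if status == 200:
        return ("likely-normal", target)  # "0" reply or the site's ordinary page
    return ("rejected", target)           # 403/404 and similar

def triage(lines):
    """Classify every line and keep only the probe requests."""
    return [r for r in map(classify, lines) if r]

# Constructed sample log lines (documentation IP range, made-up sizes and times).
_P = '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
SAMPLE = [
    _P + '"GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 1',
    _P + '"GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120',
    _P + '"GET //?up_auto_log=true HTTP/1.1" 301 0',
    _P + '"GET /?3x=3x HTTP/1.1" 200 48211',
    _P + '"GET /about/ HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    for verdict, target in triage(SAMPLE):
        print(f"{verdict:14} {target}")
```

A "review" verdict only means the response body is worth looking at by hand; a 200 with a larger body can still be an ordinary HTML page.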

  • The topic ‘Getting 200 Response from weird links like /?up_auto_log=true, /?3x=3x etc’ is closed to new replies.