Hi @drewdrewchristophercom,
The bot is hitting a /wp-includes file that exists, but it isn’t meant to be loaded on its own. This is the cause of the WP_Widget error. Our “Immediately block IPs that access these URLs” feature requires WordPress to have started normally, which it hasn’t here.
We experienced a test site recently with noise in the logs from bots very similar to this. If you’re running Apache, the following can be used in .htaccess to block direct access to many of the PHP files without breaking anything in WordPress. Some /wp-admin files need to be accessible.
<IfModule mod_rewrite.c>
RewriteEngine On
# Block access to .php files in wp-includes
RewriteCond %{REQUEST_URI} ^/wp-includes/.*\.php$ [NC]
RewriteRule .* - [F,L]
# Block access to .php files in wp-admin/includes
RewriteCond %{REQUEST_URI} ^/wp-admin/includes/.*\.php$ [NC]
RewriteRule .* - [F,L]
</IfModule>
The hits with those fatal errors probably weren’t directly related to the downtime as the rest of WordPress doesn’t load when this happens. If the database doesn’t get connected and no other PHP files are loaded, these hits fail very quickly. There were likely other hits that were reaching URLs that do get loaded by WordPress if the downtime was caused by excess resource usage.
Many thanks,
Peter.
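An added example, not part of Peter's reply: a small log triage script that separates direct hits on the include directories (the requests the rules above would answer with 403) from requests that do reach WordPress, counted per client IP. It assumes Apache's combined log format; the sample lines, IP addresses and status codes are constructed for illustration.

```python
import re
from collections import Counter

# Same two patterns as the .htaccess rules above; re.I mirrors the [NC] flag.
DIRECT_INCLUDE = re.compile(r"^/wp-(?:includes|admin/includes)/.*\.php$", re.I)

# Combined log format: client IP, request method, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation IP ranges), not taken from a real site.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-includes/widgets/class-wp-widget-text.php HTTP/1.1" 500 0 "-" "bot"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /WP-Includes/widgets/class-wp-widget-text.php?x=1 HTTP/1.1" 500 0 "-" "bot"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/includes/upgrade.php HTTP/1.1" 500 0 "-" "bot"
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "bot"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "bot"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "bot"
192.0.2.4 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-includes/js/jquery/jquery.min.js HTTP/1.1" 200 87533 "-" "browser"
"""


def classify(log_text):
    """Return (direct, other): per-IP Counters of include hits vs. everything else."""
    direct, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, target, _status = m.groups()
        # %{REQUEST_URI} in mod_rewrite excludes the query string, so drop it here too.
        path = target.split("?", 1)[0]
        if DIRECT_INCLUDE.match(path):
            direct[ip] += 1
        else:
            other[ip] += 1
    return direct, other


if __name__ == "__main__":
    direct, other = classify(SAMPLE_LOG)
    print("Direct include hits (would be blocked):", dict(direct))
    print("Requests that reach WordPress or static files:", dict(other))
```

The second counter is where to look when investigating resource usage, since those requests are not affected by the two rules.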