I see lots of 500 errors from bots that are apparently probing random files around my WordPress install that aren’t intended to be directly accessed. I’ve tested this on a brand new WordPress 6.6.1 install with no plugins or themes added and get the same result. Here are some of the URLs and error messages I see a lot of:
/wp-includes/blocks/
Undefined constant "ABSPATH" in /var/www/html/wp-includes/blocks/index.php:8
Stack trace: 0 {main} thrown in /var/www/html/wp-includes/blocks/index.php on line 8
/wp-settings.php
Undefined constant "ABSPATH" in /var/www/html/wp-settings.php:33
Stack trace: 0 {main} thrown in /var/www/html/wp-settings.php on line 33
/wp-admin/includes/admin.php
Call to undefined function get_locale() in /var/www/html/wp-admin/includes/admin.php:16
Stack trace: 0 {main} thrown in /var/www/html/wp-admin/includes/admin.php on line 16
Now that I’m looking, I see in the logs that bots hit all of the files like this throughout WordPress, but only some of them return 500 errors like above.
Is there any suggestion to block bots (and anybody else for that matter) from hitting URLs that are not intended to be accessed directly? If there is a definitive list of files that aren’t supposed to be accessed directly I could probably handle this myself, but the lists I’ve found are not definitive and often not even correct.
By the way, the reason I’d like to block these is that we have a system that emails us about fatal errors, notices and other types of errors. But I would also like to harden against bots probing if possible.
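One way to keep these probe-induced fatals out of the error e-mails, as an added example that is not part of the original post: all three errors quoted above share a signature (the failing file is the requested file itself, the stack trace holds only `{main}`, and the message is a missing constant or function), which tells them apart from a fault inside a normally bootstrapped request. The function names are hypothetical, `index.php` is assumed to be the directory index, and pulling the URL, error and trace out of your own logs is left to the alerting system.

```python
import re
from urllib.parse import urlsplit

DOCROOT = "/var/www/html"  # document root seen in the post's error paths

# PHP reports an uncaught Error as "<message> in <file>:<line>"
THROWN_AT = re.compile(r"^(?P<msg>.+?) in (?P<file>/\S+):(?P<line>\d+)$")
# Symptoms of a core file executing before WordPress has been bootstrapped
NOT_BOOTSTRAPPED = re.compile(r"Undefined constant|Call to undefined function")
# One stack frame: optional '#', frame number, then the frame's first token
FRAME = re.compile(r"(?:^|\s)#?\d+\s+(\S+)")


def script_for(url, docroot=DOCROOT):
    """Map a request URL to the PHP file the web server would execute."""
    path = urlsplit(url).path
    if path.endswith("/"):
        path += "index.php"  # assumption: index.php is the directory index
    return docroot + path


def classify(url, error, trace):
    """Return 'direct-access' when the requested file itself failed as the
    entry script with nothing loaded before it; otherwise 'real'."""
    m = THROWN_AT.match(error.strip())
    if not m:
        return "real"
    entry_script_failed = m["file"] == script_for(url)
    only_main_frame = FRAME.findall(trace) == ["{main}"]
    if entry_script_failed and only_main_frame and NOT_BOOTSTRAPPED.search(m["msg"]):
        return "direct-access"
    return "real"


def alerts(events):
    """URLs whose fatal error should still be e-mailed."""
    return [url for url, error, trace in events if classify(url, error, trace) == "real"]


# The first three events are the ones quoted in the post; the last is constructed.
EVENTS = [
    ("/wp-includes/blocks/", 'Undefined constant "ABSPATH" in /var/www/html/wp-includes/blocks/index.php:8', "0 {main}"),
    ("/wp-settings.php", 'Undefined constant "ABSPATH" in /var/www/html/wp-settings.php:33', "0 {main}"),
    ("/wp-admin/includes/admin.php", "Call to undefined function get_locale() in /var/www/html/wp-admin/includes/admin.php:16", "0 {main}"),
    ("/?p=1", "Call to undefined function example_helper() in /var/www/html/wp-content/plugins/example-plugin/example.php:12",
     "#0 /var/www/html/wp-settings.php(1): include_once() #1 {main}"),
]

if __name__ == "__main__":
    for url, error, trace in EVENTS:
        print(classify(url, error, trace), url)
```

Because the check keys on the error's shape rather than on a list of file names, it does not depend on having a definitive list of files that should never be requested directly.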
