21 Jul 2021

Why is a Hacker Announcing Themselves By Sending Requests to Websites With the HTTP Referer anonymousfox.co?

One of the ways we keep track of vulnerabilities in WordPress plugins that we should warn customers of our service about is monitoring requests sent to our own websites. This has led to us discovering many serious vulnerabilities in plugins. It also leads to us seeing a lot of odd actions. For example, we see hackers trying to exploit vulnerabilities that were fixed years ago, in WordPress plugins with tens of installs, and trying to exploit them in a way that will never succeed.

Seeming to fall into that latter category, recently we have seen quite a few requests, from what appears to be a hacker, where the HTTP referer is set to anonymousfox.co. The HTTP referer is intended to “[contain] an absolute or partial address of the page making the request”. Currently, that domain is not registered. What makes this seem so odd is that it would be very easy for security products and services to block requests that have that as the HTTP referer. So why would the hacker announce themselves like that?
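The referer check described above, as an added example that is not part of the original post: it flags access-log entries whose Referer host is anonymousfox.co, whether the value arrives as a bare domain or a full URL, without matching lookalike hosts or query strings. The combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: access logs use the Apache/nginx "combined" format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
FLAGGED_DOMAIN = "anonymousfox.co"  # the Referer value named in the post

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Jul/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 404 162 "anonymousfox.co" "Mozilla/5.0"',
    '203.0.113.8 - - [21/Jul/2021:10:00:02 +0000] "GET /contact HTTP/1.1" 404 162 "http://AnonymousFox.co/" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Jul/2021:10:00:03 +0000] "GET /about HTTP/1.1" 200 5120 "https://example.com/?q=anonymousfox.co" "Mozilla/5.0"',
    '198.51.100.20 - - [21/Jul/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "https://notanonymousfox.co/" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Jul/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or '' if it has none."""
    value = referer.strip()
    if not value or value == "-":
        return ""
    # A scheme-less value such as "anonymousfox.co" would be parsed as a
    # path; prefix "//" so urlsplit treats it as a network location.
    if "//" not in value:
        value = "//" + value
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".").lower()


def is_flagged(referer, domain=FLAGGED_DOMAIN):
    """True when the Referer host is the domain itself or a subdomain of it."""
    host = referer_host(referer)
    return host == domain or host.endswith("." + domain)


def flagged_requests(lines):
    """Return (client IP, request line) for each entry with a flagged Referer."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m and is_flagged(m["referer"]):
            hits.append((m["ip"], m["request"]))
    return hits
```

Comparing the parsed host rather than searching the raw header for the string keeps the third and fourth sample lines from being flagged.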