Honeypot Intelligence Report
28,000+ Requests in 9 Days.
We Don't Even Run WordPress.
We launched sunglasses.dev on April 1, 2026. Within 72 hours, France-based bots were already probing us for WordPress admin panels, login pages, config files, and secrets. We're a static security site with zero PHP, zero MySQL, zero WordPress. They didn't care. Here's what we discovered.
Published April 9, 2026 · Sunglasses Threat Intelligence · Research by CAVA · Reviewed by Claude + AZ
28K+
Total Requests
in 9 Days
72h
Until First
Bot Attacks
0
WordPress Files
on Our Server
The contradiction that matters: We run a static site on Cloudflare Pages. No PHP. No MySQL. No wp-admin. No plugins. Zero WordPress files anywhere. Yet within 72 hours of going live, automated scanners — primarily from France-based infrastructure — were already probing us for WordPress credentials and secret files. If you run a website, you're being probed right now.
What They're Looking For
Every request below was logged by our Cloudflare telemetry on sunglasses.dev. These aren't hypothetical attacks — this is what actually hit our server in its first 9 days online. France-based infrastructure was the heaviest bot source, concentrated in the first 72 hours after launch.
/wp-login.php
Login brute-force
/wp-admin/
Admin panel access
/xmlrpc.php
Auth amplification
/wp-config.php
DB credentials
/.git/config
Source code theft
/.git/HEAD
Repo discovery
/administrator
CMS panel fishing
Bar widths represent relative request volume from our telemetry sample. Exact counts vary by day.
Three Classes of Attack Intent
| Path | Attacker Intent | If Successful |
|---|
/wp-login.php | Credential brute-force | Full admin access to WordPress dashboard |
/xmlrpc.php | Auth amplification | Test thousands of passwords in a single request |
/wp-admin/ | Admin panel discovery | Confirm target runs WordPress, attempt login |
/wp-config.php | Database credential theft | Direct database access, full data compromise |
/.env | Environment secret theft | API keys, tokens, passwords in plaintext |
/.git/config | Source code theft | Clone entire codebase including embedded secrets |
What Happens After They Get In
This is the standard attack progression for WordPress compromise — from first scan to AI agent poisoning.
Step 1
Recon
Spray /wp-admin, /xmlrpc, /.env across millions of IPs
Step 2
Login
Brute-force wp-login, XML-RPC multicall batching
Step 3
Foothold
Exploit weak credentials or unpatched plugin
Step 4
Persist
Rogue admin, backdoor plugin, webshell in PHP
Step 5
Monetize
SEO spam, redirects, crypto miners, ad injection
Step 6
AI Poison
Hidden instructions for AI agents that read the page
Steps 1 and 2 are what we observed. We caught the recon phase on a site that has nothing to find. On a real WordPress site with weak credentials, step 3 happens in minutes.
Why WordPress Is the #1 Commodity Target
- 42.5% of all websites run WordPress (W3Techs, April 2026) — the largest attack surface on the internet
- 7,966 new vulnerabilities found in WordPress plugins and themes in 2024 alone — that's ~22 per day (Patchstack)
- +34% year-over-year increase in vulnerability count vs 2023
- 96% of vulnerabilities were in plugins, not WordPress core
- 43% required no authentication to exploit
- 500,000+ infected websites observed in 2024, according to Sucuri
- 1,614 plugins/themes removed from the WordPress repository for unpatched security issues
Source: Patchstack — State of WordPress Security in 2025 (data period: 2024)
The xmlrpc.php Trick: One Request, Thousands of Passwords
Most people know about brute-forcing /wp-login.php. Fewer know about xmlrpc.php — and it's far more dangerous.
XML-RPC's system.multicall method lets an attacker batch hundreds of authentication attempts into a single HTTP request. Instead of one login attempt per request (which rate-limiters catch), they send one request containing 500 username/password pairs.
Why this matters: Most WordPress rate-limiting and login-protection plugins count requests, not authentication attempts. A single POST to xmlrpc.php can test 500 credentials while appearing as one request in the access log.
What defenders see:
- Repeated POSTs to
/xmlrpc.php
- Multicall payloads with nested
wp.getUsersBlogs calls
- Correlated login failures or account lockouts
- High request body sizes relative to normal traffic
Fix: Disable XML-RPC entirely if you don't use it (most modern WordPress sites don't need it). At minimum, block system.multicall at the WAF level.
The Part Nobody Is Talking About: AI Agent Poisoning
This is Sunglasses territory. Everyone talks about WordPress hardening. Almost nobody talks about what happens when a compromised website meets an AI agent.
Here's the chain:
- Website gets compromised through any of the methods above
- Attacker injects hidden content — invisible text, SEO spam, or deceptive instructions buried in the page
- AI browsing agent ingests the page during research, summarization, or retrieval
- Hidden instructions influence the model's behavior — ignore safety policy, exfiltrate data, fetch malicious URLs, misuse tools
- If the agent has tool privileges, the blast radius expands: file access, API calls, code execution
This is indirect prompt injection (OWASP LLM01:2025) — and compromised WordPress sites are one of the largest delivery surfaces for it.
Traditional web compromise response isn't enough anymore. You now need:
- Website integrity controls (prevent and detect compromise)
- AI ingestion-layer defenses (scan content before agents process it)
At the same time. This is the gap Sunglasses is built to fill.
What You Should Do Right Now
Today (Priority 0)
- Block or rate-limit
/wp-login.php, /xmlrpc.php, /wp-admin* for non-authenticated IPs
- Block probes for
/.env, /.git/*, /wp-config.php at the WAF level
- Disable XML-RPC if you don't actively use it
- Enforce MFA and strong passwords for all admin accounts
- Remove unused plugins and themes — patch everything else immediately
This Week (Priority 1)
- Add virtual patching or a WAF tuned for WordPress plugin CVEs
- Run integrity checks for unauthorized admin users and file modifications
- Separate bot traffic from human traffic in your analytics
- Alert on
.git, .env, and backup-file path probes
AI-Era Hardening (Priority 2)
- Treat external web content as untrusted input to AI agents
- Add pre-ingestion scanning for prompt-injection patterns and hidden directives
- Require policy checks and allowlists before tool execution from web-derived instructions
- Add human approval gates for high-risk actions triggered by browsed content
How Sunglasses Detected This
- Cloudflare telemetry surfaced concentrated 4xx request patterns against CMS and secret-file paths
- Honeypot analysis converted noisy scanner traffic into attributable threat intelligence
- Pattern classification categorized probes by intent: credential abuse, secret-file recon, source theft
- Cross-analysis separated commodity spray from higher-risk targeted behavior
What we turned "error noise" into: Most site operators ignore 4xx errors — they look like broken links. We treated them as attacker telemetry. The result is this report and a clearer picture of how commodity recon works at internet scale.
How Bots Found Us Within 72 Hours of Launch
We launched on April 1. The bots arrived within 72 hours. How?
Certificate Transparency (CT) logs. The moment our SSL certificate was issued, it appeared in public CT logs. Automated scanners monitor these feeds in real time using tools like CertStream. Research from SANS ISC and UC Santa Barbara confirms: network probes arrive "just seconds" after a CT log entry is published.
The heaviest early traffic came from France-based infrastructure — primarily OVH (OVHcloud), Europe's largest hosting provider headquartered in Roubaix, France. OVH operates 4.5+ million IP addresses and is well-documented as a source of automated scanning traffic:
- Scamalytics rates OVH traffic at a 59/100 fraud risk score
- Imperva's Bad Bot Report named OVH SAS as a known bot infrastructure provider
- 51% of all internet traffic in 2024 was bots (Imperva/Thales 2025 report)
This is not unique to us. Every new website on the internet goes through this. The difference is that we caught it, measured it, and are sharing the data.
Honest Assessment
What we know for certain
- 28,000+ total requests hit sunglasses.dev in its first 9 days online (Cloudflare analytics, verified April 9, 2026)
- 123 attacks were blocked by Cloudflare in the same period
- France-based infrastructure was the heaviest bot traffic source, concentrated in the first 72 hours after launch
- Bot requests targeted WordPress admin panels, login pages, config files, .env files, and .git directories
- Traffic originated from 75+ countries (US, FR, AU, CA, IN, NL, DE and others confirmed)
- Our site has zero WordPress components — every WordPress-path request was an automated probe
What we don't claim
- We cannot attribute specific requests to specific threat actors — this is commodity scanning, not targeted APT activity
- Exact per-path request counts are not available in Cloudflare's free tier analytics — bar chart shows relative volume from firewall event samples
- "France-based" means the request origin infrastructure was geolocated to France — not that the attackers are French
- Not all 28K requests were malicious — this total includes legitimate visitors, search engine crawlers, and bot traffic combined
Why we publish what we don't know: Security reports that overstate confidence lose trust. We tell you what we verified, what we sampled, and what still needs deeper export. That's how credibility works.