Wow, it's the site's 42 millionth hit. As usual, these "hits" aren't a measure of humans visiting pages; that count would be much lower. It's just requests to the website: every time a robot visits some page, the count goes up. If a human views a page that contains a dozen graphics, those graphics cause another dozen hits. So "a million hits" isn't as impressive as it sounds. But hits are easy to measure so that's what I measure. We can take a look at the log:
193.142.146.226 - - [20/Nov/2023:23:17:39 +0000] "GET /wp-content/plugins/core-plugin/include.php HTTP/1.1" 404 1441 "www.google.com" "Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36".
This user is finding out that my web site doesn't have a /wp-content/plugins/core-plugin/include.php page. Looking through yesterday's logs, I see this user tried about 3000 pages with addresses like /wp-something/something/something.php, none of which existed. This was an automated bot looking to hack into my site, trying various WordPress PHP pages with known security problems. This is a little silly, since my web site, like about half of all web sites, isn't a WordPress site at all.
I guess if you're a hacker writing a bot to exploit 3000 known bugs in WordPress plugins, it's easier just to try to exploit all the bugs than to figure out whether the target web site uses WordPress at all. A lot of web sites use WordPress. Pretty easy to try all 3000 exploits on all web sites; computing time is cheap these days. And if you're a hacker, you probably stole that computing time anyhow.
Hmm, bots aren't so interesting. Would you be more interested to know that some human was looking at photos of physical tables used by actuaries that I snapped at the Smithsonian Museum of American History many years back? That human came along at about the same time as the hackerbot.
