Creepy Crawlers: Hunting Those Who Hunt For WordPress Plugins
ID: 24c5c32f-7d78-58a7-88a2-9f4c4b79e89e
STIX ID: report--24c5c32f-7d78-58a7-88a2-9f4c4b79e89e
Feed Name: GreyNoise Labs
GreyNoise observed ~40K unique WordPress plugin enumeration events over 92 days, revealing coordinated and persistent scanning from multiple ASNs (notably UCLOUD HK and Akamai/Linode). The activity included 91 single-plugin specialists focused on the post-smtp plugin, a large Sri Lanka Telecom-driven spike that scanned 334 plugins in two days, and weekend-biased automated scanning. The report ties the scanning activity to published CVEs for the targeted plugins (e.g., the post-smtp account-takeover CVE) and recommends tagging, JA4-based alerting, weekend monitoring, and patching high-risk plugins.
