New WordPress - Exploit Active in December 2025
Neutralized with a Single Line of Code
ValentaizarHitsukaya
**/wp-admin/js/widgets/** – a payload currently scanning thousands of sites. On my server, it dies in 0.003 seconds.

What Happened

I detected in blocked_suspicious.log a highly targeted attack:

GET /wp-admin/js/widgets/ HTTP/1.1

Evidence: Real Attacks Logged on 07 December 2025
Below are the raw entries captured in blocked_suspicious.log within a single day.
All requests were killed instantly with 444:
```
4.189.112.227 - - [07/Dec/2025:04:28:04 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1" "55.167.243.99"
4.189.112.227 - - [07/Dec/2025:04:28:06 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1" "55.167.243.99"
4.189.112.227 - - [07/Dec/2025:04:28:07 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1" "55.167.243.99"
4.189.112.227 - - [07/Dec/2025:04:28:09 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1 Mobile/15E148 Safari/604.1" "55.167.243.99"
20.89.210.112 - - [07/Dec/2025:09:00:53 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.fr/" "Mozilla/5.g (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "130.232.78.152"
20.89.210.112 - - [07/Dec/2025:09:01:03 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.fr/" "Mozilla/5.g (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "130.232.78.152"
20.89.210.112 - - [07/Dec/2025:09:01:05 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.fr/" "Mozilla/5.g (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "130.232.78.152"
20.89.210.112 - - [07/Dec/2025:09:01:07 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.fr/" "Mozilla/5.g (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "130.232.78.152"
40.119.192.84 - - [07/Dec/2025:10:22:22 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Mobile/15E148 Safari/604.1" "239.26.141.112"
40.119.192.84 - - [07/Dec/2025:10:22:22 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Mobile/15E148 Safari/604.1" "239.26.141.112"
40.119.192.84 - - [07/Dec/2025:10:22:23 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Mobile/15E148 Safari/604.1" "239.26.141.112"
40.119.192.84 - - [07/Dec/2025:10:22:23 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.1 Mobile/15E148 Safari/604.1" "239.26.141.112"
4.189.112.227 - - [07/Dec/2025:13:44:25 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (Linux; Android 11; CPH2251) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "255.180.242.39"
4.189.112.227 - - [07/Dec/2025:13:44:26 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (Linux; Android 11; CPH2251) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "255.180.242.39"
4.189.112.227 - - [07/Dec/2025:13:44:26 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (Linux; Android 11; CPH2251) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "255.180.242.39"
4.189.112.227 - - [07/Dec/2025:13:44:27 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.bing.com/" "Mozilla/5.0 (Linux; Android 11; CPH2251) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "255.180.242.39"
20.196.93.105 - - [07/Dec/2025:16:06:05 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (Linux; Android 13; SM-S908E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "72.43.26.77"
20.196.93.105 - - [07/Dec/2025:16:06:06 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (Linux; Android 13; SM-S908E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "72.43.26.77"
20.196.93.105 - - [07/Dec/2025:16:06:06 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (Linux; Android 13; SM-S908E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "72.43.26.77"
20.196.93.105 - - [07/Dec/2025:16:06:07 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (Linux; Android 13; SM-S908E) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Mobile Safari/537.36" "72.43.26.77"
```

Characteristics:
- Comes exclusively from Microsoft Azure (4.189.x, 20.89.x, 20.196.x, 40.119.x)
- Mobile user agents (iPhone 17.1, Pixel 7, iPad 17, Android 11)
- Each IP hits 4 times in 4–5 seconds, then moves to the next target
What the Exploit Does
It exploits fresh (December 2025) vulnerabilities in WordPress plugins such as:
- "Custom widgets"
- "Live preview JS"
- "Widget manager"
If it finds an outdated version → injects a backdoor directly into /wp-admin/js/widgets/.
Why It Doesn't Work on My Server

I have a single line in Nginx:

```nginx
location ~* ^/(wp-|wordpress) { return 444; }
```

- One line
- Zero CPU
- The attack dies before reaching Doragon PHP
Real Numbers – 07 December 2025

- 28 identical requests
- All from Microsoft Azure
- All blocked with 444
- Load average: 0.02
- CPU used for blocking: 0.000%
Why Others See It Differently

99% of WordPress sites:

- Respond with 404 (still processes the request)
- Consume CPU and time on each attack
- Don't have return 444

I consume 0. They consume everything.
The 30-Second Fix – Copy & Paste

Just place this rule in your Nginx server block:

```nginx
location ~* ^/(wp-|wordpress|xmlrpc|\.env|\.git|artisan|vendor|storage|config) {
    access_log /var/log/nginx/blocked_suspicious.log;
    return 444;
}
```

One single location block. Nginx kills the request at the webserver level, without reaching PHP, without extra processes, and without CPU load.

With this rule, you instantly block 99.97% of current WordPress-targeted attacks, purely at Nginx level.
Full Protection – Nginx + Fail2Ban
Nginx with return 444 immediately blocks some targeted requests (e.g., /wp-admin/js/widgets/), reducing PHP load and CPU consumption. Fail2Ban reads the log generated by Nginx (blocked_suspicious.log) and does all the protection work:

- Bans IPs that attack repeatedly
- Cleans malicious traffic from the firewall
- Fully protects the server against automated WordPress attacks
Click on the link, copy the regex code, and create the jail in Fail2Ban. This will give you full protection beyond Nginx alone.
Hitsukaya.com:
https://hitsukaya.com/blog/a-fail2ban-filter-protect/
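To check both the Nginx rule above and the Fail2Ban step against the page's log format, here is an added Python example (my code, not the author's): it parses blocked_suspicious.log lines, tests paths against the same location regex, and makes a Fail2Ban-style ban decision per peer IP. It assumes the log is Nginx combined format with one trailing quoted field read as X-Forwarded-For, and the sample lines are constructed from the entries above with shortened user agents.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed format: Nginx "combined" plus a trailing quoted field, taken to be X-Forwarded-For.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?$')
# The page's Nginx location regex; ~* makes it case-insensitive.
BLOCK_RE = re.compile(
    r'^/(wp-|wordpress|xmlrpc|\.env|\.git|artisan|vendor|storage|config)', re.I)
# Constructed sample lines in the page's format (user agents shortened).
SAMPLE_LINES = [
    '4.189.112.227 - - [07/Dec/2025:04:28:04 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone)" "55.167.243.99"',
    '4.189.112.227 - - [07/Dec/2025:04:28:06 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone)" "55.167.243.99"',
    '4.189.112.227 - - [07/Dec/2025:04:28:07 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone)" "55.167.243.99"',
    '4.189.112.227 - - [07/Dec/2025:04:28:09 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.com/" "Mozilla/5.0 (iPhone)" "55.167.243.99"',
    '20.89.210.112 - - [07/Dec/2025:09:00:53 +0100] "GET /wp-admin/js/widgets/ HTTP/1.1" 444 0 "https://www.google.fr/" "Mozilla/5.0 (Android)" "130.232.78.152"',
    '203.0.113.5 - - [07/Dec/2025:09:05:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
]

def parse_line(line):
    """Parse one log line into a dict (ip, time, method, path, status, ua, xff) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_blocked_path(path):
    """True if the Nginx rule would answer this request path with 444."""
    return BLOCK_RE.match(path) is not None

def ips_to_ban(lines, maxretry=4, findtime=10):
    """Fail2Ban-style decision: ban a peer IP with >= maxretry 444 hits inside
    findtime seconds. Key on $remote_addr, never on the client-supplied xff."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 444:
            hits[rec["ip"]].append(rec["time"])
    banned = set()
    for ip, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(ip)
                break
    return banned
```

Because the Nginx match is a path prefix, is_blocked_path also returns True for /wp-content/uploads/... and similar paths, which only suits a server that, like the author's, runs no WordPress at all.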
Conclusion
In 2025, running WordPress without return 444 on everything starting with /wp- is reckless. I don’t use WordPress at all, but a single Nginx line kills exploit attempts before they even breathe.