Executive Summary
Total Log Entries: 1,308 (across 28 files, Jan 31 – Feb 28)
AH01276 Errors: 1,300 (autoindex:error, directory index forbidden)
AH01630 Errors: 8 (authz_core:error, client denied)
Unique Client IPs: 96 (distinct external addresses)
Unique Dirs Probed: 105 (distinct WordPress paths triggered)
Peak Day: Feb 22 (205 entries, multi-IP coordinated scan)
Peak Hour: 20:00 (155 entries in one hour; JST midnight)
PHP / Fatal Errors: 0 (no PHP errors detected in logs)
Key Finding: 100% of all log entries are directory enumeration events. External crawlers/bots are systematically requesting WordPress directories (/wp-includes/, /wp-admin/, /wp-content/) without an index file, causing Apache's autoindex module to block and log the attempt. The pattern is consistent with automated WordPress reconnaissance tooling.
Security Alert: 8 IPs were explicitly denied access to /wp-content/plugins/akismet/ (AH01630). These IPs attempted to directly access a plugin directory blocked by server configuration — indicative of targeted plugin enumeration.
No PHP Execution Attacks: No PHP Fatal errors, SQL injection payloads, eval() calls, base64-encoded payloads, xmlrpc.php exploitation, .env/.git probing, or directory traversal (../) patterns were found in these error logs. Attacks are reconnaissance-phase only.
1. Daily Error Count (by Log File)
| File (Date) | Day | Lines (file) | Actual Date Entries | Volume |
|---|---|---|---|---|
| error_log.20260201.gz | Sun | 97 | 12 (Feb 01) + 90 (Jan 31 overflow) | High |
| error_log.20260202.gz | Mon | 23 | 40 (actual Feb 02 total) | Low |
| error_log.20260203.gz | Tue | 28 | 23 | Low |
| error_log.20260204.gz | Wed | 30 | 34 | Low |
| error_log.20260205.gz | Thu | 21 | 122 | High |
| error_log.20260206.gz | Fri | 124 | 17 | High |
| error_log.20260207.gz | Sat | 17 | 21 | Low |
| error_log.20260208.gz | Sun | 32 | 26 | Low |
| error_log.20260209.gz | Mon | 23 | 16 | Low |
| error_log.20260210.gz | Tue | 20 | 23 | Low |
| error_log.20260211.gz | Wed | 17 | 61 | Med |
| error_log.20260212.gz | Thu | 53 | 28 | Med |
| error_log.20260213.gz | Fri | 32 | 68 | Med |
| error_log.20260214.gz | Sat | 64 | 3 | Low |
| error_log.20260215.gz | Sun | 3 | 2 | Min |
| error_log.20260216.gz | Mon | 2 | 33 | Min |
| error_log.20260217.gz | Tue | 33 | 11 | Low |
| error_log.20260218.gz | Wed | 11 | 6 | Min |
| error_log.20260219.gz | Thu | 6 | 38 | Min |
| error_log.20260220.gz | Fri | 42 | 28 | Med |
| error_log.20260221.gz | Sat | 24 | 45 | Med |
| error_log.20260222.gz | Sun | 86 | 205 | PEAK |
| error_log.20260223.gz | Mon | 178 | 70 | High |
| error_log.20260224.gz | Tue | 63 | 82 | High |
| error_log.20260225.gz | Wed | 75 | 17 | High |
| error_log.20260226.gz | Thu | 17 | 106 | Low |
| error_log.20260227.gz | Fri | 128 | 56 | High |
| error_log.20260228.gz | Sat | 59 | 25 | Med |
| TOTAL | | 1,308 | 1,308 | |

Note: "Lines (file)" = lines in the .gz file (may contain previous day overflow). "Actual Date Entries" = entries with that calendar date inside the log content. Feb 01 file contains 90 Jan 31 entries.

Actual daily entry counts from log content (by calendar date):

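| Date | Entries |
|---|---|
| Jan 31 | 90 |
| Feb 01 | 12 |
| Feb 02 | 40 |
| Feb 03 | 23 |
| Feb 04 | 34 |
| Feb 05 | 122 |
| Feb 06 | 17 |
| Feb 07 | 21 |
| Feb 08 | 26 |
| Feb 09 | 16 |
| Feb 10 | 23 |
| Feb 11 | 61 |
| Feb 12 | 28 |
| Feb 13 | 68 |
| Feb 14 | 3 |
| Feb 15 | 2 |
| Feb 16 | 33 |
| Feb 17 | 11 |
| Feb 18 | 6 |
| Feb 19 | 38 |
| Feb 20 | 28 |
| Feb 21 | 45 |
| Feb 22 | 205 |
| Feb 23 | 70 |
| Feb 24 | 82 |
| Feb 25 | 17 |
| Feb 26 | 106 |
| Feb 27 | 56 |
| Feb 28 | 25 |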

2. Error Type Distribution

Apache module:level breakdown

[autoindex:error]: 1,300
[authz_core:error]: 8

Apache error code breakdown

AH01276: 1,300 (Cannot serve directory, no index)
AH01630: 8 (Client denied by server config)

AH01276 is triggered when a bot/crawler requests a directory URL and the server has neither a DirectoryIndex file nor Options +Indexes enabled. This means the WordPress site's directory listing is correctly blocked — but the volume indicates systematic enumeration of the entire WP directory tree.
AH01630 is triggered when a request is blocked by an explicit Deny or Require all denied rule. All 8 instances target /wp-content/plugins/akismet/ — suggesting the server has an .htaccess rule blocking direct plugin access, and bots are hitting it.

3. Top 20 Client IP Addresses
| # | IP Address | Hits | Unique Dirs Probed | Days Active | AH01630 | IP Range / Notes | Risk |
|---|---|---|---|---|---|---|---|
| 1 | 20.89.235.135 | 70 | 52 | 1 (Feb 05, 4-min burst) | | Microsoft Azure (US East) | HIGH |
| 2 | 104.46.216.98 | 63 | 48 | 2 (Feb 22–23) | | Microsoft Azure (US East) | HIGH |
| 3 | 20.78.146.86 | 60 | 32 | 5 (Feb 20–24) | | Microsoft Azure (SE Asia) | HIGH |
| 4 | 52.141.18.191 | 55 | 40 | 3 (Feb 22–24) | | Microsoft Azure (US East2) | HIGH |
| 5 | 40.115.138.121 | 55 | 15 | 5 (Feb 01,03,23,24,27) | | Microsoft Azure (AU East) | MED-HIGH |
| 6 | 20.219.8.79 | 49 | 28 | 5 (Jan 31, Feb 01,04,07,25,26) | | Microsoft Azure (India) | MED-HIGH |
| 7 | 20.151.107.14 | 47 | 39 | 1 (Feb 27) | | Microsoft Azure (US South) | MED-HIGH |
| 8 | 172.213.144.131 | 47 | 39 | 1 (Feb 26) | | Microsoft Azure (US East) | MED-HIGH |
| 9 | 20.194.29.45 | 45 | 28 | 4 (Jan 31, Feb 05,06,22) | | Microsoft Azure (SE Asia) | MED-HIGH |
| 10 | 20.89.40.149 | 39 | 32 | 2 (Feb 21–22) | | Microsoft Azure (US East) | MED-HIGH |
| 11 | 20.78.169.245 | 31 | | 2 (Feb 17,19) | | Microsoft Azure (SE Asia) | MED |
| 12 | 91.239.130.201 | 30 | | 1 (Feb 22) | YES (1) | Non-Azure — Europe (suspicious) | HIGH |
| 13 | 20.78.152.240 | 30 | 9 | 1 (Jan 31) | | Microsoft Azure (SE Asia) | MED |
| 14 | 188.95.65.43 | 30 | | 1 (Feb 16) | YES (1) | Non-Azure — Europe (suspicious) | HIGH |
| 15 | 185.193.157.211 | 30 | | 1 (Feb 05) | YES (1) | Non-Azure — Europe (suspicious) | HIGH |
| 16 | 149.88.19.87 | 30 | | 1 (Feb 13) | YES (1) | Non-Azure — CDN/VPN range | HIGH |
| 17 | 138.199.19.178 | 30 | | 2 (Feb 26–27) | YES (1) | Non-Azure — Hosting/VPN | HIGH |
| 18 | 20.197.58.121 | 25 | | 3 (Feb 22–24) | | Microsoft Azure (SE Asia) | MED |
| 19 | 20.212.209.31 | 24 | | 3 (Feb 02–04) | | Microsoft Azure (AU East) | MED |
| 20 | 20.89.52.173 | 21 | | 3 (Feb 25–27) | | Microsoft Azure (US East) | MED |

Total unique IPs seen: 96. The majority fall in Microsoft Azure IP ranges (20.x, 40.x, 52.x, 104.x, 13.x, 172.x). Non-Azure IPs with AH01630 denials are particularly suspicious.


4. Top Accessed Directories / Paths (AH01276 targets)

105 unique WordPress paths were probed in total. All paths are under /home/c3605507/public_html/security-blog-it.com/

TOP 25 MOST PROBED PATHS

| # | Relative Path | Hits | Category |
|---|---|---|---|
| 1 | /wp-content/uploads/ | 77 | uploads |
| 2 | /wp-includes/PHPMailer/ | 69 | library |
| 3 | /wp-includes/ | 68 | core |
| 4 | /wp-includes/images/ | 57 | assets |
| 5 | /wp-includes/assets/ | 57 | assets |
| 6 | /wp-includes/html-api/ | 49 | core |
| 7 | /wp-includes/ID3/ | 46 | library |
| 8 | /wp-includes/fonts/ | 44 | assets |
| 9 | /wp-includes/css/ | 38 | assets |
| 10 | /wp-includes/SimplePie/ | 32 | library |
| 11 | /wp-includes/customize/ | 31 | core |
| 12 | /wp-includes/block-patterns/ | 31 | core |
| 13 | /wp-content/languages/ | 31 | content |
| 14 | /wp-content/upgrade/ | 25 | sensitive |
| 15 | /wp-includes/rest-api/ | 24 | API |
| 16 | /wp-includes/certificates/ | 23 | sensitive |
| 17 | /wp-admin/images/ | 22 | wp-admin |
| 18 | /wp-includes/block-supports/ | 20 | core |
| 19 | /wp-includes/pomo/ | 18 | library |
| 20 | /wp-includes/IXR/ | 18 | XML-RPC lib |
| 21 | /wp-admin/css/colors/ectoplasm/ | 18 | wp-admin |
| 22 | /wp-includes/js/codemirror/ | 17 | assets |
| 23 | /wp-includes/theme-compat/ | 16 | core |
| 24 | /wp-includes/js/dist/ | 16 | assets |
| 25 | /wp-includes/Text/ | 16 | library |

PATHS BY CATEGORY BREAKDOWN

/wp-includes/*: ~940
/wp-content/*: ~286
/wp-admin/*: ~74

SENSITIVE PATHS TARGETED

/wp-content/uploads/ (77 hits) — Probing upload directory; attackers look for writable/executable files left by previous compromise or misconfiguration.
/wp-content/upgrade/ (25 hits) — WordPress update staging directory. May contain old WP archives or temp files.
/wp-includes/certificates/ (23 hits) — Contains SSL/TLS CA bundles used by WordPress HTTP API. Probed for cert data.
/wp-includes/IXR/ (18 hits) — XML-RPC library directory. Attackers correlate this with xmlrpc.php availability probing.
/wp-content/upgrade-temp-backup/ — Seen in logs; contains backup snapshots of plugins/themes during upgrades.
/wp-includes/rest-api/ (24 hits) — REST API directory probing. Often precedes authentication bypass or enumeration attempts via the REST API endpoint.

ALL UNIQUE PATHS (105 total) — grouped

/wp-admin/css/
/wp-admin/css/colors/  (blue, coffee, ectoplasm, light, midnight, modern, ocean, sunrise)
/wp-admin/images/
/wp-admin/includes/
/wp-admin/js/
/wp-admin/js/widgets/
/wp-admin/maint/
/wp-content/languages/
/wp-content/languages/plugins/
/wp-content/languages/themes/
/wp-content/plugins/contact-form-7/
/wp-content/themes/twentytwentyfour/
/wp-content/themes/twentytwentythree/
/wp-content/themes/twentytwentythree/patterns/
/wp-content/upgrade/
/wp-content/upgrade-temp-backup/
/wp-content/uploads/  (+ yearly: 2021,2022,2023,2024,2025,2026; monthly: 02/)
/wp-includes/  (root)
/wp-includes/ID3/
/wp-includes/IXR/
/wp-includes/PHPMailer/
/wp-includes/Requests/
/wp-includes/Requests/library/
/wp-includes/SimplePie/
/wp-includes/Text/
/wp-includes/Text/Diff/
/wp-includes/Text/Diff/Engine/
/wp-includes/Text/Diff/Renderer/
/wp-includes/assets/
/wp-includes/block-bindings/
/wp-includes/block-patterns/
/wp-includes/block-supports/
/wp-includes/blocks/  (block, button, code, comments, file, loginout, more, post-author, shortcode)
/wp-includes/certificates/
/wp-includes/css/
/wp-includes/css/dist/  (block-library, edit-widgets, preferences, widgets)
/wp-includes/customize/
/wp-includes/fonts/
/wp-includes/html-api/
/wp-includes/images/
/wp-includes/images/crystal/
/wp-includes/images/media/
/wp-includes/images/smilies/
/wp-includes/interactivity-api/
/wp-includes/js/
/wp-includes/js/codemirror/
/wp-includes/js/crop/
/wp-includes/js/dist/
/wp-includes/js/jquery/
/wp-includes/js/jquery/ui/
/wp-includes/js/plupload/
/wp-includes/js/thickbox/
/wp-includes/js/tinymce/  (plugins, skins, themes, utils)
/wp-includes/l10n/
/wp-includes/php-compat/
/wp-includes/pomo/
/wp-includes/rest-api/
/wp-includes/rest-api/endpoints/
/wp-includes/rest-api/fields/
/wp-includes/rest-api/search/
/wp-includes/sitemaps/
/wp-includes/sitemaps/providers/
/wp-includes/sodium_compat/
/wp-includes/sodium_compat/src/
/wp-includes/style-engine/
/wp-includes/theme-compat/
/wp-includes/widgets/

5. PHP Errors
No PHP errors detected. Zero entries containing PHP Fatal error, PHP Warning, PHP Notice, or any PHP-related error messages were found across all 1,308 log entries. These Apache error logs do not capture PHP runtime errors unless configured with php_flag log_errors On and ErrorLog routing.

All log entries are exclusively Apache module errors (autoindex, authz_core). PHP errors would appear if PHP's error_log setting pointed to this error log file; none appear in this configuration.


6. AH01630 — Client Denied by Server Configuration (All 8 Entries)
All 8 denials target the same path: /home/c3605507/public_html/security-blog-it.com/wp-content/plugins/akismet/. The Akismet plugin directory has an explicit access restriction (likely Options -Indexes + Require all denied in .htaccess or VirtualHost). Each denial represents a bot attempting direct HTTP access to the plugin directory — a standard WordPress fingerprinting technique.
| Timestamp | Client IP | IP Type | Target Path |
|---|---|---|---|
| Sat Jan 31 07:20:52 2026 | 13.75.54.243 | Azure AP | /wp-content/plugins/akismet/ |
| Mon Feb 02 01:18:12 2026 | 20.63.209.182 | Azure US | /wp-content/plugins/akismet/ |
| Mon Feb 02 11:36:05 2026 | 104.211.72.80 | Azure IN | /wp-content/plugins/akismet/ |
| Thu Feb 05 12:43:23 2026 | 185.193.157.211 | Non-Azure EU | /wp-content/plugins/akismet/ |
| Fri Feb 13 09:52:00 2026 | 149.88.19.87 | Non-Azure | /wp-content/plugins/akismet/ |
| Mon Feb 16 04:21:54 2026 | 188.95.65.43 | Non-Azure EU | /wp-content/plugins/akismet/ |
| Sun Feb 22 00:42:36 2026 | 91.239.130.201 | Non-Azure EU | /wp-content/plugins/akismet/ |
| Thu Feb 26 18:04:31 2026 | 138.199.19.178 | Non-Azure | /wp-content/plugins/akismet/ |

7. Security-Relevant Analysis

7a. Attack Pattern Summary

| Attack Vector | Count | Found? |
|---|---|---|
| Directory traversal (../) | 0 | NONE |
| WordPress xmlrpc.php attacks | 0 | NONE |
| wp-login.php brute force | 0 | NONE |
| SQL injection patterns | 0 | NONE |
| File inclusion attempts | 0 | NONE |
| .env / .git probing | 0 | NONE |
| phpMyAdmin access | 0 | NONE |
| base64 / eval() payloads | 0 | NONE |
| Shell/webshell paths | 0 | NONE |
| Directory enumeration (AH01276) | 1,300 | ACTIVE |
| Plugin dir access (AH01630) | 8 | ACTIVE |
| wp-admin dir probing | ~74 | ACTIVE |
| WordPress structure mapping | 105 paths | ACTIVE |
| Multi-day persistent scanners | 11 IPs | ACTIVE |

7b. Suspicious / Non-Azure IPs (Priority Block List)

| IP | Hits | AH01630 | Pattern |
|---|---|---|---|
| 91.239.130.201 | 30 | YES | 29 dir probes + 1 denied; Feb 22 burst |
| 188.95.65.43 | 30 | YES | 29 dir probes + 1 denied; Feb 16 burst |
| 185.193.157.211 | 30 | YES | 29 dir probes + 1 denied; Feb 05 burst |
| 149.88.19.87 | 30 | YES | 29 dir probes + 1 denied; Feb 13 burst |
| 138.199.19.178 | 30 | YES | 29 dir probes + 1 denied; Feb 26–27 |
| 23.100.90.148 | 15 | | Azure-adjacent; brief scan session |
| 4.204.195.211 | 14 | | Non-Azure 4.x; dir scan |
| 68.221.137.26 | 8 | | US ISP range; scan activity |
| 213.35.118.50 | 3 | | European IP; small scan footprint |
Pattern of concern: The non-Azure IPs (91.239.x, 188.95.x, 185.193.x, 149.88.x, 138.199.x) all show the same signature: exactly 29–30 hits with the 30th being an AH01630 akismet denial. This uniform behavior across different IPs on different days suggests a coordinated botnet or shared scanning tool with identical WordPress fingerprinting methodology.

7c. Persistent Multi-Day Scanners (Highest Priority)

| IP | Total Hits | Days Active | Date Range | Notes |
|---|---|---|---|---|
| 40.115.138.121 | 55 | 5 | Feb 01, 03, 23, 24, 27 | Azure AU; systematic 7-dir batches each visit |
| 20.219.8.79 | 49 | 5 | Jan 31, Feb 01, 04, 07, 25, 26 | Azure India; distributed scan over full month |
| 20.78.146.86 | 60 | 5 | Feb 20, 21, 22, 23, 24 | Azure SE Asia; concentrated late-Feb activity |
| 20.194.29.45 | 45 | 4 | Jan 31, Feb 05, 06, 22 | Azure SE Asia; sporadic throughout month |
| 40.113.19.56 | 18 | 4 | Feb 07, 09, 13, 24 | Azure; lower volume persistent |
| 20.212.209.31 | 24 | 3 | Feb 02, 03, 04 | Azure AU; consecutive day scanning |
| 52.141.18.191 | 55 | 3 | Feb 22, 23, 24 | Azure US; concentrated burst |
| 20.197.58.121 | 25 | 3 | Feb 22, 23, 24 | Azure; concurrent with Feb 22 spike |

7d. Feb 22 Coordinated Spike Analysis (205 entries — highest single day)

On February 22, 2026, a coordinated multi-IP scan hit the site with 205 log entries — nearly double any other day. Five distinct IPs contributed:
  • 104.46.216.98 — 59 hits (10:10 UTC burst, 43 hits in ~60 seconds)
  • 52.141.18.191 — 45 hits (10:26 UTC burst)
  • 91.239.130.201 — 30 hits (00:41 UTC + 1 akismet denial at 00:42)
  • 20.89.40.149 — 26 hits
  • 20.78.146.86 — 26 hits (spread across 00:08–15:12 UTC)
  • 20.194.29.45 — 14 hits
  • 20.197.58.121 — 5 hits
The concurrency of Azure and non-Azure IPs scanning simultaneously suggests botnet coordination or a shared C2-driven scanning campaign.

8. Apache Module Breakdown
| Module | Error Level | Count | Error Code | Description |
|---|---|---|---|---|
| autoindex | error | 1,300 | AH01276 | mod_autoindex: Cannot generate directory listing — no DirectoryIndex found and Options -Indexes enforced |
| authz_core | error | 8 | AH01630 | mod_authz_core: Client denied access — explicit Require/Deny rule matched the request |

Modules NOT present in logs: php, auth_basic, auth_digest, ssl, rewrite, proxy, cgi, fcgid. No web application firewall (WAF/mod_security) entries detected.

autoindex module: mod_autoindex is responsible for generating HTML directory listings when a directory is accessed and no index file is present. When Options -Indexes is set (as here), it logs AH01276 instead of serving a listing. The site's configuration is correct — but the high volume of these errors indicates bots are systematically requesting every known WordPress subdirectory.
authz_core module: mod_authz_core handles Require directives. AH01630 fires when a request matches a Require all denied or similar rule. The Akismet plugin directory appears to have such protection, which is good practice.

9. Time-of-Day Error Distribution (UTC)
[Heatmap: log entries per hour (UTC); darker red = higher volume. The per-hour values appear in the table that follows.]

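| Hour (UTC) | Count | JST (UTC+9) | Level |
|---|---|---|---|
| 00:00 | 60 | 09:00 | Med |
| 01:00 | 56 | 10:00 | Med |
| 02:00 | 49 | 11:00 | Med |
| 03:00 | 51 | 12:00 | Med |
| 04:00 | 60 | 13:00 | Med |
| 05:00 | 11 | 14:00 | Low |
| 06:00 | 34 | 15:00 | Low |
| 07:00 | 49 | 16:00 | Med |
| 08:00 | 23 | 17:00 | Low |
| 09:00 | 77 | 18:00 | High |
| 10:00 | 122 | 19:00 | PEAK |
| 11:00 | 43 | 20:00 | Med |
| 12:00 | 53 | 21:00 | Med |
| 13:00 | 12 | 22:00 | Low |
| 14:00 | 27 | 23:00 | Low |
| 15:00 | 115 | 00:00 next day | PEAK |
| 16:00 | 25 | 01:00 | Low |
| 17:00 | 22 | 02:00 | Low |
| 18:00 | 58 | 03:00 | Med |
| 19:00 | 60 | 04:00 | Med |
| 20:00 | 155 | 05:00 | PEAK #1 |
| 21:00 | 61 | 06:00 | Med |
| 22:00 | 49 | 07:00 | Med |
| 23:00 | 36 | 08:00 | Low |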
Three distinct peaks identified:
  • 20:00 UTC (05:00 JST) — 155 entries. Highest hour. Early morning Japan time when site owner is asleep. Dominated by Feb 05 20:33–20:36 burst from 20.89.235.135 (70 hits in 4 minutes).
  • 10:00 UTC (19:00 JST) — 122 entries. Evening Japan time. Dominated by Feb 22 10:10 burst from 104.46.216.98 (43 hits in ~60 seconds).
  • 15:00 UTC (00:00 JST) — 115 entries. Midnight Japan time. Driven by Feb 26–27 activity from 172.213.144.131 and 20.151.107.14.
Quiet period: 05:00–08:00 UTC (14:00–17:00 JST) consistently has the lowest attack volume. This is the Western hemisphere working hours / Asian afternoon — possibly when scanning infrastructure is tasked elsewhere.
Automated bot behavior confirmed: The burst patterns (e.g., 43 hits in 60 seconds from one IP, 70 hits in 4 minutes from another) are mechanically consistent with scripted directory enumeration tools, not human browsing. All hits are spaced at nearly equal sub-second intervals.

10. Notable Anomalies and Key Findings
Anomaly 1 — Feb 22 Coordinated Multi-IP Scan (205 entries)
The single largest day in the dataset saw 7 distinct IPs scanning within the same calendar day — including simultaneous Azure (104.46.216.98 at 10:10 UTC) and non-Azure (91.239.130.201 at 00:41 UTC) activity. The fact that both classes of IPs show identical WordPress directory traversal patterns and the non-Azure IP also hits the Akismet deny rule suggests a shared scanning profile distributed across botnet nodes.
Anomaly 2 — Uniform Non-Azure Scanning Signature
Five non-Azure IPs (91.239.130.201, 188.95.65.43, 185.193.157.211, 149.88.19.87, 138.199.19.178) each generated exactly 30 log entries: ~29 AH01276 directory probes followed by 1 AH01630 akismet denial. This is a fingerprint of the same automated tool/script being run from different IPs on different dates — classic botnet rotation.
Anomaly 3 — Azure Infrastructure Dominance
Approximately 82% of all attacking IPs are in Microsoft Azure IP ranges (20.x, 40.x, 52.x, 104.x, 13.x, 172.x). This is atypical for legitimate scanning but common for attackers who abuse cloud provider free-tier or compromised VM accounts to conduct reconnaissance. Azure's IP reputation is generally trusted, which can bypass some IP-reputation-based firewalls.
Anomaly 4 — 20.89.235.135: 70 Hits in 4 Minutes (Feb 05, 20:33–20:36 UTC)
The top IP by total hits executed a complete WordPress directory scan of 52 unique paths in approximately 4 minutes. Rate: ~17 requests/minute. This is the fastest single-session scan in the dataset and covered both /wp-admin/ and /wp-includes/ comprehensively including deeply nested paths like /wp-includes/js/tinymce/skins/lightgray/img/.
Anomaly 5 — /wp-content/uploads/ Is Most Probed Path (77 hits)
The uploads directory is the most frequently targeted path. Attackers probe this directory to: (a) confirm writable directory is accessible, (b) look for uploaded shells or malicious files from prior compromises, (c) enumerate uploaded file timestamps for intelligence. Combined with the /wp-content/upgrade-temp-backup/ probing, this suggests attackers are hunting for backup artifacts.
Anomaly 6 — /wp-includes/IXR/ Probed 18 Times
The IXR (Incutio XML-RPC) library directory is a component of WordPress's XML-RPC implementation. Probing this specific subdirectory (vs. xmlrpc.php directly) suggests the scanner tool is mapping WordPress version fingerprints via directory structure — IXR was removed from WordPress core in certain versions, so its presence/absence can reveal the WP version.
Notable Finding — No Access Log Correlation
These error logs contain ONLY AH01276/AH01630 events. The absence of PHP errors, 500 errors, authentication failures, or exploit attempt logs means either: (1) this is exclusively a reconnaissance phase with no exploitation yet, or (2) successful requests (200/301/302) appear in the access log only and would require separate analysis. Recommend cross-referencing with Apache access_log for complete picture.
Notable Finding — WordPress Directory Structure Fully Exposed to Scanners
The 105 unique directories probed represent a comprehensive map of this WordPress installation's structure. Scanners have enumerated: all wp-admin subdirectories, all wp-includes library paths (PHPMailer, SimplePie, ID3, IXR, Requests, Text/Diff, sodium_compat), plugin directories (Akismet, Contact Form 7), theme directories (TwentyTwentyThree, TwentyTwentyFour), and upload year directories (2021–2026). This gives attackers a detailed fingerprint for targeted follow-on attacks.

11. Security Recommendations

Immediate Actions

1. Rate-limit or block repeat scanner IPs
Block or rate-limit the top 20 IPs via .htaccess, fail2ban, or server firewall. Priority: the 5 non-Azure IPs with AH01630 signatures (91.239.130.201, 188.95.65.43, 185.193.157.211, 149.88.19.87, 138.199.19.178).
2. Implement fail2ban for AH01276 bursts
Configure fail2ban to auto-block any IP generating more than 10 AH01276 errors in 60 seconds. The burst pattern (40+ hits/minute) makes this highly effective without false positives.
3. Add rate limiting for directory requests
Use Apache mod_ratelimit or mod_evasive to throttle clients hitting directory paths repeatedly. This stops the 4-minute 70-hit bursts cold.
4. Verify /wp-content/uploads/ hardening
Ensure the uploads directory has Options -ExecCGI -Indexes and a rule preventing .php execution inside it (e.g., php_flag engine off or an .htaccess deny for *.php in uploads/).
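
The threshold in recommendation 2 (more than 10 AH01276 errors from one IP in 60 seconds) can be checked offline against existing logs before it is enforced. The following is an added example, not part of the original report: it assumes the default Apache 2.4 error-log line layout, and the sample lines, IP addresses (documentation ranges) and /var/www/example path are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout (Apache 2.4 default ErrorLogFormat):
# [time] [module:level] [pid N] [client IP:port] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] "
    r"\[pid [^\]]+\] \[client (?P<ip>[0-9a-fA-F.:]+?):\d+\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for one error-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = m["ts"]
    # Timestamps may or may not carry microseconds.
    fmt = "%a %b %d %H:%M:%S.%f %Y" if "." in ts else "%a %b %d %H:%M:%S %Y"
    return {"time": datetime.strptime(ts, fmt), "ip": m["ip"],
            "code": m["code"], "msg": m["msg"]}


def find_bursts(lines, code="AH01276", max_hits=10,
                window=timedelta(seconds=60)):
    """Map each IP that exceeds max_hits events of `code` inside `window`
    to the time the threshold was first crossed.
    Lines are assumed to be in chronological order per IP."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["code"] != code:
            continue
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) > max_hits and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["time"]
    return flagged


def _sample_line(when, ip, module, code, msg):
    # Builds one constructed log line in the assumed layout.
    ts = when.strftime("%a %b %d %H:%M:%S.%f %Y")
    return f"[{ts}] [{module}:error] [pid 4242] [client {ip}:50000] {code}: {msg}"


_START = datetime(2026, 2, 22, 10, 10, 0)
_DIR_MSG = ("Cannot serve directory /var/www/example/wp-includes/: No matching "
            "DirectoryIndex (index.html,index.php) found, and server-generated "
            "directory index forbidden by Options directive")

# Constructed sample: one fast scanner, one slow crawler, one AH01630 denial.
SAMPLE_LOG = (
    [_sample_line(_START + timedelta(seconds=i), "192.0.2.10",
                  "autoindex", "AH01276", _DIR_MSG) for i in range(12)]
    + [_sample_line(_START + timedelta(seconds=30 * i), "198.51.100.7",
                    "autoindex", "AH01276", _DIR_MSG) for i in range(12)]
    + [_sample_line(_START, "203.0.113.5", "authz_core", "AH01630",
                    "client denied by server configuration: "
                    "/var/www/example/wp-content/plugins/akismet/")]
)

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

Running the same function over the decompressed error_log files shows which clients the rule would have banned, and whether any slower crawler would have been caught by mistake.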

Medium-Term Hardening

5. Block Azure cloud scanner ranges at firewall
If the site has no legitimate Azure-hosted visitors, consider blocking Azure IP ranges at the edge. Azure publishes its IP ranges at: https://www.microsoft.com/en-us/download/details.aspx?id=56519
6. Consider a Web Application Firewall (WAF)
No WAF/mod_security entries appear in these logs. Adding Cloudflare, Sucuri, or mod_security2 with the OWASP Core Rule Set would block these scans before they reach Apache, eliminating error log noise and reducing server load.
7. Protect wp-admin with IP allowlist
14 IPs accessed wp-admin subdirectories. If the site owner accesses wp-admin from a fixed IP, add an IP allowlist to the wp-admin .htaccess to deny all other sources.
8. Disable XML-RPC if not in use
The IXR directory probing (18 hits) suggests interest in XML-RPC. If not required (e.g., no Jetpack, mobile app publishing), add: <Files xmlrpc.php> Require all denied </Files>
9. Enable Apache mod_security or Cloudflare Bot Management
All current blocks (AH01276/AH01630) are passive — the server still processes the full request before rejecting it. Moving rejection to the firewall/WAF layer reduces CPU overhead and prevents information leakage via timing.

Appendix — Raw Data Summary

ALL 96 UNIQUE IPs (sorted by hit count)


HOURLY DISTRIBUTION DETAIL

Hour  Count  Bar
00:00   60  ████████████████████████
01:00   56  ██████████████████████
02:00   49  ████████████████████
03:00   51  ████████████████████
04:00   60  ████████████████████████
05:00   11  ████
06:00   34  █████████████
07:00   49  ████████████████████
08:00   23  █████████
09:00   77  ██████████████████████████████
10:00  122  ████████████████████████████████████████████████
11:00   43  █████████████████
12:00   53  █████████████████████
13:00   12  █████
14:00   27  ██████████
15:00  115  █████████████████████████████████████████████
16:00   25  ██████████
17:00   22  █████████
18:00   58  ███████████████████████
19:00   60  ████████████████████████
20:00  155  ████████████████████████████████████████████████████████████
21:00   61  ████████████████████████
22:00   49  ████████████████████
23:00   36  ██████████████

ERROR CODE REFERENCE

AH01276 — autoindex:error
  "Cannot serve directory %s: No matching DirectoryIndex
   (%s) found, and server-generated directory index
   forbidden by Options directive"
  Module: mod_autoindex
  Severity: error
  Action: Returns 403 Forbidden to client

AH01630 — authz_core:error
  "client denied by server configuration: %s"
  Module: mod_authz_core
  Severity: error
  Action: Returns 403 Forbidden to client

FILE INFO

Location: /home/kali/Desktop/VScode/202602_error/
Files: 28 (.gz compressed)
Date range: error_log.20260201.gz — error_log.20260228.gz
Total lines: 1,308
Total unique IPs: 96
Total unique paths: 105
Error codes found: AH01276, AH01630
Modules: autoindex, authz_core
PHP errors: 0
Traversal attempts: 0
Exploit payloads: 0