Running quite a complex site with a lot of moving parts. Over the past month we have noticed a huge amount of requests from the servers IP to domain.com/.env, something is looking for an environment variables file. I know there are a lot of bots which scour the internet searching for exposed environment variables so they can access things like database credentials but this doesn’t seem to be the case because as I say; the requests are coming from the servers IP which would indicate a plugin or theme is making these requests. No errors in any logs. Only thing that’s detected is the requests themselves (a mixture of POST and GET), thousands every couple of minutes.
Our staging environment is fine, its an exact copy (albeit on a different host) and there are no such requests.
Our host has investigated and said beyond making sure the requests aren’t generated by them they understandably can’t do much else (besides take the hosting account down when CPU usage gets too high…)
This happens extremely intermittently, sometimes 3 days apart with the longest being 16 days until a reoccurrence. This makes it extremely hard to diagnose because it’s on a live site and not happening in staging so standard troubleshooting like disabling all plugins and removing all my custom code isn’t really an option. Eg we can’t remove all custom work and wait 16 days. It’s a busy marketplace.
I have checked all available logs (both in hosting control panel and manually via SSH) and cannot identify a cause. I’ve downloaded all files via ftp, opened the project in visual studio and ran a search for /.env and can find no reference to it. I’ve also run SQL queries to try and find any sign of it in the db but no hits. I’ve run malware scans at a wordpress and server level and nothing is found, i’ve also checked for any potentially malicious cron jobs (although this was a long shot because its very sporadic, not like every day at 6pm.) We arent using docker or anything else which makes use of environment variables.
Only way to workaround the issue I have found is to catch it happening before the host does and alter the config.php to break connection, then change it back to bring it back online. Only then do the requests stop (until some days later).
So my question is; How else can I track down what’s making these requests?