There are a lot of bullshit requests out there from scripts trying to find Wordpress vulnerabilites. In order to reduce the noise in logs I have a not_wordpress.conf Nginx I add to sites. It's a pretty simple bit of config that returns a 418 - I'm a teapot status code for requests that are for any PHP files or the standard set of paths that are used in a burst looking for vulnerabilities. It doesn't stop the requests but at least it keeps them out of logs. location ~ ^/(.*)\.php { access_log ...
