Can't comment on the score - hacked WordPress sites often have bits hosted in

* wp-admin
* wp-content

Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails.

Paul

On 19/10/2018, 14:38, "Alex" <mysqlstud...@gmail.com> wrote:

> Hi,
>
> Should we be adding 3 points for just this, or is there never a reason users should be using /wp-admin in their URLs?
>
> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user be in a position to create a public link that involves their WP admin directory in the first place?

--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet