Oembed_cache status has been changed
-
This has been discussed briefly before, but I’d like to understand it a bit better.
I’ve been seeing messages like this, most recently mentioning a Russian IP address:
Information:
Website: [my site]
IP Address: 5.188.210.15
Reverse IP: 5.188.210.15
Date/Time: September 22, 2018 3:16 pm
Message: Oembed_cache status has been changed; details: ID: 10308,Old status: new,New status: publish,Title:
Going by the other thread I linked, why would this and other IPs be “requesting WordPress to clear the oEmbed cache”? Is there any harm in this? Why am I only seeing this on one of my three sites on the same server? Does this indicate that the site has been compromised in any way?
-
@westonruter created this [1] on Sep 30, 2017.
The changes described there were —by his own words— “[to] cache oEmbeds in an oembed_cache custom post type instead of postmeta when there is no global $post”.
oEmbed [2] is a protocol for site A (such as your blog) to ask site B (such as YouTube) for the HTML needed to embed content from site B. oEmbed was designed to avoid the need to copy and paste HTML from the site hosting the media you wish to embed. It supports videos, images, text, and more.
If you are embedding content from any of these sites [3] then you have oEmbed Cache in your database.
———————————————————————
Now, in order to understand what is happening here, you have to know how WordPress executes scheduled tasks (also known as cronjobs). WordPress doesn’t install any system-level script to monitor and/or execute the scheduled tasks; instead, it uses the website traffic to determine which tasks need to run at that moment.
If you have a WordPress job scheduled to run every hour, it may —theoretically— run every hour if, and only if, there is constant web traffic for that time. However, if your website is never visited for, let’s say, one month, then none of the scheduled tasks will run for that month. This also includes visits to the administration dashboard.
———————————————————————
Back to the main issue, what I think is happening here is, someone from Russia (or someone using a VPN located in that country) sent one or more HTTP requests to your website. This traffic triggered the execution of a scheduled task designed to clear the oEmbed Cache.
why would this and other IPs be “requesting WordPress to clear the oEmbed cache”?
As explained before, that’s how WordPress works ¯\_(ツ)_/¯
Is there any harm in this?
I wouldn’t worry about it, but don’t take my word for granted. If you have more information about these requests we can take a look and determine if it’s really harmful or not. If you don’t expect traffic from Russia, for example, then that’s something to be wary of.
Why am I only seeing this on one of my three sites on the same server?
Maybe the other sites don’t have oEmbed Cache.
Does this indicate that the site has been compromised in any way?
It’s not possible to say “yes” or “no” without more information.
The logs show a normal behavior of WordPress when someone is making use of oEmbed. If none of the admins or authors have created posts or pages with embedded content, then maybe the logs are hinting at a “Page Infection” where the attacker is injecting Spam (in the form of text or links) to attract people to other websites with other malicious intents.
[1] https://core.trac.ww.wp.xz.cn/changeset/41651
[2] https://codex.ww.wp.xz.cn/Embeds
[3] https://codex.ww.wp.xz.cn/Embeds#Okay.2C_So_What_Sites_Can_I_Embed_From.3F
Thanks for your quick reply.
I am interested in exploring this further. I’ve just looked at the Nginx access log and found the three requests from the Russian IP that triggered the oembed alerts, preceded by an identical request one second earlier from a Vietnamese IP that did not trigger an alert. This seems suspicious.
Would it be possible to continue this conversation privately? I could send you my logs.
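The access-log check described in the post above (pulling out the requests that arrived in the alert's minute, spotting the same request from two different IPs a second apart, and identifying the wp-cron.php loopback call that actually ran the scheduled task), as an added example that is not from this thread or from the Sucuri plugin. It assumes nginx's default "combined" log format, a site clock in UTC (the alert timestamp carries neither seconds nor a zone), and constructed sample lines using RFC 5737 documentation addresses; every function and sample value here is mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# nginx default "combined" log format (assumption about the server's config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOG_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ALERT_TS_FMT = "%B %d, %Y %I:%M %p"   # e.g. "September 22, 2018 3:16 pm" (no seconds)

# Constructed sample log: RFC 5737 documentation addresses, not real visitors.
SAMPLE_LOG = """\
192.0.2.10 - - [22/Sep/2018:15:10:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Sep/2018:15:16:14 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2018:15:16:15 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Sep/2018:15:16:15 +0000] "GET /?p=10308 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
127.0.0.1 - - [22/Sep/2018:15:16:15 +0000] "POST /wp-cron.php?doing_wp_cron=1537629375.1 HTTP/1.1" 200 0 "-" "WordPress/4.9.8; https://example.invalid"
192.0.2.10 - - [22/Sep/2018:15:40:00 +0000] "GET /feed/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], LOG_TS_FMT)
            entries.append(e)
    return entries


def parse_alert_time(text, tz=timezone.utc):
    """Alert timestamps have minute resolution and no zone; assume the site clock is UTC."""
    return datetime.strptime(text, ALERT_TS_FMT).replace(tzinfo=tz)


def requests_in_alert_minute(entries, alert_ts):
    """All requests whose timestamp falls in the same minute as the alert."""
    return [e for e in entries if e["ts"].replace(second=0) == alert_ts]


def ips_in_window(hits):
    """How many requests each client address made inside the alert minute."""
    return Counter(e["ip"] for e in hits)


def paths_shared_by_ips(hits):
    """Paths requested from more than one IP inside the window: the 'identical
    request from another IP one second earlier' pattern the thread mentions."""
    by_path = defaultdict(set)
    for e in hits:
        by_path[e["path"]].add(e["ip"])
    return {p: sorted(ips) for p, ips in by_path.items() if len(ips) > 1}


def cron_hits(hits):
    """WordPress's default cron spawn is a loopback POST to wp-cron.php, so the
    request that really ran the task shows the server's own address as client."""
    return [e for e in hits if e["path"].startswith("/wp-cron.php")]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    alert_ts = parse_alert_time("September 22, 2018 3:16 pm")
    hits = requests_in_alert_minute(entries, alert_ts)
    for e in hits:
        print(e["ts"].strftime("%H:%M:%S"), e["ip"], e["method"], e["path"])
    print("requests per IP:", dict(ips_in_window(hits)))
    print("paths hit from several IPs:", paths_shared_by_ips(hits))
    print("wp-cron runs:", [e["ip"] for e in cron_hits(hits)])
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; because the alert only has minute resolution, the whole minute is taken as the window rather than a second-exact match, and the loopback wp-cron.php line is listed separately so the visitor request that triggered the task is not confused with the request that executed it.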
You can send the logs to [email protected] .
You can also talk directly with a Sucuri Malware Researcher via Twitter using one of the handles listed on this page [1]. If you do so, please add a reference to this thread by attaching a link along with the mail/message.
Thanks, I’ll do that!