I apologize for the issues you're having on your VPS regarding our automated WordPress ModSecurity protection. I've gone ahead and disabled specific ModSecurity rules for your websites that trigger our WordPress admin blocks.
I would recommend reviewing WordPress logins on your server.
The problem isn't so much just that you need to use a strong WordPress password, but also that you're limiting access for malicious users to even attempt to guess your password in the first place. Right now you have malicious users brute forcing your WordPress admin login pages. Basically they are just guessing a password again and again till they get in.
I see that you have the WordFence plugin installed, but it's important to note that in some instances, because WordPress plugins have to rely on running PHP code, while under attack it can cause your server to spike, which you can take a look at using some advanced server load monitoring.
Today you've had over (6,060) POST attempts to your wp-admin.php script on your various WordPress sites, from (1,950) unique IP addresses. Of those, (1,925) had fewer than 10 login attempts, so even if you were blocking unwanted users from your website each time they had a failed login, you're going to quickly build up quite a large list of blocked users and all the while they are still going to have some successful attempts at guessing your WordPress login credentials.
If you do something like password protect the WordPress wp-admin directory and wp-login.php, then you'd be preventing all those bots from even having an attempt to open up a connection to your WordPress database to check for a valid user login at all.
Anyways, you shouldn't have our internal ModSecurity protection kick in again now on your VPS. I'd definitely recommend looking at implementing some form of manual .htaccess protection if you notice your server usage climbs when under attack from using WordPress security plugins.
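
To produce the kind of tally quoted in the reply above from your own access log, the following is an added example (not part of the original reply and not the host's tooling). It assumes Apache combined log format and that login attempts appear as POST requests to wp-login.php; the sample log lines, the `make_line` helper and the threshold of 10 are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumption: a login attempt is a POST to wp-login.php in any site directory.
LOGIN_RE = re.compile(r'(^|/)wp-login\.php(\?|$)')


def make_line(ip, method, path, status=200):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "constructed-agent"')


# Constructed sample: one noisy source plus several low-volume sources.
SAMPLE_LOG = "\n".join(
    [make_line("198.51.100.7", "POST", "/wp-login.php")] * 12
    + [make_line(f"203.0.113.{i}", "POST", "/blog/wp-login.php")
       for i in range(1, 5) for _ in range(2)]
    + [make_line("192.0.2.9", "GET", "/wp-login.php"),   # page view, not a guess
       make_line("192.0.2.9", "POST", "/xmlrpc.php")]    # different endpoint
)


def login_posts_per_ip(log_text):
    """Count POSTs to wp-login.php per client IP; skip unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(2) == "POST" and LOGIN_RE.search(m.group(3)):
            counts[m.group(1)] += 1
    return counts


def summarize(counts, threshold=10):
    """Show how much of the traffic stays under a per-IP blocking threshold."""
    low = [n for n in counts.values() if n < threshold]
    return {
        "posts": sum(counts.values()),
        "unique_ips": len(counts),
        "ips_below_threshold": len(low),
        "posts_from_ips_below_threshold": sum(low),
    }


if __name__ == "__main__":
    print(summarize(login_posts_per_ip(SAMPLE_LOG)))
```

A high share of IPs below the threshold means per-IP lockouts will miss most of the guessing traffic, which is the case for gating wp-login.php in front of PHP rather than relying on a plugin.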