If in the Apache error log file you can see entries like:
[Mon Jan 04 11:18:06.482286 2021] [:error] [pid 13340:tid 47768530953948] [client 126.96.36.199:0] [client 188.8.131.52] ModSecurity: Access denied with redirection to https://imunify-alert.com/compromised.html?SN=example.com&SP=8443&RFR=&URI=/wp-login.php&cms_name=wordpress&version=1 using status 302 (phase 2). Matched phrase "/0000/" at TX:wp_passwd. [file "/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/002_i360_2_bruteforce.conf"] [line "97"] [id "33355"] [msg "IM360 WAF: WordPress login weak password||T:APACHE||NAME:user||User:user||"] [severity "NOTICE"] [tag "service_i360"] [hostname "example.com"] [uri "/wp-login.php"] [unique_id "X-LrXhEqW23wfUkXqwb@hgBBAA0"]
This means that WordPress Account Compromise Prevention is working for domain example.com hosted on the server.
The WordPress Account Compromise Prevention feature is intended to enforce password complexity for the WordPress user interface only.
1. Let's assume the customer created domain example.com and installed WordPress there. They used the following credentials to access the admin interface:
The credentials can be guessed easily, and this website will soon be compromised.
2. Once the WordPress Account Compromise Prevention feature is enabled, the password does not change automatically. However, the owner of the 'example.com' website, upon the attempt to log in with password 'qwerty', will be redirected to a separate page and advised to change the password.
To sum it up:
- The user will be aware that it is recommended to change the WordPress password.
- The password will not be changed automatically.
- The feature applies only to weak WordPress passwords. It does not track weak cPanel / FTP passwords.
You can find more information on the WP ACP setup here.