Summary of the "WordPress account brute-force protection" feature.
A server admin can enable an option to prevent access to WordPress accounts that use well-known (trivial) passwords. When the option is enabled, any end user who tries to log in to the admin account with a weak, trivial, or well-known password from the dictionary used by brute-forcers is taken to a special alert page that asks them to change their current password.
This feature can be enabled by setting
true in MOD_SEC config file section.
This feature is implemented via a ModSec rule and can be partially disabled on a per-domain basis (the rule ID is 33355).
The alert page supports localization and is displayed in the language of the browser (on an external Imunify domain).
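To see which domains trigger rule 33355 before deciding on per-domain handling, the following added example (not Imunify's own code) counts hits per hostname. It assumes rule hits are written to the web server error log in the standard ModSecurity 2.x bracketed-tag format; the sample lines, rule id 99999 and the message text are constructed.

```python
import re
from collections import defaultdict

RULE_ID = "33355"  # rule id stated on the page

# Bracketed tags ModSecurity 2.x appends to error-log entries (assumed log format)
TAG_RE = re.compile(r'\[(id|hostname|uri) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')

# Constructed sample lines, not real log output; the msg text is a placeholder.
SAMPLE_LOG = """\
[Mon Jan 01 10:00:01 2024] [:error] [pid 101] [client 198.51.100.7:40112] ModSecurity: Warning. [id "33355"] [msg "PLACEHOLDER"] [hostname "shop.example.com"] [uri "/wp-login.php"]
[Mon Jan 01 10:00:09 2024] [:error] [pid 101] [client 203.0.113.9:51820] ModSecurity: Warning. [id "33355"] [msg "PLACEHOLDER"] [hostname "shop.example.com"] [uri "/wp-login.php"]
[Mon Jan 01 10:02:30 2024] [:error] [pid 102] [client 198.51.100.7:40190] ModSecurity: Warning. [id "33355"] [msg "PLACEHOLDER"] [hostname "blog.example.org"] [uri "/wp-login.php"]
[Mon Jan 01 10:03:00 2024] [:error] [pid 103] [client 192.0.2.44:33001] ModSecurity: Warning. [id "99999"] [msg "PLACEHOLDER"] [hostname "other.example.net"] [uri "/index.php"]
"""


def strip_port(client):
    """'198.51.100.7:40112' -> '198.51.100.7'; IPv6 addresses are left untouched."""
    host, sep, port = client.rpartition(":")
    return host if sep and "." in host and port.isdigit() else client


def summarize(log_text, rule_id=RULE_ID):
    """Return {hostname: {'hits': n, 'clients': set, 'uris': set}} for one rule id."""
    out = defaultdict(lambda: {"hits": 0, "clients": set(), "uris": set()})
    for line in log_text.splitlines():
        tags = dict(TAG_RE.findall(line))
        # Skip entries from other rules and entries without a hostname tag
        if tags.get("id") != rule_id or "hostname" not in tags:
            continue
        entry = out[tags["hostname"]]
        entry["hits"] += 1
        entry["uris"].add(tags.get("uri", ""))
        match = CLIENT_RE.search(line)
        if match:
            entry["clients"].add(strip_port(match.group(1)))
    return dict(out)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for host, e in ranked:
        print(f'{host}: {e["hits"]} hit(s) from {len(e["clients"])} client(s)')
```

A domain with many hits from many distinct clients is a reason to keep the rule enabled there and contact the account owner, not to disable it.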