Support

It looks like you get hundreds of requests to static images which used to be hosted on the site. I can't really tell you what that traffic is. Some of it looks like search engine traffic, some of it looks like someone is spidering the site.

That has nothing to do with your client being blocked, in the sense that Admin Tools will obviously only block the IP address of an attacker, not some other, random IP. If you have not cleared "Email this address on blocked request" and / or "Email this address after an automatic IP ban" you may have your site try to send way too many emails which might explain why the server slowed down to the point your client complained; empty those two options in the Configure WAF page. If that's not the case, your client blocked themselves somehow. You need their IP address and search for it in the Blocked Requests Log page. Check the Target URL and Reason to find out why they got blocked.

So, to make sure that we are talking about the same thing. You unblocked your client's IP address because it was blocked due to 404Shield. If this is not the case, disregard the rest of this reply and tell me who those IP addresses belonged to.

If the IP was your client's, they are running something on their computer / network which tries to access their old site's images. Maybe they have some kind of web spider or SEO software they were previously using?

Is it possible that imported content from the old site is still referencing images from the old wp-content image location?

Then I don't know. You should look in the access log of the server to figure out what's making those requests. Hopefully it will have a sensible user-agent string which is recorded in the access log.

Ah, now it makes a lot more sense! This was previously a WordPress site and now it's a Joomla! site.

I cannot tell you for sure if disabling JetPack would do anything. The PDF you sent me does not show this to be an ongoing issue. Moreover, the previous person obviously confuses their WPEngine (hosting) account with the WordPress.com account used to manage JetPack. Not only they are not the same company, these two companies have been fighting each other in court for the past year and a half. You can't fix stupid, so there's that.

Now, the PDF you send me shows that a lot of external IPs are trying to access static media files on the previous WordPress site. You can't stop that. Even if you disable Admin Tools completely you won't really fix anything since all these URLs do not exist on your server, result in an HTTP 404 Not Found, therefore are handled by Joomla. Since Joomla takes hundreds of milliseconds and Megabytes of memory to render the 404 page, your server load increases. You can amend the .htaccess rule to include wp-content in it:

RewriteRule ^(moawp/)?(xmlrpc\.php|wp-login\.php|wp-admin|wp-includes|wp-content) - [G,NC,L]

This won't stop the requests, but instead of being handled through Joomla they will very quickly return an HTTP 401 Gone response. This will lighten the load on your server a bit. At least, that's the hope.

All those blocked request are significantly slowing the load speed of the backend, too. Under Tools in Admin Tools, will “Purge Sessions” remove all those?

I got that the first time.

I actually did reply to it.

No, it won't help.

This has nothing to do with session management.

It has also nothing to do with Admin Tools per se.

As I told you, the problem will persist even if you completely disable or even uninstall Admin Tools:

Even if you disable Admin Tools completely you won't really fix anything since all these URLs do not exist on your server, result in an HTTP 404 Not Found, therefore are handled by Joomla. Since Joomla takes hundreds of milliseconds and Megabytes of memory to render the 404 page, your server load increases.

Your problem is that you have a large number of external sources requesting static media files on the no longer existing WordPress paths.

All these requests result in an HTTP 404 Not Found each.

Joomla handles HTTP 404.

You MUST NOT remove Joomla's handling of 404 pages from the .htaccess file. That would be the WRONG solution as it WILL break Joomla SEF URLs.

Since Joomla takes a lot of time to process each 404 page, your server load increases.

Since your server load increases, your site gets slower – both frontend and backend.

Ideally, you want to stop these requests from happening.

This is objectively NOT under your or our control.

The second best option is to block these requests as quickly as possible, before they can reach Joomla.

This is what the amended .htaccess code does.

This might not be enough if you are receiving hundreds to thousands of them every day.

If this is the case, you need to stop these requests from hitting your server.

How can you stop a request from hitting your server if you have no control over the person or service making the request?

The answer is using something like CloudFlare CDN.

If you put the site behind CloudFlare CDN you can create a rule which matches all those /wp-* URL paths, with a block decision.

URLs blocked at the CloudFlare CDN level never reach your server.

However, I consider using CloudFlare CDN for this use case to be the last resort.

Let's see if the changes you made have an effect.

Keep monitoring your site for a few more days.