client denied by server configuration

Those image files are used to check your Apache Modules and directives available on your website/server. The checks and 403 errors do not cause any performance issues for websites/servers.

Apache Modules|Directives|Backward Compatibility(Yes|No)|IfModule(Yes|No):
403: mod_access_compat is Loaded|Order, Allow, Deny directives are supported|IfModule: Yes
403: mod_authz_core is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
403: mod_authz_host is Loaded|Order, Allow, Deny directives are supported|BC: Yes|IfModule: Yes
200: mod_rewrite Module is Loaded|IfModule: Yes
403: mod_security2 Module is Loaded|Enabled|IfModule: Yes

Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. I still receive email notifications when threads have been resolved.

Ok we also see a lot of file does not exist, I installed wordfence to block referrers
but other things are looking in a subdirector of wp-admin or wp-includes
for a .php file but the error is file not found. I want to stop them from looking

i.e.
wp-admin/maint/wp-apsea.php

another is xmlrpc.php

also wp-config.php.bak

how can I harden ? thanks

You can’t stop someone from making Requests since they are making Requests from an external source. These types of hacker scans/probes are automated using a delivery system that uses bots to perform the Requests. The file names are on a list that the delivery system uses and the process is completely automated.

So since you cannot stop hackers and spammers from doing what they do then you can only block them from successfully probing your site or attacking your site.