406.shtml Why…..

Hi @dhumeurvegetale, thanks for reaching out about this.

There are two possible reasons for this I can think of. The first is that it’s important to note that Live Traffic entries where specific filepaths/URLs are attempted don’t necessarily point to inside knowledge about your site. Often these are automated attacks that are just hit-and-hope in the search for vulnerable plugins or publicly visible files that shouldn’t be. 406.shtml might be a random page being attempted to learn more about your site/platform to see if anything can be exploited. Having a strong password, 2FA and having WordPress and its plugins up-to-date should be the best strategy to stick to.

The second is related to ModSecurity, an add on module for Apache servers, which is a WAF that attempts to protect your website from attacks. I’ve seen rules defined in /usr/local/apache/conf/mod_sec/mod_sec.hg.con that block certain requests to sites with a 406 status – where the error page it wants to show is 406.shtml. It’s slightly unusual to use that code rather than return a 403 or 500 but your host might be able to shed more light on this if they configure ModSecurity on your behalf.

I hope this helps you out,
Peter.

Hi @wfpeter and thanks for your explainations, It’s 62 times since the 08 of january and like you said it’s always bot requests from everywhere in the worl….. they are other attempts but that one for the 406.shtml file is often. thanks my friend and you doing a great job, i’m using the free version of your plugin because i don’t manage accounts and dont have payments and not open to comments, it’s only a showcase site. Have a great day.