TL;DR: Have a look at the error log and then to the violated rule.

Suddenly, I started to get 418 errors on one of my sites. I'd just get 418 from the source and as they say: that was that. Normally, I don't even notice such errors, but this one broke a bunch of pages.

The 418 errors look in general like this:

[Thu Sep 06 04:07:00 2018] [error] [client xxx.xxx.xxx.xxx] ModSecurity: \
  Access denied with code 418 (phase 1). \
  Pattern match "^Mozilla/5.0 \\\\(Windows NT 6.1; WOW64; rv:40.0\\\\) \
  Gecko/20100101 Firefox/40.1$" at REQUEST_HEADERS:User-Agent. \
  [file "/dh/apache2/template/etc/mod_sec2/99_dreamhost_rules.conf"] \
  [line "345"] [id "1990098"] [msg "Malicious Bot UA"] \
  [hostname "my.site.com"] [uri "/wp-login.php"] [unique_id "..."]

Now, this translates to an rule for mod_sec2. To fix, you need to go to the file referred by the error, at the specific line and see what is all about. Most errors are legitimate.

In my original case, I had a 418 translating to basically access denied because I tried to access /wp-login uri more than the allowed frequency because I mistyped the password several times. All I had to do was to stop trying and wait until the mesaured time had elapsed (60 seconds).

In summary, the process is:

  1. ssh onto the account to look at the logs
  2. Go to ~/logs/site/http and look at error.log
  3. Identify the 418 errors
  4. Look at the violated rule identified by the file and line components of the log entry

Main credit goes to Duncan Lock although the only thing I had to do to fix it was to just wait a few minutes.

HTH,