mr buffy, try to temporary rename htaccess file to .backup.htaccess and try load site couple of the times. Basically I get 500 only when I have messed up htaccess. Those specs on your server are good.
Or check your htaccess - this one is mine but its really pretty standard. (im also running debian here)
I have several websites hosted on 2 VPS’s (one is Linode, the other is an OpenVZ type with tmzVPS) Both have been experiencing downtime issues. I am a relative newbie with unmanaged VPS hosting.
How can I determine if my sites are been attacked of hacked?
[fcgid:warn] mod_fcgid: process graceful kill fail, sending SIGKILL
This usually means the scrip reached max timeout (i think by default is 45sec) and it was killed. Pretty often you can see this happening with WP. While increasing “FcgidIOTimeout” to 90 (some people suggest 300-500+) i would rather like to suggest you to try to find what script/code in WP is causing this. It could be a leaking theme or plugin e.g. bad code.
Another reason for you problem could be bad MySQL config or MySQL is still working with default settings and probably is not enough anymore. Both cases are asking to fine tune your MySQL and Apache settings. Because there is no one settings for everyone its hard to recommend anything without looking at your server. If you lack in knowledge with MySQL and Apache best would be to leave this task for someone who knows.
How can I determine if my sites are been attacked of hacked?
There are few SSH commands you can use to see what is your traffic or check Apache access log for your domains. For example this command will show you in real time all incoming active connections (you can stop it with ctrl+c):
watch -d -n1 lsof -i
With WP there are few things you can do to prevent or at least limit bots and brute force attacks:
If you dont use JetPack use htaccess to completely block xmlrpc.php file.
If WP doesnt require others to login/register so its just you and/or your client use htaccess to protect with password WP login.
Install Fail2ban and use it to block IP after X amount of failed login attempts. There was a plugin to install with F2B filter.
Use well know free theme what is frequently updated or payed one. Remove all other themes including the WP default one.
Limit the plugins to minimal amount and uninstall everything else. Think if some “feature” is worth so much to increase the CPU and memory usage. If the answer is “you dont know” or “no” just uninstall it.