If you want something easy and fast to set up, go for WHMCS.
I personally prefer Blesta because you have control with the code (most of the code is unencrypted) and their API is fully documented with the models, etc.
I see you're storing MD5 passwords in the database, and then verifying them by a query.
You can easily use password_hash and then password_verify it when logging in (if PHP 5 >= 5.5.0), else use https://github.com/ircmaxell/password_compat.
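The switch suggested above, as an added example that is not part of the original post. It goes one step beyond the post by upgrading existing MD5 rows at the next successful login. The function names and the `$users` array (standing in for the database table) are hypothetical.

```php
<?php
// Before: unsalted MD5 compared inside the SQL query, e.g.
//   SELECT id FROM users WHERE username = ? AND password = MD5(?)
// After: select the stored hash by username only, then verify it in PHP.

function is_legacy_md5($stored)
{
    // An MD5 hex digest is exactly 32 hex characters; password_hash() output starts with "$".
    return (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);
}

// Returns true on a correct password. $newHash is set when the stored value
// should be replaced (legacy MD5 row, or an outdated password_hash cost/algorithm).
function verify_login($password, $stored, &$newHash = null)
{
    $newHash = null;
    if (is_legacy_md5($stored)) {
        // Constant-time compare of the legacy digest (hash_equals needs PHP >= 5.6).
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample data: one legacy MD5 row, one already migrated row.
$users = array(
    'alice' => md5('correct horse'),
    'bob'   => password_hash('hunter2!', PASSWORD_DEFAULT),
);
$attempts = array(array('alice', 'correct horse'), array('alice', 'wrong'), array('bob', 'hunter2!'));

foreach ($attempts as $attempt) {
    list($name, $pw) = $attempt;
    $ok = verify_login($pw, $users[$name], $newHash);
    if ($ok && $newHash !== null) {
        // In a real application: UPDATE users SET password = ? WHERE username = ?
        $users[$name] = $newHash;
    }
    printf("%s: %s%s\n", $name, $ok ? 'ok' : 'denied', $newHash ? ' (hash upgraded)' : '');
}
```

The password column must be wide enough for the new hashes; the PHP manual recommends 255 characters because `PASSWORD_DEFAULT` output can grow over time.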
Do you actually go and check each VPS for updates, etc.?
I was thinking of creating a management (admin) portal that connects to all virtual servers via an SSH Key inserted into the template (with the user's permission), and can execute commands to multiple servers, monitor servers, configure...
I'm not sure about CSF. However, this mod_security rule might help. After multiple failed logins in 3 minutes, they should receive a 401 Unauthorized error page.
# WordPress Bruteforce Protection