I’m getting several emails an hour from DirectAdmin saying that my system load is too high. This is causing extremely slow loading speeds, and sometimes my website doesn’t load at all. I asked my host about this, and he informed me that wp-login.php and xmlrpc.php are visited a lot.
I’ve enabled OWASP Slr Et WordPress Attacks in the Firewall settings, use a plugin to change the login URL (wp-login.php), which prevents access to the wp-login.php page and the wp-admin directory while not logged in, and have blocked access to xmlrpc.php in my .htaccess file. All without result.
Can I set specific Firewall Rules or Page Rules to block all these requests to these URLs from countries that normally don’t even visit my local Dutch site?
What’s a lot of visits and what is Cloudflare Analytics saying?
You can create a similar Firewall rule to block everyone from reaching your origin and add more as needed.
(http.request.uri.path contains "/wp-admin" and ip.src ne YourIP) or (http.request.uri.path contains "wp-login.php" and ip.src ne YourIP)
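To see what the rule above actually matches, and how it changes once a country condition is added as the original question asks, here is a small evaluator written for this thread (it is not Cloudflare code or the answerer's code). It mirrors the rule's `contains` / `ne` logic over a handful of constructed request records; the admin address `203.0.113.10` stands in for `YourIP`, the home country `NL` and the sample IPs are constructed, and the country extension corresponds to appending `and ip.geoip.country ne "NL"` to each clause.

```python
# Added example: a mini evaluator that mirrors the Cloudflare firewall rule
# quoted in the answer, run over constructed request records.
# Not Cloudflare code; all addresses and countries below are constructed.
from dataclasses import dataclass

ADMIN_IP = "203.0.113.10"   # constructed placeholder for "YourIP" in the rule
HOME_COUNTRY = "NL"         # the poster runs a Dutch site

# Paths the thread wants protected; the base rule only covers the first two.
PROTECTED_PATHS = ("/wp-admin", "wp-login.php", "xmlrpc.php")


@dataclass
class Request:
    ip: str       # ip.src
    country: str  # ip.geoip.country
    path: str     # http.request.uri.path


def matches_base_rule(req: Request) -> bool:
    """Equivalent of the rule as posted:
    (http.request.uri.path contains "/wp-admin" and ip.src ne YourIP)
    or (http.request.uri.path contains "wp-login.php" and ip.src ne YourIP)
    """
    hits_path = any(p in req.path for p in ("/wp-admin", "wp-login.php"))
    return hits_path and req.ip != ADMIN_IP


def matches_geo_rule(req: Request) -> bool:
    """Country-aware variant answering the original question: block the
    protected paths (xmlrpc.php included) only when the request is neither
    from the owner's IP nor from the home country. Same as adding
    `and ip.geoip.country ne "NL"` to each clause of the base rule."""
    hits_path = any(p in req.path for p in PROTECTED_PATHS)
    return hits_path and req.ip != ADMIN_IP and req.country != HOME_COUNTRY


# Constructed sample traffic (documentation-range IPs, not real visitors).
SAMPLE = [
    Request("203.0.113.10", "NL", "/wp-admin/"),     # site owner
    Request("198.51.100.7", "NL", "/wp-login.php"),  # Dutch visitor at login
    Request("192.0.2.44", "US", "/wp-login.php"),    # foreign login attempt
    Request("192.0.2.45", "CN", "/xmlrpc.php"),      # foreign xmlrpc hit
    Request("192.0.2.46", "US", "/blog/post-1/"),    # ordinary page view
]


def blocked_by(rule, requests=SAMPLE):
    """Return the source IPs a given rule would block."""
    return [r.ip for r in requests if rule(r)]


if __name__ == "__main__":
    print("base rule blocks:", blocked_by(matches_base_rule))
    print("geo rule blocks: ", blocked_by(matches_geo_rule))
```

Running it shows the trade-off between the two forms: the rule as posted blocks every login or admin request that is not from the owner's IP, Dutch visitors included, and says nothing about xmlrpc.php; the country-aware variant lets home-country traffic through, so it only makes sense if nobody but the owner needs to log in from abroad.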
In my opinion, the best approach to protect these assets (/wp-login.php, /wp-admin, /xmlrpc.php, etc.) is to create Access Policies for them. You can set authentication based on Google, Facebook, GitHub, etc. You can create Access Groups with the emails of every member. All they have to do is authenticate that they are actually the ones who have that email account.