I have a small cPanel server running some WordPress sites. Today I’ve noticed there is an IP attempting to log in. I’ve done a quick block for the IP in ConfigServer Firewall, but I can still see login attempts. If I try to ping the IP, it’s actually being blocked; not sure why it’s not working the other way.
Francisco has some in-house coded protection against this. Maybe ask him for help.
LiteSpeed has protection against WordPress brute force, not sure how effective.
Imunify360 has some ModSecurity rules that trigger a captcha if someone attempts to log in many times. You can pay for Imunify360, or run their trial and then find the rule that they use, and adapt it to your own solution.
I have a global rule that catches requests to those pages and then injects my click-thru page in between.
Nothing stops you from just adding a wordpress.conf file in /etc/apache2/conf.d/ that does some basic rewrites to catch the request and do whatever you want.
For my Centmin Mod LEMP stack WordPress auto installer, the wp-login.php and xmlrpc.php files are automatically set up with rate limiting at the nginx level. IIRC it works out to be like 1 request every 3 seconds.
Of course this all only works if you fix your Cloudflare real IP pass through to your web server first so that web server log files see visitor’s real IP.
There’s also a WP plugin for limiting login failures too.
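
The nginx-level rate limiting and the Cloudflare real-IP fix mentioned in the thread, written out as an added example; it is not taken from Centmin Mod or from any poster's configuration. The server name, document root, PHP-FPM address and the 192.0.2.0/24 range are placeholders or assumptions, and the burst value is an arbitrary choice.

```nginx
# Added example for the http {} context. Not Centmin Mod's own config.

# Restore the visitor's address when requests arrive through Cloudflare.
# Requires ngx_http_realip_module. 192.0.2.0/24 is a documentation
# placeholder: use Cloudflare's published ranges, one line per range.
set_real_ip_from 192.0.2.0/24;
real_ip_header   CF-Connecting-IP;

# One bucket per client address: 20 requests/minute = 1 every 3 seconds.
# The realip module runs first, so the key is the restored visitor IP,
# not the proxy's address.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=20r/m;
limit_req_status 429;

server {
    listen 80;
    server_name example.com;        # placeholder
    root /var/www/example.com;      # placeholder
    index index.php;

    # Regex locations are tested in file order, so this block must come
    # before the generic PHP handler or the limit is never applied.
    location ~ ^/(wp-login|xmlrpc)\.php$ {
        limit_req zone=wp_login burst=2 nodelay;   # burst is an assumption
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;               # assumed PHP-FPM listener
    }

    # Every other PHP request, with no rate limit.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Validate with `nginx -t` before reloading. Requests over the limit receive a 429 and are recorded in the error log as "limiting requests" entries with the client address.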