• My websites were blocked by my hosting provider because I was the victim of a brute force attack on wp-admin.
    In order to regain access to my site I had to filter the IP address in the .htaccess file to only my IP address.
    But as it’s a BuddyPress installation this blocks my users from logging in.
    I then found your plugin. So my question is: when an IP is blocked, will it still be able to stress the server? Or does it prevent that?
    Thanks!

Viewing 1 replies (of 1 total)
  • @andricor I apologize for the delay in responding, I only just now got all of WordPress’s notifications from the past 2 months. Yes, it would still add a strain on the server. My suggestion to block bots from hammering the form is to set up an HTTP auth layer on wp-config.php, where you can put both the username and password into the popup box, something like this:

    # Put HTTP Basic auth in front of the login form only; the rest of the site stays open
    <Files wp-login.php>
    AuthType Basic
    AuthName "WordPress login form protection, please enter 'human' as the username and 'password' as the password"
    AuthBasicProvider file
    # absolute path to the password file created with htpasswd (keep it outside the web root)
    AuthUserFile /home/username/.htpasswds/.htpasswd
    Require valid-user
    ErrorDocument 401 "WordPress login denied"
    </Files>

    You will need to create the .htpasswd file as well, which you can use this tool to do:

    https://www.htaccesstools.com/htpasswd-generator/

    Just make sure you match the path where you put the .htpasswd file. Then real users can read the title and reach the login form to log in to WordPress, whereas bots won’t. I have used this on multiple client sites and it is very effective. I would also recommend blocking all access to xmlrpc.php, aside from WordPress itself (Jetpack connects to the WordPress servers so they need to be able to get through):

    # Deny xmlrpc.php to everyone except localhost and the WordPress.com range (Jetpack)
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    ErrorDocument 403 "Denied"
    Allow from 127.0.0.1
    # WordPress.com range, needed so Jetpack can still connect
    Allow from 192.0.64.0/18
    </Files>

    I hope this helps.

    -Michael
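
The reply's point is that blocked bots still hit wp-login.php and xmlrpc.php; before adding the auth layer it helps to see which client IPs are actually hammering those two endpoints. This is an added example, not code from the thread or from the plugin: a small parser for Apache combined-format access log lines that counts POSTs per IP to the two endpoints and flags IPs over a threshold. The log lines, IP addresses and threshold are constructed for the demo.

```python
import re
from collections import Counter

# Apache "combined" log format: we only need client IP, request method,
# request path and status code; everything else is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The two endpoints the reply above puts behind HTTP auth / an IP allow list.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log: one noisy client, one ordinary user, one Jetpack-style
# call from the 192.0.64.0/18 range, and one unparsable line.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{i:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for i in range(15)
] + [
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.64.10 - - [10/Oct/2023:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "Jetpack"',
    'this line is not a valid access log entry',
]

def parse_line(line):
    """Return (ip, method, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))

def login_attempts(lines):
    """Count POST requests per client IP against the watched endpoints."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        ip, method, path, _status = rec
        if method == "POST" and path in WATCHED:
            counts[ip] += 1
    return counts

def flag_offenders(lines, threshold=10):
    """IPs with at least `threshold` login/xmlrpc POSTs, busiest first."""
    counts = login_attempts(lines)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n in flag_offenders(SAMPLE_LOG):
        print(f"{ip}: {n} POSTs to login/xmlrpc endpoints")
```

Run it over the real access log (one line per list element) to get the same per-IP counts; GET requests, which legitimate users make to load the form, are deliberately not counted.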

  • The topic ‘server cpu usage protection’ is closed to new replies.