Protect Brute Force wp-login.php and xmlrpc.php


New Member

I am able to block brute force attacks using Wordfence but even though I see CPU usage spikes related with lsphp process. CPU gets to 100% for long time.
I am guessing it is because the blocking is not being performed by lsphp itself and each attack is handled as a request by lsphp, and after blocked by Wordfence.

How would you deal with this attacks?

I am using:
- Cyberpanel 2.0.3
- Openlitespeed 1.6.4
- Php 7.4
- Mod_security with Comodo 3 rules
- Cloudflare
- Wordpress 5.5.3
- Wordfence plugin

Google Cloud Server:
- 2CPU
- 3 GB RAM


New Member
Thanks for your answer.
Does anyone has a Rewrite Rule for protecting wp-login.php and xmlrpc.php files from being attacked using reCaptcha ?
I would not want to block callbacks from payment processors.

Thank you very much!