Hi, WordPress brute-force attacks produce high CPU load.
Here are some simple examples to get rid of that issue with mod_qos.
Install the Apache module and enable it:
apt install libapache2-mod-qos
a2enmod unique_id qos setenvif
For global mitigation, edit your Apache module config:
/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
# minimum request rate (bytes/sec at request reading):
#QS_SrvRequestRate 120
# limits the connections for this virtual host:
#QS_SrvMaxConn 100
# allows keep-alive support till the server reaches 600 connections:
#QS_SrvMaxConnClose 600
# allows max 50 connections from a single ip address:
#QS_SrvMaxConnPerIP 50
# allows a single IP address to access the URIs /xmlrpc.php and
# /wp-login.php not more than 10 times each within 2 minutes:
SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>
Per-VirtualHost mitigation, in the virtual host's Apache config:
<IfModule qos_module>
# limits concurrent requests to the locations:
QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
# does not allow more than 1 requests/sec:
QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1
# limits concurrent requests to the locations:
QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
# does not allow more than 1 requests/sec:
QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>
Have fun!
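
Added example, not part of the original post: before enabling the 10-requests-per-120-seconds limit above, this script replays an Apache access log and lists the clients that would exceed it, so the threshold can be tuned against real traffic. It assumes the common/combined log format, and the sliding window is an approximation for tuning, not mod_qos's internal counter; the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LIMIT, WINDOW = 10, 120   # same numbers as "QS_ClientEventLimitCount 10 120"
WATCHED = ("/wp-login.php", "/xmlrpc.php")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def offenders(lines, limit=LIMIT, window=WINDOW):
    """Return {(ip, uri): peak} for clients whose peak number of hits on a
    watched URI inside any `window` seconds is greater than `limit`."""
    recent = defaultdict(deque)   # (ip, uri) -> timestamps still in the window
    peak = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not an access-log entry
        ip, stamp, target = m.groups()
        # Prefix match, like the start-anchored SetEnvIf patterns in the post.
        uri = next((u for u in WATCHED if target.startswith(u)), None)
        if uri is None:
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        q = recent[(ip, uri)]
        q.append(ts)
        while ts - q[0] >= window:    # drop hits that left the window
            q.popleft()
        peak[(ip, uri)] = max(peak.get((ip, uri), 0), len(q))
    return {k: v for k, v in peak.items() if v > limit}

def sample_log():
    """Constructed sample lines (documentation IP ranges, made-up times)."""
    def entry(ip, s, path):
        return (f'{ip} - - [01/Jan/2024:10:{s // 60:02d}:{s % 60:02d} +0000] '
                f'"POST {path} HTTP/1.1" 200 512')
    lines = [entry("203.0.113.7", 5 * i, "/wp-login.php") for i in range(15)]
    lines += [entry("192.0.2.9", 30 * i, "/xmlrpc.php") for i in range(12)]
    lines.append(entry("198.51.100.4", 0, "/index.php"))
    return lines

if __name__ == "__main__":
    for (ip, uri), n in sorted(offenders(sample_log()).items()):
        print(f"{ip} {uri}: {n} requests within {WINDOW}s (limit {LIMIT})")
```

To check a real log, pass an open file instead of the sample, for example offenders(open("/var/log/apache2/access.log")).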