HACKER Q&A
📣 nanna

A decentralised way to fight DDoS attacks?


Hi HN,

A simple WordPress website and server I manage have been suffering a DDoS recently, and my attempts to combat it via fail2ban failed, so I've ended up using Cloudflare. Putting a huge centralised service in between the website and its readers feels like a privacy failure to me.

It's a simple website hosted on a physical server. The DDoS attack is trying to brute-force /xmlrpc.php and /wp-login.php, so I'd blocked all access to xmlrpc.php in nginx, jailed any IPs that requested it in fail2ban, and rate-limited access to /wp-login.php. But still, endless requests to both are being made many times a second from an endless series of IPs, crashing the server on a daily basis. Now that I've got Cloudflare in the way, I'm hoping to turn away the buggers before they reach the server. But is there no decentralised alternative?


  👤 warrenm Accepted Answer ✓
I periodically get floods of requests to the WordPress sites I run, but have never been DDoS'd.

I'm curious as to your host specs: WordPress isn't the only thing running on my server, so the specs I've got may not make sense for you, but I'd lean towards a server configuration issue before wanting to rely on Cloudflare's skeeziness.


👤 johnklos
This is par for the course. All domains get bots trying to brute force. It just means your site is more popular than the average.

Really, xmlrpc.php and wp-login.php should not be accessible at all. You can rename wp-login.php, or you can make it available to specific IP address(es), or you can use ssh -L to access it via SSH.

It might be helpful to do a histogram of the IPs that try to access those files and sort it so you can see if many attempts are coming from IPs on the same networks. If so, you can report the most egregious ones to their ISPs, and/or you can outright block whole networks.

I've done this with large parts of HiNet in China because they allow any kind of abuse and don't take any actions whatsoever. It has cut my logs significantly.
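The histogram johnklos describes, as an added shell example that is not part of the thread: it tallies hits on xmlrpc.php and wp-login.php per client IP and per /24 from an nginx access log in the default "combined" format, and then emits nginx deny directives for any /24 above a threshold, which is the "block whole networks" step. The log lines are constructed for the demo; the path of your real log (typically /var/log/nginx/access.log, passed via LOG) is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the per-IP and per-network
# histogram of hits on the two attack targets from an nginx access log in the
# default "combined" format, then emits nginx deny lines for noisy /24s.
# The log lines are constructed for the demo; point LOG at your real file.

write_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.10 - - [01/May/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.10 - - [01/May/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.77 - - [01/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
198.51.100.23 - - [01/May/2024:10:00:03 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2891 "-" "Mozilla/5.0"
203.0.113.5 - - [01/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2891 "-" "python-requests/2.31"
203.0.113.5 - - [01/May/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
203.0.113.5 - - [01/May/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.44 - - [01/May/2024:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# Client IP of every request whose path is exactly /xmlrpc.php or /wp-login.php
# (an optional query string is allowed). In combined format the path is field 7.
attack_ips() {
  awk '$7 ~ /^\/(xmlrpc|wp-login)\.php(\?.*)?$/ { print $1 }' "$1"
}

# Histogram per IP, busiest first: "<count> <ip>".
top_ips() {
  attack_ips "$1" | sort | uniq -c | sort -rn
}

# Histogram per /24: collapse a.b.c.d to a.b.c.0/24 so a botnet spread across
# one provider's range shows up as one line instead of dozens.
top_networks() {
  attack_ips "$1" | awk -F. '{ print $1 "." $2 "." $3 ".0/24" }' | sort | uniq -c | sort -rn
}

# Count for one IP or one a.b.c.0/24 key; prints 0 when the key is absent.
count_for() {
  {
    case "$2" in
      */24) top_networks "$1" ;;
      *)    top_ips "$1" ;;
    esac
  } | awk -v k="$2" '$2 == k { print $1; found = 1 } END { if (!found) print 0 }'
}

# nginx "deny" directives for every /24 with at least THRESHOLD hits. Review
# the list before deploying it: a /24 may also hold legitimate readers.
deny_list() {
  top_networks "$1" | awk -v t="$2" '$1 >= t { print "deny " $2 ";" }'
}

# Demo run: uses the constructed log unless LOG points at a non-empty file.
LOG="${LOG:-$(mktemp)}"
[ -s "$LOG" ] || write_sample_log "$LOG"
echo "== hits per IP =="
top_ips "$LOG"
echo "== hits per /24 =="
top_networks "$LOG"
echo "== deny lines for networks with at least 4 hits =="
deny_list "$LOG" 4
```

In the constructed data the single busiest IP (203.0.113.5, three hits) is not in the busiest network (198.51.100.0/24, four hits spread over three addresses), which is exactly the pattern the per-network view is for: per-IP banning with fail2ban never catches up with a range of rotating addresses, while one deny line covers it. The emitted deny lines go in a server{} or http{} block, followed by nginx -t and a reload.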


👤 python273
I guess moving the admin to a non-default path and dropping connections on the default paths should work. nginx has a special 444 status code for dropping the connection [0].

[0] https://stackoverflow.com/questions/20709549/drop-unwanted-c...
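The nginx side of what python273 suggests, as an added shell example that is not from the thread: two functions render the http{} and server{} fragments that drop xmlrpc.php with 444, drop wp-login.php for everyone outside an admin range, and rate-limit the admins who remain. The admin CIDR (203.0.113.0/24), the snippet file names and the PHP-FPM socket path are assumptions for the demo. WordPress core has no setting to rename wp-login.php (that needs a plugin or edits the thread does not cover), so this leaves the path alone and relies on the allowlist instead.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits nginx fragments that close
# the connection (444: socket closed, no response sent) for the default
# WordPress attack targets and keep wp-login.php reachable only from an admin
# range. File paths and the PHP-FPM socket below are assumptions; adjust them.

# Fragment for the http{} context: the admin allowlist as a geo map plus the
# rate-limit zone used by the login location. Usage: wp_harden_http_conf CIDR
wp_harden_http_conf() {
  # Quoted heredoc keeps nginx's own $variables literal; only the placeholder
  # is substituted.
  sed "s|__ADMIN_CIDR__|$1|g" <<'EOF'
# --- http{} context (e.g. conf.d/wp-harden-http.conf) ---
# 1 for the admin range, 0 for everyone else; geo matches on $remote_addr.
geo $admin_net {
    default          0;
    __ADMIN_CIDR__   1;
}
# 10 login requests per minute per client IP, shared by every server{} that
# references zone=wplogin.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;
EOF
}

# Fragment for the server{} context, included from the WordPress vhost.
wp_harden_server_conf() {
  cat <<'EOF'
# --- server{} context (e.g. snippets/wp-harden.conf) ---
# xmlrpc.php: close the connection without a response. Nothing for the bot
# to parse and no 403 page for PHP or nginx to render on every hit.
location = /xmlrpc.php {
    return 444;
}

# wp-login.php: same treatment for anyone outside the admin range; admins
# are still rate limited so one compromised admin host cannot hammer PHP.
location = /wp-login.php {
    if ($admin_net = 0) {
        return 444;
    }
    limit_req zone=wplogin burst=5 nodelay;
    # Assumption: Debian-style PHP-FPM setup. Copy your existing php location.
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
EOF
}

# Demo run: render both fragments for a documentation-range admin network.
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"
wp_harden_http_conf "$ADMIN_CIDR"
echo
wp_harden_server_conf
```

Redirect each function's output into its file, include the first from http{} and the second from the WordPress server{}, then run nginx -t before reloading. Two caveats before copying this onto a live site: xmlrpc.php is what Jetpack and the WordPress mobile apps use, so returning 444 there breaks them, and wp-login.php also handles logout and password resets for every user, so a site whose readers log in cannot allowlist it this way. Also, 444 only spares PHP and the response path; nginx still accepts and parses each connection, so it lightens the load from a brute-force flood but does not replace upstream filtering against a true volumetric DDoS.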