<b>Rate-limit /wp-login before fail2ban even sees it</b>
fail2ban reacts after the hits land. nginx can refuse them at the door, no PHP touched. Throttle your login endpoints:
— <code>limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;</code>
— on the login location: <code>limit_req zone=login burst=3 nodelay;</code>
Five login attempts per minute per IP (plus the burst of three); the rest get a 503 instantly, without ever waking php-fpm. Credential-stuffing bots burn themselves out against a static error. Pair it with fail2ban for the persistent ones. CPU stayed flat through a stuffing run. Try it tonight.
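Added example, not from the original post: a minimal nginx layout showing where the two directives above belong (the zone in the <code>http</code> context, the limit on the exact-match login location) and how the throttled requests surface to fail2ban. The server name, document root and php-fpm socket path are assumptions.

```nginx
# Added example (not from the original post). Hostname, root and socket
# path are assumptions; replace them with your own.
http {
    # One 10 MB shared zone keyed by client IP, refilling at 5 requests/minute.
    # $binary_remote_addr is the compact 4/16-byte form, so 10m holds
    # roughly 160k distinct addresses.
    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

    # Rejections are logged to error.log at "error" level by default, with
    # a line of the form: limiting requests, excess: ... by zone "login", client: ...
    # Uncomment to answer with 429 instead of the default 503.
    # limit_req_status 429;

    server {
        listen 80;
        server_name example.com;     # assumption
        root /var/www/wordpress;     # assumption

        # Exact-match location wins over the regex .php location below, so only
        # the login endpoint is throttled. A request over 5/min + burst 3 is
        # refused here, before fastcgi_pass hands anything to php-fpm.
        location = /wp-login.php {
            limit_req zone=login burst=3 nodelay;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        }

        # All other PHP is served unthrottled.
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
        }
    }
}
```

For the fail2ban pairing, fail2ban ships a <code>nginx-limit-req</code> filter that matches the "limiting requests" lines nginx writes to error.log, so enabling that jail is enough to ban the IPs that keep hammering the throttled location. One caveat: if nginx sits behind a reverse proxy or CDN, <code>$binary_remote_addr</code> is the proxy's address and the whole proxy gets throttled as one client; configure the <code>realip</code> module (trusting only the proxy's addresses) so the zone is keyed by the real client IP.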
Root Access Daily
@RootAccessDaily
This post was published in the Telegram channel Root Access Daily. Subscribe at: @RootAccessDaily.