I just read your announcement of the WordPress bouncer: Protect your WordPress sites with CrowdSec - Security Automation based on behavior & reputation and then I had a look at your plugin: CrowdSec – WordPress plugin | WordPress.org
I am just wondering if this is really the “ideal” way to handle things, seeing that the connections are made to WordPress, PHP gets loaded and then the plugin says “captcha” or “block”.
Would it not be more resource friendly to use a plugin like this one: WP fail2ban – Advanced Security Plugin – WordPress plugin | WordPress.org which simply logs all login attempts – including via XML-RPC, whether successful or not, to syslog using LOG_AUTH and then have a CrowdSec parser check the logs and handle it with any bouncer you like?
The benefit of the second method is that if an IP is blocked, there won’t be any traffic as the blacklisted IP will be blocked before it even hits PHP.
I was using the method I described with fail2ban before I discovered CrowdSec so I was wondering if this method sounds like something you might implement in your plugin - i.e. enable logging to syslog + WordPress parser? This way one could choose between the methods?
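
The log-based flow described in the post above (login attempts written to syslog, a parser reading them, a decision handed to a bouncer), as an added example that is not part of the original post and is not code from CrowdSec or either plugin. The syslog line shape, the failure message strings, the sample log and the names `parse_line` and `ips_to_ban` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example, not taken from either plugin):
#   <ISO timestamp> <host> wordpress(<site>)[<pid>]: <message> from <ip>
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ wordpress\([^)]*\)\[\d+\]: "
                     r"(?P<msg>.+?) from (?P<ip>[0-9A-Fa-f:.]+)$")
# Assumed failure messages; adjust to what the logging plugin really emits.
FAILURE_PREFIXES = ("Authentication failure", "XML-RPC authentication failure")

# Constructed sample log using documentation-range addresses.
SAMPLE_LOG = """\
2024-01-01T10:00:00+00:00 web1 wordpress(example.org)[812]: Authentication failure for admin from 203.0.113.7
2024-01-01T10:00:05+00:00 web1 wordpress(example.org)[812]: XML-RPC authentication failure for admin from 203.0.113.7
2024-01-01T10:00:09+00:00 web1 wordpress(example.org)[813]: Accepted password for editor from 198.51.100.23
2024-01-01T10:00:12+00:00 web1 wordpress(example.org)[812]: Authentication failure for root from 203.0.113.7
2024-01-01T10:00:20+00:00 web1 wordpress(example.org)[814]: Authentication failure for editor from 198.51.100.23
2024-01-01T10:00:30+00:00 web1 sshd[99]: Failed password for root from 203.0.113.7 port 22 ssh2
2024-01-01T10:05:00+00:00 web1 wordpress(example.org)[815]: Authentication failure for editor from 198.51.100.23
2024-01-01T10:09:00+00:00 web1 wordpress(example.org)[816]: Authentication failure for editor from 198.51.100.23
""".splitlines()

def parse_line(line):
    """Return (timestamp, ip, is_failure), or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"],
            m["msg"].startswith(FAILURE_PREFIXES))

def ips_to_ban(lines, threshold=3, window=timedelta(seconds=60)):
    """IPs with `threshold` failed logins inside a sliding `window` (lines in time order)."""
    recent = defaultdict(deque)    # ip -> timestamps of recent failures
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, failed = parsed
        if not failed or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that left the window
            q.popleft()
        if len(q) >= threshold:
            banned.append(ip)      # a firewall-level bouncer would act on this
    return banned
```

With the sample log, only the address that fails three times within a minute is returned; the one whose failures are spread over several minutes is not.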