我体验到，我的服务器收到了99%的CPU负载，站点几乎停机。

已检查访问日志文件，有大量以下条目：

203.115.XXX.XXX - - [13/Oct/2017:12:40:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 178
212.92.XXX.XXX - - [13/Oct/2017:12:40:01 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
218.29.XXX.XXX - - [13/Oct/2017:12:40:02 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
104.130.XXX.XXX - - [13/Oct/2017:12:40:02 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
176.123.XXX.XXX - - [13/Oct/2017:12:40:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 178
45.115.XXX.XXX - - [13/Oct/2017:12:40:03 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
212.92.XXX.XXX - - [13/Oct/2017:12:40:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 178
31.179.XXX.XXX - - [13/Oct/2017:12:40:04 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
92.240.XXX.XXX - - [13/Oct/2017:12:40:07 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
92.240.XXX.XXX - - [13/Oct/2017:12:40:07 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1
61.5.XXX.XXX - - [13/Oct/2017:12:40:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 178
201.59.XXX.XXX - - [13/Oct/2017:12:40:07 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.0" 200 1

在几个小时内，几乎有800个相同IP的单个请求。这对我来说似乎不太自然。此外，据分析，发生这种情况时，页面上的用户并不多。

因此，这起袭击似乎来自外部，并影响了我的服务器电源。

阻止访问管理ajax时。php文件，cpu负载恢复到1-3%，一切正常。

我的问题是：有没有办法block these spamming requests to the admin-ajax.php 来自“的文件”；“外部”；and only allow installed plugins/theme to access the admin-ajax.php file instead?

更新

我的网站似乎真的被一些机器人/服务器垃圾邮件了。

尝试了几种方法，如Cloudflare、不同的托管等。唯一有帮助的是使用Sucuri 作为阻止一切的网站防火墙。

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule ^wp-admin/admin-ajax.php - [F,L]

<Locationmatch "/wp-admin/admin-ajax.php">
SecRule REQUEST_METHOD "POST" "deny,status:401,id:972687,chain,msg:\'wp-admin ajax request blocked, no referrer\'"
SecRule &HTTP_REFERER "@eq 0"
</Locationmatch>