What type of server are you on (Apache, IIS, nginx, miscellaneous-others)? Do you have control of your own access (.htaccess in Apache, or equivalent in other servers) or are you limited to CMS offerings? The reference to “plugins and rulesets” makes it sound as if you’re trying to do it all at second hand.

Keep checking this thread. Presently there will be a post from keyplyr or someone like him, listing a number of useful ongoing threads having to do in various ways with access control.

I do this, a lot of this. Here is my experience. Firstly note that there are 7B people in the world and one of you, so this will take a lot of time and energy. I initially felt very overwhelmed, but as my host provider was threatening to shut me down, I had little choice. That being said, this is a difficult but not impossible task. Spammers clump together, unsurprisingly, so once you find their hiding spots on the web, and begin banning them, life will get slowly easier.

I structured my sites in subdirs and no site in public_html. You have a single htaccess in public_html and allow it to be inherited by all sites. The htaccess in each of the sites remains bog standard. Use SetEnvIfs, which will be inherited by, and therefore protect all sites. This tip was from @Lucy.

Go through your raw access logs and pick out preferably the User Agents UAs and Referrers and then secondly IPs that are most annoying. For Wordpress, use Akismet but in settings "Always put spam in the Spam folder for review." My procedure for Wordpress is to allow the spam to accumulate, then match the Akismet spam entry to the raw access log. If you see a GET followed by a PUT from the same IP, then you can safely ban that IP. If you see IPs within the same range clump together, then expand the ban range.

If you see a GET from one IP followed by a PUT from a second IP, this is what I call a "dual IP spammer". The second IP will show up in Wordpress or your CMS, and is usually the innocent victim. If you ban it, the spammer will continue using the first GET IP and yet another different second IP. Look at your log and ban the first IP, and your serial spammer will be gone.

Diligently read your logs and eventually, you will reach a stage where you will only receive 20 spams in a half month. This is where I am currently. That said, there is a lot more in the details, new bots are created, tech changes, security breach attempts, more schemes are unearthed.

If you have no clue about the above info, then the studying begins. Webmasterworld is a good place to learn, but you will need to thicken your skin.

There are discussions about how and what to block in the Apache Forum [webmasterworld.com]

One recent thread there offers some ideas: [webmasterworld.com...]

and as keyplyr offers:

.. check your server logs to determine who/what is the cause.

Blocking Methods [webmasterworld.com]

Search Engine Spider & User Agent ID Forum [webmasterworld.com]

Server Farm IP Ranges [webmasterworld.com]

Hi neegan12 and welcome to WebmasterWorld [webmasterworld.com]

Note that the directory name /public_html/ is not universal. Depending on your hosting setup, the directory might instead have the name of your flagship domain, or a “username” associated with your account. If you only happen to have one domain on a given server, it won’t matter anyway.