you might want to look at this:
How to block access to your server [webmasterworld.com]

A free solution is to host a IP geolocation database on your server (Maxmind offer a free version) and with some server-side code you can block countries by their two-letter contry code.

Your other option it to whitelist what is allowed, rejecting anything that does not match.

If you block specific IP ranges of the worst offenders, you will drastically cut down your traffic to a dull roar instead of a tsunami wave. There are some well known and persistent actors, so if you knock them out traffic will certainly go down. Go through your raw access log and target those that are trying to break into your site, or are looking for vulnerabilities. They are very easy to spot. If you have time, then go after bots that simply waste bandwidth with daily requests for everything.

I also recommend installing 2FA two factor authentication on your WP site, as well as do a scan for vulnerabilities. One of the main issues are bots trying to break into your security using brute force. This can really waste resources. Send them 400s with 2FA.

If each site is a subdirectory and not in root, you can use a single htaccess and SetEnvIf to protect them, using inheritance.

If the 400 parked domains are only redirecting traffic to the one you wish to protect, you only need to pay the DNS fees for that one domain. The others are dropped at its door, right?

More specifically, if these are parked (not viable domains) then the only thing you want is bots from g and bing. That should be four (4) allowed bots (2 each) and pretty simple ips allowed. If these are for sale, then take other steps to include allowed resources.

A free solution is to host a IP geolocation database on your server (Maxmind offer a free version) and with some server-side code you can block countries by their two-letter contry code.

Thanks; I ended up using the WP plugin IP2Location Country Blocker which is working pretty well. I am using the free dbs for the time being which have hugely dropped traffic overall but there seems to be holes in both of them. I am close to the US/CA border and not sure if this is a factor as I am still getting shall I say cr@p out of the PNW area.

It is kind of a band aid solution, it would be nice to protect at the server level as opposed to app level but I am on a shared account for now.

Your other option it to whitelist what is allowed, rejecting anything that does not match.

That is still a pretty large amount of info to process with every request, no? (all of Canada and the US)

If you block specific IP ranges of the worst offenders, you will drastically cut down your traffic to a dull roar instead of a tsunami wave. There are some well known and persistent actors, so if you knock them out traffic will certainly go down. Go through your raw access log and target those that are trying to break into your site, or are looking for vulnerabilities. They are very easy to spot. If you have time, then go after bots that simply waste bandwidth with daily requests for everything.

a htaccess file is going to get pretty big pretty fast; I think that an ideal solution would be to incorp a geo db at a firewall/http server level and then deal with the rest

I also recommend installing 2FA two factor authentication on your WP site, as well as do a scan for vulnerabilities. One of the main issues are bots trying to break into your security using brute force. This can really waste resources. Send them 400s with 2FA.

That I am not so worried about; I have long random passwords and login limit protection in place as well as other low hanging fruit taken care of.

If each site is a subdirectory and not in root, you can use a single htaccess and SetEnvIf to protect them, using inheritance.

all resolve to one root.

If the 400 parked domains are only redirecting traffic to the one you wish to protect, you only need to pay the DNS fees for that one domain. The others are dropped at its door, right?

Not exactly sure, I am pretty much a n00b. All domains are registered at a third company; nameservers are set to resolve with my hosting company and parked on my "master" domain.

So a request for domainnumber51.com as an example, would be served by my hosting company and sent to my IP address/master domain still, no?

More specifically, if these are parked (not viable domains) then the only thing you want is bots from g and bing. That should be four (4) allowed bots (2 each) and pretty simple ips allowed. If these are for sale, then take other steps to include allowed resources.

They are viable, they resolve to a page generated for each domain.

Thanks.

You could install a Wordpress security plugin (WP Cerber Security, i.e.) and get many ideas while checking the reports.

That is still a pretty large amount of info to process with every request, no? (all of Canada and the US)

Who do you want to access these pages?

Whitelisting is far easier than blacklisting by a long shot.

I assumed the domains are "viable" since they are parked. They do not have any CONTENT, correct? If that is the case Tom, Dick and Harry won't be interested.

You could install a Wordpress security plugin (WP Cerber Security, i.e.) and get many ideas while checking the reports.

I am running an excellent free firewall, WP Cerber, Honeypot Toolkit and now IP2location country block as active defences.

IP2 seems to have holes, but it has now got me to the point that I can start to manage some of the more hazardous threats. If anything is going to get me it is going to be something poking out from a freaking Tornode; but those are endless also: [dan.me.uk...] .

Just for reference, 5 weeks running now with IP2 up for the past week and I am at 96k visitors and 372k hits. It is safe to say that 99.99999% of that traffic is undesirable.

Perhaps I should just roll with it and put banner ads up? ;)

Who do you want to access these pages?

Whitelisting is far easier than blacklisting by a long shot.

I assumed the domains are "viable" since they are parked. They do not have any CONTENT, correct? If that is the case Tom, Dick and Harry won't be interested.

All of the domains are for sale, so what should happen is that Tom, Dick or Harriett goes to a WHOIS and then goes to the domain to pursue the matter further or not; or someone comes across the name in a search and clicks and resolves. Each domain has its own page that is generated with a title, keywords, graphics and a blurb, so not really "content" but not a generic parking page either.

Whitelisting is going to be hugely more workable, but even a whitelist for Canada alone is going to be sizable. apache will have to parse that list for every http request and that will slow/load it down, no?

798 KB allow IP list for Canada and I would like to open it up to the US also - [ip2location.com...]

goes to a WHOIS and then goes to the domain to pursue the matter further

With changes to whois after GDPR ... that might not be so easy.

IP bans alone are not how you manage undesirable traffic. Take a look at the Spider forum here [webmasterworld.com...]

798 KB allow IP list for Canada

wtf? The last time I compiled a list of Canadian IP ranges, it came out to 87k. And that's including the < /24 slivers--/27 here, /29 there--living on other regions' servers, which you would almost certainly never bother to whitelist.

With changes to whois after GDPR ... that might not be so easy.

it hasn't changed recently, not here at least we have had privacy for a while; most people with some knowledge will run names through a registry, or direct at CIRA and then investigate further; the domain name, if it is taken will resolve to my site. All one has to do is type in the domain name.

The last time I compiled a list of Canadian IP ranges, it came out to 87k. And that's including the < /24 slivers--/27 here, /29 there--living on other regions' servers, which you would almost certainly never bother to whitelist.

Is there another way; 798 is the output from IP2Location?

Is 798k the size after you've done all consolidation? For example
1.2.4.0/24 + 1.2.5.0/24 + 1.2.6.0/24 + 1.2.7.0/24 = 1.2.4.0/22
for a savings of 30 bytes or 75% of original filesize. And for the real space-guzzlers,
1.2.3.4/32 + 1.2.3.5/32 + etcetera = ... 0 (zero)
because anything in slivers that size is a server farm in the first place, and would therefore never be whitelisted.

Whitelisting acceptable human UA and desired bots and the other side of the equation has been helped immensely.