[inside65]

I blocked almost all wp-login bots just using bot fight mode in Cloudflare few months ago along with some CF page rules to run an interstatial. It seems to losing effectiveness over time though, and since I do have WP-login, I wonder how I can implement something like your idea.

Maybe rename the legit login and put this in its place, but that would cause issues for redirects from the legit login link...

[austinkhale]

Change your login path to something like /custom-admin. Then create a page rule to captcha any attempt to access /wp-login. What traffic other than bots is going to go to the old login page? You can change the login link to go to the new page.

[danuker]

or better yet /custom-admin-07a4b58e-3880-11ec-904e-ba0baece2ff4

[weird-eye-issue]

There are some popular WP plugins that takes care of changing the wp-login path