I’d like to know this too!
Wordfence would never ever modify or patch WordPress core. Regarding the WordPress behavior referenced here, the Wordfence rate limiting prevents any abuse that could lead to website server overload and a resulting successful DoS attack.
Set up your rate limiting in Wordfence, and you’re good.
It would be nice to see WordPress take care of this sort of thing, but they seem to be more concerned about keeping the Hello Dolly plugin working well.
MTN
“…they seem to be more concerned about keeping the Hello Dolly plugin working well.”
LOL
Hi,
The recent “DoS flaw” in WordPress core, designated as CVE-2018-6389, does not have enough data associated with it to indicate that it is a new threat. The attack relies on making multiple HTTP requests to a WordPress endpoint that is designed to generate some load. The load that the target PHP script generates does not appear to be orders of magnitude more than other WordPress core PHP scripts.
The web allows unauthenticated HTTP requests from client to server in order to provide its basic function. If an attacker sends enough HTTP requests to any website, they will DoS that website. In this case, the report is simply an attacker overwhelming a low resource website with a large number of requests. The endpoint doesn’t seem relevant.
Therefore we are considering this a non-issue and would class this attack with other DoS and DDoS style attacks.
Wordfence continuously monitors attack patterns on the web. If we determine that an IP or set of IP addresses is engaging in malicious activity, we will block those attackers from making any request to your website. We will continue to monitor this situation and, where we deem necessary, we will block malicious actors.
Thanks.
@wfalaa – nice answer. I’m going to link to it for a client. Also, I’m adding a further clarification.
This means Wordfence will block (and prevent) this activity *if you set it up to do so* – the endpoint does not matter. If you limit requests per IP you’ll be able to block this out using Wordfence.
Yes, with Wordfence you can limit requests per IP in a number of different ways, though remember, the IP can still hit your server, receive a blocking or error message, and thus still use resources. But unless you are specifically targeted for a major DDoS effort, Wordfence has what you need. MTN
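The per-IP request limiting the replies above rely on, shown as an added illustration (this is not Wordfence's or WordPress's code): a sliding-window counter replayed over constructed access-log lines, which deliberately ignores the request path because, as the thread argues, the endpoint does not matter. The window length, the limit, the IP addresses and the paths are all assumed sample values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60  # assumed sliding-window length per client IP
MAX_REQUESTS = 5     # assumed requests allowed per IP inside one window

# Constructed sample access-log lines (Common Log Format), not real traffic:
# 203.0.113.7 bursts eight requests in 14 s across mixed paths,
# 198.51.100.20 sends three requests spaced 30 s apart.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2018:10:00:00 +0000] "GET /a.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:02 +0000] "GET /b.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:04 +0000] "GET /c.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:06 +0000] "GET /a.php HTTP/1.1" 200 512
198.51.100.20 - - [06/Feb/2018:10:00:07 +0000] "GET /index.php HTTP/1.1" 200 900
203.0.113.7 - - [06/Feb/2018:10:00:08 +0000] "GET /b.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:10 +0000] "GET /c.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:12 +0000] "GET /a.php HTTP/1.1" 200 512
203.0.113.7 - - [06/Feb/2018:10:00:14 +0000] "GET /b.php HTTP/1.1" 200 512
198.51.100.20 - - [06/Feb/2018:10:00:37 +0000] "GET /index.php HTTP/1.1" 200 900
198.51.100.20 - - [06/Feb/2018:10:01:07 +0000] "GET /index.php HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse_line(line):
    """Return (ip, unix_time, path) for one Common Log Format line."""
    ip, stamp, path = LOG_RE.match(line).groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ip, ts, path

def over_limit(history, ip, ts, window, limit):
    """Record one hit for ip at time ts; True if the window now holds more than limit."""
    hits = history[ip]
    while hits and ts - hits[0] > window:   # forget hits that fell out of the window
        hits.popleft()
    hits.append(ts)  # a blocked request still counts: it still reached the server
    return len(hits) > limit

def blocked_per_ip(log_text, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
    """Replay a log in timestamp order; count requests each IP would have had blocked."""
    history, blocked = defaultdict(deque), defaultdict(int)
    records = sorted(map(parse_line, log_text.splitlines()), key=lambda r: r[1])
    for ip, ts, _path in records:  # the path is intentionally not consulted
        if over_limit(history, ip, ts, window, limit):
            blocked[ip] += 1
    return dict(blocked)
```

Lowering the limit or widening the window catches slower floods at the cost of more false positives, so the sample bursty client is flagged with the defaults but not with a 5-second window.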