You can use this BPS Bonus Custom Code below and modify it so that it is not limited to just the login page to block blank User Agents/Bots sitewide, but be prepared to use FTP and delete the root htaccess file manually if your host server does not allow this code or your site crashes.
https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/
This code below will block/Forbid are large number of automated Brute Force Login attempts based on Server Protocol HTTP/1.0, which is an outdated Server Protocol used by hackers and spammers on older Proxy software or modified Proxy software for various beneficial reasons to those hackers and spammers. This code has a 95%/5% success fail ratio meaning that this code works on 95% of websites/Servers and does not work on 5% of websites/Servers. See the IMPORTANT NOTE below.
IMPORTANT NOTE: If you see a 403 error on your login page when trying to login or log out of your website then you cannot use this code on your Server/Website and will need to delete this code to correct the 403 error on login and logout.
# BRUTE FORCE LOGIN PAGE PROTECTION
# Protects the Login page from SpamBots, HackerBots & Proxies
# that use Server Protocol HTTP/1.0 or a blank User Agent
RewriteCond %{REQUEST_URI} ^(/wp-login\.php|.*wp-login\.php.*)$
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{THE_REQUEST} HTTP/1\.0$ [OR]
RewriteCond %{SERVER_PROTOCOL} HTTP/1\.0$
RewriteRule ^(.*)$ - [F,L]
To modify the code and have it work sitewide instead of just on the login page and just block blank user agents/bots and nothing else you would do something like this:
# sitewide protection against blank User Agents/Bots
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^(.*)$ - [F,L]
