Sorry, I didn't see this post earlier. There are several methods to address this problem, but ultimately you want to stop the malicious traffic before it reaches MODX. A few of the methods:
- Enable CloudFlare
- Block in Firewall (send us the IPs)
- Block with .htaccess
- Block with PHP
Solutions such as CloudFlare leverage their global network to detect and block malicious traffic before it hits the server. Their business is stopping this traffic, so enabling it is highly recommended. You can do this in cPanel in a few seconds; it's a free service.
The remaining traffic at this point in time is borderline malicious, and blocking it is ultimately up to the end user / hosting provider. We maintain a global block list used among all of our servers; if you report malicious users, we will do our best to block them. We already have in excess of 500k addresses blocked, so we aren't afraid to use blocks.
In some cases the traffic isn't going to be worth blocking on a higher level, due to false positives, dynamic addresses, or other related reasons. You can still block these visitors using .htaccess rules as Bob shows above. The blocks only affect your sites vs. the server as a whole; while the block isn't as drastic, it's still very effective.
The final option is using some form of PHP to filter/block malicious traffic. This can work for lower-level stuff, but you ultimately want to use one of the above methods as they will work better.
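
An added example, not part of the original post or the host's own tooling: one way to turn an access log into a list of addresses to report to the host and a matching per-site .htaccess block. It assumes Apache combined log format, Apache 2.4 `Require` syntax, and a hypothetical rule of "3 or more requests to `/manager/`"; the log lines are constructed and use documentation IP ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /manager/ HTTP/1.1" 200 512 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /manager/ HTTP/1.1" 200 512 "-" "bot"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /manager/ HTTP/1.1" 200 512 "-" "bot"
198.51.100.20 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
not-an-ip - - [10/Mar/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 100 "-" "x"
"""

# client address, then the request method and path from the quoted request line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def count_hits(log_text, path_prefix="/manager/"):
    """Count requests per client IP to paths starting with path_prefix (assumed target)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, path = m.groups()
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or malformed field: never emit it into a rule
        if path.startswith(path_prefix):
            hits[str(ip)] += 1
    return hits

def candidates(hits, threshold):
    """Addresses at or above the (assumed) request threshold, for review or reporting."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def htaccess_block(ips):
    """Render an Apache 2.4 .htaccess fragment denying only the listed addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    offenders = candidates(count_hits(SAMPLE_LOG), threshold=3)
    print(htaccess_block(offenders))
```

If the site sits behind a proxy such as CloudFlare, the logged client address is the proxy's unless the server is configured to restore the visitor's address, so check that before generating rules from the log.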