We cache the hell out of our WP marketing site. Cloudfront > Varnish > Apache > OPCache > MySQL Query Cache. It feels fast to visitors. People in the admin area still suffer.
Typically, you restrict countries that you receive abusive traffic from and do not have any business in.
"Is that how you want the web to generally work?"
My suggestions on ways to prevent paying for CloudFront charges from junk requests are not prescriptive. However, they are AWS best practices when dealing with DDoS.
I look at GitHub profiles to help filter / disqualify candidates. Just last weekend, I had a marketing candidate who had stolen three Wordpress projects from their current employer and post them as public repos on their personal GitHub account. In addition to the flagrant intellectual property theft, the repos contained the wp-config.php file with exposed database “root” credentials to live, client sites.