> Those. the system skips 4-5 times, then blocks, but the IP address is not automatically transferred to the black list.
Okay, this is the intended behaviour. Accessing a URL blocked by 404Shield records a blocked request. Do that many times within the blocking window (configurable by you, in the Configure WAF page) and they get their IP blocked. If they keep doing that they will get their IP permanently blocked based on the settings you have provided for permanent IP blocking, again in the Configure WAF page. This is how it's supposed to work, it's also documented why.
> Automatic blocking of IP after 1 or 2 attempts is not suitable.
Yes, it is.
If we blocked an IP immediately and permanently we'd make it super easy for an attacker to delist your site from search engines. All an attacker would have to do is create a page with real text and links to the non-functional WordPress URLs on your site. The search engine would dutifully pick these links up and try to crawl them. As soon as your site saw the crawler it would permanently block it, forever. As a result any other URL the search engine would try to crawl would appear to be permanently blocked with HTTP 403 Forbidden and the search engine would drop your site.
Furthermore, a legitimate client visiting such a URL would be perma-banned. It's easy for someone to make a malicious phishing campaign, only that instead of directing your clients to a shady URL to steal their credentials they'd be sending them to your domain, but on a URL which would get their IP address permanently banned. The user might miss the sender but they sure wouldn't miss the fact that they are really in your legitimate domain name and they are told they are blocked because they are a hacker. Can you imagine the havoc this wreaks upon an e-commerce site?
You also have people who are just plain curious and legitimate vulnerability scanners you may be running on your site. If you automatically and permanently block them you are doing a disservice to your site.
Finally, as I've said in the documentation and written in these here ticket replies thousands of times: IP addresses are NOT static. The IP address you are banning today because it belongs to a malicious actor will not necessarily remain assigned to them in all eternity. Very likely they are using a bot across a few compromised computers. These computers will sooner rather than later be assigned a different IP from their ISP and the old IP will be assigned to a different, legitimate client. If they try to access your site they will find themselves blocked. Don't overdo it with permanent IP banning, it will come back to bite you.
When doing security you need to think about the consequences of your actions. If you permanently block IPs for the slightest hint of a possibly problematic request you will come back here telling me that Admin Tools is preventing access to your site for legitimate users or that it keeps blocking you all the time. The problem won't be Admin Tools, it'll be your hair trigger configuration — after all, Admin Tools only does what you tell it to do, nothing less and nothing more.
Nicholas K. Dionysopoulos
Lead Developer and Director
🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
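
The escalation described in the reply above (blocked requests counted inside a window, then a temporary IP block, then a permanent block after repeated temporary blocks) can be modelled in a few lines. This is an added illustration, not Admin Tools code; the class, the parameter names and the traffic samples are hypothetical and constructed, and the thresholds are example values rather than the product's defaults.

```python
from collections import defaultdict, deque

class AutoBanModel:
    """Toy model: windowed strike counting that escalates to a permanent block."""
    def __init__(self, strikes, window, ban_time, perm_after):
        self.strikes = strikes        # blocked requests needed for a temporary ban
        self.window = window          # seconds in which those requests must occur
        self.ban_time = ban_time      # seconds a temporary ban lasts
        self.perm_after = perm_after  # temporary bans before permanent blacklisting
        self.hits = defaultdict(deque)
        self.banned_until = {}
        self.ban_count = defaultdict(int)
        self.blacklist = set()

    def blocked_request(self, ip, now):
        """Record one request to a blocked URL and return the IP's resulting state."""
        if ip in self.blacklist:
            return "permanent"
        if self.banned_until.get(ip, 0) > now:
            return "temp-banned"
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:  # forget strikes outside the window
            q.popleft()
        if len(q) < self.strikes:
            return "logged"
        q.clear()
        self.ban_count[ip] += 1
        if self.ban_count[ip] >= self.perm_after:
            self.blacklist.add(ip)
            return "permanent"
        self.banned_until[ip] = now + self.ban_time
        return "temp-banned"

def replay(model, events):
    """Feed (timestamp, ip) pairs to the model and collect the state after each."""
    return [model.blocked_request(ip, t) for t, ip in events]

# Constructed traffic (documentation IP ranges).
# A search crawler following three planted dead links, one hour apart:
CRAWLER = [(0, "192.0.2.10"), (3600, "192.0.2.10"), (7200, "192.0.2.10")]
# A bot hammering blocked URLs in two bursts:
BOT = [(t, "198.51.100.7") for t in (0, 5, 10, 15, 20, 2000, 2005, 2010, 2015, 2020)]

if __name__ == "__main__":
    tolerant = dict(strikes=5, window=60, ban_time=900, perm_after=2)
    hair_trigger = dict(strikes=1, window=60, ban_time=900, perm_after=1)
    print("tolerant, crawler:    ", replay(AutoBanModel(**tolerant), CRAWLER))
    print("tolerant, bot:        ", replay(AutoBanModel(**tolerant), BOT))
    print("hair trigger, crawler:", replay(AutoBanModel(**hair_trigger), CRAWLER))
```

With the tolerant settings the crawler is only logged while the bot is still blacklisted on its second burst; with the one-strike settings the crawler is blacklisted on its first request.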