We're currently running a PHP API (all URLs get rewritten to index.php for route handling) on an Apache Debian server.
Edit: (I think I might have landed on the wrong StackExchange for this question, so my apologies for that; I came here from another question.)
Over the last few weeks, the number of "web attacks" has increased quite a bit.
These include, for example, sessions with 1000+ requests in two to three minutes to endpoints like:
/old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/plus/e7xue.php
/wp-includes/fonts/wp-login.php
/?XDEBUG_SESSION_START=phpstorm
/cgi-bin/mainfunction.cgi
- 400+ random .php files with a payload of
<?=die(@md5(Apri1));?>
- ..
I've enabled the Apache mod_evasive module, but this results in a lot of false positives because (what I think the reason is) the normal API routes are rewritten to the index.php file and the evasive module flags these as "same website/page" requests (?).
Security-wise, I'm not 'that' worried: all our services are up to date, running the latest patches, the API has a security wall, etc., but because of the route handling, all these requests "spin up" the API, which puts unnecessary load/stress on the server.
I've searched through forums and the like, but I couldn't really find a "solution" (or it was WordPress related, with a plugin etc.).
Now, coming to the actual question: what can be done about this in an efficient way?
I was thinking about putting custom handling within the API that checks for requests to "unmapped endpoints" (which result in a 404), logging the IP address and, if the threshold for the number of requests is passed, adding that IP address to the .htaccess to block it with a 'deny from' (because I don't want to enable command execution from PHP to add the IP address to iptables, for example). But this seems inefficient, and all this could be handled a layer higher?
I know web attacks are happening everywhere, every day, and you can't really stop them, but I just want to keep the number of this type of request to a minimum because, as the "server manager", these kinds of requests are stressing me out.
0 Answers
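As an added example (not code from the original post or from any answer to it): the threshold logic the question sketches, moved out of the PHP API and run over Apache access-log lines instead, so counting probes never has to spin up the application. Everything below is constructed for the example: the log lines and IP addresses are made up, the probe patterns are an assumption built from the URLs listed in the question, and the threshold and window are arbitrary. The emitted fragment uses the Apache 2.4 `Require not ip` syntax, since `Deny from` is the 2.2-era mod_access_compat form.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Probes taken from the question's list. Assumption: the API is reached only
# through clean, rewritten URLs, so a direct request for any *.php file (other
# than index.php), a WordPress path, a CGI path or an XDEBUG trigger is a scan.
SCANNER_PATTERNS = [
    re.compile(r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$"),
    re.compile(r"^/wp-(?:includes|admin|content|login)"),
    re.compile(r"[?&]XDEBUG_SESSION_START="),
    re.compile(r"^/cgi-bin/"),
    re.compile(r"^/(?!index\.php(?:$|\?))[^?]*\.php(?:$|\?)"),
]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_scanner_target(target: str) -> bool:
    """True if the request target (path + query string) matches a known probe."""
    return any(p.search(target) for p in SCANNER_PATTERNS)


def offending_ips(lines, threshold=20, window=timedelta(minutes=3)):
    """Return {ip: time the threshold was first crossed} for clients that made
    `threshold` or more suspicious requests inside any `window`.

    A request is suspicious when the API answered 404 (an unmapped route, as
    the question proposes) or when the target matches SCANNER_PATTERNS.
    Legitimate clients also produce the odd 404, so keep `threshold` well
    above that background rate. Lines are expected in log order per client.
    """
    recent = defaultdict(deque)   # ip -> timestamps of suspicious hits in window
    blocked = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed request line ("-") or a different LogFormat
        ip, target, status = m["ip"], m["target"], int(m["status"])
        if status != 404 and not is_scanner_target(target):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked


def apache_deny_fragment(ips) -> str:
    """Render the block list as an Apache 2.4 mod_authz_core fragment
    (the 2.4 equivalent of a 'deny from' list in .htaccess)."""
    body = ["<RequireAll>", "    Require all granted"]
    body += [f"    Require not ip {ip}" for ip in sorted(ips)]
    body.append("</RequireAll>")
    return "\n".join(body)


# --- constructed sample log (not real traffic) --------------------------------
def _entry(ip, ts, target, status):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {target} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')


_T0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
_PROBES = [
    "/old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",
    "/plus/e7xue.php",
    "/wp-includes/fonts/wp-login.php",
    "/?XDEBUG_SESSION_START=phpstorm",
    "/cgi-bin/mainfunction.cgi",
]
SAMPLE_LOG = (
    # fast scanner: 25 probes in two minutes, every one answered 404 by the API
    [_entry("203.0.113.9", _T0 + timedelta(seconds=5 * i), _PROBES[i % 5], 404)
     for i in range(25)]
    # ordinary client: real routes plus a few 404s for records that don't exist
    + [_entry("198.51.100.4", _T0 + timedelta(seconds=30 * i), "/v1/users/42", 200)
       for i in range(6)]
    + [_entry("198.51.100.4", _T0 + timedelta(seconds=40 * i), f"/v1/orders/{1000 + i}", 404)
       for i in range(3)]
    # slow scanner: same probes, one every five minutes, never fills the window
    + [_entry("192.0.2.77", _T0 + timedelta(minutes=5 * i), _PROBES[i % 5], 404)
       for i in range(30)]
)

if __name__ == "__main__":
    print(apache_deny_fragment(offending_ips(SAMPLE_LOG)))
```

Run stand-alone it prints a `<RequireAll>` block naming only the fast scanner; the ordinary client's three 404s and the slow scanner's spaced-out probes stay under the threshold. Reading the access log from outside PHP is also what fail2ban does with an Apache filter, so the same counting can be delegated to it with an iptables or nftables ban action, without giving the API any command execution.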