
A client running WordPress was seeing hundreds of attempted logins per hour. Even with automatic IP blocking by Wordfence, the attacks continued, because the attackers would simply switch IPs as soon as one was blocked.

One can change the login page URL without modifying the server or WordPress by using the following HAProxy rules:

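        # host_CLIENT_IDENTIFIER is an ACL matching this client's hostname; it must be defined elsewhere
        acl wp_hacker path_beg -i /wp-login.php
        acl wp_secret path_beg -i /INSERT_SECRET_KEY_HERE
        # Deny anything but a POST to the real login page on this client's site
        http-request deny if host_CLIENT_IDENTIFIER wp_hacker !METH_POST
        # Serve the login page at the secret path; set-path leaves the existing query string intact
        http-request set-path /wp-login.php if wp_secret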

 

A few things to note:

http-request rules modify ALL traffic, not just the traffic assigned to a use_backend, as they trigger both before and after use_backend.

Thus, without host_CLIENT_IDENTIFIER, the deny rule would affect all WordPress servers behind the HAProxy server.
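
The rule set above, modelled in Python as an added example (not the author's code) so the effect of host scoping can be checked request by request. The hostnames are constructed, and host_CLIENT_IDENTIFIER is assumed to be an ACL that matches the client's Host header. It shows that the deny is host-scoped while the rewrite at the secret path, which has no host condition, applies to every site, and that POSTs to /wp-login.php are forwarded so the login form can still submit.

```python
# Added example, not the author's code: a model of the four HAProxy lines above.
SECRET = "/INSERT_SECRET_KEY_HERE"  # placeholder path from the page
CLIENT_HOST = "client.example"      # assumption: host matched by host_CLIENT_IDENTIFIER


def path_beg_i(path, prefix):
    """Model of 'path_beg -i': case-insensitive prefix match on the path."""
    return path.lower().startswith(prefix.lower())


def evaluate(host, method, path, scoped=True):
    """Return (verdict, path passed to the backend) for one request.

    'path' is the path component only, as HAProxy's path fetch sees it.
    scoped=False models the deny rule written without host_CLIENT_IDENTIFIER.
    """
    wp_hacker = path_beg_i(path, "/wp-login.php")
    wp_secret = path_beg_i(path, SECRET)
    host_client = host.lower() == CLIENT_HOST
    # http-request deny if host_CLIENT_IDENTIFIER wp_hacker !METH_POST
    if (host_client or not scoped) and wp_hacker and method != "POST":
        return ("deny", None)  # HAProxy answers 403; the backend never sees it
    # http-request set-path /wp-login.php... if wp_secret (no host condition)
    if wp_secret:
        return ("forward", "/wp-login.php")
    return ("forward", path)


# Constructed requests: (Host header, method, path)
REQUESTS = [
    ("client.example", "GET", "/wp-login.php"),
    ("client.example", "GET", "/WP-Login.php"),
    ("client.example", "GET", SECRET),
    ("client.example", "POST", "/wp-login.php"),
    ("other.example", "GET", "/wp-login.php"),
    ("other.example", "GET", SECRET),
]


def matrix(scoped=True):
    """Evaluate every constructed request and return the verdicts in order."""
    return [evaluate(h, m, p, scoped) for h, m, p in REQUESTS]


if __name__ == "__main__":
    for req, with_host, without in zip(REQUESTS, matrix(True), matrix(False)):
        print(f"{req!s:55} scoped={with_host!s:32} unscoped={without}")
```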
