Many different sites have many different ways of implementation and many people seem to have their most opinionated ones.
I would not have any external user interaction on my website at all.
It is MY website, it is made BY me, FOR me.
I actually have a small website where I publish photos, it is a simple static HTML/CSS page that I manually update in the code when I have new photo galleries (generated in digiKam) to link to.
This makes the site increadibly fast, there is zero access time to wait for a DB query to finnish, or a caching server to load or a google analytics script, it just loads instantly and looks great.
Since it is just HTML I don’t worry about anyone gaining access to the backend.
This also my answer, but better explained than I would have.
Much like every other implementation of a blocking system. Badly.
First off, block every Russian IP
client certificate
First, I couldn’t do this because I don’t have access to the server since it’s a Neocities page. Second, I have absolutely zero clue whether this would work.
I wouldn’t mind setting up a tiny 1 pixel dot in the very top corner of the site where nobody would ever click. You click it, you get sent to a page that will log your IP to a list of banned IPs. Don’t know if bots could get around that, but scrappers probably would get caught out by it.