Bots using up functions for nextjs app for invalid pages

I have a Nextjs app with functions enabled which is used to generate i18n pages.

The domain was used to host a wordpress site earlier due to which bots constantly try to access wp-login.php and brute force it.
In my Function ___netlify-handler log, i see lot of requests for wp-login.php, /PHP/eval-stdin.php, /xmlrpc.php?rsd= before ending up in 404 page.

Do these count in my functions quota? If so how do I stop them.

I tried a redirect for *.php but still see a lot of requests for php pages.

Unfortunately, yes.

Redirects cannot be applied according to an extension. Thus, it won’t work.

There’s no good solution to this, unfortunately. The only way to stop wasting function invocations is by using your Edge Function invocations. You can block specific paths (including based on extension).