Hi @vinewoodstudios_admin, thanks for getting in touch!
It can be frustrating to see so many requests in your Live Traffic, especially if there seems to be no logical reason due to hidden pages or other security measures, but this is actually quite a normal occurrence. You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/
Perhaps also try disabling XML-RPC authentication by checking the “Disable XML-RPC authentication” checkbox in Wordfence > Login Security > Settings to prevent authentication attempts being POSTed through that file, so may help.
However, manual attempts to access the XML-RPC file itself are commonly tried by attackers, so if you did want to add a total blanket block, you could also add the following code to your .htaccess file if you are certain no plugins you use (such as Jetpack or the WordPress app) require access:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
2FA in itself won’t prevent invalid usernames from being attempted but you could certainly try increasing the time a user is locked out in your Brute Force and Rate Limiting settings to prevent frequent retries. If you don’t have a large number of public logins (such as a WooCommerce store), you could try enabling the “Immediately lock out invalid usernames” checkbox too.
Let me know if you’re already taking all of these measures, but otherwise see whether the attempts reduce over the coming days.
Thanks,
Peter.
