Hello @siriusphil and thanks for reaching out.
I believe that Jetpack uses the XML-RPC to authenticate. If you use it, I don't think you will be able to block access to it, unless you whitelisted your IP to always allow. Even then, all IPs from your ISP change after their lease is up.
This is directly from our help documentation here:
https://www.wordfence.com/help/login-security/
Require 2FA for XML-RPC call authentication
This option is set to “Required” by default, to prevent logins without 2FA via xmlrpc.php. Attackers often target xmlrpc.php with password guessing attacks, so it is important to keep this feature enabled if possible.
Plugins, features, and external apps or services that require authenticated XML-RPC calls are usually not compatible with this option. For example, if you use the WordPress app on your phone with a user account that uses 2FA, you will most likely need to set this option to “Skipped”, unless you have specific IPs or ranges you can safely whitelist.
Custom applications that log in via XML-RPC may be made compatible if they can generate a TOTP code and append the current code to the password during authentication. Codes still expire after the first use.
Disable XML-RPC authentication
This option rejects all XML-RPC requests that require authentication, whether they have a valid username and password or not. It applies to all logins, not only those for users with 2FA enabled.
This option is not compatible with the WordPress phone app, the Jetpack plugin, or most other services that use XML-RPC.
Let me know if this helps!
Thanks!
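The quoted documentation says a custom XML-RPC client can stay compatible with the "Required" setting by appending the current TOTP code to the password. The sketch below is an added example, not part of the original reply or Wordfence's code; it assumes standard RFC 6238 parameters (HMAC-SHA1, 30-second step, 6 digits), direct concatenation with no separator, and the WordPress `wp.getUsersBlogs` method as the authenticated call.

```python
import base64
import hashlib
import hmac
import struct
import time
import xmlrpc.client


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32-encoded shared secret."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # authenticator secrets often omit padding
    key = base64.b32decode(s)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def build_login_call(username, password, secret_b32, now=None):
    """Return the XML-RPC request body with the code appended to the password."""
    # Assumption: the code is concatenated directly after the password.
    credential = password + totp(secret_b32, now)
    return xmlrpc.client.dumps((username, credential),
                               methodname="wp.getUsersBlogs")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(build_login_call("api-user", "example-password", secret))
```

Because codes expire after the first use, a client that sends a second authenticated call within the same 30-second step cannot reuse the code it just sent.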