Hi @itaddict and thanks for your query.
I can assure you that Wordfence doesn’t employ any tactics to push you towards becoming a premium customer. Most automated login attempts will be done through XML-RPC or the WordPress REST API, therefore not requiring a front-end login page. Hiding the login page only slightly slows down somebody with malicious intent rather than stopping them. Our thoughts on obscuring the wp-login URL are discussed in this video: https://www.wordfence.com/blog/2017/10/should-you-hide-wordpress-login-page/
Going forwards, you could specifically state usernames you’re seeing come up frequently in Wordfence > All Options > Brute Force Protection > Immediately block the IP of users who try to sign in as these usernames, and could immediately lock out all invalid usernames to prevent other random attempts. However, if you’re running an e-commerce site, the latter setting is not recommended: https://www.wordfence.com/help/firewall/brute-force/#lockout-invalid-user
XML-RPC authentication can be disabled by checking the “Disable XML-RPC authentication” box in Wordfence > Login Security > Settings. Manual attempts to access the XML-RPC file itself are commonly tried by attackers, so you could add the following code to .htaccess:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
You can also lengthen the “Amount of time a user is locked out” in the Brute Force Protection section, meaning that the attempts cannot be made as frequently. We often find locking out for days rather than minutes/hours helps stem a lot of these automated attacks.
I hope this helps you out,
Peter.
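
Added example, not part of the reply above and not Wordfence code: a small log check that tallies POST requests to xmlrpc.php and wp-login.php per IP and shows whether the .htaccess rule is answering xmlrpc.php with 403. It assumes the web server writes the common "combined" access log format; the function name, threshold and sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# "combined" access log: client IP, timestamp, request line, status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
AUTH_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 674 "-" "-"
203.0.113.7 - - [10/Oct/2023:14:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
192.0.2.10 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
"""

def summarize(log_text, threshold=3):
    """Return {ip: counts} for IPs with >= threshold POSTs to auth endpoints."""
    hits = defaultdict(Counter)  # ip -> Counter keyed by (endpoint, status)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # login attempts are POSTs; skip everything else
        path = m["path"].split("?", 1)[0]
        # endswith() also covers WordPress installed in a subdirectory
        endpoint = next((e for e in AUTH_ENDPOINTS if path.endswith(e)), None)
        if endpoint:
            hits[m["ip"]][(endpoint, int(m["status"]))] += 1
    report = {}
    for ip, counts in hits.items():
        total = sum(counts.values())
        if total < threshold:
            continue
        xml = {s: n for (e, s), n in counts.items() if e == "/xmlrpc.php"}
        report[ip] = {
            "total": total,
            "xmlrpc_blocked": xml.get(403, 0),               # denied by the rule
            "xmlrpc_reached": sum(xml.values()) - xml.get(403, 0),
            "wp_login": total - sum(xml.values()),
        }
    return report

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, row)
```

A non-zero `xmlrpc_reached` count after the rule is in place means requests are still getting through to xmlrpc.php, so the .htaccess block is not being applied.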