Hi @techpik, thanks for your question.
Firstly, make sure you have “Email me if Wordfence is deactivated” set in Wordfence > All Options > Email Alert Preferences.
Secondly, we do provide 2FA and reCAPTCHA through our Wordfence > Login Security module. One or both of these, with 2FA set to “Required” for administrators greatly reduces the possibility of plugins being disabled by a malicious source. Make sure to set a grace period if there are other administrators on your site that need time to comply with the changes.
As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
I will provide our site cleaning instructions for you, just in case any steps can help after a breach: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
XML-RPC requests are one of the most common brute force/credential stuffing attack methods so we always recommend using long unique passwords along with 2FA for your administrative accounts.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
Many thanks,
Peter.
