Thanks for your replies. My current theme forces me to use the Jetpack from wordpress.com, and Jetpack uses xmlrpc.php, so I can`t just block acces to that file.
I added the code below to my .htaccess file to block requests not claiming to be from Jetpack, and so far it works.
RewriteCond %{REQUEST_URI} ^.*(xmlrpc\.php)$
RewriteCond %{HTTP_USER_AGENT} !^(.*Jetpack.*)$
RewriteRule ^(.*)$ - [F]
But I still thought the IPs should be blocked by Wordfence after so many attempts, at least if it is some sort of brute force login attack. Why else would someone be accessing this file?
