@feditips we're a web host and very experienced with resolving Wordpress attacks. It's frankly a horrifically insecure platform if left as a stock, out of the box install!

Get in touch via our website if you're still having issues. Happy to jump on and investigate for you. https://www.qweb.co.uk

At the very least, a well configured Wordfence is a good start. My plugin, https://github.com/qwebltd/wordpress-admin-country-allowlist will block admin panel and XMLRPC access to countries that don't need it, too. Fail2Ban as a bonus.