• Resolved CamZL1

    (@danishhaidri)


    Since I am totally new to this, what is the best practice when it comes to blocking IP Addresses? Do we block all IPs trying to access:

    1. /wp-load.php
    2. /wp-admin
    3. //xmlrpc.php
    4. //tinythumb.php

    Anything else as part of best practice and rule of thumb?

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @danishhaidri, thanks for seeking out our help over this.

    Firstly, our help resources will help you as a newer Wordfence user should you need to look into any further issues or settings you’d like to understand more clearly: https://www.wordfence.com/help/

    As for blocking, you will block everybody, even yourself, should you add specific URLs to the “Immediately block IPs that access these URLs” text box, so that can be risky with pages like /wp-admin. /xmlrpc.php is recommended as this can be a popular URL to attack. If you feel confident that your site does not use XML-RPC at all, you could also try checking Wordfence > Login Security > Settings > “Disable XML-RPC authentication”. This can always be turned off again if it causes any problems with plugins that use it.

    The settings in Wordfence > All Options > Brute Force Protection can be set to be fairly strict. I recommend trying 3-5 for attempts and password resets, counted over 4 hours, with a 30+ minute lockout. For extra protection, checking “Immediately lock out invalid usernames” will prevent a password attempt if the username doesn’t match a valid entry. Bots will often try the admin username by default, so if this user definitely does not exist, add that to “Immediately block the IP of users who try to sign in as these usernames”.

    If you turn on Wordfence > All Options > Rate Limiting, increasing “How long is an IP address blocked when it breaks a rule” from minutes to hours or even days can be very effective at preventing bots that are attempting access to your site from repeatedly trying again.

    Under Additional Options, checking “Block IPs who send POST requests with blank User-Agent and Referer” can also help.

    Your Live Traffic page also has a “BLOCK IP” button when clicking the view icon should you wish to block any suspicious traffic manually.

    I hope that gives you a solid start and thank you for using Wordfence!

    Peter.
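
As an added example (not code from Wordfence or from this thread), the Python model below shows how the brute-force settings Peter describes interact: a failed-attempt threshold counted over a 4-hour window, a 30-minute lockout, immediate lockout of unknown usernames, and a permanent block for IPs that try a listed username such as admin. The class, its parameter names and the IP addresses are my own constructed assumptions, not Wordfence internals.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Sliding-window failed-login counter with timed lockouts and permanent
    IP blocks, modelled on the Brute Force Protection settings (assumed names)."""

    def __init__(self, max_failures=5, window_seconds=4 * 3600,
                 lockout_seconds=30 * 60, valid_users=(),
                 blocked_usernames=(), lock_invalid_usernames=True):
        self.max_failures = max_failures            # "attempts" threshold
        self.window_seconds = window_seconds        # "counted over 4 hours"
        self.lockout_seconds = lockout_seconds      # "30+ minute lockout"
        self.valid_users = frozenset(valid_users)
        self.blocked_usernames = frozenset(blocked_usernames)
        self.lock_invalid_usernames = lock_invalid_usernames
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the timed lockout ends
        self.blocked = set()                # IPs blocked permanently

    def attempt(self, ip, username, password_ok, now):
        """Evaluate one login attempt at time `now` (seconds); returns
        'ok', 'failed', 'locked' or 'blocked'."""
        if ip in self.blocked:
            return "blocked"
        if self.locked_until.get(ip, 0) > now:
            return "locked"                 # still inside the lockout period
        if username in self.blocked_usernames:
            self.blocked.add(ip)            # block IP for trying a listed username
            return "blocked"
        if username not in self.valid_users and self.lock_invalid_usernames:
            self.locked_until[ip] = now + self.lockout_seconds
            return "locked"                 # no password check for unknown users
        if password_ok:
            self.failures[ip].clear()       # successful login resets the counter
            return "ok"
        window = self.failures[ip]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()                # drop failures older than the window
        if len(window) >= self.max_failures:
            window.clear()
            self.locked_until[ip] = now + self.lockout_seconds
            return "locked"
        return "failed"
```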

  • The topic ‘Blocking IP’ is closed to new replies.