Spam hits with xmlrpc, wp-login, and 401.shtml in Live Traffic Help

I am seeing a hit almost every few minutes (almost all random international countries) in live traffic that show a few different page visits per hit with some variation of the following:

mydomain.com/xmlrpc.php
mydomain.com/wp-login
mydomain.com/401.shtml
(and then usually it shows the wp-login attempt again and then the 401.shtml one more time).

Do you know how I can stop this? I was thinking of adding something like:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !.*example.com.* [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ – [F]
</IfModule>

To the top of my .htaccess, would that help? Any suggestions?

Also is Wordfence making them reach the 401.shtml page or is that for a different reason?

I know my WordPress version is old (we are in the process of trying to update it) but in the meantime I wanted to figure out a fix.

Thank you for your help.