I had big issue with one of our shared hosting cPanel machines on which massive brute force attacks were occurring from different IP addresses. So just firewall block was not possible. I checked Apache server status and all I saw was wp-login.php and xmlrpc.php requests. Major targets in WordPress case are wp-login.php and xmlrpc.php. Server was on the edge becouse of high load.
Allowing only specific country’s to access WordPress administration came to mind. Of course, you can think reversely too, block all country’s that are most common as attack source. I choose first option.