• Anonymous User 13711045

    (@anonymized-13711045)


    I have login security options enabled and it seems to work for brute force attacks…in a way. However, when a bot hits the limit they are only blocked from logging in. Is it possible to block their IP completely from the site when this happens? I ask because even when they are blocked they are still hitting the wp-login.php page with a response code of 200 it looks like, which is bogging my server down. I’d like to completely shut them out.

    https://www.ads-software.com/plugins/wordfence/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi, I’m just another user here trying to help out. I’m not a pro but I have decades of experience defending an active website in the real world, so I try to put things in simple terms.

    My take on your question is it’s important to think of security as layers. With your website, you’ve got your basic layer, which is the site and Wordfence. The next layer above that is usually controlled by your .htaccess file specific to your website, and the next layer above that is your actual server firewall. That’s the simple way to think of it all, anyhow.

    Wordfence at your site level will not “completely shut them out.” In fact, nothing will completely “shut out” an IP because it has to access your server to be shut out, so at some level there will be a demand on resources, however small.

    With that understood, the next level above your Wordfence blocking is to manually add the worst IP numbers to your .htaccess file in a “Deny” statement.

    There are “honey pot” systems and plugins that attempt to capture bad IP numbers and automate their addition to your .htaccess file, but they’re difficult to install in my experience.

    Above the htaccess level, you add the IP numbers to your server firewall. If you’re serious about security it’s best to learn how to operate your server firewall yourself, or have someone in-house working with it on a daily basis. But for the smaller operator sometimes you have to rely on your hosting support.

    In the case of attacks that look like they’re using numbers from a block of IPs, or from a country I really don’t need traffic from, when doing blocks in .htaccess or in server firewall I block ranges of hundreds of IP numbers.

    To learn how to do all this, Google is your friend and sometimes your hosting company support can be valuable.

    Apologies to Wordfence support if this is too simplistic an answer, and yes, the Wordfence WAF does operate in there as well.

    I hope that helps. Happy to converse more about this. It’s an issue that is unfortunately very real to me.

    One other thing. If you simply hide your login using plugin “WPS Hide Login” the login hack attempts will generate a low bandwidth simple file not found error on your server. Some “experts” scoff at this kind of simple fix, but it works. Perhaps the experts that scoff are being paid by the hour, so they have time to not use easy fixes…

    MTN

    Hi thekendog,

    I agree with you 101%!
    That’s a feature that should be added to Wordfence.
    Now, we can set that after x failed login attempts, this IP will be blocked from login for x amount of time (this doesn’t allow us to treat differently honest people who forgot their login credentials vs. attackers).

    An additional useful setting would be:
    After y failed logins within z time frame, permanently block this IP from this site. So we can set y to, for example, 30 and z to 1 day, so a brute force attack that we define as 30 failed login attempts in 1 day will result in permanently blocking this IP address.

    The way it is now, the IP is only blocked temporarily (just like the honest user), and we need to monitor it constantly, check for the IPs that are attacking us, and manually set them to be blocked permanently.

    Tom
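Both replies above describe the same defensive rule from different angles: count failed-login hits per IP inside a time window (Tom's "y attempts within z"), and push the worst offenders up a layer, into an .htaccess deny rule or a server-firewall range (thekendog's "layers"). The script below is an added example written for this thread, not code from Wordfence, WPS Hide Login or either poster. It reads Apache combined-format access-log lines (the sample lines are constructed), counts POSTs to wp-login.php per IP in a sliding window, and emits an Apache 2.4 `Require not ip` fragment (the 2.4 equivalent of the 2.2 `Deny from` statement) plus /24 ranges suitable for a firewall list. The threshold and window are assumptions; Wordfence's own counting logic is not reproduced here.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in Apache "combined" log format (not taken from the thread).
# 203.0.113.7 hammers wp-login.php; 198.51.100.2 looks like a user retyping a password.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:01:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2023:14:02:00 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""

# client-ip ident user [timestamp] "METHOD path protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"   # assumption: a stock install, login page not renamed/hidden


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def login_attempts(lines):
    """Yield (ip, timestamp) for every POST to the login page.
    Status is deliberately ignored: as the original poster noted, a blocked or
    failed login still comes back as 200, so the status code says nothing useful."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            yield rec["ip"], rec["ts"]


def offenders(lines, threshold=30, window_minutes=24 * 60):
    """Tom's rule: IPs with at least `threshold` login POSTs inside any
    `window_minutes`-long sliding window. Returns {ip: peak count in a window}."""
    window = window_minutes * 60
    stamps_by_ip = defaultdict(list)
    for ip, ts in login_attempts(lines):
        stamps_by_ip[ip].append(ts)
    bad = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # advance the window start until it fits inside `window` seconds
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bad[ip] = best
    return bad


def htaccess_fragment(ips):
    """Apache 2.4 block for the login page only (the 2.4 form of 'Deny from')."""
    out = ['<Files "wp-login.php">', "  <RequireAll>", "    Require all granted"]
    out += [f"    Require not ip {ip}" for ip in sorted(ips)]
    out += ["  </RequireAll>", "</Files>"]
    return "\n".join(out)


def firewall_ranges(ips, prefix=24):
    """Collapse offender IPs to /prefix networks for a server-firewall deny list,
    the 'block ranges' step from the first reply. Review before applying: a /24
    also covers neighbours who never touched the site."""
    nets = {str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in ips}
    return sorted(nets)


if __name__ == "__main__":
    # Demo thresholds are assumptions chosen to trigger on the sample data.
    bad = offenders(SAMPLE_LOG.splitlines(), threshold=5, window_minutes=10)
    print("offenders:", bad)
    print(htaccess_fragment(bad))
    print("firewall ranges:", firewall_ranges(bad))
```

Run it on a real log with `SAMPLE_LOG` replaced by `open("/var/log/apache2/access.log")` and the threshold/window set to Tom's y and z. The 198.51.100.2 lines show why the window matters: three attempts in five minutes is a forgotten password, not an attack, and stays below a sensible threshold.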

  • The topic ‘Completely Block IP After Too Many Login Attemps’ is closed to new replies.