I've alerted my host, but I suddenly started getting hit by login attempts from 10.0.0.6 trying dozens of common usernames and passwords with numerous spoofed user agents. I gather this means that either a server in the host's network has been compromised or that the IP has been forged somehow. Either way, there appears to be no way within Wordfence to block access attempts from 10.0.0.6 due to hard-coded whitelisting overriding my block. I presume it's doing this in case my own server is 10.0.0.6, in a well-meaning attempt to protect me from borking WP cron jobs etc.? The Advanced Blocking page let me put in a rule, but Wordfence is ignoring it.
Unfortunately I don't have SSL or FTP access, so I'm unable to effect a block via .htaccess myself. Any ideas how to stop or slow this attack while waiting on my host's customer support? It's hitting hard enough that it's slowing page loading significantly.